http://informationweek.com/story/showArticle.jhtml?articleID=60300331 By Gregg Keizer TechWeb News Feb. 10, 2005 It didn't take hackers long to start banging hard on the vulnerabilities Microsoft disseminated Tuesday. Just a day after the Redmond, Wash.-based developer rolled out a dozen advisories containing 16 vulnerabilities, 10 of them tagged as "Critical," exploit code has gone public for one, Microsoft said late Wednesday. "Microsoft won't be happy that someone has posted information about how to take advantage of their critical security hole within 48 hours of their patch being released," said Graham Cluley, senior technology consultant for Sophos, in a statement. "Many computer users are bound to have not yet defended themselves," he added. Microsoft posted an online advisory to its Web site, confirming that exploit code exists. "Microsoft is aware of exploit code available on the Internet that targets an issue addressed this week by the update released with Microsoft Security Bulletin MS05-009," Microsoft said. The bulletin in question patched two vulnerabilities, one in Windows Media Player, the other in MSN Messenger and Windows Messenger, Microsoft's instant messaging clients. All three applications can be attacked using malformed PNG image files. According to other security firms' analyses, the exploit code -- dubbed Exploit-PNGfile by McAfee -- can instruct the infected machine to run any payload the hacker bundles with it. Possible payloads could include such typical malware as Trojans, backdoor components, or worms to wrench control from the real user, or even spyware such as key loggers to steal information and identities. Although exploit code is out and about, Microsoft said it had not yet seen any actual attack. "We will continue to actively monitor the situation and provide updated customer information and guidance as necessary," the advisory continued. Microsoft said that patched systems were immune from the exploit, and outlined recommended steps for both individuals and enterprises that included updating both Windows and MSN Messenger for the former, and either uninstalling MSN Messenger or blocking it in the latter. "MSN Messenger is not intended for corporate environments," Microsoft said. "Instead, use Windows Messenger, which is included with Windows." Another option is to download the beta of MSN Messenger 7, which is not susceptible to the exploit. One stumbling block in eliminating this vulnerability is that users must update MSN Messenger manually, since it's not part of Windows per se (unlike Windows Messenger, the similar-but-not-identical IM client bundled with the OS). "Although there is an automatic update notification system present in MSN Messenger, it can take a long time for it to actually inform the user about a newer version," wrote Kaspersky Labs in its alert on the issue. Core Security Technologies, the Boston security firm which first found the flaw and reported it to Microsoft in August 2004, said that the MSN Messenger bug was extremely dangerous. "Due to the particular characteristics of the MSN Messenger communications protocol, exploitation of the vulnerability is likely to pass unnoticed to network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls that do not implement decoding and normalization of the MSN Messenger protocol encapsulated within HTTP," the company said in its own advisory posted Tuesday. Core also said that exploits could be crafted that would compromise unpatched machines "without crashing or disrupting the normal functioning of the MSN Messenger client application," making detection almost impossible by the end user. "This vulnerability is serious," said Sophos' Cluley. "Everyone should ensure their systems are properly protected with the security patch at the earliest opportunity." _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Fri Feb 11 2005 - 03:17:41 PST