http://www.eweek.com/article2/0,1895,2090525,00.asp By Joe Wilcox February 5, 2007 Microsoft zero-day vulnerabilities are increasingly so commonplace, the risk is lost with the message. On Feb. 2, Microsoft issued another security alert, this one for Excel, that largely went unnoticed. In its security bulletin, Microsoft warned that "other Office applications are potentially vulnerable" to the zero-day flaw. Zero-day refers to a flaw for which there is an exploit but no available fix. The Excel vulnerability is Microsoft's fifth zero-day exploit since December, and part of an increasingly troubling trend. The zero-day flaw affects Office versions 2000, XP, 2003 and 2004 for the Mac, but not 2007 or Works 2004, 2005 or 2006. An attacker could exploit the flaw either by enticing a user to click on a file hosted on a Web site or an attachment sent via e-mail. Either exploit would require some end-user interaction. The vulnerability poses the greatest risk to users running with Administrator privileges. Successful exploit of the attack would grant the attacker the same user rights as the user. Office running on Windows Vista could be more hardened to the attack, as all userseven those running as Administratorsoperate in standard mode. Until a patch is released, Microsoft recommends that users avoid opening attachments from "untrusted sources or that you receive unexpectedly from trusted sources." Security software developers are taking the ongoing zero-day flaw problem seriously. On Feb. 6, at the RSA Conference in San Francisco, CA will announce a host-based intrusion prevention system tool for combating zero-day vulnerabilities. Trend Micro also is bolstering features, particularly those that detect virus-like behavior. "A lot of the zero-days are variants on existing code," said David Finger, Trend Micro's global product marketing manager. "We're able to use a lot of indicators to detect [malicious behavior]." Zero-day flaws present unique problems for security software, in part because of the way security signatures are developed and dispatched. Time is another factor. The days are gone when security software developers could respond with patches in a few days. "Now, it's minutes," Finger said. One response tactic is to harden software against blended attacks, which the new Excel zero-day exploit is good example. Some of that hardening occurs within the operating system, like Microsoft's User Account Control feature in Windows Vista, Finger added. For Trend Micro and some of its competitors, security software uses heuristics and other techniques to assess virus-like behavior. Microsoft is taking the zero-day threat more seriously than ever. Two weeks ago it brought together security experts and botnet hunters to brainstorm responses. Still, Microsoft's responsiveness to some zero-day exploits falls short of the urgency. During January's release of security updates, Microsoft pulled zero-day Word flaws at the eleventh hour. The company next releases security patches on Feb. 23. Microsoft's untimely response relates to compatibility testing. If a patch breaks enterprise applications, the cure could cause more problems than the zero-day threat. ______________________________________ Subscribe to the InfoSec News RSS Feed http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Feb 05 2007 - 23:29:50 PST