[ISN] New Zero-Day Threat Excels

From: InfoSec News (alerts@private)
Date: Mon Feb 05 2007 - 23:19:40 PST


By Joe Wilcox
February 5, 2007

Microsoft zero-day vulnerabilities have become so commonplace that the 
risk is getting lost with the message. On Feb. 2, Microsoft issued another 
security alert, this one for Excel, that largely went unnoticed.

In its security bulletin, Microsoft warned that "other Office 
applications are potentially vulnerable" to the zero-day flaw.

Zero-day refers to a flaw for which there is an exploit but no available 
fix. The Excel vulnerability is Microsoft's fifth zero-day exploit since 
December, and part of an increasingly troubling trend.

The zero-day flaw affects Office versions 2000, XP, 2003 and 2004 for 
the Mac, but not 2007 or Works 2004, 2005 or 2006.

An attacker could exploit the flaw either by enticing a user to click on 
a file hosted on a Web site or an attachment sent via e-mail. Either 
exploit would require some end-user interaction.

The vulnerability poses the greatest risk to users running with 
Administrator privileges. Successful exploitation would grant the 
attacker the same user rights as the user. Office running on Windows 
Vista could be more hardened to the attack, as all users, even those 
running as Administrators, operate in standard mode.

Until a patch is released, Microsoft recommends that users avoid opening 
attachments from "untrusted sources or that you receive unexpectedly 
from trusted sources."

Security software developers are taking the ongoing zero-day flaw 
problem seriously. On Feb. 6, at the RSA Conference in San Francisco, CA 
will announce a host-based intrusion prevention system tool for 
combating zero-day vulnerabilities.

Trend Micro also is bolstering features, particularly those that detect 
virus-like behavior.

"A lot of the zero-days are variants on existing code," said David 
Finger, Trend Micro's global product marketing manager. "We're able to 
use a lot of indicators to detect [malicious behavior]."

Zero-day flaws present unique problems for security software, in part 
because of the way security signatures are developed and dispatched. 
Time is another factor. The days are gone when security software 
developers could respond with patches in a few days.

"Now, it's minutes," Finger said.

One response tactic is to harden software against blended attacks, of 
which the new Excel zero-day exploit is a good example. Some of that 
hardening occurs within the operating system, like Microsoft's User 
Account Control feature in Windows Vista, Finger added.

For Trend Micro and some of its competitors, security software uses 
heuristics and other techniques to assess virus-like behavior.

Microsoft is taking the zero-day threat more seriously than ever. Two 
weeks ago it brought together security experts and botnet hunters to 
brainstorm responses.

Still, Microsoft's responsiveness to some zero-day exploits falls short 
of the urgency. During January's release of security updates, Microsoft 
pulled zero-day Word flaws at the eleventh hour. The company next 
releases security patches on Feb. 23.

Microsoft's untimely response relates to compatibility testing. If a 
patch breaks enterprise applications, the cure could cause more problems 
than the zero-day threat.
