Hackers Jump On Windows Vulnerability
Less than 24 hours after Microsoft released details of the latest vulnerability in Windows, hackers were sharing details and eager to get their hands on exploit code, said Ken Dunham, the director of malicious code research for Reston, Va.-based security intelligence provider iDefense.
"Hackers are already actively discussing the new JPEG vulnerability and how to exploit it," said Dunham in an e-mail.
On Tuesday, Microsoft noted that a bug in Windows XP, Windows XP SP1, and Windows Server 2003, as well as many of the company's flagship applications, could allow attackers to grab control of PCs.
Exploit code exists, added Dunham, to launch a successful denial-of-service (DoS) attack on vulnerable applications, proving it's possible to create an exploit that executes code. In other words, a worm.
"While this type of exploit code has not yet publicly emerged in the [attacker] underground, this does prove that it's more likely for hackers to develop such exploit code," said Dunham.
Another analyst, Vincent Weafer, the senior director of Symantec's virus research team, agreed. "We fully expect that [hackers] will go into this," Weafer said. "There's enough knowledge about this [vulnerability] to easily make it exploitable."
The most likely attack avenue, both Dunham and Weafer said, is an HTML e-mail that includes or links to a hostile .jpg image, although links to malicious Web sites or even instant messages could be used as attack vectors.
Another issue that hackers will undoubtedly use to their benefit, said Weafer, is the reputation of .jpg-formatted images. "Generally, they're considered safe by most users," he said. "People send JPEG images all the time." Images, for instance, are rarely blocked by e-mail security at the gateway, unlike other file formats such as .exe or .com. That makes it "even more likely" said Weafer, that hackers will rush to roll out worms.
Difficulties patching the bug will add to the problem, Dunham and Weafer predicted. "[It's] complicated and tough for administrators to audit," Dunham said. Because the JPEG processing flaw is widespread -- not only in the operating systems but also in such popular applications as those in the Office XP and Office 2003 suites -- administrators may be hard-pressed to patch before an exploit is circulating.
"If this vulnerability is exploited on a widespread basis it may be some time before all of the vulnerable computers are identified and properly patched," said Dunham.
Worse, even patched systems can be later turned into vulnerable computers, added Weafer, if applications with the flawed image processing .dll are later installed on made-safe PCs.
"That could 'undo' the patch," said Weafer, "and makes the 'stickiness' of the more difficult than normal."
In addition, Dunham concluded, not even the massive Service Pack 2 (SP2) update for Windows XP completely protects against the bug, since "other products may also need to be patched to fully protect against this vulnerability."
*This story courtesy of TechWeb.com.