Hackers Quickly Target Newly Disclosed Microsoft Flaw - InformationWeek

Just a day after rolling out a dozen advisories--10 of them tagged "critical"--exploit code has gone public for one, Microsoft said late Wednesday.

It didn't take hackers long to start banging hard on the vulnerabilities Microsoft disseminated Tuesday.

Just a day after the Redmond, Wash.-based developer rolled out a dozen advisories containing 16 vulnerabilities, 10 of them tagged as "Critical," exploit code has gone public for one, Microsoft said late Wednesday.

"Microsoft won't be happy that someone has posted information about how to take advantage of their critical security hole within 48 hours of their patch being released," said Graham Cluley, senior technology consultant for Sophos, in a statement.

"Many computer users are bound to have not yet defended themselves," he added.

Microsoft posted an online advisory to its Web site, confirming that exploit code exists. "Microsoft is aware of exploit code available on the Internet that targets an issue addressed this week by the update released with Microsoft Security Bulletin MS05-009," Microsoft said.

The bulletin in question patched two vulnerabilities, one in Windows Media Player, the other in MSN Messenger and Windows Messenger, Microsoft's instant messaging clients. All three applications can be attacked using malformed PNG image files.

According to other security firms' analyses, the exploit code, dubbed Exploit-PNGfile by McAfee, can instruct the infected machine to run any payload the hacker bundles with it. Possible payloads could include such typical malware as Trojans, backdoor components, or worms to wrench control from the real user, or even spyware such as key loggers to steal information and identities.

Although exploit code is out and about, Microsoft said it had not yet seen any actual attack. "We will continue to actively monitor the situation and provide updated customer information and guidance as necessary," the advisory continued.

Microsoft said that patched systems were immune from the exploit, and outlined recommended steps for both individuals and enterprises: individuals should update both Windows and MSN Messenger, while enterprises should either uninstall MSN Messenger or block it.

"MSN Messenger is not intended for corporate environments," Microsoft said. "Instead, use Windows Messenger, which is included with Windows."

Another option is to download the beta of MSN Messenger 7, which is not susceptible to the exploit.

One stumbling block in eliminating this vulnerability is that users must update MSN Messenger manually, since it's not part of Windows per se (unlike Windows Messenger, the similar-but-not-identical IM client bundled with the OS).

"Although there is an automatic update notification system present in MSN Messenger, it can take a long time for it to actually inform the user about a newer version," wrote Kaspersky Labs in its alert on the issue.

Core Security Technologies, the Boston security firm that first found the flaw and reported it to Microsoft in August 2004, said that the MSN Messenger bug was extremely dangerous.

"Due to the particular characteristics of the MSN Messenger communications protocol, exploitation of the vulnerability is likely to pass unnoticed to network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls that do not implement decoding and normalization of the MSN Messenger protocol encapsulated within HTTP," the company said in its own advisory posted Tuesday.

Core also said that exploits could be crafted that would compromise unpatched machines "without crashing or disrupting the normal functioning of the MSN Messenger client application," making detection almost impossible by the end user.

"This vulnerability is serious," said Sophos' Cluley. "Everyone should ensure their systems are properly protected with the security patch at the earliest opportunity."
