Exploits Out For 7 Of 21 Bugs Microsoft Patched This Week

Hackers often reverse-engineer patch code to figure out exactly where the bug is so that they can crank out a worm or Trojan.
"Since this issue is related to Web script and doesn't rely on any special low-level details of the targeted service, an attacker could trivially develop a reliable and effective exploit," Symantec told customers of its DeepSight Threat Management System Wednesday.

An attack, Symantec hypothesized, could involve an attacker spoofing what seems to be a legitimate message to an OWA user, adding a script payload that steals cookie information about the Web session (thus hijacking the session), and so walking off with any information within the compromised mailbox.
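As an added illustration (not from the article or from Symantec), the two server-side controls that break the chain just described, escaping message bodies before rendering and marking the session cookie HttpOnly, alongside a small audit check a defender can run over Set-Cookie headers; the function names and the sample message are constructed assumptions:

```python
"""Added illustration (not from the article): defensive controls that break the
OWA-style chain above, i.e. a script payload in a mail message reading the
webmail session cookie. Function names and sample data are assumptions."""
import html
import re

# Constructed sample: a message body carrying a harmless inline script tag.
SAMPLE_BODY = "Quarterly numbers attached <script>/* constructed */</script>"


def render_message_body_unsafe(body: str) -> str:
    """'Before' rendering: message text is inlined into the page unescaped,
    so any <script> element in the message runs in the webmail origin."""
    return f"<div class='msg'>{body}</div>"


def render_message_body(body: str) -> str:
    """Hardened rendering: escape every HTML metacharacter so the message is
    displayed as text and the browser never sees a script element."""
    return f"<div class='msg'>{html.escape(body, quote=True)}</div>"


def session_cookie_header(token: str) -> str:
    """Hardened Set-Cookie: HttpOnly keeps document.cookie from exposing the
    session token even if a script does run; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: sessionid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


_FLAG_RE = re.compile(r";\s*([A-Za-z]+)")


def cookie_flags(set_cookie: str) -> set:
    """Return the lower-cased attribute names present on a Set-Cookie line."""
    value = set_cookie.split(":", 1)[1] if set_cookie.lower().startswith("set-cookie:") else set_cookie
    return {m.group(1).lower() for m in _FLAG_RE.finditer(value)}


def audit_session_cookie(set_cookie: str) -> list:
    """Defender check: list the hardening attributes a session cookie lacks."""
    flags = cookie_flags(set_cookie)
    return [f for f in ("httponly", "secure") if f not in flags]


def contains_script(rendered_html: str) -> bool:
    """Detection helper: does the rendered page still contain a live script tag?"""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(contains_script(render_message_body_unsafe(SAMPLE_BODY)))   # True
    print(contains_script(render_message_body(SAMPLE_BODY)))          # False
    print(audit_session_cookie("Set-Cookie: sessionid=abc; Path=/"))  # ['httponly', 'secure']
```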

But the OWA bug wasn't the only one worth worrying about.

VeriSign iDefense also noted that almost 20 percent (4 out of 21) of the patches fixed bugs that had previously been disclosed in public forums. Two of the four went public in May and one in April, but the fourth harks back to December 2005.

Known flaws that haven't been patched are often called "zero-day" vulnerabilities.

"Zero-day vulnerabilities are a fast-growing trend," said Chris Andrew, vice president of security technologies at patch and vulnerability management maker PatchLink. "They've really boomed since the beginning of the year.

"But Microsoft is taking the same amount of time this year as last year in its patch cycle, so the thing that's shrinking is the time between a vulnerability going public and an exploit appearing.

"That's just a fact of life that we all have to get used to," Andrew added.
