http://www.computer
world.com/action/article.do?command=viewArticleBasic&art
icleId=9001182
By Jaikrishna Vijayan
Computerworld
June 14, 2006
Security firms are warning about the availability of attack
code
targeting some of the flaws for which Microsoft Corp.
released patches
yesterday (see "Microsoft releases fixes for 21
vulnerabilities" [1]).
Most of the exploits target flaws that were previously known
but for
which patches became available only as part of Microsoft's
June
monthly security update. But at least two publicly available
exploits
are directed at newly disclosed flaws in the company's
products.
"Exploit code had already existed for three of the
vulnerabilities
prior to yesterday, as they were already public
issues," said Michael
Sutton, director of VeriSign Inc.'s iDefense Labs.
"Beyond that, we're
seeing public exploit code emerge for some of the new
vulnerabilities
and are hearing rumors of private code existing for
others."
The availability of such exploits heightens the risk for
companies
that have not yet been able to patch their systems and are
important
factors to consider when deciding which systems to patch
first, he
said.
"We believe that it is far more beneficial to withhold
proof-of-concept code for an amount of time so that
customers can get
the vulnerabilities patched," said Stephen Toulouse,
security program
manager at Microsoft's security response center. "The
public
broadcasting of code so quickly after a bulletin release, we
believe,
tends to help attackers."
Microsoft is telling its cusomers to pay special attention
to three
key updates -- MS06-021, MS06-022 and MS06-023 -- because
they could
be particularly easy to exploit using Internet Explorer.
"There are
methods by which if you just browse to a Web site, there
could be code
execution," Toulouse said.
According to iDefense, some form of exploit code is publicly
available
against the cross-domain information disclosure
vulnerability
described in bulletins MS06-021, the address bar spoofing
flaw in
MS06-021 and the Word malformed object pointer vulnerability
described
in MS06-027.
All three were previously known flaws and were given a
severity rating
of "critical" by Microsoft.
In addition, exploits have also become publicly available
for both of
the newly disclosed server message block vulnerabilities in
MS06-030,
according to iDefense.
The SANS Internet Storm Center this morning posted a note
also listing
exploits released by penetration-testing vendors to
customers. One of
the exploits was directed against the Windows Media Player
flaw in
MS06-024, while the other was targeted at the routing and
remote-access vulnerability in MS06-025.
Denial-of-service attack codes are also privately available
for a
TCP/IP flaw in MS06-032, according to SANS.
Outside of the Word malware, which began circulating last
month,
Microsoft has not yet seen any of these exploits used by
attackers,
Toulouse said.
The availability of exploit code once again shows that there
is no
longer any "patching window" for companies, said
Johannes Ullrich,
chief research officer at the Internet Storm Center.
"Companies don't have the luxury of sitting back and
waiting," Ullrich
said. "They have to expect that public exploits will
become available
the day after vulnerabilities are disclosed, and they have
to expedite
the patching process," despite the challenges
involved, he said.
Robert McMillan of the IDG News service contributed to this
report.
[1] http://www.computer
world.com/action/article.do?command=viewArticleBasic&art
icleId=9001163
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
|