Security bloggers remain fixated on the Windows ANI flaw, even though Microsoft patched it last week and released a new batch of fixes Tuesday for new Windows flaws one expert described as very wormable.
There are two reasons for this:
The ANI patch itself was flawed and the
digital underground continues to churn out a ton of exploits.
The flaws patched this week will no doubt be the target of new
exploits. But attacks against the ANI flaw have been ongoing,
keeping it high on everyone's radar screen.
The blogs of San Diego-based Websense Inc. and Santa Clara,
Calif.-based McAfee Inc. were still chock full of ANI attack
analysis this week.
The Websense Security blog declared that more than 2,000 unique Web sites are currently hosting exploit code or have been hijacked and turned into drones that direct browsers to machines hosting the malcode.
"There are two main attacks that comprise the majority of these
sites," Websense said. One set of attacks appears to have been
created by groups in the Asia-Pacific Region.
In these cases, Websense said, the bad guys have compromised
hundreds of machines and placed IFRAMEs back to the main servers
that host the exploit code. In most cases the payload and
motivation of these attacks is to gather credentials for online
games such as Lineage, a very popular online game in Asia.
"The second set of attacks started just a couple days ago [and]
appear to be from a group in Eastern Europe," the company
continued. "This group has been placing exploit code on sites for
many years now and has a very resilient infrastructure. They have
used WMF, VML, and several other exploits in their routines
previously. As of now they have also added the ANI attacks to their
arsenal."
In this case, attackers are more likely to install rootkits and
other crimeware in hopes of stealing personal information from the
user. In the past, Websense said, these attackers have installed
fake antispyware software on targeted machines.
McAfee has its own laundry list of ANI exploits in its
Avert Labs blog.
The company said it has been tracking a series of malformed
image files that prey on the ANI flaw. This includes ANI headers
that have been modified in a way that creates extra noise to throw
traditional content filtering and antivirus products off
course.
"All of these malformed image files are rendered by Internet
Explorer and can cause remote code execution or memory corruption
in unpatched Windows systems in our tests," McAfee said. "Many of
these exploits … created using freely-available toolkits … still go
undetected by a majority of antivirus products tested."
Just as ambiguity and variations in specifications and
implementation can lead to bugs and security issues, they can also
be exploited by malware authors to circumvent conventional
detection, McAfee said, adding, "This presents a new challenge to
security products that scan image files for malicious content using
basic methods that ignore the context of the threat."
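The McAfee point above is that a scanner which only checks the header at its expected position can be thrown off by extra chunks inserted into the file, while a scanner that walks the file's actual structure is not. The following is an added example, not code from the article or from McAfee or Websense, contrasting the two approaches on constructed ANI samples. It relies on the documented RIFF layout of an .ani file (a "RIFF" header with form type "ACON", followed by tagged chunks, each with a little-endian size and word padding) and on the fact that the anih header chunk is a fixed 36-byte structure; the function names, the sample files and the "JUNK" filler chunk are constructed here for illustration.

```python
import struct

# The ANI header chunk ("anih") is a fixed 36-byte structure (nine little-endian
# DWORDs); any other declared size is malformed. Stated as an assumption in the lead-in.
ANIH_SIZE = 36


def riff_chunk(tag: bytes, payload: bytes) -> bytes:
    """Build one RIFF chunk: 4-byte tag, little-endian size, payload, pad to even."""
    assert len(tag) == 4
    pad = b"\x00" if len(payload) % 2 else b""
    return tag + struct.pack("<I", len(payload)) + payload + pad


def ani_file(chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container of form type ACON (an .ani file)."""
    body = b"ACON" + chunks
    return b"RIFF" + struct.pack("<I", len(body)) + body


def walk_chunks(data: bytes, start: int, end: int, depth: int = 0):
    """Yield (tag, declared_size, offset, depth, state) for every chunk in
    data[start:end], descending into LIST chunks. state is "ok", or
    "truncated" when the declared size runs past the end of the buffer."""
    pos = start
    while pos + 8 <= end:
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        payload_end = payload_start + size
        if payload_end > end:
            yield (tag, size, pos, depth, "truncated")
            return
        yield (tag, size, pos, depth, "ok")
        if tag == b"LIST" and size >= 4:
            # A LIST carries a 4-byte list type followed by nested chunks.
            yield from walk_chunks(data, payload_start + 4, payload_end, depth + 1)
        pos = payload_end + (size & 1)  # chunks are word-aligned


def naive_scan(data: bytes) -> str:
    """A basic, context-free check: verify the RIFF/ACON magic and inspect only the
    anih chunk at its expected position (offset 12). Anything later is ignored."""
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return "not-ani"
    if data[12:16] == b"anih" and struct.unpack_from("<I", data, 16)[0] == ANIH_SIZE:
        return "clean"
    return "suspicious"


def structural_scan(data: bytes) -> list:
    """Structure-aware check: walk every chunk, including nested ones, and flag
    any anih chunk whose declared size is not 36 bytes, and any chunk whose
    declared size runs past the end of the file."""
    findings = []
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return [("header", 0, 0, "not a RIFF/ACON file")]
    for tag, size, off, _depth, state in walk_chunks(data, 12, len(data)):
        name = tag.decode("latin-1")
        if state == "truncated":
            findings.append((name, off, size, "declared size runs past end of file"))
        elif tag == b"anih" and size != ANIH_SIZE:
            findings.append((name, off, size, "anih size is not 36 bytes"))
    return findings


# Constructed samples (not real malware): a well-formed file, and one whose first
# anih is valid, followed by a filler chunk and a second, oversized anih.
BENIGN = ani_file(
    riff_chunk(b"anih", bytes(ANIH_SIZE))
    + riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", bytes(8)))
)
EVASIVE = ani_file(
    riff_chunk(b"anih", bytes(ANIH_SIZE))
    + riff_chunk(b"JUNK", b"noise" * 5)
    + riff_chunk(b"anih", bytes(100))
)
# A chunk declaring a size far beyond the file's end.
TRUNCATED = ani_file(b"anih" + struct.pack("<I", 0xFFFFFFF0) + bytes(4))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("evasive", EVASIVE), ("truncated", TRUNCATED)):
        print(label, naive_scan(sample), structural_scan(sample))
```

On the evasive sample the position-only check reports "clean", because the anih chunk it looks at is well-formed, while the chunk walker reaches the second anih at offset 90 and flags its 100-byte size. The walker also treats a declared size that overruns the file as a finding rather than reading past the buffer, which is the failure mode a naive parser shares with the vulnerable renderer.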
While some security organizations continue to fill their blogs
with new attack data, others are still wondering why it took so
long for Microsoft to patch a flaw it learned about in December.
Atlanta, Ga.-based Errata Security offered an opinion in its blog, tracing the slow patching process back to Microsoft's need to investigate problems in third-party programs. In this case, the software giant had a RealTek problem to investigate.
"This bug happened because of something wrong in RealTek's code,
not Microsoft's code," Errata said. "Few people realize this but
when Microsoft tests a patch prior to shipping, they also test
popular third-party applications. They find conflicts due to other
people's code. When they encounter such an issue, they change their
patch until the third-party bug no longer appears." In some cases,
Errata said, Microsoft changed the Windows specification just to
fix some weirdness in a popular application.
"Microsoft doesn't like to talk about this because they don't
want to insult other people, but this sort of thing happens a lot,"
the blog continued. "What appears to be Microsoft's fault is
actually Microsoft covering for other vendors."
One thing that would shift attention away from ANI would be a
new attack against one of the more recently-publicized flaws.
Eric Schultz, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., is convinced the flaws fixed Tuesday in Microsoft bulletins MS07-018 and MS07-019 have the makings of a major attack, and that they are the most wormable holes he has seen in some time.
"Both are server-side attacks that could be remotely exploited
over the Internet without the user doing anything," he said. "Every
XP box on the planet is vulnerable to the Plug and Play flaw.
Attackers will be very excited about these."
Here's hoping he's wrong.