Attackers have set their sights on two Microsoft flaws -- an unpatched DirectX Media vulnerability and the XML Core Services flaw the software maker patched last week in its MS07-042 security update.
Antivirus company Symantec has issued alerts for both exploits in emails to customers of its DeepSight threat management service. The security company said it had raised its ThreatCon to level 2 in response to the threats.
"The first instance of a malicious Web site exploiting the
Microsoft DirectX Media SDK DXTLIPI.DLL ActiveX control buffer
overflow vulnerability has been identified," Symantec said in one
email alert. "A patch for this vulnerability is not available."
The exploit, cooked up by researcher Krystian Kloskowski,
carries a payload designed to download and execute a malicious file
on targeted machines running Microsoft DirectX Media SDK, a set of
multimedia-related APIs for the Windows operating system. The
DirectX Media SDK 'DXTLIPI.DLL' ActiveX control is prone to a
buffer-overflow flaw because it fails to perform adequate boundary
checks on user-supplied data, Symantec said.
"Successfully exploiting this issue allows remote attackers to
execute arbitrary code in the context of the application using the
ActiveX control (typically Internet Explorer)," the security vendor
added. "Failed exploit attempts likely result in denial-of-service
conditions." However, attackers must lure users to a malicious Web
page to exploit the glitch.
Meanwhile, Symantec warned, Alla Bezroutchko, a senior security
engineer at Brussels-based Scanit NV/SA, has mapped out JavaScript
code that can crash Internet Explorer 6.0 on computers running
Windows 2000 and XP Service Pack 2 by exploiting the XML Core
Services flaw Microsoft patched in
MS07-042. Microsoft said attackers could
exploit the flaw by luring Internet Explorer users to a
specially crafted Web page. The flaw affects all supported
editions of Windows 2000, Windows XP, Windows Vista, Microsoft
Office 2003, and the 2007 Microsoft Office System.
The exploits of August
While there's no indication these exploits will lead to massive
attacks, there does tend to be a
history of trouble following Microsoft's August
patch releases.
Last year, the U.S. Department of Homeland Security, which
rarely joins the post-Patch Tuesday stampede of warnings, issued a
public advisory urging Windows users to install the
MS06-040 security update as soon as possible
because the Windows Server Services flaw addressed in the update
was considered highly wormable. Within days of the patch
release, attackers were targeting the flaw with malware in a bid
to expand their IRC-controlled botnets.
Two years ago, security experts sounded the alarm following the
Windows Plug and Play vulnerability, which Microsoft had patched in
its
MS05-039 security update. Attackers
exploited the flaw a few days later with the
Zotob worm.
And in July 2003, Microsoft released
MS03-026 to patch the RPC-DCOM flaw. By
early August, the
Blaster worm was using the flaw to tear up
cyberspace.
Some have theorised that August tends to be a bad month because
attackers like to strike when a lot of IT professionals are on
summer vacation. Others believe it's because hackers like to use
Microsoft's August flaws to
try out attack methods they picked up at the
Black Hat and Defcon conferences, which are held each year
at the beginning of August.