Attackers have set their sights on two Microsoft flaws -- an unpatched DirectX Media vulnerability and the XML...
Core Services flaw the software maker patched last week in its MS07-042 security update.
Antivirus company Symantec has issued alerts for both exploits in emails to customers of its DeepSight threat management service. The security company said it had raised its ThreatCon to level 2 in response to the threats.
"The first instance of a malicious Web site exploiting the Microsoft DirectX Media SDK DXTLIPI.DLL ActiveX control buffer overflow vulnerability has been identified," Symantec said in one email alert. "A patch for this vulnerability is not available."
The exploit, cooked up by researcher Krystian Kloskowski, carries a payload designed to download and execute a malicious file on targeted machines running Microsoft DirectX Media SDK, a set of multimedia-related APIs for the Windows operating system. The DirectX Media SDK 'DXTLIPI.DLL' ActiveX control is prone to a buffer-overflow flaw because it fails to perform adequate boundary checks on user-supplied data, Symantec said.
"Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer)," the security vendor added. "Failed exploit attempts likely result in denial-of-service conditions." However, attackers must lure users to a malicious Web page to exploit the glitch.
The exploits of August
While there's no indication these exploits will lead to massive attacks, there does tend to be a history of trouble following Microsoft's August patch releases.
Last year, the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, issued a public advisory urging Windows users to install the MS06-040 security update as soon as possible because the Windows Server Services flaw addressed in the update was considered highly wormable. Within days of the patch release, attackers were targeting the flaw with malware in a bid to expand their IRC-controlled botnets.
Two years ago, security experts sounded the alarm following the Windows Plug and Play vulnerability, which Microsoft had patched in its MS05-039 security update. Attackers exploited the flaw a few days later with the Zotob worm.
Some have theorised that August tends to be a bad month because attackers like to strike when a lot of IT professionals are on summer vacation. Others believe it's because hackers like to use Microsoft's August flaws to try out attack methods they picked up at the Black Hat and Defcon conferences, which are held each year at the beginning of August.