Attackers target two Microsoft security flaws

News

Attackers target two Microsoft security flaws

Bill Brenner, Senior News Writer

Attackers have set their sights on two Microsoft flaws -- an unpatched DirectX Media vulnerability and the XML Core Services flaw the software maker patched last week in its MS07-042 security update.

Antivirus company Symantec has issued alerts for both exploits in emails to customers of its DeepSight threat management service. The security company said it had raised its ThreatCon to level 2 in response to the threats.

"The first instance of a malicious Web site exploiting the Microsoft DirectX Media SDK DXTLIPI.DLL ActiveX control buffer overflow vulnerability has been identified," Symantec said in one email alert. "A patch for this vulnerability is not available."

The exploit, cooked up by researcher Krystian Kloskowski, carries a payload designed to download and execute a malicious file on targeted machines running Microsoft DirectX Media SDK, a set of multimedia-related APIs for the Windows operating system. The DirectX Media SDK 'DXTLIPI.DLL' ActiveX control is prone to a buffer-overflow flaw because it fails to perform adequate boundary checks on user-supplied data, Symantec said.

"Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer)," the security vendor added. "Failed exploit attempts likely result in denial-of-service conditions." However, attackers must lure users to a malicious Web page to exploit the glitch.

Meanwhile, Symantec warned, Alla Bezroutchko, a senior security engineer at Brussels-based Scanit NV/SA, has mapped out JavaScript code that can crash Internet Explorer 6.0 on computers running Windows 2000 and XP Service Pack 2 by exploiting the XML Core Services flaw Microsoft patched in MS07-042. Microsoft said attackers could exploit the flaw by luring Internet Explorer users to a specially crafted Web page. The flaw affects all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2003, and the 2007 Microsoft Office System.

The exploits of August
While there's no indication these exploits will lead to massive attacks, there does tend to be a history of trouble following Microsoft's August patch releases.

The first instance of a malicious Web site exploiting the Microsoft DirectX Media SDK DXTLIPI.DLL ActiveX control buffer overflow vulnerability has been identified.
Symantec Security Response,

Last year, the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, issued a public advisory urging Windows users to install the MS06-040 security update as soon as possible because the Windows Server Services flaw addressed in the update was considered highly wormable. Within days of the patch release, attackers were targeting the flaw with malware in a bid to expand their IRC-controlled botnets.

Two years ago, security experts sounded the alarm following the Windows Plug and Play vulnerability, which Microsoft had patched in its MS05-039 security update. Attackers exploited the flaw a few days later with the Zotob worm.

And in July 2003, Microsoft released MS03-026 to patch the RPC-DCOM flaw. By early August, the Blaster worm was using the flaw to tear up cyberspace.

Some have theorised that August tends to be a bad month because attackers like to strike when a lot of IT professionals are on summer vacation. Others believe it's because hackers like to use Microsoft's August flaws to try out attack methods they picked up at the Black Hat and Defcon conferences, which are held each year at the beginning of August.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy