Hackers Quickly Target Newly Disclosed Microsoft Flaw
TechWeb - InternetWeek.com ^ | February 10, 2005 | Gregg Keizer

Posted on 02/10/2005 7:31:00 PM PST by Eagle9

It didn't take hackers long to start banging hard on the vulnerabilities Microsoft disseminated Tuesday.

Just a day after the Redmond, Wash.-based developer rolled out a dozen advisories containing 16 vulnerabilities, 10 of them tagged as "Critical," exploit code has gone public for one, Microsoft said late Wednesday.

"Microsoft won't be happy that someone has posted information about how to take advantage of their critical security hole within 48 hours of their patch being released," said Graham Cluley, senior technology consultant for Sophos, in a statement.

"Many computer users are bound to have not yet defended themselves," he added.

Microsoft posted an online advisory to its Web site, confirming that exploit code exists. "Microsoft is aware of exploit code available on the Internet that targets an issue addressed this week by the update released with Microsoft Security Bulletin MS05-009," Microsoft said.

The bulletin in question patched two vulnerabilities, one in Windows Media Player, the other in MSN Messenger and Windows Messenger, Microsoft's instant messaging clients. All three applications can be attacked using malformed PNG image files.

According to other security firms' analyses, the exploit code -- dubbed Exploit-PNGfile by McAfee -- can instruct the infected machine to run any payload the hacker bundles with it. Possible payloads could include such typical malware as Trojans, backdoor components, or worms to wrench control from the real user, or even spyware such as key loggers to steal information and identities.

Although exploit code is out and about, Microsoft said it had not yet seen any actual attack. "We will continue to actively monitor the situation and provide updated customer information and guidance as necessary," the advisory continued.

Microsoft said that patched systems were immune from the exploit, and outlined recommended steps for individuals and enterprises: individuals should update both Windows and MSN Messenger, while enterprises should either uninstall MSN Messenger or block it.

"MSN Messenger is not intended for corporate environments," Microsoft said. "Instead, use Windows Messenger, which is included with Windows."

Another option is to download the beta of MSN Messenger 7, which is not susceptible to the exploit.

One stumbling block in eliminating this vulnerability is that users must update MSN Messenger manually, since it's not part of Windows per se (unlike Windows Messenger, the similar-but-not-identical IM client bundled with the OS).

"Although there is an automatic update notification system present in MSN Messenger, it can take a long time for it to actually inform the user about a newer version," wrote Kaspersky Labs in its alert on the issue.

Core Security Technologies, the Boston security firm which first found the flaw and reported it to Microsoft in August 2004, said that the MSN Messenger bug was extremely dangerous.

"Due to the particular characteristics of the MSN Messenger communications protocol, exploitation of the vulnerability is likely to pass unnoticed to network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls that do not implement decoding and normalization of the MSN Messenger protocol encapsulated within HTTP," the company said in its own advisory posted Tuesday.

Core also said that exploits could be crafted that would compromise unpatched machines "without crashing or disrupting the normal functioning of the MSN Messenger client application," making detection almost impossible by the end user.

"This vulnerability is serious," said Sophos' Cluley. "Everyone should ensure their systems are properly protected with the security patch at the earliest opportunity."


TOPICS: Technical
KEYWORDS: exploit; flaw; getamac; internetexploiter; lowqualitycrap; microsoft; securityflaw; vulnerable

1 posted on 02/10/2005 7:31:01 PM PST by Eagle9

To: ShadowAce

M$ Insecurity Ping!


2 posted on 02/10/2005 7:32:39 PM PST by KoRn

To: Eagle9

> ... attacked using malformed PNG image files.

Amazing. PNG is a recent enough graphics file format that
I would have expected even Microsoft to heavily bounds-
check any code that reads it. Guess not.

From another report: "Media Player doesn't properly
handle .png files with excessive width or height."

Pick up jaw. Sigh.


3 posted on 02/10/2005 7:41:41 PM PST by Boundless
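A defensive check of the kind the report quoted above says was missing, added here as an illustration (it is not Microsoft's code and not from the article): it parses a PNG signature and IHDR chunk, rejects excessive width or height before anything is allocated, and computes the image size in 64-bit arithmetic so the product cannot wrap. The caps PNG_MAX_DIM and PNG_MAX_IMAGE_BYTES, the helper make_ihdr and the naive 32-bit size function are this example's own assumptions; the chunk layout follows the PNG specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Policy caps chosen for this example (assumptions, not from the PNG spec). */
#define PNG_MAX_DIM         16384u
#define PNG_MAX_IMAGE_BYTES (256u * 1024u * 1024u)

static const uint8_t PNG_SIG[8]  = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
static const uint8_t IHDR_HDR[8] = {0, 0, 0, 13, 'I', 'H', 'D', 'R'};   /* length 13 + type */
static const int8_t  CHANNELS[7] = {1, -1, 3, 1, 2, -1, 4};   /* per PNG colour type, -1 invalid */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void be32_put(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* The defect class the thread describes: a 32-bit width*height*bytes product
 * wraps for huge dimensions, so a buffer sized from it is far too small. */
uint32_t naive_image_bytes32(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * bpp;                       /* 65536 * 65536 * 4 wraps to 0 */
}
/* Checks signature + IHDR (first 29 bytes; chunk CRC not verified). Returns 0 and the
 * exact decoded-image size in *out_bytes, or -1 if the header is malformed or oversize. */
int png_ihdr_check(const uint8_t *buf, size_t len, size_t *out_bytes) {
    if (len < 29 || memcmp(buf, PNG_SIG, 8) != 0) return -1;
    if (memcmp(buf + 8, IHDR_HDR, 8) != 0) return -1;
    uint32_t w = be32(buf + 16), h = be32(buf + 20);
    uint8_t depth = buf[24], ctype = buf[25];
    if (ctype > 6 || CHANNELS[ctype] < 0) return -1;
    if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16) return -1;
    /* Spec range is 1..2^31-1; the cap rejects "excessive width or height" outright. */
    if (w == 0 || h == 0 || w > PNG_MAX_DIM || h > PNG_MAX_DIM) return -1;
    /* Row bytes = ceil(w*channels*depth/8) + 1 filter byte, in 64-bit so it cannot wrap. */
    uint64_t row = ((uint64_t)w * (uint64_t)CHANNELS[ctype] * depth + 7) / 8 + 1;
    uint64_t total = row * h;
    if (total > PNG_MAX_IMAGE_BYTES) return -1;
    *out_bytes = (size_t)total;
    return 0;
}

/* Builds a constructed 29-byte signature+IHDR prefix as test input (no CRC). */
size_t make_ihdr(uint8_t out[29], uint32_t w, uint32_t h, uint8_t depth, uint8_t ctype) {
    memcpy(out, PNG_SIG, 8); memcpy(out + 8, IHDR_HDR, 8);
    be32_put(out + 16, w); be32_put(out + 20, h);
    out[24] = depth; out[25] = ctype; out[26] = out[27] = out[28] = 0;
    return 29;
}
```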

To: Eagle9

After I get my PowerBook, this PC is going to be used for games and pretty much nothing else.


4 posted on 02/10/2005 7:43:54 PM PST by Terpfen (New Democrat Party motto: les enfant terribles)

Comment #5 Removed by Moderator

To: Boundless
Microsoft still hasn't even implemented transparency in PNG. I sometimes wonder what Microsoft coders do all day. They must have =lots= of meetings at Microsoft.
6 posted on 02/10/2005 7:49:58 PM PST by zeugma (Come to the Dark Side...... We have cookies!)

To: zeugma
They must have =lots= of meetings at Microsoft.

At least one per security hole...(and that's a lot of meetings)

7 posted on 02/10/2005 8:15:39 PM PST by sourcery (This is your country. This is your country under socialism. Any questions? Just say no to Socialism!)

To: Boundless
Amazing. PNG is a recent enough graphics file format that I would have expected even Microsoft to heavily bounds-check any code that reads it

Not sure where you get this "recent enough" part. PNGs were available, royalty free, circa 1996. We used them in a MUD I was part of then.

8 posted on 02/10/2005 8:19:22 PM PST by Malsua

To: Boundless

What do you expect from the company that, after all the Y2K hype, puts out a Win2K OS that required manual tweaking to make it Y2K compliant? There seems to be madness in their methodology.


9 posted on 02/10/2005 8:25:37 PM PST by trebb ("I am the way... no one comes to the Father, but by me..." - Jesus in John 14:6 (RSV))

To: Malsua
They implemented the original basic PNG format, then, as usual with Microsoft, left it in that half-assed state rather than actually fully implementing the format. PNG supports transparency and animation similar to GIFs. From what I understand, Microsoft still doesn't support either.
10 posted on 02/10/2005 8:27:36 PM PST by zeugma (Come to the Dark Side...... We have cookies!)

To: William Creel

I am as quick to jump on MS as the next guy, but they do have patches out for this..


11 posted on 02/10/2005 8:28:31 PM PST by N3WBI3

To: Boundless

yeah, wonder if they don't bother to look at the return value of malloc because it would slow down their bloatware even more


12 posted on 02/10/2005 8:29:31 PM PST by The Red Zone

To: Eagle9

Simple solution. Update your computer.


13 posted on 02/10/2005 8:33:23 PM PST by Cicero (Marcus Tullius)

To: zeugma
PNG supports transparency and animation similar to GIFs. From what I understand,

Yes it does. The JPEG group was trying to extract royalties at the time. It's all so muddled right now, I can't comment accurately. PNGs are lossless. They are better than gifs.

14 posted on 02/10/2005 8:42:14 PM PST by Malsua

To: All

Non-Microsoft Browsers Have Spoofing Flaw

Bad News About Firefox Security

15 posted on 02/10/2005 8:43:25 PM PST by yellowhammer

To: Cicero
Simple solution. Update your computer.

Not as much fun as bitching, apparently.

16 posted on 02/10/2005 8:45:57 PM PST by eddie willers

To: Bush2000

Ping

17 posted on 02/10/2005 8:46:17 PM PST by yellowhammer

To: Eagle9

A month from now they will have the new fix ...


18 posted on 02/10/2005 8:48:46 PM PST by John Lenin

To: Malsua

>> PNG is a recent enough graphics file format ...

> Not sure where you get this "recent enough" part.
> PNGs were available, royalty free circa 1996.

Which is long after MS would have had corporate awareness
of buffer overflow exploits. They did, after all, include
anti-virus support in DOS 6.x years before that.

When did MS implement PNG support in Windows?


19 posted on 02/10/2005 9:09:43 PM PST by Boundless

To: yellowhammer
That's actually misleading. After reading more about that vulnerability, it is not a vulnerability in the browsers per se, it is a vulnerability in the IDN standard, or more precisely, in the introduction thereof to a public not accustomed to dealing with the possibility of non-ASCII characters in hostnames. The only reason IE is not vulnerable is because IE still doesn't support IDN/Punycode, even after it's been around for 3-1/2 years.
20 posted on 02/10/2005 9:15:46 PM PST by B Knotts
