[ISN] Hackers Quickly Target Newly Disclosed Microsoft Flaw

InfoSec News isn at c4i.org
Fri Feb 11 03:39:36 EST 2005


By Gregg Keizer
TechWeb News
Feb. 10, 2005

It didn't take hackers long to start banging hard on the
vulnerabilities Microsoft disseminated Tuesday.

Just a day after the Redmond, Wash.-based developer rolled out a dozen
advisories containing 16 vulnerabilities, 10 of them tagged as
"Critical," exploit code has gone public for one, Microsoft said late

"Microsoft won't be happy that someone has posted information about
how to take advantage of their critical security hole within 48 hours
of their patch being released," said Graham Cluley, senior technology
consultant for Sophos, in a statement.

"Many computer users are bound to have not yet defended themselves,"
he added.

Microsoft posted an online advisory to its Web site, confirming that
exploit code exists. "Microsoft is aware of exploit code available on
the Internet that targets an issue addressed this week by the update
released with Microsoft Security Bulletin MS05-009," Microsoft said.

The bulletin in question patched two vulnerabilities, one in Windows
Media Player, the other in MSN Messenger and Windows Messenger,
Microsoft's instant messaging clients. All three applications can be
attacked using malformed PNG image files.

According to other security firms' analyses, the exploit code --
dubbed Exploit-PNGfile by McAfee -- can instruct the infected machine
to run any payload the hacker bundles with it. Possible payloads could
include such typical malware as Trojans, backdoor components, or worms
to wrench control from the real user, or even spyware such as key
loggers to steal information and identities.

Although exploit code is out and about, Microsoft said it had not yet
seen any actual attack. "We will continue to actively monitor the
situation and provide updated customer information and guidance as
necessary," the advisory continued.

Microsoft said that patched systems were immune to the exploit, and
outlined recommended steps for both individuals and enterprises: for
individuals, updating both Windows and MSN Messenger; for enterprises,
either uninstalling MSN Messenger or blocking it.

"MSN Messenger is not intended for corporate environments," Microsoft
said. "Instead, use Windows Messenger, which is included with

Another option is to download the beta of MSN Messenger 7, which is
not susceptible to the exploit.

One stumbling block in eliminating this vulnerability is that users
must update MSN Messenger manually, since it's not part of Windows per
se (unlike Windows Messenger, the similar-but-not-identical IM client
bundled with the OS).

"Although there is an automatic update notification system present in
MSN Messenger, it can take a long time for it to actually inform the
user about a newer version," wrote Kaspersky Labs in its alert on the

Core Security Technologies, the Boston security firm which first found
the flaw and reported it to Microsoft in August 2004, said that the
MSN Messenger bug was extremely dangerous.

"Due to the particular characteristics of the MSN Messenger
communications protocol, exploitation of the vulnerability is likely
to pass unnoticed to network Intrusion Detection Systems (IDS),
Intrusion Prevention Systems (IPS), and firewalls that do not
implement decoding and normalization of the MSN Messenger protocol
encapsulated within HTTP," the company said in its own advisory posted

Core also said that exploits could be crafted that would compromise
unpatched machines "without crashing or disrupting the normal
functioning of the MSN Messenger client application," making detection
by the end user almost impossible.

"This vulnerability is serious," said Sophos' Cluley. "Everyone should
ensure their systems are properly protected with the security patch at
the earliest opportunity."
