Three Exploits Out for New Microsoft Security Holes
If you were entertaining the idea of holding off downloading and installing the batch of security patches Microsoft made available yesterday for Windows users, think again. Less than 24 hours after the patches were released, security researchers published instructions that show would-be attackers just how to exploit at least two of the flaws to break into vulnerable PCs.
The instructions, known in computer security circles as "proof of concept" code, usually are crude but effective computer programs that by design point to the exact location of the security hole that the patch is designed to fix. People responsible for defending computer networks can use the blueprints to determine where they are vulnerable. Network security specialists also can incorporate snippets of the attack instructions into their digital defenses so that any hostile Internet traffic bearing those code snippets gets rejected, much like the human body's immune system rejects disease-causing pathogens after being immunized against a variety of illnesses.
Trouble is, the bad guys also can use those instructions to build attack tools of their own. And if history is any teacher, they will do just that -- and soon. One exploit published yesterday by the French Security Incident Response Team targets one of three flaws in the Internet Explorer Web browser that Microsoft detailed yesterday. If successfully exploited, the flaw could allow hackers to take complete control over a victim's computer.
The other proof of concept example deals with a security flaw found mainly in business systems. Dave Aitel of Immunity Inc. published exploit code this morning for a flaw Microsoft detailed in a patch release yesterday. It's not at all clear just how many types of commercial software products this security hole affects, but Microsoft says hackers can use the weakness to gain total control over vulnerable machines.
Finally, Danish security company Secunia published news of a "critical" flaw in Microsoft's "Jet Database Engine." Never mind what Jet does, just know that Secunia says the flaw could be exploited by a maliciously crafted Microsoft Access file. Here's the rub: Secunia says this flaw could let attackers take complete control over affected computers. Microsoft only heard about this problem yesterday and has not released a patch for it yet.
The exploit highlighted by Secunia today is what's known as a "zero day exploit," and it's the kind of thing that keeps security experts up late at night. Zero day refers to the fact that the precise methods and tools for exploiting a security flaw are released to the public before a patch is issued to fix the vulnerability. The problem is that companies generally take several weeks to roll out patches to their desktop computers and servers because they must first test them to ensure they don't interfere with or break other (often custom-made) software already running on top of the Windows operating system.
The bottom line for home users -- keep your Windows software updated. Here's the page on Microsoft's site where you can learn how to do that automatically.
April 13, 2005; 4:22 PM ET
Categories: Latest Warnings