More Windows Exploits Out; Hacker Wins $10K Challenge
Several security sources are reporting that "exploit code" -- instructions showing bad guys how to attack vulnerabilities -- has been posted online for several more security flaws for which Microsoft just issued patches.
As I mentioned in yesterday's patch roundup, exploits already are out for the Microsoft Word flaw and at least two of the eight vulnerabilities fixed in the Internet Explorer patch. But according to the SANS Internet Storm Center, working exploits also are known for the "critical" Windows Media Player flaw and for the "routing and remote access" vulnerability, which also earned a "critical" label from Microsoft.
The two exploits for the routing and remote access flaws were posted online today by this guy, who claims to have alerted Microsoft about the vulnerabilities and is a bit sore that Redmond declined to give him credit in their advisories.
There also are less-serious exploits released for two flaws that Microsoft assigned "important" ratings -- less serious because it may be harder to use them for taking over a targeted Windows machine.
Meanwhile, iDefense, a Verisign security company, says it has developed a reliable "proof of concept" exploit code for a security hole in the way Windows handles image files ending in ".ART," a file type most commonly used by Web sites and services from America Online. Not to take anything away from the guys at iDefense (they purchased this flaw from an anonymous security researcher through their controversial "Vulnerability Contributor Program"), but if they can devise a working exploit, so can the bad guys.
Speaking of iDefense (scoop alert!) ... remember back in February when I wrote about iDefense offering their "quarterly vulnerability challenge," a $10,000 purse to anyone who could come to them with a previously unknown "critical" flaw in Windows? Well, iDefense paid that prize to the anonymous hacker who reported the .ART flaw.
TippingPoint, which competes with iDefense with its own vulnerability-buying program called the Zero Day Initiative, is now offering up to $50,000 to researchers who can prove that they have found an unpatched "critical" flaw in popular software applications. Taken together, software flaws identified or purchased by TippingPoint and iDefense made up 6 of the 21 flaws Microsoft patched this week. It kind of makes you wonder what the criminal underground and certain governments (ours not excluded) may be willing to pay for this same information.
At any rate, there are likely to be more exploits out for additional Windows flaws in the coming days. If you use Windows and were thinking about putting off installing the latest updates, think again. Take care of it now and pay a visit to Microsoft Update.
One or two final notes: In looking over the media coverage of this month's patches, I couldn't help but notice that nearly every news outlet completely bought Microsoft's spin, saying the company's 12 patches fixed just eight critical flaws. Actually, Microsoft's 12 patches fixed a total of 21 flaws, 12 of which were critical; some of those updates included fixes for multiple vulnerabilities, including one that fixed four critical flaws and eight flaws altogether.
Microsoft says it groups certain security fixes together in a single patch if they all relate to the same class of flaws or application. But you can hardly blame Redmond for wanting to disguise the number of fixes in this update. This was the largest bundle of critical updates Microsoft has ever released at a single time. I had to go back over several years' worth of my coverage of these patches to find that the company came close in October 2004 when it patched 21 flaws, but in that case, there were only seven critical flaws.