 |
 Lingering security woes plague top browser
July 16, 2004
The bad news just keeps coming from Microsoft -- this week alone the company released a patch for seven new security vulnerabilities, three of them affecting the company's Internet Explorer browser and described as "critical" flaws by Microsoft. The latest flaws add to the many security woes Microsoft and its customers have been experiencing. Microsoft has promised its commitment to a stronger focus on security.
Of the new vulnerabilities, Windows Shell (MS04-024)--has been picked out by security experts as a potential target for future worms and viruses. Ben Nagy, senior security engineer at security researcher firm eEye, said he expects the Windows Shell bug to be the most serious threat--despite Microsoft rating the problem as 'important' rather than 'critical'. According to Microsoft, if a user is vulnerable to MS04-024 and has administrator privileges, an attacker could "take complete control of the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
Richard Starnes, president of security industry group ISSA UK, said that malware writers usually reverse-engineer Microsoft's patches in order to produce exploits. Based on his own experience of previous threats, he expects the first batch of new exploit codes to be available as early as next week. These would probably be used to create a worm delivered as an email attachment.
"Given the trend, it will probably take between five and seven days for exploits to start appearing--depending on their complexity. Because it has to be locally executed, it is likely to be another LoveBug scenario," Starnes said.
EEye's Nagy agrees that to exploit the vulnerability, a virus will most likely be distributed as an e-mail attachment, but the vulnerability could also be 'blended' with another attack. "I don't think either vulnerability could create a Sasser or MSBlast type-worm, but we are seeing many blended threats, so it could be used in combination with other exploits," said Nagy.
The second critical problem involves vulnerability in the "Task Scheduler" stemming from an unchecked buffer, which is a program in memory that accepts data from external sources. An unchecked buffer is one that does not include commands to ensure that the data is valid. Two of these problems announced Tuesday rated highest on Microsoft's severity scale.
The company defines its "critical" rating as: "vulnerabilities whose exploitation could allow the propagation of an Internet worm without user action." Microsoft said that if a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs, deleting data or creating new accounts with full privileges. Microsoft added that users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
According to Symantec, in a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page used to exploit this vulnerability. An attacker also would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. "These newly announced vulnerabilities may be exploited remotely, which could allow denial-of-service attacks, and could result in the loss of confidential data," Symantec said in a statement. "Symantec strongly advises users to apply security patches for these vulnerabilities immediately."
Microsoft said critical update concerns vulnerabilities related to "HTML Help" and "showHelp." If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, the company said.
|
|
