Users should stay away from untrusted Web sites and e-mails from unfamiliar sources to avoid becoming victims of an attack aided by three serious security holes in Windows, security firms warned over the weekend.
An attacker could exploit the unpatched vulnerabilities to cause a denial of service and launch spyware or other malicious code, according to Symantec Security Response and Danish security firm Secunia, which called the problems "highly critical."
"We believe these threats to be serious, especially given the time of year that they have been discovered," Alfred Huger, senior director of Symantec Security Response, said in a statement. "Many consumers are shopping online and many businesses are short-staffed, making these threats more worrisome. Two out of these three vulnerabilities could potentially be used to install malicious code such as spyware on an unsuspecting victim's computer, and take complete control of their computer."
The security holes were initially reported by Chinese security forum
The first problem is a remotely exploitable vulnerability, confirmed in the LoadImage API function that many Web browsers and e-mail clients use to load image data. "This issue can be exploited by simply visiting a malicious Web site or opening an HTML e-mail containing a malicious image," Symantec said. "No interaction is required once an image has been viewed."
The second vulnerability is in the winhlp32.exe application used to interpret Windows help files (.hlp). "These vulnerabilities exist as a result of decoding errors that manifest themselves in the parsing of a malicious help file," Symantec said. "These decoding errors are exploitable to cause a heap-based buffer overflow. Malicious help files, encountered either through e-mail or via a malicious Web site, may be used to exploit this vulnerability."
A third vulnerability is in the Windows kernel: a malicious ANI (animated cursor) file can cause a denial of service when it is encountered. "Exploitation of this vulnerability, either via e-mail or a malicious Web site, will result in a crash and subsequent restart of any vulnerable system," Symantec said. "This vulnerability requires no interaction other than viewing a malicious Web site or e-mail in order to succeed."
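The first two flaws share a root cause that Symantec's signature name spells out for LoadImage: an integer overflow in a size computation that feeds a heap allocation. The example below is added here to illustrate that bug class in general and is not Microsoft's LoadImage or winhlp32 code; it uses a hypothetical 12-byte image header (width, height, bits per pixel, little-endian), a constructed sample blob, and an assumed 256 MiB policy cap. It shows the 32-bit size calculation that wraps for attacker-chosen dimensions beside a checked version that widens the arithmetic, validates the fields and refuses to allocate or copy unless the payload length matches the validated size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy cap on a decoded pixel buffer (an assumption made for this example). */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)
#define HEADER_LEN 12

/* Hypothetical image header: three little-endian 32-bit fields (not a real format). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;
} image_header_t;

/* The bug class: width * height * bytes-per-pixel evaluated in 32 bits.
 * For large, untrusted dimensions the product wraps, a tiny buffer is
 * allocated, and a decoder that trusts the header then writes real pixel
 * data past the end of the heap block. Unsigned wrap is well defined in C,
 * so nothing warns at run time. */
static uint32_t unsafe_pixel_bytes(const image_header_t *h)
{
    return h->width * h->height * (h->bits_per_pixel / 8);  /* may wrap */
}

/* Hardened version: reject zero or unsupported fields, widen to 64 bits,
 * bound the row size so the second multiplication cannot wrap either, and
 * apply the policy cap before any allocation. Returns 0 when rejected. */
static size_t checked_pixel_bytes(const image_header_t *h)
{
    if (h->width == 0 || h->height == 0) return 0;
    if (h->bits_per_pixel != 8 && h->bits_per_pixel != 24 && h->bits_per_pixel != 32) return 0;
    uint64_t bpp = h->bits_per_pixel / 8;
    uint64_t row = (uint64_t)h->width * bpp;        /* < 2^32 * 4, fits in 64 bits */
    if (row > UINT32_MAX) return 0;                 /* keeps row * height below 2^64 */
    uint64_t total = row * (uint64_t)h->height;     /* both factors < 2^32: no wrap */
    if (total > MAX_IMAGE_BYTES) return 0;
    return (size_t)total;
}

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a blob (header followed by pixel data) into a fresh heap buffer.
 * Returns NULL unless the header passes checked_pixel_bytes() and the payload
 * length matches it exactly; on success *out_len receives the pixel byte count.
 * The caller frees the buffer. */
static unsigned char *load_image_checked(const unsigned char *blob, size_t blob_len, size_t *out_len)
{
    if (blob_len < HEADER_LEN) return NULL;
    image_header_t h = { read_le32(blob), read_le32(blob + 4), read_le32(blob + 8) };
    size_t need = checked_pixel_bytes(&h);
    if (need == 0 || blob_len - HEADER_LEN != need) return NULL;
    unsigned char *pixels = malloc(need);
    if (pixels == NULL) return NULL;
    memcpy(pixels, blob + HEADER_LEN, need);        /* bounded by the validated size */
    *out_len = need;
    return pixels;
}

/* Constructed sample inputs for this example. */
static const unsigned char GOOD_BLOB[] = {
    2,0,0,0,  2,0,0,0,  8,0,0,0,                    /* 2 x 2 pixels, 8 bpp */
    0xAA,0xBB,0xCC,0xDD };
/* 0x40000001 x 4 at 8 bpp: the 32-bit product wraps to exactly 4 bytes, so a
 * decoder using unsafe_pixel_bytes() would accept this 4-byte payload. */
static const unsigned char WRAP_BLOB[] = {
    0x01,0x00,0x00,0x40,  4,0,0,0,  8,0,0,0,
    0xAA,0xBB,0xCC,0xDD };

int main(void)
{
    image_header_t wrap = { 0x40000001u, 4, 8 };
    printf("unsafe size:  %u bytes (wrapped)\n", unsafe_pixel_bytes(&wrap));
    printf("checked size: %zu (0 = rejected)\n", checked_pixel_bytes(&wrap));
    size_t n = 0;
    unsigned char *px = load_image_checked(GOOD_BLOB, sizeof GOOD_BLOB, &n);
    printf("good blob: %s, %zu pixel bytes\n", px ? "accepted" : "rejected", n);
    free(px);
    printf("wrap blob: %s\n", load_image_checked(WRAP_BLOB, sizeof WRAP_BLOB, &n) ? "accepted" : "rejected");
    return 0;
}
```

The important design choice is that the size check and the copy length come from the same validated number, and the validation happens before `malloc`; an allocation that succeeds with a wrapped size is precisely what turns a parsing error into a heap-based buffer overflow.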
At the time of writing, Microsoft had not responded to a request for comment.
Until the issues are patched, any interaction with Internet-based content using any software package for the Microsoft Windows platform may result in a compromise, Symantec said.
"Symantec recommends its customers update their virus definitions with the latest updates, which include the Bloodhound.Exploit.19 signature," the firm said in its statement. "This signature will prevent instances of exploitation of the Microsoft Windows LoadImage API Function Integer Overflow. Additionally, Symantec recommends the following action be taken until patches are available: Block e-mail attachments with the .hlp extension; do not visit untrusted Web sites or open e-mail messages from unknown sources [and] read e-mail messages in plain text format only."