A Trojan horse program is targeting one of the security holes recently found in Windows. It doesn't look serious, but experts worry bigger exploits could be around the corner.
Meanwhile, Microsoft confirmed it's investigating the reported vulnerabilities and blasted Chinese security forum Xfocus
"Microsoft is disappointed that Xfocus took actions that could put computer users at risk by not following the commonly accepted industry practice of privately reporting security vulnerabilities to software vendors," a spokeswoman for the software giant said in an e-mail. "This practice, known as responsible disclosure, allows vendors to review the reports for accuracy and to determine the best response for customers."
She said Microsoft is "actively investigating Xfocus' new public reports… to determine the appropriate guidance, and if necessary develop a security update, to protect customers from malicious attackers who may seek to use the proof-of-concept code provided by the organization to harm computer users."
To date, she added, Microsoft is not aware of any active malicious attacks attempting to exploit the reported vulnerabilities and that there's no immediate customer impact based on the issues. "However, upon completion of its investigation, Microsoft will take the appropriate actions to protect customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
While Microsoft has heard of no exploits, antivirus firms like Symantec and F-Secure Corp. said they have. Cupertino, Calif.-based Symantec said Trojan.Phel-A is distributed as an HTML file and attempts to exploit the HTML help control local zone security restriction bypass vulnerability in Internet Explorer. "Trojan.Phel-A attempts to infect computers running Microsoft Windows XP with Service Pack 2," the firm said in its advisory.
Security holes summarized
The first problem identified last week is a remotely exploitable vulnerability confirmed in the LoadImage API instruction used by many Web browsers and e-mail clients. "This issue can be exploited by simply visiting a malicious Web site or opening an HTML e-mail containing a malicious image," Symantec said in an earlier statement. "No interaction is required once an image has been viewed."
The second vulnerability is in the winhlp32.exe application used to interpret Windows help files (.hlp). "These vulnerabilities exist as a result of decoding errors that manifest themselves in the parsing of a malicious help file," Symantec said. "These decoding errors are exploitable to cause a heap-based buffer overflow. Malicious help files, encountered either through e-mail, or via a malicious Web site may be used to exploit this vulnerability."
A third vulnerability is in the Windows kernel. A denial of service can result when a malicious .ani file is encountered. "Exploitation of this vulnerability, either via e-mail or a malicious Web site, will result in a crash and subsequent restart of any vulnerable system," Symantec said. "This vulnerability requires no interaction other than viewing a malicious Web site or e-mail in order to succeed."
A fourth problem is newer. The HTML help control exploit hat uses a number of different vulnerabilities to bypass Internet Explorer's local zone protections in order to run scripts on the host. This is the one exploited by Trojan.Phel-A.
"We're a bit worried about the four new Windows vulnerabilities that were found during [the] Christmas holidays… especially since there are no current patches against them. Windows XP SP2 is immune to some but not all of them," Mikko Hypponen, director of AV research for F-Secure, said in the blog he keeps on the firm's Web site. "These vulnerabilities could be used in future viruses -- for example in mass mailers. At least this last exploit has already been used for dropping Trojans."
"While waiting for a patch, we recommend upgrading to Windows XP SP2 and using a browser no one else is using," he added.