Exploit code has been released for two of the security holes Microsoft addressed in its mammoth patch release Tuesday, according to several security organizations.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) noted on its Web site that the proof-of-concept code focuses on the following:
MS05-005, which fixes a buffer overrun in Microsoft Office XP software. According to the Common Vulnerabilities and Exposures Web site, an attacker could exploit the flaw to launch malicious code and take control of the affected system using "a link with a URL file location containing long inputs after (1) '%00' (null byte) in .doc filenames or (2) '%0a' (carriage return) in .rtf filenames."
MS05-009, which fixes a glitch in Media Player, Windows Messenger and MSN Messenger that an attacker could also use to take control of vulnerable machines.
Media Player doesn't properly handle .png files with excessive width or height. "An attacker could try to exploit the vulnerability by constructing a malicious .png that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message," Microsoft said. Windows Messenger and MSN Messenger also improperly handle corrupt or malformed .png files.
"Both of these are on the critical patch list, and we expect to see malware utilizing either of these attacks in the near future," the ISC said. "The portion of MS05-009 that relates to MSN Messenger, the… libpng vulnerability, is especially serious, as CORE Security has determined that this attack may be possible to execute in a completely undetected manner to the end user with little to no user interaction, depending on MSN client settings."
ISC noted the major antivirus vendors have signatures posted or nearly complete for both vulnerabilities.
"Since the fix is available, it is time to apply some patches right now," Finnish security firm F-Secure Corp. said in its daily Web log.
Cupertino, Calif.-based antivirus giant Symantec is calling the code targeting MS05-005 Bloodhound.Exploit.25. "[It] is a heuristic detection for the Microsoft Office XP HTML link processing remote buffer overflow vulnerability," the firm said in its advisory.
In both cases the exploit code isn't considered dangerous. But security experts said damaging attacks could quickly follow the proof-of-concept code, and urged users to patch their systems as soon as possible.
The 13th patch
Meanwhile, ISC pointed out that in Tuesday's ruckus, "many of us missed the fact that Microsoft quietly issued an update to the MS04-035 SMTP server DNS validation overflow issue from October, 2004. It appears that Exchange 2003 and the 'Exchange-Lite' SMTP Server bundled with Windows Server 2003 are also susceptible to this attack. Get'cher patch on."