As expected, exploits are now circulating that attack flaws made public by Microsoft on Patch Tuesday.
Several security vendors and research websites have posted information warning of various exploits, including the French Security Incident Response Team (FrSIRT). FrSIRT has ranked the risks critical.
Microsoft sent out seven security bulletins this month, two ranked critical, the most severe rating.
Of the two critical flaws, attack code is now circulating for one: MS06-005. The flaw is in the way Windows Media Player deconstructs bitmap (.bmp) files. The bulletin said hackers could construct a bad file that leads to remote code execution if a user visits a malicious Web site or views a malicious e-mail message. The alert also notes that significant user interaction is required to exploit this vulnerability.
Alain Sergile, of Internet Security Systems Inc.'s X-Force team in Atlanta, disagreed. "Our researchers looked at some proof-of-concept code and we think it's very easy to exploit," he said.
Sergile predicted exploits would be out very soon because Media Player, which is Microsoft's streaming audio and video tool, would be an attractive target. The program is one of the most widely used and is loaded by default on most Windows OS versions, such as XP.
Attack code for a second WMP flaw has also been published. The problem is addressed in MS06-006, and was ranked only as important by Microsoft when the patch was issued on Tuesday. However, FrSIRT has ranked the risk critical and said a bug in the WMP plug-in could be used to execute arbitrary commands.
Mikko Hypponen, an antivirus research director with the Finnish security firm F-Secure Corp., was not as concerned about the WMP problems. Instead, he turned his attention to this month's other critical flaw, MS06-004.
"MS06-004 is nasty," Hypponen said. "This one allows code execution when a corrupted WMF file is viewed with unpatched IE."
So far, no exploit for this vulnerability has been reported.
Microsoft has become familiar with graphics-rendering bugs recently. Last month, attackers began exploiting another flaw in WMF. Microsoft was forced to push out a patch early due to the severity of the vulnerability, which allowed hackers to take control of a system through a specially crafted WMF image posted on a Web site or sent through e-mail.
Sergile said it is still too early to tell if there will be fallout from January's bug, but noted that most of the machines still vulnerable are not in the enterprise, where managers patch fairly quickly. Hypponen said exploits are still circulating and that he sees a similar path for the new WMF glitch.
"The previous WMF vulnerability is still regularly used in attacks," he said. "This one will probably end up getting used, too, when a public exploit is made available by someone."
While this new WMF problem is similar to the previous flaw, it impacts a much smaller audience. Only systems running IE 5.01 with Windows 2000 Service Pack 4 are affected. The newest WMF vulnerability will not affect users of IE 6 or other Windows versions.
Sergile said the reason for Microsoft's recent graphics-rendering blues has to do with opportunity. "Once an area of weakness is pinpointed, hackers tend to dig at it," he said. "As more eyes turn to that area, more defects are found."