Security researchers are urging IT shops to install Microsoft's latest batch of patches as quickly as possible to head off attempted attacks against some flaws, most notably the GDI vulnerabilities Microsoft addressed in its MS08-021 bulletin.
Symantec Corp. has raised its ThreatCon to Level 2 in response to in-the-wild exploits against the GDI flaws, which attackers could exploit to hijack targeted machines by tricking users into opening malware-laced .emf or .wmf files. Microsoft labeled the update critical for those running Microsoft Windows 2000 Service Pack 4 and all supported releases of Windows XP, Windows Server 2003, Vista, and Windows Server 2008.
Symantec defines a Level 2 threat as one in which knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating. The Cupertino, Calif.-based security vendor issued an alert to customers of its DeepSight threat management service after observing exploit attempts via its honeynet.
One item researchers are watching is proof-of-concept code publicly posted to the milw0rm.com site that successfully targets Chinese editions of Windows 2000 Service Pack 4 (SP4).
"At least three different sites are hosting [malicious] images," Symantec said in its alert. "Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability."
Despite that, Symantec said it has received reports that reliable exploitation is occurring in the wild. Users are advised to apply the patches immediately and IT administrators should filter activity to the following IP addresses and/or domains: * 126.96.36.199 (hxxp://igloofamily.com), * 188.8.131.52 (hxxp://amrc.com.tw), and * ad.goog1e.googlepages.com.
The threat was considered serious enough for the United States Computer Emergency Readiness Team (US-CERT) to post an alert on its website.
The Bethesda, Md.-based SANS Internet Storm Center also posted a warning on its website. "If you haven't already patched do so now and don't forget to remind your users not to open image files," the storm center's Deborah Hale wrote.
The GDI issues were among several critical security holes Microsoft addressed in its April 2008 patch rollout.
Bill Sisk of the Microsoft Security Response Center has cited MS08-021 as one of the most important updates for the month.
While attempted exploits bear watching, it is not something IT administrators get overly anxious about. Such activity always follows Microsoft's monthly patch release, and many IT shops have installed layers of security in their environments that allows for an orderly patch test and deployment process.