
Researchers warily watch for Microsoft GDI exploits

By Bill Brenner, Senior News Writer
16 Apr 2008 | SearchSecurity.com


Security researchers are urging IT shops to install Microsoft's latest batch of patches as quickly as possible to head off attempted attacks against some flaws, most notably the GDI vulnerabilities Microsoft addressed in its MS08-021 bulletin.


Symantec Corp. has raised its ThreatCon to Level 2 in response to in-the-wild exploits against the GDI flaws, which attackers could exploit to hijack targeted machines by tricking users into opening malware-laced .emf or .wmf files. Microsoft labeled the update critical for those running Microsoft Windows 2000 Service Pack 4 and all supported releases of Windows XP, Windows Server 2003, Vista, and Windows Server 2008.

Symantec defines a Level 2 threat as one in which knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating. The Cupertino, Calif.-based security vendor issued an alert to customers of its DeepSight threat management service after observing exploit attempts via its honeynet.

One item researchers are watching is proof-of-concept code publicly posted to the milw0rm.com site that successfully targets Chinese editions of Windows 2000 Service Pack 4 (SP4).


"At least three different sites are hosting [malicious] images," Symantec said in its alert. "Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability."

Despite that, Symantec said it has received reports that reliable exploitation is occurring in the wild. Users are advised to apply the patches immediately and IT administrators should filter activity to the following IP addresses and/or domains:

* 211.239.126.10 (hxxp://igloofamily.com)
* 59.124.92.168 (hxxp://amrc.com.tw)
* ad.goog1e.googlepages.com
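One way to apply the filter recommendation above to proxy logs, added here as an example and not part of the original article or Symantec's alert. The log format ("client dest_ip url"), the function names and the sample lines are assumptions constructed for illustration; the indicators are the ones listed above, in their defanged form.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators as listed in the article (defanged with hxxp).
ARTICLE_INDICATORS = [
    "211.239.126.10", "hxxp://igloofamily.com",
    "59.124.92.168", "hxxp://amrc.com.tw",
    "ad.goog1e.googlepages.com",
]

def refang(value):
    """Undo common defanging (hxxp, [.]) and return a bare lowercase host or IP."""
    v = value.strip().lower().replace("[.]", ".")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    if "://" not in v:
        v = "http://" + v
    return urlsplit(v).hostname or ""

def build_blocklist(indicators):
    """Split indicators into a set of IP addresses and a set of hostnames."""
    ips, hosts = set(), set()
    for raw in indicators:
        item = refang(raw)
        try:
            ips.add(ipaddress.ip_address(item))
        except ValueError:
            hosts.add(item)
    return ips, hosts

def is_blocked(dest_ip, url, ips, hosts):
    host = refang(url)
    # Host match is exact or a subdomain on a label boundary, never a bare suffix.
    return ipaddress.ip_address(dest_ip) in ips or any(
        host == h or host.endswith("." + h) for h in hosts)

# Constructed proxy log lines (hypothetical format): "client dest_ip url"
SAMPLE_LOG = """\
10.0.0.5 211.239.126.10 http://igloofamily.com/img/a.emf
10.0.0.6 203.0.113.9 http://www.amrc.com.tw/pic.wmf
10.0.0.7 198.51.100.4 http://notamrc.com.tw/index.html
10.0.0.8 198.51.100.7 http://ad.goog1e.googlepages.com/x.wmf
10.0.0.9 198.51.100.8 http://ad.google.googlepages.com/ok.png
"""

def flag_lines(log_text):
    """Return the client addresses whose requests hit a listed IP or host."""
    ips, hosts = build_blocklist(ARTICLE_INDICATORS)
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    return [client for client, dest_ip, url in rows if is_blocked(dest_ip, url, ips, hosts)]
```

The third and fifth sample lines are deliberate near-misses: a bare suffix match would flag `notamrc.com.tw`, and blocking the parent `googlepages.com` would flag unrelated pages on the same hosting domain.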

The threat was considered serious enough for the United States Computer Emergency Readiness Team (US-CERT) to post an alert on its website.

The Bethesda, Md.-based SANS Internet Storm Center also posted a warning on its website. "If you haven't already patched do so now and don't forget to remind your users not to open image files," the storm center's Deborah Hale wrote.

The GDI issues were among several critical security holes Microsoft addressed in its April 2008 patch rollout.

Bill Sisk of the Microsoft Security Response Center has cited MS08-021 as one of the most important updates for the month.

While attempted exploits bear watching, they are not something IT administrators get overly anxious about. Such activity always follows Microsoft's monthly patch release, and many IT shops have installed layers of security in their environments that allow for an orderly patch test and deployment process.


