Update: Windows zero-day flaw 'very dangerous,' experts say
With Vista at risk, eEye issues unofficial patch; attacks traced to Chinese hackers
Computerworld - The Windows zero-day bug now being used by attackers is extremely dangerous, security researchers said today, and ranks with the Windows Metafile vulnerability of more than a year ago on the potential damage meter.
"This is a good exploit," Roger Thompson, CTO of Exploit Prevention Labs, said in an instant message exchange. "It's very dangerous. One of the reasons is that there's no crash involved...it's instantaneous. And all it takes is visiting a site."
Yesterday, Microsoft Corp.'s Security Response Center (MSRC) issued an advisory acknowledging a bug in Windows' animated cursor, a component that lets developers show a short animation at the mouse pointer's location. Attackers, who are already exploiting the bug in limited fashion, can hijack PCs by tempting users to malicious Web sites or by sending them a malformed file via e-mail.
Other researchers waded in today with warnings of the animated cursor danger. "This is reminiscent of the former Windows Metafile (WMF) attacks from 2005 and 2006," Ken Dunham, director of VeriSign Inc.'s iDefense rapid response team, said in an e-mail. "It's trivial to update, multiple sites now host the code in a short period of time, and the highly virulent file exploitation vector within Windows Explorer exists."
In late 2005, exploits of the WMF vulnerability swept through malicious sites and infected thousands of PCs with a raft of malware, including spyware and bot Trojans. Microsoft rushed a patch into place in early January 2006, one of the few times it has gone out-of-cycle with a fix.
"There are a lot of exploits the equivalent of triple lutzes," said Ross Brown, the CEO of eEye Digital Security. "Only those high to the right on the hacker bell curve can pull it off. But this one doesn't need a lot of sophistication.
"It doesn't require a PhD in hacking," Brown said. "The number of people who can use this is huge."
eEye considered it so dangerous that early this morning it released a rare unofficial patch to temporarily plug the dike. This is only the second time that eEye has put out an unsanctioned fix for a Microsoft bug.
"We have some internal criteria for doing that, which this met," said Brown. "First, there's no direct mitigation, no registry switch or kill bit that a user or administrator can set. Second, the patch itself should be unobtrusive. And third, we want to make sure that the patch will unload itself when Microsoft releases its patch."
eEye's fix is "straight-forward," said Brown, who likened it to a shim. "This prevents any animated cursor except those already installed by Windows from being executed," he said. eEye's patch notes said that the fix blocks cursors from being loaded outside of %SystemRoot%, which prevents sites from loading their own, potentially malicious animated cursors.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!