Hackers will exploit Windows kernel bug, researchers say
Expect drive-by attacks against IE 'sooner rather than later,' experts say
Computerworld - Hackers will quickly jump on one of the 15 vulnerabilities Microsoft patched Tuesday to build attack code that infects Internet Explorer users, security researchers agreed today.
The bug, which Microsoft patched as part of a record-tying security update for the month of November, is in the Windows kernel, the heart of the operating system. The kernel improperly parses Embedded OpenType (EOT) fonts, a compact form of fonts designed for use on Web pages that can also be used in Microsoft Word and PowerPoint documents.
Microsoft rated the flaw as "critical," its highest threat rating, and gave the bug an exploitability ranking of "1," which means it expects a working exploit to appear in the next 30 days.
Outside researchers expect it much sooner than that.
"An exploit will appear sooner rather than later," said Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "The target is Internet Explorer, and browsing is the number one attack vector in the world right now. Users can be infected simply by browsing to a [malicious] site."
Another researcher said an exploit may be imminent. HD Moore, the creator of the popular open-source Metasploit penetration testing framework and the chief security officer for security firm Rapid7, said he was already working on an exploit for the critical flaw Microsoft patched Tuesday in the MS09-065 update. "I'm pretty close to having one working," Moore said.
The bug will be extremely attractive to hackers, Moore maintained, and not simply because it can be exploited in a classic "drive-by" attack that can silently hijack an unpatched Windows 2000 or Windows XP system when users visit a compromised or malicious Web site. On Vista, a successful exploit would give the attacker additional access to the machine, but could not be used to inject malware, Microsoft said.
"An EOT file can use both compression and encryption," noted Moore, referring to the font format that hackers will use to exploit the bug. Because the file can be compressed and encoded, most antivirus software will have a difficult, if not impossible, time detecting whether a Web page's fonts are being used to launch attacks. "They will blow past any line of user protection," he said.
And since the EOT file is rendered at the kernel level, not by Internet Explorer (IE) itself, browser-based defenses won't help. "There's no JavaScript required for an exploit," Moore said, talking about the scripting language that's a popular tool for hackers who target browsers. Those kinds of attacks can be deflected by restricting JavaScript, or disabling it entirely.
On Vista PCs, IE7's and IE8's "sandbox," which is designed to prevent attack code from escaping the browser and worming its way into, say, the operating system, also will be useless, Moore said.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts