Researchers warn of likely attacks against Windows, PowerPoint

Computerworld - Some of the bugs Microsoft patched today will be exploited by hackers almost immediately, security researchers predicted.

Microsoft's massive update -- a record-tying 13 separate security bulletins that patched 26 vulnerabilities -- gives attackers all kinds of ways to compromise machines and hijack PCs.

Even Microsoft said so: 12 of the 26 vulnerabilities, or 46% of the total, were tagged with a "1" in the company's exploitability index, meaning that Microsoft figures they will be exploited with reliable attack code in the next 30 days.

But some of the flaws will be exploited long before others, said researchers interviewed today.

"The vulnerabilities in MS10-006 and MS10-012 will probably be exploited in just a few days," said Jason Avery, manager of TippingPoint's Digital Vaccine group. "I think exploits for the PowerPoint vulnerabilities [in MS10-004] will also be disclosed within a few days, based on the information we have from ZDI and what we've heard through MAPP."

TippingPoint's Zero Day Initiative (ZDI) -- one of the two major bug bounty programs in the U.S. -- reported information about two of the six PowerPoint flaws to Microsoft. MAPP (Microsoft Active Protection Program) provides technical information about the vulnerabilities it plans to patch to vetted security software developers prior to the release of those updates.

MS10-006 and MS10-012 both involve SMB (Server Message Block), Windows file- and print-sharing protocols, but are not related. Avery based his bet of quick exploitation on the fast hacker reaction to a patch in October 2008. Then, attacks quickly used an exploit of MS08-067, a patch to Windows Server service, to hijack millions of PCs with the Conficker malware.

The PowerPoint update, MS10-004, was also pegged today by Jason Miller, security and data team manager of patch management vendor Shavlik Technologies, as one that hackers will gravitate toward.

"PowerPoint Viewer 2003 is affected, but Microsoft's not patching it," said Miller, referring to the free viewing tool that lets people who don't have the presentation maker view slideshows. "Microsoft's finally putting its foot down and saying that [Viewer 2003] is past its lifecycle, and that everyone should upgrade to PowerPoint Viewer 2007." But if word doesn't get out, users running the older version of the utility can be attacked at will, something attackers will surely use, Miller added.

Microsoft seconded Miller's concern over the PowerPoint flaws. "It should be a priority for customers who have standalone installations of the PowerPoint Viewer 2003 to migrate to supported releases to prevent potential exposure to vulnerabilities," the company's accompanying bulletin read. "PowerPoint Viewer 2007 is not affected by the vulnerabilities described in this bulletin and is available from the Microsoft Download Center.