Adware-for-Hire Vector Underscores IE Holes

By Larry Seltzer  |  Posted 2005-06-14 Print this article Print

Opinion: Of all the vulnerabilities just patched by Microsoft, I predict we'll have the most trouble with the PNG bug.

Microsoft released a diverse and scary batch of vulnerability announcements and patches for them today. After actually reading the bulletins, I concluded that most of the vulnerabilities arent really that scary, but two caught my eye, and one of them in particular. The two bugs in this bunch that will cause the most real-world problems are MS05-027 ("Vulnerability in Server Message Block Could Allow Remote Code Execution") and MS05-025 (PNG Image Rendering Memory Corruption Vulnerability). MS05-027 is the worst kind of vulnerability: a network worm that requires no user intervention.
Since the SMB protocol is not routed over the Internet by any sane person, its not likely to be exploitable by another Internet user. But its easy to imagine malware using this hole to spread inside a corporate network once a client system had been exploited by other means.
So look for this to show up as a means of spreading in upcoming versions of Mytob, Sdbot and other broad-spectrum Windows threats. I think well be hearing more from MS05-025, which allows a specially constructed PNG (Portable Network Graphics) image to take control of the system. This report quickly reminded me of a report I had seen recently at the SANS Internet Storm Center about an advertising affiliate site that offers to pay Web site operators for installing a browser exploit on their site. Read more here about Microsofts patch for the PNG vulnerability. The exploit is part of an ad section on the site, but it also allows the installation of adware, spyware and all that good stuff. Why stop at making money off of ads when you can also control a botnet? MS05-025 is tailor-made for this sort of illicit application, and we can certainly expect to see it exploited not long after proofs of concept are made available. Microsoft hasnt released a whole lot of detail on this attack, but that just means exploit writers will have to reverse-engineer the patches and the code being patched to see where the flaw is and how to exploit it. This vulnerability is also interesting for what it says about Microsofts plans for Internet Explorer 7.0. The company hasnt succeeded with this yet, but its strategy for IE7, as I have already discussed at length, includes a plan to drastically reduce the privileges of IE in its normal operations. A recent report on Microsofts IE Blog added some new information on this: When running on Longhorn, IE7 is not just limited in terms of access to capabilities such as scripting. On Longhorn, IE will be running not in the context of the user, but in a specially crippled user context. Since the user context running IE wont have meaningful privileges, neither will malware running within it. Nowadays, malware has all the rights you have (and theres a decent chance youre running as administrator). Click here to read more about plans for reduced user privileges in Internet Explorer 7.0. Oh, what a shame such user-limitation capabilities havent been available for years! Undoubtedly theyre hard to implement on such a complex and popular system as Windows, but they really underscore how primitive our current protections are. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel