Adware-for-Hire Vector Underscores IE Holes

Opinion: Of all the vulnerabilities just patched by Microsoft, I predict we'll have the most trouble with the PNG bug.

Microsoft released a diverse and scary batch of vulnerability announcements and patches for them today. After actually reading the bulletins, I concluded that most of the vulnerabilities arent really that scary, but two caught my eye, and one of them in particular.

The two bugs in this bunch that will cause the most real-world problems are MS05-027 ("Vulnerability in Server Message Block Could Allow Remote Code Execution") and MS05-025 (PNG Image Rendering Memory Corruption Vulnerability).

MS05-027 is the worst kind of vulnerability: a network worm that requires no user intervention.

Since the SMB protocol is not routed over the Internet by any sane person, its not likely to be exploitable by another Internet user. But its easy to imagine malware using this hole to spread inside a corporate network once a client system had been exploited by other means.

So look for this to show up as a means of spreading in upcoming versions of Mytob, Sdbot and other broad-spectrum Windows threats.

I think well be hearing more from MS05-025, which allows a specially constructed PNG (Portable Network Graphics) image to take control of the system. This report quickly reminded me of a report I had seen recently at the SANS Internet Storm Center about an advertising affiliate site that offers to pay Web site operators for installing a browser exploit on their site.

/zimages/6/28571.gifRead more here about Microsofts patch for the PNG vulnerability.

The exploit is part of an ad section on the site, but it also allows the installation of adware, spyware and all that good stuff. Why stop at making money off of ads when you can also control a botnet?

MS05-025 is tailor-made for this sort of illicit application, and we can certainly expect to see it exploited not long after proofs of concept are made available.

Microsoft hasnt released a whole lot of detail on this attack, but that just means exploit writers will have to reverse-engineer the patches and the code being patched to see where the flaw is and how to exploit it.

This vulnerability is also interesting for what it says about Microsofts plans for Internet Explorer 7.0. The company hasnt succeeded with this yet, but its strategy for IE7, as I have already discussed at length, includes a plan to drastically reduce the privileges of IE in its normal operations.

A recent report on Microsofts IE Blog added some new information on this: When running on Longhorn, IE7 is not just limited in terms of access to capabilities such as scripting. On Longhorn, IE will be running not in the context of the user, but in a specially crippled user context.

Since the user context running IE wont have meaningful privileges, neither will malware running within it. Nowadays, malware has all the rights you have (and theres a decent chance youre running as administrator).

/zimages/6/28571.gifClick here to read more about plans for reduced user privileges in Internet Explorer 7.0.

Oh, what a shame such user-limitation capabilities havent been available for years! Undoubtedly theyre hard to implement on such a complex and popular system as Windows, but they really underscore how primitive our current protections are.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.