Microsoft Patches Tackle Evil Clippy

A hijacked "Clippy," along with a few zero days and public proof-of-concept code are at issue this Patch Tuesday.

Microsoft is throttling a potentially evil paperclip this Patch Tuesday: Namely, a critical vulnerability in its Microsoft Agent—aka "Clippy"—that can open a system up to hijacking.

The security advisory for Microsoft Agent, MS07-051, is the only critical release out of four security advisories the company put out on Sept. 11. It addresses a vulnerability whereby the Microsoft Agent—of which Clippy is one of multiple renditions—can get hoodwinked by a malicious URL and can then be used to take over a targeted system without ever appearing to the user.

Clippy—officially known as Clippit—met its demise in Office 2007, but this vulnerability still affects the agent as it exists in Microsoft Windows 2000 SP4.

Given that this vulnerability is rated critical and can lead to system takeover, some rank it at the top of the priority list for patching if users are running Windows 2000. "This one is critical, and its like a browser bug: You surf to an evil Web site and youll get hacked," said Eric Schultze, chief security architect at Shavlik Technologies.

Symantecs Security Response is considering the Agent flaw to be a high-priority fix given that its in Microsoft Agents ActiveX, which runs on a "significant number of systems," the company said in a release. Beyond its ubiquity, the vulnerability is yet another hallmark of a big bump in the number of ActiveX vulnerabilities being found this year.


To read more about the patches Micosoft is making in Windows, Messenger and Visual Studio on Sept. 11, click here.

"Attackers are targeting trusted Web brands, such as social networking sites, and then waiting for their victims to come to them so they can exploit the vulnerability and gain access to the individuals computer," Ben Greenbaum, senior research manager at Symantec, said in a release.

As for the remaining three security advisories, rated "important," the trio constitutes either zero days or flaws for which theres been publicly released proof of concept code.

One of the more interesting flaws from an attackers point of view is MS07-53, a privilege escalation in Windows Services for Unix 3.0, Windows Services for Unix 3.5, and Subsystem for Unix-based Applications.

The vulnerability has to do with running certain setuid binary files that could allow an attacker to gain elevation of privilege. With the ability to set a user ID to be that of an administrator, an attacker can call a file through the Unix services and then be able to execute it as if he or she were the files owner, rather than just a regular user calling the file.

Attackers like privilege escalation—a lot. "Hackers really like privilege escalation if theyve broken onto boxes and arent [already] administrators," Schultze said.

MS07-53 affects Vista, given that it is a built-in component on the operating systems. By contrast, users have to hunt down the Unix services products and install them on Windows 2000 and XP. It resides on the system in Windows 2003 R3 as well as Vista, but is not turned on by default.

A new-media vulnerability gets fixed in MS07-054, rated important, which patches a vulnerability in MSN Messenger and Windows Live Messenger that could allow a system to be taken over. Given that theres proof-of-concept code out for this one, researchers are pegging it as a high-urgency issue.

The vulnerability involves a victim being invited to a video chat. When the victim accepts an invitation to view the Webcam, he or she gets exploited, with the attacker able to gain complete control of a target system.

"[It reflects] the past few months, with a trend of new-media type of vulnerabilities that use social-engineering attacks to compromise victims," said Amol Sarwate, manager of Qualys Vulnerabilities Lab. "[Attackers are using] malicious code or malware in JPEG files or media files or today, in this case, in a video stream."

Another important advisory, MS07-052, addresses an important vulnerability that occurs when running Crystal Reports with Visual Studio present. This flaw, already publicly disclosed, can lead to remote code execution if a user opens a maliciously crafted RPT file. While this is a serious vulnerability, the affected user base is small, given that the two programs must both be running in order for an exploit to work.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.