Virus researchers at Trend Micro Inc. are wiping eggs off their faces one day after jumping the gun with a warning that a Trojan in the wild was capable of exploiting newly patched Windows security flaws.
Just 24 hours after announcing the discovery of TROJ_EMFSPLOIT.A, a proof-of-concept Trojan that exploits a trio of image-rendering vulnerabilities patched by Microsoft Corp. earlier this week, Trend Micro is retreating from that claim.
The companys description of the Trojan has been modified to remove the contention that MS05-053 was being exploited.
A Trend Micro spokesperson told Ziff Davis Internet News that the erroneous reference to the image-rendering flaws was made because the Trojan exhibited behavior that suggested it “may well be classified” as an exploit for that vulnerability.
“Our Trend Labs team is currently working with Microsoft to resolve whether TROJ_EMFSPLOIT.A does indeed fall under the category of code exploiting the MS05-053 vulnerability or whether it is only a related piece of code but not totally exploiting MS05-053,” the spokesperson said.
Raimund Genes, chief technologist for anti-malware at Trend Micro, admitted that the companys initial assessment was flawed.
“Given the time we needed to react to this, we didnt analyze it thoroughly. We wanted to do something fast and perhaps we didnt spend sufficient time on it,” Genes said in an interview.
He said the company received the Trojan sample from a customer in Japan and, during the initial research, the code definitely crashed the “explorer.exe” and EMF File Viewer in unpatched Windows systems.
The “explorer.exe” process is a required file used to manage the Windows Graphical Shell, including the Start menu, taskbar, desktop and File Manager. A malicious attack that disrupts those essential services is considered very disruptive.
In systems running Windows XP without Service Pack 1, Genes said, the Trojan crashes the process but, under Windows XP with SP1 installed, there is no crash of “explorer.exe.”
When the company started working with the MSRC (Microsoft Security Response Center), Trend Micros researchers were told that a successful exploit of the flaw would have affected both Windows XP SP1 and SP2.
“Were still working with Microsoft to clarify what it is exactly and how it will be categorized in relation to MS05-053. But its not exactly as we originally described it,” he added.
A Microsoft spokesperson said the company is not aware of any active attacks that use this Trojan. “Microsoft continues to urge all customers to deploy MS05-053 and all recent security updates released by Microsoft to help ensure that their systems are protected from any attempted exploitation,” she said.
Microsofts patches, contained in the MS05-053 bulletin, addresses three separate image-rendering flaws in the Windows operating system. The flaws could be exploited via any software that displays images, including the widely used Microsoft Outlook, Microsoft Word and Internet Explorer programs.
The bugs are considered particularly dangerous because users could be at risk by merely browsing to a malicious rigged site with rigged image files or by displaying images in the preview pane of an e-mail program.