Vulnerability Roundup

It was a busy week for security alerts: more WMF flaws were exposed and two critical Microsoft vulnerabilities were revealed. Meanwhile, a review of 2005 IM threats gives a hint at what to expect this year.

More WMF Problems

Despite Microsoft’s unusual out-of-cycle patch for two highly critical WMF vulnerabilities earlier this month, security researchers report the problem isn’t fully tackled yet.

A recent disclosure to Bugtraq says the Microsoft Graphics Rendering Engine has “multiple Unauthorized Memory Access vulnerabilities while rendering WMF format files.” In particular, “users who view the malicious WMF format file will bring a denial of service attack,” due to a forced explorer.exe restart.

Could this mean there’s another remotely exploitable WMF vulnerability? In a posting to the Microsoft Security Response Center Blog, the company’s Lennart Wistrand says no, there’s only a risk of an application crash.

“These crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity.”

Microsoft expects to resolve the issue in a forthcoming service pack.

---

Font and Outlook Vulnerabilities in Windows

Microsoft recently patched two vulnerabilities rated “highly critical” by vulnerability information provider Secunia. The first involves Microsoft Windows Web fonts and is “caused due to a memory corruption error when handling malformed embedded Web fonts,” says Secunia.

Symantec explains the vulnerability this way: “Windows contains support for automatically downloading fonts from remote servers when instructed to do so from HTML pages. Systems dating back to Windows 98 are susceptible to a remotely exploitable buffer overflow vulnerability through malformed embedded Web fonts.”

Other products utilizing those Microsoft Windows operating systems may also be at risk. For example, the highly critical vulnerability also exists on Avaya’s Unified Communications Center S3400, Modular Messaging-Messaging Application Server, and S8100, DefinityOne, and IP600 Media Servers.

The second vulnerability involves Microsoft Exchange Server and Microsoft Outlook e-mail clients, and could allow an attacker to execute code remotely by using a specially crafted e-mail attachment. Opening or simply previewing the attachment could execute the malicious code.

In light of these vulnerabilities, “people should always be vigilant about not opening unexpected attachments or following links to Web sites that arrive via e-mail or instant messages,” notes Oliver Friedrichs, a senior manager for Symantec Security Response. Furthermore, always beware spam. “Increasingly, criminals are delivering crimeware—such as bots, Trojans, and spyware—onto unsuspecting users’ computers through spammed messages.”

---

Previewing IM Attacks for 2006

What were the top instant messaging related security risks for 2005, and how will they change in 2006?

“In 2005 we saw a steady increase in the threat volume and hacker sophistication of real-time communications security attacks,” notes Jon Sakoda, chief technology officer of IMlogic. “As we enter 2006, these threats will continue to increase in sophistication and agility and will result in increased intellectual property loss, increased IT support costs, and other cyber crimes.”

According to new research from IMlogic, 2005 saw a steady escalation in attacks over IM, with over 2,400 new attacks targeting IM and P2P networks, “including IM-specific attacks and blended threats which target IM and P2P applications,” says Sakoda. Whereas early IM attacks were mostly a nuisance, now “90 percent of IM-related security attacks include worm propagation; nine percent are known to deliver viruses; and one percent of reported incidents utilize known client vulnerabilities or exploits.”

In general, MSN Messenger Client, Windows Messenger Client and MSN Network are the most targeted IM networks (57 percent of all attacks), followed by AOL and ICQ (34 percent), and Yahoo (9 percent).

Going forward, IMlogic anticipates that “network interoperability and continued IM adoption will accelerate the volume of IM threats.” It also highlights the convergence of IM, voice over IP (VoIP), virtual conferencing, and similar capabilities as a potential security problem. Finally, it predicts that more sophisticated worms, able to spread more covertly, will appear. “The increasing complexity and agility of IM threats will result in attacks being less likely to be immediately detected by an end-user, making these types of attacks more dangerous and costly,” Sakoda says.

Related Articles:

WMF Flaw Provokes Headaches, Workarounds
http://www.esj.com/news/article.aspx?EditorialsID=1586

Q&A: The 2006 Threat Landscape
http://www.esj.com/news/article.aspx?EditorialsID=1587

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
