Microsoft has provided “important” updates for vulnerabilities in MSN Messenger, Windows Live Messenger and Windows Services for Unix 3.0 in its monthly Patch Tuesday release. Its most important fix — a critical vulnerability — is in its Windows Agent animation services. This is the agent that displays animated characters for internal use, such as the Microsoft Office “talking” paper clip.
While the number of fixes is relatively small, the vulnerabilities leave enterprises open to trouble in surprising ways, Paul Henry, vice president of technology evangelism for Secured Computing, told TechNewsWorld. With the Messenger issue, for example, “the code is out there in the wild, and the flaw allows a hacker to remotely execute code at the log-in user level.”
MS07-054 — Microsoft’s fix to the zero day vulnerability in MSN Messenger — belies its “important” status, remarked Amol Sarwate, manager of the vulnerability research lab at Qualys. If left unpatched, an MSN Messenger user’s machine can become compromised simply by viewing a hacker’s webcam.
“The MSN vulnerability comes on the heels of several recent new media attacks using social engineering to take advantage of end users,” Sarwate said, “including a Yahoo IM (instant messaging) webcam vulnerability patched with the release in July, as well as exploits based on graphics and video applications that popped up earlier this year.”
Sarbox Violation?
Indeed, the potential for exposure is so widespread and so high that some firms consider it a possible violation of the Sarbanes-Oxley Act, Henry said.
By contrast, the one critical vulnerability, MS07-051, only affects Windows 2000 Service Pack 4 (SP4) users, not those running Windows 2003, XP or Vista operating systems, according to Sarwate.
A system can be compromised if a user browses to a malicious Web site.
Also labeled “important” by Microsoft is MS07-053, a Windows services for Unix patch for users who integrate Windows with Unix — a relatively small universe.
One-Year Wait
Of more concern is MS07-052, which affects Crystal Reports files. “Social engineering tactics can be used here if a person is used to downloading an RPT file,” Henry said.
Even savvy computer users are still falling prey to these tactics, he commented, especially as hackers stay one step ahead of the vendor patch rollouts.
“We are continuously seeing the bad guys alter their strategies based on what patches have been released,” Henry said.
“What is important to remember is that most of these patches are based on code that has been out in the wild for some time,” he observed. Indeed, the time between a patch release and the malware code’s development is increasing — it’s now close to a year.