Microsoft fixed six vulnerabilities, three of them rated critical, with four patches in its May Patch Tuesday round this week. All were file-format vulnerabilities impacting client-side Windows machines rather than servers.
One of the flaws (MS08-028) is a zero-day vulnerability in a retired Microsoft database product, the Jet Database Engine, that has been publicly known about since March 31, 2005, Andre Protas, director of research and preview services for eEye Digital Security, told SCMagazineUS.com on Tuesday. "This, however, only became a big issue recently because of a new attack vector that resulted in targeted attacks using the zero-day flaw," he said.
The flaw allows attackers to craft a malicious file and take over the user's computer remotely, Jason Miller, security data team manager at Shavlik Technologies, told SCMagazineUS.com. In this situation, attackers can embed a maliciously crafted .mdb file (the Jet database extension) within a Word or Publisher file and remotely execute code, he said.
Don Leatham, director of solutions and strategies at Lumension, told SCMagazineUS.com that embedding the .mdb file within a Word or Publisher file is one of the more "inventive" techniques he's seen by hackers.
"This has been used in some low profile stealth attacks," he said. "I was a bit surprised it was not addressed in April, since it was seen in the wild. Because it was stealthy enough, it wasn't generating enough waves and there wasn't much press for Microsoft to get it out in April."
Security researchers are seeing more and more of this sort of stealth attack, Leatham said.
"We've seen a change in hacker mentality from public prey to profit motive, and in the profit environment, hackers want to keep their exploits hidden and away from public view so they can use them over and over in targeted attacks," he explained.
"The net effect is there may be exploits out there we may not find out about because they're used in these type of targeted attacks," Leatham added.
Also labeled as critical were vulnerabilities within Word (MS08-026) and Publisher (MS08-027) themselves. Both of these would allow an attacker to execute code remotely on the user's PC if the user opens a malicious Word or Publisher file.
In any case, security researchers urged security professionals within organizations to apply the patches (MS08-026, MS08-027 and MS08-028) as quickly as possible.
MS08-028, in particular, is one that administrators should install quickly, Amol Sarwate, manager of the vulnerabilities lab at Qualys, told SCMagazineUS.com.
"Not only because attackers can run code on users' desktops, but also because Microsoft has acknowledged it has seen attacks using this vulnerability to compromise people's machines," he said.
The remaining patch (MS08-029) caught the attention of several security researchers. This vulnerability impacts the Windows malware protection engine that is at the heart of many of Microsoft's anti-malware products, including Forefront, Live OneCare, Windows Defender and the anti-virus Antigen for Exchange.
This vulnerability can cause a denial-of-service (DoS) condition. This would occur when the malware engine scans a specially crafted malicious file, Lumension's Leatham said.
"This would cause the PC to crash then go through reboot loops," he explained.
Microsoft labeled this "moderate" because it does not involve remote code execution. But Shavlik's Miller said he considered this one "critical" because it can cause the malware protection engine to stop responding, leaving the system unprotected.
Leatham also pointed out that it would be difficult to spread the malicious file widely enough through a large organization to cause significant mischief.
"I could see where you could tie in a social engineering trick and get the malformed file into multiple computers," he said, adding that was an unlikely scenario.
"It is surprising that Microsoft decided to patch the denial-of-service vulnerability because it leads only to an unresponsive host or disk exhaustion, but in either case the service will restart itself," nCircle's Reguly said. "This denial-of-service is much less severe than others that have not been patched in the past. The only reason this one is being fixed is because it affects a security product."