Hackers will quickly jump on one of the 15 vulnerabilities Microsoft patched to build attack code that infects Internet Explorer users, security researchers agreed.
The bug, which Microsoft patched as part of a record-tying security update for the month of November, is in the Windows kernel, the heart of the operating system. The kernel improperly parses Embedded OpenType (EOT) fonts, a compact form of fonts designed for use on Web pages that can also be used in Microsoft Word and PowerPoint documents.
Microsoft rated the flaw as “critical,” its highest threat rating, and gave the bug an exploitability ranking of “1,” which means it expects a working exploit to appear in the next 30 days.
Outside researchers expect it much sooner than that.
“An exploit will appear sooner rather than later,” said Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. “The target is Internet Explorer, and browsing is the number one attack vector in the world right now. Users can be infected simply by browsing to a [malicious] site.”
Another researcher said an exploit may be imminent. HD Moore, the creator of the popular open-source Metasploit penetration testing framework and the chief security officer for security firm Rapid7, said he was already working on an exploit for the critical flaw Microsoft patched Tuesday in the MS09-065 update. “I'm pretty close to having one working,” Moore said.
The bug will be extremely attractive to hackers, Moore maintained, and not simply because it can be exploited in a classic “drive-by” attack that can silently hijack an unpatched Windows 2000 or Windows XP system when users visit a compromised or malicious Web site. On Vista, a successful exploit would give the attacker additional access to the machine, but could not be used to inject malware, Microsoft said.
“An EOT file can use both compression and encryption,” noted Moore, referring to the font format that hackers will use to exploit the bug. Because the file can be compressed and encoded, most antivirus software will have a difficult, if not impossible, time detecting whether a Web page's fonts are being used to launch attacks. “They will blow past any line of user protection,” he said.
And since the EOT file is rendered at the kernel level, not by Internet Explorer (IE) itself, browser-based defenses won't help. “There's no JavaScript required for an exploit,” Moore said, talking about the scripting language that's a popular tool for hackers who target browsers. Those kinds of attacks can be deflected by restricting JavaScript, or disabling it entirely.
On Vista PCs, IE7's and IE8's “sandbox,” which is designed to prevent attack code from escaping the browser and worming its way into, say, the operating system, also will be useless, Moore said
Top-notch hackers may also be able to leverage a treasure trove of bug fixes that Microsoft silently added to the MS09-065 update, Moore said. “There's a massive number of function fixes in the update,” he said, adding that the practice isn't unusual for Microsoft. Even though the company called out only three Windows kernel vulnerabilities in that bulletin, Moore said he had been able to find at least eight altogether.
Microsoft said the critical EOT vulnerability had been publicly disclosed prior to its Tuesday patch, which is never a good sign, Miller added. “If an exploit reaches a site like milw0rm.com, that's not a good thing,” Miller said, referring to a database of vulnerability disclosures, exploits and proof-of-concept code samples. Hackers often take the attack code samples posted on milw0rm and modify them to craft reliable exploits. “That place is a hotbed for exploit code,” said Miller.
Milw0rm lists an EOT exploit that was published Aug. 11, but Moore said the code only crashed Windows, and couldn't be used as is to compromise a PC.
But there is a silver lining, Moore said. Although he wouldn't hazard a guess as to when an exploit might go public — that will depend on who works on an attack and how much time they're willing to spend — he said that kernel exploits were notoriously difficult to craft. Researchers, including himself, who contribute to Metasploit, have typically had to hand-build exploits that work on only a small portion of PCs. “They often have slightly different kernels because of the different third-party software on each machine,” he said.
Moore declined to put a timetable to when he would wrap up work on his exploit for the EOT vulnerability.
Windows 7 and its server sibling, Windows Server 2008 R2, do not contain the vulnerability and so are immune from attack, Microsoft said Tuesday. Users still running the free Windows 7 Release Candidate (RC), however, might be, said Andrew Storms, director of security operations at nCircle Network Security, in an interview yesterday.
“Windows 7 RC is probably vulnerable,” said Storms, citing Microsoft's policy of not providing security updates for preview versions of an operating system when the final has been released. “That's why you don't see Microsoft patching Windows 7 RC [in MS09-065]. For anyone still running RC, they should take heed and upgrade to the RTM.”
Miller, Moore and Storms all recommended that users move MS09-065 to the top of the to-patch list. Microsoft agreed, and urged customers to deploy that security update first.
This month's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.