Some of the bugs Microsoft patched will be exploited by hackers almost immediately, security researchers predicted.
Microsoft's massive update — a record-tying 13 separate security bulletins that patched 26 vulnerabilities — gives attackers all kinds of ways to compromise machines and hijack PCs.
Even Microsoft said so: 12 of the 26 vulnerabilities, or 46% of the total, were tagged with a “1” in the company's exploitability index, meaning that Microsoft figures they will be exploited with reliable attack code in the next 30 days.
But some of the flaws will be exploited long before others, said researchers interviewed today.
“The vulnerabilities in MS10-006 and MS10-012 will probably be exploited in just a few days,” said Jason Avery, manager of TippingPoint's Digital Vaccine group. “I think exploits for the PowerPoint vulnerabilities [in MS10-004] will also be disclosed within a few days, based on the information we have from ZDI and what we've heard through MAPP.”
TippingPoint's Zero Day Initiative (ZDI) — one of the two major bug bounty programs in the U.S. — reported information about two of the six PowerPoint flaws to Microsoft. MAPP (Microsoft Active Protection Program) provides technical information about the vulnerabilities it plans to patch to vetted security software developers prior to the release of those updates.
MS10-006 and MS10-012 both involve SMB (Server Message Block), Windows file- and print-sharing protocols, but are not related. Avery based his bet of quick exploitation on the fast hacker reaction to a patch in October 2008. Then, attacks quickly used an exploit of MS08-067, a patch to Windows Server service, to hijack millions of PCs with the Conficker malware.
The PowerPoint update, MS10-004, was also pegged today by Jason Miller, security and data team manager of patch management vendor Shavlik Technologies, as one that hackers will gravitate toward.
“PowerPoint Viewer 2003 is affected, but Microsoft's not patching it,” said Miller, referring to the free viewing tool that lets people who don't have the presentation maker view slideshows. “Microsoft's finally putting its foot down and saying that [Viewer 2003] is past its lifecycle, and that everyone should upgrade to PowerPoint Viewer 2007.” But if word doesn't get out, users running the older version of the utility can be attacked at will, something attackers will surely use, Miller added.
Microsoft seconded Miller's concern over the PowerPoint flaws. “It should be a priority for customers who have standalone installations of the PowerPoint Viewer 2003 to migrate to supported releases to prevent potential exposure to vulnerabilities,” the company's accompanying bulletin read. “PowerPoint Viewer 2007 is not affected by the vulnerabilities described in this bulletin and is available from the Microsoft Download Center.
Every researcher contacted today by Computerworld tapped MS10-013, which described a vulnerability in DirectShow, a component of Windows' DirectX graphics infrastructure, as worth careful watching. Not only was the bug rated “critical” in every version of Windows on the desktop, including Windows 7, but hijacking an unpatched PC will be laughably easy.
“Everyone is going to have [DirectShow],” said Amol Sarwate, manager of Qualys Inc.'s vulnerabilities research lab. All attackers have to do is convince users to visit malicious Web sites hosting malformed .avi-formatted movie files, he continued.
“Not that people do extracurricular browsing at work,” said Miller of Shavlik with a wink and a nod. “But the truth is that media is the big thing on the Internet, whether it's a link to YouTube someone sends you or a video of their dog. And we're not even talking about the extracurricular.”
Just watch, said Miller and Andrew Storms, director of security operations at nCircle Network Security: MS10-013 will be used by hackers. “The DirectShow vulnerability has the potential for a classic drive-by attack,” Storms said, talking about the kinds of attacks that compromise unpatched PCs which surf to unsafe sites.
Microsoft also weighed in with its own recommendations for patching priorities, labeling five of the updates — MS10-006, MS10-007, MS10-008, MS10-013 and MS10-015 — as the ones to deploy first.
MS10-015 patched a 17-year-old bug in the kernel of all 32-bit versions of Windows. Microsoft issued a security advisory last month on the vulnerability after a Google engineer publicized the flaw Jan. 21.
This month's security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.