Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Microsoft patches critical Windows drive-by bug

Gregg Keizer | March 8, 2011
But leaves IE vulnerable at Pwn2Own, says unexpected update would be disruptive

"This is kind of an ongoing investigation for us," Bryant said today. "[Although] we think we've found all the ones in IE, we're still going through the rest of our product base."

Kandek and Storms both said that it was likely Microsoft would continue to roll out DLL load hijacking fixes for some time. "This will continue for years to come, not only from Microsoft, but also from third-party vendors," said Kandek.

Even though the alarm was raised in August and Microsoft rushed out a tool to block potential attacks, hackers have not used the technique to compromise Windows computers, or if they have, the efforts have gone undetected.

Storms wasn't surprised.

"These are very difficult to exploit," he said. "Last year, it was 'Oh my gosh,' but it turned out to be not so easy to exploit these because it required users to browse to the malicious location and open the file, and the attacker to plant a [malicious] DLL and a bad file. That's quite a few steps."

HD Moore, the chief security officer at Rapid7 and the creator of the popular Metasploit open-source hacking toolkit, today reminded enterprises that they can make it more difficult for attackers to exploit any DLL load hijacking bug by disabling the WebDAV client service on all Windows PCs, and blocking outbound ports 139 and 445.

Moore was one of the first to reveal the new class of DLL load hijacking vulnerabilities last year.

Microsoft did not patch IE before the Pwn2Own hacking challenge that kicks off Wednesday, however.

Pwn2Own, which pits security researchers against four browsers, including IE, Apple's Safari, Google's Chrome and Mozilla's Firefox, runs March 9-11 in Vancouver, British Columbia, at the CanSecWest security conference. The first researcher to take down IE, Safari or Firefox will receive a $15,000 prize, while $20,000 is at stake for Chrome.

Today, Bryant said it wasn't worth disrupting customers' patching schedules with an unexpected security update to boost IE's chance of surviving Pwn2Own.

"We don't see a reason to disrupt customers just for the contest," Bryant said. "Going out-of-band is a potential disruption, and we don't do that unless [a vulnerability] is actively being attacked."

Microsoft's declining to patch IE prior to Pwn2Own wasn't a surprise: The company now delivers IE updates in even-numbered months, and last patched the browser on Feb. 8.

In any case, Bryant added, there's no danger of any vulnerability exploited at Pwn2Own escaping into the wild. "Pwn2Own bugs are reported to vendors in a coordinated way," Bryant said.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.