Craig Schmugar, threat researcher at McAfee, reported that the first exploit was discovered on Friday, three days after the issue was patched by bulletin MS08-021.
On Monday, hackers publicly posted a basic exploit toolkit, which signals that the criminal underground may soon develop a more sophisticated and widespread way to take advantage of the bug.
"One method the bad guys use is to take the patch and reverse engineer it," Schmugar told SCMagazineUS.com on Tuesday. "They look at the files on the computer prior to installing the patch and then after, and try to compare the two and see how they can take advantage of the change."
The exploit – which can permit remote code execution if a user opens a specially crafted EMF or WMF image file – does not affect customers who have installed the updates detailed in MS08-021, said Bill Sisk, security response communications manager for Microsoft.
"By default, Microsoft Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 customers will have this update applied automatically through Automatic Updates," Sisk said.
Microsoft encourages all customers to apply its most recent security updates to help ensure that their computers are protected from attempted criminal attacks.
Schmugar said that GDI has had vulnerability issues in the past. The fact that Microsoft credited three researchers with discovering the flaw suggests that multiple people were looking for potential problems and more problems could be on the way.
See original article on scmagazineus.com
Attackers exploit recent Microsoft fix
By Sue Marquette on Apr 16, 2008 10:33AM