One of the flaws (MS08-028) is a zero-day vulnerability in a retired Microsoft database product, the Jet Database Engine, that has been publicly known since March 31, 2005, Andre Protas, director of research and preview services for eEye Digital Security, told SCMagazineUS.com today.
"This, however, only became a big issue recently because of a new attack vector that resulted in targeted attacks using the zero-day flaw," he said.
The flaw allows attackers to craft a malicious file and take over the user's computer remotely, Jason Miller, security data team manager at Shavlik Technologies, told SCMagazineUS.com.
In this situation, attackers can embed a maliciously crafted .mdb file (the Jet database extension) within a Word or Publisher file and remotely execute code, he said.
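The attack vector described above, a Jet database carried inside a Word or Publisher document, can be spotted before a user opens the file, because a Jet/ACE database begins with a fixed signature and legacy Office (OLE2) containers store embedded objects uncompressed. The following scanner is an added example and is not code from the article or from any of the vendors quoted in it; the sample files it scans are constructed for the demonstration and contain no exploit content. It flags three cases a mail gateway or file-share sweep should care about: a bare .mdb, a Jet database renamed to an Office extension, and an Office document with a Jet header buried inside it.

```python
"""Flag Office documents that carry a Jet database (added example, not from the article).

A Jet database file starts with the bytes 00 01 00 00 followed by the ASCII string
"Standard Jet DB" (Jet 3.x/4.x, .mdb) or "Standard ACE DB" (Access 2007, .accdb).
Legacy .doc/.pub files are OLE2 compound documents whose streams are stored
uncompressed, so a raw signature search over the file bytes finds an embedded .mdb.
Limitation: it will not see a database hidden inside a compressed or encrypted
container (e.g. a ZIP-based .docx), nor one that is sent as a separate attachment.
"""
import re

# OLE2 compound-document magic used by legacy .doc and .pub files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Jet/ACE database header signature.
JET_SIGNATURE = re.compile(rb"\x00\x01\x00\x00Standard (Jet|ACE) DB\x00")

# Extensions under which an embedded or misnamed Jet database is suspicious.
OFFICE_EXTENSIONS = {"doc", "dot", "pub", "xls", "ppt"}


def find_jet_signatures(data: bytes) -> list:
    """Return (offset, engine) for every Jet/ACE header found in the buffer."""
    return [(m.start(), m.group(1).decode("ascii")) for m in JET_SIGNATURE.finditer(data)]


def classify(filename: str, data: bytes) -> dict:
    """Describe what a file is versus what its extension claims.

    Verdicts:
      'clean'         no Jet database content at all
      'bare-jet'      the file itself is a Jet database under a database extension
      'misnamed-jet'  a Jet database wearing an Office extension
      'embedded-jet'  a container (e.g. an OLE2 document) with a Jet database inside it
    """
    hits = find_jet_signatures(data)
    is_ole2 = data.startswith(OLE2_MAGIC)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if not hits:
        verdict = "clean"
    elif hits[0][0] == 0:
        verdict = "misnamed-jet" if ext in OFFICE_EXTENSIONS else "bare-jet"
    else:
        verdict = "embedded-jet"
    return {"file": filename, "ole2": is_ole2, "jet_hits": hits, "verdict": verdict}


def build_samples() -> dict:
    """Constructed test files (not real malware): a benign .doc, a .doc with an
    embedded Jet header, a bare .mdb, and a .mdb renamed to .doc."""
    jet_header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 32
    benign_doc = OLE2_MAGIC + b"\x00" * 504 + b"WordDocument text body" + b"\x00" * 100
    embedded_doc = OLE2_MAGIC + b"\x00" * 504 + b"ObjectPool data " + jet_header + b"\x00" * 64
    return {
        "report.doc": benign_doc,
        "invoice.doc": embedded_doc,
        "db.mdb": jet_header,
        "notes.doc": jet_header,  # Jet file renamed to a Word extension
    }


def scan_samples() -> dict:
    """Run the classifier over the constructed samples; returns name -> verdict."""
    return {name: classify(name, data)["verdict"] for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} -> {verdict}")
```

Anything other than "clean" is worth quarantining for a closer look: a Jet header at offset zero under a .doc or .pub name is a renamed database, and a header anywhere else inside an OLE2 file means an Access object is riding along with the document the user was sent.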
Don Leatham, director of solutions and strategies at Lumension, told SCMagazineUS.com that embedding the .mdb file within a Word or Publisher file is one of the more "inventive" techniques he's seen by hackers.
"This has been used in some low profile stealth attacks," he said. "I was a bit surprised it was not addressed in April, since it was seen in the wild. Because it was stealthy enough, it wasn't generating enough waves and there wasn't much press for Microsoft to get it out in April."
Security researchers are seeing more and more of this sort of stealth attack, Leatham said.
"We've seen a change in hacker mentality from public prey to profit motive, and in the profit environment, hackers want to keep their exploits hidden and away from public view so they can use them over and over in targeted attacks," he explained.
"The net effect is there may be exploits out there we may not find out about because they're used in these type of targeted attacks," Leatham added.
"Microsoft's initial response to this vulnerability was that they wouldn't patch," Tyler Reguly, a security researcher from nCircle, told SCMagazineUS.com in an email message.
"So, the original researcher released the vulnerability (noting that Microsoft said they wouldn't release a fix). Now they have released a fix, but refused to acknowledge the original researcher. This response flies in the face of their constant messaging about responsible disclosure."
Also labeled as critical were vulnerabilities within Word (MS08-026) and Publisher (MS08-027) themselves. Both of these would allow an attacker to execute code remotely on the user's PC if the user opens a malicious Word or Publisher file.
In any case, the security researchers we talked with urged security professionals within organizations to apply the patches (MS08-026, MS08-027 and MS08-028) as quickly as possible.
MS08-028, in particular, is one that administrators should install quickly, Amol Sarwate, manager of the vulnerabilities lab at Qualys, told SCMagazineUS.com.
"Not only because attackers can run code on users' desktops, but also because Microsoft has acknowledged it has seen attacks using this vulnerability to compromise people's machines."
The remaining patch (MS08-029) caught the attention of several security researchers. This vulnerability affects the Microsoft Malware Protection Engine that is at the heart of many of Microsoft's anti-malware products, including Forefront, Windows Live OneCare, Windows Defender and Antigen for Exchange.
The vulnerability can be used to mount a denial of service (DoS) attack, triggered when the malware engine scans a specially crafted malicious file, Lumension's Leatham said. "This would cause the PC to crash then go through reboot loops," he explained.
Microsoft labeled this "moderate" because it does not involve remote code execution. But Shavlik's Miller said he considered this one "critical" because it can cause the malware protection engine to stop responding, leaving the system unprotected.
Leatham also pointed out that it would be difficult to spread the malicious file widely enough through a large organization to cause significant mischief.
"I could see where you could tie in a social engineering trick and get the malformed file into multiple computers," he said, though that was an unlikely scenario.
"It is surprising that Microsoft decided to patch the denial of service vulnerability because it leads only to an unresponsive host or disk exhaustion, but in either case the service will restart itself," nCircle's Reguly said.
"This denial of service is much less severe than others that have not been patched in the past. The only reason this one is being fixed is because it affects a security product."
See original article on scmagazineus.com
Microsoft fixes six flaws, three critical in its May Patch Tuesday
By Jim Carr on May 14, 2008 10:15AM