Microsoft managed to capture a commanding amount of headline space in security news this week, increasing the workloads of harried administrators and giving IT managers some food for thought about future security software purchases.
On Tuesday, Microsoft’s February patch release landed on users with a dozen updates, of which nine were marked “critical.” The fixes included updates for flaws in COM and OLE components that would have allowed remote code execution; patches to Internet Explorer, Windows Media Player, and MSN Messenger; a fix for a vulnerability in the Windows 2003 and Windows NT License Logging Service; a fix for a vulnerability in the ASP.NET service that could allow malicious users to bypass ASP security measures; and several others.
The update also included a tool designed to locate and eliminate malware, including Netsky and Zafi.
The patch dump was unusual in how many updates Microsoft released at once: the most since it started its monthly update routine, and four times as many as January’s release.
Microsoft MSN Messenger Exploit in the Wild
While users were busily downloading Microsoft’s lengthy list of updates, malicious users were busy targeting one of the flaws those updates addressed: the so-called “avatar hole,” a bug in the way Microsoft’s Media Player and MSN Messenger applications handle PNG graphics files, which opened users to remote attack and potential remote takeover of their computers.
One way an attacker could target a vulnerable system is with a specially crafted buddy icon, or “avatar,” in the PNG format. The attacker’s victim wouldn’t be required to download a file or open a link: they’d simply have to accept an incoming chat request from the malicious user to receive a copy of the avatar, which would induce a buffer overflow and open their system to compromise.
Though a fix for the flaw was included in the list of updates Microsoft provided on Tuesday, exploits for it began to appear on the Internet within hours of the updates landing, including some from security firms themselves. Core Security, which first identified the vulnerability, provided a sample of a malformed PNG file to demonstrate the bug.
In response to the possibility that vulnerable users would fail to update their software, Microsoft made updates to MSN Messenger mandatory, and took aim at Core Security and other firms that released proof-of-concept demonstrations of the vulnerability with an advisory that hinted at corporate pique over the eagerness the firms displayed:
“Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk. A common practice among responsible researchers is to wait a reasonable period of time before publishing such code,” read the statement, which went on to say “Microsoft is disappointed computer users were not given a reasonable opportunity to safeguard their computing environments.”
Microsoft Anti-Spyware Software Under Attack
Microsoft also had a second front in the war against malware authors open up when a trojan attacked its recently released AntiSpyware offering.
According to security firm Sophos, the “Bankash-A” worm is designed to steal online banking passwords from users, and it also disables warning messages from Microsoft’s AntiSpyware beta and deletes the software from its folder on the victim’s hard drive.
A statement from Sophos said of Bankash-A: “it may be the first of many such future attacks.”
A report at EnterpriseITPlanet notes that while attacking Microsoft’s specific offering is relatively new, “worms have surfaced that target a variety of antispyware and antivirus apps, usually the most popular in their respective categories.”
Microsoft Buys Sybari, McAfee Braces for Impact
Microsoft roiled the waters of the security industry on Tuesday when it announced its plans to acquire Sybari Software, which produces anti-virus, anti-spam and content filtering applications.
If Microsoft follows its pattern of acquiring companies and gradually integrating their offerings into its existing product line, the move could bode ill for a number of companies prospering in Microsoft’s absence from the security software arena. Some of the biggest potential losers include McAfee and Symantec, both of which sell Windows-based security products, including McAfee’s VirusScan, and Symantec’s popular Norton AntiVirus. Both firms saw their stock price drop in the wake of the news, evidently as a reaction to fears that a Microsoft-bundled anti-virus solution would dry up demand for after-market security add-ons.
For now, though, McAfee is taking a more defiant stance toward both its acquired competitor Sybari and Microsoft.
McAfee president Gene Hodges said “the product Microsoft bought is one that we are familiar with. It’s a product we compete against and beat on a regular basis.”