News

Microsoft Not Giving Thanks for Vulnerabilities

Microsoft finds itself continuing to fend off two security threats, both coming about during the Thanksgiving holiday.

• By Jabulani Leffall
• 11/26/2007

On Sunday night Symantec and the U.S. Computer Emergency Readiness Team (CERT) revealed that a vulnerability in Apple Inc.'s QuickTime program could allow hackers to ride streaming video right into a network or workstation. The exploit, Symantec confirmed, is in the wild and could seep into Windows XP or Vista OS via a specially crafted video link.

Then on Monday a hacker named Beau Butler told Australian media that Microsoft did not respond to e-mails regarding the existence of a five year-old security bug that exploits Internet Explorer via Web Proxy Autodiscovery (WPAD) programs -- and, by extension, affects all versions of Windows, including the Vista OS.

In both cases, the flaws were uncovered by researchers, who are described by security experts as "ethical" hackers, meaning the disclosure was an attempt to alert the public to danger, instead of releasing the exploit into cyberspace. Security experts warn, though, that for every ethical person there are scores who aren't.

In the case of the QuickTime bug, which affects versions 7.2 and 7.3, Microsoft can't patch or check the application for the bug because it's an Apple product. For its part, Symantec said there is no indication that Krystian Kloskowski, the Polish researcher credited with reporting the exploit on Friday, had contacted Apple before releasing the information.

"We don't know whether this guy released this over Thanksgiving intentionally or if it was just bad timing with most companies having skeleton staffs, but we don't think he has bad intentions," said Marc Fossi, a manager at Symantec Security Response. "What we do know is that people tend to get video files and say 'Hey, take a look at this funny video,' and are a lot more willing to open these files."

Users are for the most part protected by authentication configurations in IE versions 6 and 7 as well as Apple's Safari browser; but even those program-level settings aren't foolproof once someone clicks on a Web page or e-mail attachment and opens a file.

Network administrators should consider taking precautions such as blocking network ports at the firewall level, and even disabling Active X and plug-in controls.

Fossi said he would go even further, asserting that enterprises shouldn't even have QuickTime installed on individual workstations for purposes other than corporate training videos and similar files.

He added that IT managers in general and network admins in particular should be proactive in seeing to it that the application is in a controlled environment, if it's installed at all.

Literally a world away from the Apple issue, Beau Butler, a New Zealander, revealed at a Kiwicon hacker conference in Wellington that a hacker can use Web Proxy Autodiscovery files to intercept and manipulate all Internet traffic on a given network. Butler said 160,000 computers in New Zealand alone could be seized with just one attack. Media reports claimed that U.S. computers were not vulnerable to the attack.

That issue, covered extensively in the Australian press on Monday, is particularly embarrasing for Microsoft as it deals with a vulnerability that Redmond supposedly fixed in 2005. It had engineers in Australia and the U.S. working on the problem through the Thanksgiving holiday.

Butler's presentation showed that although a minor technical renovation for Windows WPAD handling was in fact implemented, it only addressed the ".com" domain name, and not other suffixes such as ".org," ".tv," and non-U.S. country tags -- in this case, "nz."

Microsoft said Monday it was responding to the problem.

"Now that we understand the issue we're researching comprehensive mitigations and workarounds to protect customers," Microsoft's general manager of product security, George Stathakopoulos, said in an e-mail statement.

Both the Apple issue and the Web Proxy Autodiscovery problem underscore how Microsoft's security snafus continue to undermine the prospects of enterprise adoptions for Vista and other programs. But the bright side, said Eric Schultze, is that such problems are mainly the result of browser-based, client-side programs and not inherent flaws in Microsoft programs.

"In this case, boredom is the enemy of all IT security administrators," said Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies. "These types of exploits aren't self-propagating and can only happen as fast as people infect themselves. Plus users will do anything on their box if administrators let them do it."