First Microsoft had to rush out a patch for a zero-day exploit that couldn’t wait until October’s monthly “patch Tuesday.” Then came word that the pesky author of FairUse4WM had once again bypassed Microsoft’s Digital Rights Management. That would be more than bad enough for most weeks, but it turns out that it was just the beginning:
Attackers have been exploiting a newly discovered bug in Microsoft’s Office presentation software in extremely targeted attacks, McAfee Inc. reported Wednesday.
Researchers were made aware of the attacks when a customer submitted two different malicious PowerPoint files, both of which exploited the same vulnerability, said Craig Schmugar, a virus researcher at McAfee. Both files installed malicious remote access Trojan software that then attempted to connect to an outside Web server, he said.
Microsoft issued a security advisory on the matter Wednesday, saying that the issue affects users of Microsoft Office 2000, Microsoft Office 2003, and Microsoft Office XP, as well as Microsoft PowerPoint 2004 for Mac. Microsoft’s advisory can be found here.
It has become a familiar pattern: A hacker posts exploit code to a security Web site; Microsoft follows soon after with a warning to customers.
The pattern was repeated again Thursday, only this time Microsoft’s warning that it is investigating “new public reports” of a critical bug in Windows comes more than two months after sample code showing how to take advantage of the flaw was posted to the Web. Microsoft’s advisory can be found here.
The flaw that Microsoft warned about is in an ActiveX control (called WebViewFolderIcon) used by Windows’ graphical user interface software. It was first disclosed on July 18 as part of a month-long project by hacker HD Moore to expose problems in browser software. Moore’s blog post on the flaw can be found here.
Moore called his project the “Month of Browser Bugs” and ended up disclosing a total of 22 Microsoft vulnerabilities during the period.
So far, Microsoft has patched only two of Moore’s flaws. In fact, Microsoft engineers haven’t even been able to investigate close to a third of the vulnerabilities, Moore said.
Microsoft has even more work ahead of it, according to Moore. In early August, he handed Microsoft another 70 bugs that he had not publicly disclosed.
Too bad exploits aren’t a cash crop.
On the other hand, patching them seems to be endless amusement – Microsoft Repatches Third August Patch:
The same day that Microsoft Corp. went out-of-cycle to issue a fix for a critical flaw in Internet Explorer, it also re-released a security update that had corrupted data on some users’ PCs. It was the third patch from August’s batch that has had to be re-issued.
Microsoft has recently had to re-issue patches regularly, occasionally multiple times, to fix newly introduced bugs or overlooked flaws.