The year 2006 started with a bang for security professionals as we scrambled to deploy patches for zero-day exploits.
Even as old security holes were closed by software vendors, more holes were discovered with exploits-to-go. They seem to be arriving at an ever-increasing rate.
WMF exploits still present after patch
Yes, here it is again, the ugly issue of exploits hidden within WMF files. Microsoft on Jan. 5 released MS06-001 to combat the first set of zero-day exploits that were discovered. But more problems showed up mere days after Microsoft released this out-of-cycle patch.
This issue is covered in great detail in Susan and Ryan’s columns in this newsletter, below. But I want to remind people of an additional point. These new exploits may “just cause Explorer to crash,” as Microsoft spokesmen have said. But this exploit, when combined with other patched or unpatched vulnerabilities in a Trojan or virus, could still pose a significant threat to computer security.
It’s amazing how soon people forget the first virus/worm that did that very thing: the infamous Nimda. With its multiple methods of propagation, using various vulnerabilities, it spread worldwide in a very short time. I remember having to shut down all Internet usage at the company where I worked just so we could figure out the best way to combat this threat. It’s already happened once, and it can happen again.
For more information, Trend Micro has descriptions of two Trojans that use this new vector in exploiting WMF files: TROJ_WMFCRASH.B and TROJ_WMFCRASH.C.
Symantec borrows page from Sony’s book
Symantec revealed this week that it has been using a rootkit-like method, similar to the Sony BMG rootkit, in Norton SystemWorks 2005 and 2006. This technique was used to hide a directory that protects items deleted from the Recycle Bin.
The “Norton Protected Recycle Bin” feature, which is built into recent versions of Norton SystemWorks, was designed to hide files from the Windows API, just as the Sony BMG rootkit did. A directory called “NProtect” could be used to recover deleted Recycle Bin files. This was supposed to prevent users from accidentally deleting those files while cleaning up their PC.