Microsoft on Tuesday released a security patch to fix a “critical” hole in its Internet Explorer Web browser.
Also on Tuesday, security researchers found yet another zero-day flaw in a Microsoft Office product.
The IE patch repairs a vulnerability in the software’s vector markup language (VML) component that could allow an attacker to take over control of a system without any user interaction.
Microsoft confirmed the zero-day exploit in IE last week and rushed to issue the out-of-cycle patch — MS06-055 — after it discovered a public attack leveraging the vulnerability. The software giant typically issues security patches at the beginning of each month on what is known as Patch Tuesday.
Now, McAfee is reporting a new exploit affecting Microsoft PowerPoint. Preliminary test results published Tuesday show Office 2000, Office XP and Office 2003 are affected. Like the other recent Microsoft Office zero-day discoveries, McAfee said it appears that this latest incident is a targeted attack.
First Things First
Microsoft has not yet indicated whether it will issue another out-of-cycle patch for the PowerPoint flaw, but analysts said it is unlikely with Patch Tuesday just around the corner. The new IE patch, however, marks the second time Microsoft has pre-empted its regular cycle because of a zero-day vulnerability with exploits in the wild.
“Out-of-cycle patches will become more commonplace in the future, due to the ever-growing backlog of unpatched vulnerabilities,” Chris Andrew, vice president of security technologies at PatchLink, told TechNewsWorld.
“While hackers are using automated tools to identify new vulnerabilities faster than ever before, software companies struggle to keep up with just the most critical known attack vectors,” he noted. “Breaking software is easy. However, fixing it properly takes time.”
The Rise of Zero-Day Exploits
Zero-day exploits are on the rise, according to the SANS Institute, and buffer overflows are becoming a common vulnerability these types of attacks rely on to open the door. Microsoft reported a buffer overflow was to blame for the just-patched IE flaw, for example.
Buffer overflows occur when more data is put into the holding area than the buffer can handle. The problem could either lead to a system crash or a backdoor for hacker access.
At this point customers who had already mitigated the zero-day threat using one of the published workarounds are in good shape, and the MS06-055 patch can be deployed with a normal best practice approach, Andrew said.
“IT organizations need to prepare for zero-day contingencies now, or risk the possibility of being taken out the next time around,” he warned. “If your processes and procedures still take weeks or months to deploy software updates — this is the wake up call you have been waiting for.”
July, the “Month of Browser Bugs” during which one new browser vulnerability was published each day by hacker HD Moore — provided a wake up call for many and roused overarching concerns about security patches.
“As the world’s largest software company, Microsoft is of course well prepared for any new type of attack — unfortunately other vendors’ applications are frequently much less agile in their response and development and testing cycle to publish a patch solution,” Andrew asserted.
Microsoft is getting another opportunity to prove its ability to respond quickly to new threats. McAfee is reporting an exploit affecting Microsoft PowerPoint.
This vulnerability comes at a particularly challenging time for Microsoft, according to Siobhan MacDermott, a spokesperson for McAfee.
“Not only has Microsoft just released an out-of-cycle patch for a recent VML Fill vulnerability, it is currently trying to convince consumers and businesses that it’s a credible provider of security software,” he said. “It’s like closing the stable door after the horse already bolted. Too little too late.”