As IT departments continue to grapple with malcode targeting Windows' Plug and Play flaw, vulnerability watchers are warning of fresh security holes in Internet Explorer and the widely used Adobe Acrobat and Reader programs.
Word of a new critical and unpatched vulnerability in Microsoft's browser came by way of an advisory from the French Security Incident Response Team (FrSIRT). The organization warned that exploit code is already available.
"This issue is due to a memory corruption error when instantiating the 'Msdds.dll' (Microsoft Design Tools Diagram Surface) object as an ActiveX control, which could be exploited by an attacker to take complete control of an affected system via a specially crafted Web page," the advisory said.
FrSIRT confirmed the flaw on a fully patched machine running Windows XP SP2, Internet Explorer 6 and Microsoft Office 2002. The advisory noted that the "Msdds.dll" library is installed with Microsoft Office and Visual Studio.
Microsoft offers workarounds
Microsoft said in an advisory that it is investigating the flaw. In the meantime, the software giant said users can protect their systems by:
- Setting Internet and local Intranet security zone settings to "high" to prompt before running ActiveX controls in these zones.
- Configuring Internet Explorer to prompt before running ActiveX controls, or to disable them outright, in the Internet and local Intranet security zones.
- Disabling the Msdds.dll COM object from running in Internet Explorer by setting the "kill bit" on its CLSID.
- Unregistering the Msdds.dll COM object.
- Modifying the access control list on Msdds.dll to be more restrictive.
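The third and fourth workarounds above can be scripted. The PowerShell below is an added example, not code from Microsoft's advisory or from the original article: it looks up every COM class that msdds.dll registers (so no CLSID has to be hard-coded), sets the Internet Explorer kill bit on each one, and optionally unregisters the library. It assumes an elevated session; the registry location and the 0x400 flag value are the kill-bit mechanism Microsoft documents in KB 240797, and the DLL name is the one FrSIRT names.

```powershell
# Added example (not from the article or the Microsoft advisory): apply the
# "kill bit" workaround for msdds.dll. Requires an elevated PowerShell session.
param(
    [string]$DllName = 'msdds.dll',   # library named in the FrSIRT advisory
    [switch]$Unregister               # also run regsvr32 /u (workaround 4)
)

# Kill-bit location per Microsoft KB 240797: a DWORD named "Compatibility Flags"
# under the control's CLSID, with bit 0x400 set, stops IE instantiating it.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400

function Find-ComClassesForDll {
    param([string]$Name)
    # Each HKCR\CLSID\{...}\InprocServer32 default value names the server DLL;
    # one DLL can expose several classes, so every matching CLSID is returned.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" `
                                    -Name '(default)' -ErrorAction SilentlyContinue
            $path = if ($srv) { $srv.'(default)' } else { $null }
            if ($path -and ([IO.Path]::GetFileName($path.Trim('"')) -ieq $Name)) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Path = $path.Trim('"') }
            }
        }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the bit in so any flags Microsoft already set for this CLSID survive.
    $flags = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

$classes = @(Find-ComClassesForDll -Name $DllName)
if ($classes.Count -eq 0) {
    Write-Host "$DllName is not registered on this machine; nothing to do."
    return
}
foreach ($c in $classes) {
    Set-ActiveXKillBit -Clsid $c.Clsid
    Write-Host "Kill bit set for $($c.Clsid) ($($c.Path))"
}
if ($Unregister) {
    # Unregister the library once; this removes all of its CLSID entries.
    & regsvr32.exe /u /s $classes[0].Path
}
```

The kill bit is preferable to unregistering when Office or Visual Studio still need the library for local use: it only stops Internet Explorer from instantiating the object, and a later patch from Microsoft can clear it. Re-run the lookup after patching to confirm the flag is still wanted.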
Fixes available for Adobe
Elsewhere, Adobe Systems Inc. urged users of its highly popular desktop applications Acrobat and Acrobat Reader to install a security update that fixes two critical flaws that could allow an attacker to remotely control a system.
Affected versions include Reader 5.1, 6.0 through 6.0.3 and 7.0 through 7.0.2 (Reader is used to view PDF files), and Acrobat 5.0 through 5.0.5, 6.0 through 6.0.3 and 7.0 through 7.0.2 (Acrobat creates the files). According to the company's advisory, a flaw in a core application plug-in could be exploited if a user is duped into opening a malicious PDF file.
"If a malicious file were opened it could trigger a buffer overflow as the file is being loaded into Adobe Acrobat and Adobe Reader," Adobe said on its Web site. "A buffer overflow can cause the application to crash and increase the risk of malicious code execution."
The vulnerabilities affect Windows, Mac OS, Linux and Solaris platforms. The United States Computer Emergency Readiness Team (US-CERT), which operates out of the Department of Homeland Security, found the security holes serious enough to issue its own advisory.
Plug and Play attacks lead to spam uptick
The chaos that ensued Tuesday night and Wednesday as multiple pieces of malcode attacked systems affected by the Windows 2000 Plug and Play flaw appeared to die down by Friday morning. But variants of worms and bots like Zotob, IRCbot, Tpbot, Esbot and Rbot continued to swarm cyberspace in search of vulnerable networks.
To help infected IT shops clean up the mess, a Microsoft spokesperson said a no-cost, software-based cleaner tool is available to remove Zotob and its variants.
Researchers from Alpharetta, Ga.-based security firm CipherTrust found that hackers were able to expand their botnets during the attack. In one case, an army of 2,000 zombie PCs grew to about 4,000 in a four-hour stretch. The firm said these expanded botnets have led to a 14% increase in spam traffic in the last 24 hours.
Dmitri Alperovitch, a research engineer at CipherTrust, said zombie machines have been key to the fast spread of the Plug and Play worms, and that the botnet growth he saw this week was unlike anything he had ever seen.
Who's to blame?
As IT shops pick up the pieces and security experts try to put the attacks in perspective, people are starting to play the blame game.
Lynnfield, Mass.-based antivirus firm Sophos conducted a Web poll of more than 1,000 business users and found that 35% of respondents blamed Microsoft for the attacks because of its flawed software code.
But another 45% said the virus writers deserve the most scorn, while 20% said their systems administrators didn't patch networks quickly enough.
"The majority of users believe that the virus writer has to take the ultimate blame for deliberately creating and unleashing this worm to wreak havoc on poorly protected businesses," Graham Cluley, Sophos' senior technology consultant, said in a statement. "But what is most surprising is that so many people blame Microsoft for having the software flaw in the first place. Users' anger is perhaps understandable as Microsoft's security problems and their consequences are felt by businesses the world over. Many respondents appear to be incredibly frustrated by the constant need to roll out emergency patches across their organizations."
Know your environment
The anger at Microsoft may be understandable, as Cluley said, but Boston-based IT consultant Wayne Pierce said IT departments share some responsibility for how this attack took off.
"From what I have seen and read there are still a lot of Windows 2000 systems out there," he said in an e-mail exchange. "It really doesn't surprise me that it took off. Most places won't patch that quickly and won't put in the effort to create defenses that mitigate the need for immediate patching, even though there are a lot of things that can be done to stop things like this from spreading. My favorite people are the ones that feel they are still beneath the radar."
He added, "You can't patch immediately without testing it. No developer is perfect and a broken patch can cause problems." He said companies have to do at least one of two things to keep up with the malcode writers:
1.) Shorten the patch cycle. "If a new critical patch comes out it needs to be tested and ready for deployment within 24 hours or you're probably not going to be protected when the next worm comes out," he said. "This requires a lot of coordination and may require a lot of coffee."
2.) Spend more time up-front learning your network and implementing better security. "A lot can be done to mitigate the attacks before they reach the vulnerable systems," he said. "This buys you time to test the patch."
This article originally appeared on SearchSecurity.com.