May 10, 2007 3:57 PM PDT
Cybercrooks add QuickTime, WinZip flaws to arsenal
The attacks involve malicious Web sites rigged with multiple exploits, Symantec said in a security alert. The sites appear to be that of a trusted financial institution, but instead attempt to silently install keystroke-logging software, according to Symantec. Links to the sites are likely advertised in spam, it said.
Symantec discovered the attacks when one of the PCs that it uses as bait was breached earlier this week.
"This compromise was especially interesting, because the site made use of a QuickTime vulnerability discovered in January 2007 and a WinZip vulnerability discovered in November 2006," Symantec said. "Before our analysis, it was not known that these issues were being exploited in the wild."
In addition to the QuickTime and WinZip flaws, the miscreants tried to breach the Symantec system via a pair of holes in Microsoft software, Symantec said. Fixes for all the vulnerabilities are available. Symantec's compromised machine was not patched, running Windows XP with Service Pack 1.
Online criminals typically use a variety of vulnerabilities in an attempt to break into a computer. There are even toolkits available to help attackers create malicious Web sites with a few mouse clicks.
"This discovery highlights both the importance of having a prompt patching schedule and the fact that attackers are keeping up with the times and constantly updating their attack strategies to help ensure ongoing success," Symantec said.