Cybercrooks add Windows flaw to arsenal

Attackers have added another, yet-to-be-patched Windows flaw to their arsenal, experts warned Saturday.

Cybercrooks have started exploiting a flaw in the Windows Shell only days after sample attack code for the vulnerability surfaced. Web sites that exploit the vulnerability are popping up and attempt to load malicious software onto vulnerable Windows PCs in a way that is undetectable to users, experts said.

"There are professionals at work using the exploit code," security firm Websense said in an alert. The miscreants taking advantage of the flaw appear to be part of the same group that in December used another Windows flaw to hoist spyware onto PCs, Websense said. That flaw stemmed from the way Windows handled Windows Metafile, or WMF images.

Microsoft warned of the Windows Shell flaw on Thursday. The flaw affects Windows 2000, Windows XP and Windows Server 2003, and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said. Windows Shell is the part of the operating system that presents the user interface.

"The fact that they are using the exploit code poses a significant risk" in particular, because these sophisticated attackers are known to attract users to their sites via search engines and e-mail spam campaigns, Websense said.

The CoolWebSearch gang has also adopted the new flaw as a way to compromise systems, said Roger Thompson, chief technology officer at security software maker Exploit Prevention Labs. "It's not the end of the world or anything but it's an interesting escalation," he said.

CoolWebSearch is notorious for installing spyware and other malicious programs onto people's PCs. The group lures people to their sites via links in other search engines as well as by persuading Web masters to adopt their search engine, promising a lot of site visitors.

The Windows Shell flaw was found almost two months ago, but sample attack code became available only recently. Microsoft plans to issue a fix for the problem on Oct. 10, its regularly scheduled patch day, it said in a security advisory on Thursday.

Windows users can protect themselves by following the guidance Microsoft gives in its advisory, switching to a non-Microsoft Web browser, or installing security software such as Exploit Prevention Labs' SocketShield.

Also, a group of security professionals, calling itself the Zeroday Emergency Response Team, or ZERT, is working on a third-party fix that should be available before Microsoft's official patch, Thompson said.

Meanwhile, there are several other security vulnerabilities in Microsoft products waiting to be fixed. Some of these flaws are already being used in cyberattacks, though not as widespread as the Windows Shell flaw or another Windows bug for which Microsoft rushed out a fix on Tuesday, according to security experts.

[georgiarat]

Windows Sigh

Still using Windows?

You get what you deserve.....

And how much money is being saved in your organization by
dealing with this issue? How much have you spent in the last
three years? Guess the cheaper hardware makes up for it.
NOT!!!

Of Course, it does provide a lot of employment for IT
professionals to repair and keep the Windows systems running.

[mjm01010101]

True, true

I'm a windows admin, and I can't stand it, but I also love it because of the extra cash it's brought me on the side.

I actually bill higher rates for repair for anyone using IE as their primary browser, and lower rates for users that run day to day as user-level accounts.

As for maintenance, we must dedicate one full server to WSUS, and I'd estimate One full workday a month is spend patching, verifying, testing security patches.

I doubt it would be much different on linux, but there sure would be far fewer reboots, which is the biggest annoyance currently with windows and whatever runs on top of windows.

[boyd087]

How much money saved?

How much money saved in my organization? Money isn't the issue here. Windows is the operating system that almost all applications and software, not to mention hardware, works on. Sure, there's a lot of alternative software made for other operating systems, but that's not what people want. They want the standard, and right now, the standard is windows and the applications that run on it. If you're keeping all of your windows systems patched and running something like enterprise Symantec Antivirus, plus have the proper permissions set on public machines, this isn't really a huge issue.

[imacpwr]

MS waits till Oct. 10 to issue fix..!!!!

WAIT..???? They are WAITING...?!?!

And this is the company that wants to be the sole provider of your
computer's security..!!!

Are Window user really that naive..???

[grandmasterdibbler]

Put you hand up if you're surprised!

Because you really shouldn't be.

[kamwmail-cnet1]

Simple Fix: make malicious hacking a DEATH PENALTY.

And one will be amazed at how fast this will stop after the first dozen execution or so.

It will also have the added benefit of remove the scum from the gene pool, preferrably before they spawned.

[lesfilip]

Simpler Fix: Don't be stupid.

Wouldn't it be a lot easier to use an operating system other than
Windows than to go around killing people? What other "crimes" will
warrant the death penalty once your plan is put into place?

Have a nice day!

[Mister C]

Yep!

Just look how well harsh penalties have worked with the drug problem!

Get a Clue.

[boyd087]

Prove it

Show me proof of companies that have saved money and resources by switching from Windows to Mac OSX. And yes, people DO want the standard software that runs on Windows. I work on a college campus. We have free CDs full of free software that we give to students (as well as a download site) and even though there is a free Open Source Office Suite on there and others we can suggest, they still spend the money on Micro$oft Office because they already know how to use it and it does everything they expect it to. People hate change and the last thing they want to do is learn how to use new technology. They want it all done for them. They want their machine to work with the devices they already have like printers, scanners, etc. Sorry, but networks are still easier to manage with Windows, even if some security is sacrificed. If that weren't the case, I'm sure almost every company in the US would be switching to open source right now. Do you think IT people everywhere are TRYING to take people's/companies' money or rip them off? That's ridiculous and you know it. Our IT department is given a budget just like most other departments and the better we utilize that money, the easier our jobs are and the happier people are and the better we look and the more job security we have. Guess what works for us right now? I'll give you a hint, it's NOT Linux or Mac OSX.

Don't get me wrong, Linux is a great OS. It's my OS of choice for running web servers, SQL, etc. I'm not as crazy about Mac OSX and I think its security is overrated, but just because these Operating Systems are better than Windows in some aspects doesn't mean that they have the answer for everything.

[lesfilip]

I'll prove it

I'll prove it by suggesting you ask anyone who has switched their
business over to Mac OSX. They almost never look back. Mac
OSX becomes their standard, and it is a very good one.

Students know Word because that is what Mommy and Daddy
have at home, and Mommy and Daddy are paying for their kid's
software. If you asked a teenager to shell out for the software
themselves, you bet they would learn to use something else.
Anyway, Word is available for the Mac in case you haven't heard.
I don't use linux myself but I'm sure anyone smart enough to use
it can probably figure out how to use OpenOffice.

People are scared of change, but guess what? Change
requires...CHANGE. When the pain of using Windows becomes
enough, people will look for other options. They are doing this
in droves right under your nose. Apple laptops are selling like
crazy.

Most common peripherals work perfectly fine with a Mac. If you
believe otherwise, you don't know what you are talking about. I
am not saying there is 100% compatibility, but I have rarely had
trouble installing peripherals on my Mac, including many that
did not even mention they were Mac compatible on the box.

Networks are not easier to manage on a PC. Networking with
Macs is simple, and you can do it without ANY security being
sacrificed. Mac security is not overrated. All you have to do is
look at the CERT website to see what operating systems are
under real, daily, unpatched threats. Need I mention that OSX
still has no viruses?

PC IT departments protect themselves. Who is going to tell their
own boss to switch to Macs when it would mean they will lose
their job because they are no longer needed? The total cost of
ownership of Macs is less than for PCs. End of story.

Operating systems are a personal choice, not a religion or a
political party. Use what works best for you, but do not spread
unwarranted fear, uncertainty, and doubt when you do not have
the facts on your side.

Have a nice day!

[jggpc]

Prove it

I know several companies that have made the switch as well as several government agencies in Europe, Asia, and South America. Prove what?, how's bout you prove it is a better decision to stick with M$ products? More compatibility issues from upgrade to upgrade, User information mining, and ALL the virus'. Tell me again how it is better to stay MS.

reading the replies and posts there seems to be some sort of idea the business and for that matter the general IT personnel out there wouldn't sell a bum deal, that they truly feel that MS is a better product.. LOL... Most of the business IT and the general IT out there are only trying to secure their jobs. Attempting to show that the $5000 they spent on those stupid tests after high school made them superior... what a rip! yeah, I am an IT professional, not a tech, a professional and that means something. I do not have to lie or mislead to keep my job secure, I am well trained, am degreed and have been doing the IT gig for well over 15 years. My corporation, 19 billion dollar liquid worth btw, listened to me in regards to using open source software, and currently we are evaulating replacing some 5000 to 7000 of our Windows desktops to Suse or RedHat.
The MS Kool-aid drinkers want to make everyone feel MS is the only game, how can OSS be secure. It is always the one with the most to lose that will re-direct direct questions and close inspection. 'You have a flaw you haven;t fixed in 6 months.. Yeah, well, umm... Linux has this gnome thingy, it;s evil I tell you, look at that foot!'.. get over yourselves Microsoft shills, and sheep your time is ending, move otuta the way so a real OS can finally take the helm...

[slim-1]

I closed the Windows Support portion of my business

I could no longer pretend to my clients that I wasn't wasting time on Windows.

Working Windows admins have a major conflict of interest and need to come clean.

Any of my clients that still use me have or will be converting to Linux.

I am recommending that users requiring advanced macros get Crossoffice to be able to continue to run MS Office. Otherwise I install Ubuntu with OpenOffice & Evolution.

This change in my business has cut my yearly income by at least 50% but I feel a lot better now. My high blood pressure is also doing much better.

So for your spirit and your health please join me as a former Windows support addict. You feel good about yourself.

Don't hide behind a "realistic" approach just because "it is what everyone wants". When you tell them you are moving from a Windows based business to a Linux, Mac or BSD busines they will be so surprised that I know you will hear "Oh, will that work for me".

[iwarp62]

The Answer!

And what does microsoft recomend??

"switching to a non-Microsoft Web browser"

AMEN

[wbenton]

%&$#`* Microsoft

The Windows Shell flaw was found almost two months ago.

Exploit Code is OUT for a few days already.

Today is Oct 3rd, 2006.

BUT

Microsoft still wants to wait until Oct 10, 2006?

We're way past when will Microsoft ever learn as this clearly shows that they WILL NEVER LEARN!!!

Walt

[Seaspray0]

Looking for blacklists

I'd like to find a good blacklist of all these websites that repeatedly attempt to exploit holes to install their garbage on computers. Perhaps Cnet will be willing to do a story on this, since they seem to mention these "miscreants" often.

[Penguinisto]

I wish you luck on that one.

This is a serious reply from a guy who has to admin email and HTTP usage, among other things...

A blacklist isn't going to work. If a single hosting service server is compromised, suddenly 100's of new domains are open to become exploiters.

Also, new domains pop up all the time.

There's no sane way to keep such a list current, even through third parties - it's hard enough to do when it comes to email blacklisting/greylisting, and at least in SMTP you have tell-tale signs that you can cue into. You get no such luck in HTTP at all.

There is also the nasty side effect of accidental/unintentional blacklisting, which is also a bad enough problem in e-mail... if a site you actually need to reach gets compromised (it can and does happen), or the blacklister accidentally included it, that inclusion will suddenly have adverse effects on your business.

Your best bet to avoid this little nightmare (seriously) is to simply banish MSIE usage within your organization wherever possible. Restrict it to windowsupdate.microsoft.com only, if you can. Replace MSIE usage with Firefox, Opera... basically something else.

/P