July 12, 2005 2:30 PM PDT

PCs falling victim to Windows flaws

Hackers are actively exploiting two serious security vulnerabilities in Windows, Microsoft warned on Tuesday as it released "critical" alerts about the flaws.

One of the problems affects the Microsoft Color Management Module, a component of Windows that handles colors. The other relates to the JView Profiler, part of Microsoft's Java Virtual Machine. The vulnerabilities could be used to commandeer a PC, Microsoft said.

"Attackers are already using the JView Profiler flaw to download and install Trojan horses on victims' machines," said Dan Hubbard, senior director at Websense Security Labs. The Trojan horses would let the miscreants remotely control the hijacked PCs and make it part of a network of such computers known as a botnet, an increasing cyberthreat.

The Windows vulnerabilities are described in two bulletins issued as part of Microsoft's monthly patch cycle. A third alert deals with a bug affecting Word 2000 and Word 2002. The Word flaw could allow an attacker to take control of a vulnerable PC, the software maker said.

All three bulletins get Microsoft's highest security rating, but only the Windows flaws are actively being used to attack users, Microsoft said. The company is encouraging all customers to apply its updates. Security software vendor Symantec said in a statement that the JView Profiler and Color Managament Module issued that affect Windows are "the most serious" of Microsoft's three new security bulletins.

Modes of attack
An intruder could take advantage of the JView Profiler flaw by crafting a malicious Web page and persuading a user to visit the site, Microsoft said. The vulnerability has been publicly known since late last month, and Microsoft last week offered a fix for the problem, but did not send it out via its automatic patching services. The patch will now go out on Automatic Updates and on other services from Microsoft.

As for the Color Management Module vulnerability, people could fall victim to an attack by viewing a malicious image, said Stephen Toulouse, a security program manager at Microsoft.

"You could visit a Web page, and if you have not applied the update, malicious code could execute," Toulouse said. "You could click on a maliciously formed image attached to an e-mail, or you could just preview an image in an e-mail."

Because attackers have more than one way of enticing potential victims, Microsoft deemed the Color Management flaw critical, he noted.

Although the vulnerability was privately reported, Microsoft said, it is already being used in attempts to attack users.

"We have not seen a public posting detailing how to exploit the vulnerability," Toulouse said. "However we have been made aware that there are people attempting to exploit it."

Neel Mehta, a team lead at Internet Security Systems, said he expects a public exploit for the image problem within the week. "It is being analyzed by the underground. Exploitation of this issue will likely be widespread when a public exploit appears," he said.

The JView Profiler and the Color Management flaw affect all current Windows and Windows Server operating systems, including Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1, the most recent versions that Microsoft has promoted as its most secure releases ever.

14 comments

Join the conversation!
Add your comment
Nothing new?
Wasn't MS forced to dump it's version of Java? He was sued by SUN if I remember right.
Posted by (92 comments )
Reply Link Flag
Hmm
I see no reason to download a over 90MB JAVA Installer just to browse VERY FEW JAVA-enabled sites :)
Posted by 201293546946733175101343322673 (722 comments )
Link Flag
microsoft infected
looks like billy and the boys caught another bad case of FOOT IN MOUTH disease!!!
Posted by Luke_Cage (33 comments )
Reply Link Flag
I see
SO what about Stevie gets choked by an apple? :)
Posted by 201293546946733175101343322673 (722 comments )
Link Flag
THEY INDEED INFECTED
The issue of invading microsoft is as a result of technology and that implies that as the technology improves so likewise the hackers.

Microsoft have to understand that the hackers are across the continent and hence would make it difficult to contend unless they recruit young talented ones and train them on redesigning and hacking stopped or else be invaded.
Posted by (6 comments )
Link Flag
The criminals (and they are criminals) are
just doing what comes naturally.

They are exploiting whatever weaknesses exist to 'game' the system to their advantage. (It doesn't matter what kind of advantage or for what purpose.)

They are constantly probing, because probing is perceived as 'safe,' and then they exploit any crack that affords them a toe-hold.

They will do so until they CAN'T hide behind any form of anonimity.

That is just human nature. We all do things behind masks that we would never attempt face to face (unless we're sociopaths. Then you can expect a shot to, or in, the face.)

The internet needs to run from source to destination without the possibility of people hiding behind any form of anonimity of subtrefuge.

Until that happens, and prosecutions follow, there will be hacks.
Posted by CharlesRovira (97 comments )
Reply Link Flag
Restructing is the best option
The best way to stop hacking is the restructing programe that microsoft would implement across the continent since information networks are across the continent that would to combat them or else would soon take control and each business user would have to pay higher before he can granted acess.
Developing programs that are rigid and not user friendly would call for it and also ensuring database integrity by the members of this group.
Posted by (6 comments )
Link Flag
With all the patches,
I think windows should throw everything out, & start from scrach. Maybe they would come out better(?)
Posted by Earl (60 comments )
Reply Link Flag
Been saying that for years
Apple did with OSX and got a rock solid, top notch OS. Apple had the courage to take the chance and maybe **** a few user off that had to buy new versions of their software. M$ is very affaid of losing even one penny and therefor build upon old code to preserve legacy with older stuff. As a result we get a crap product that suffers from endless patches and updates.
Posted by Gerald Quaglia (72 comments )
Link Flag
THIS RAMPAGE CAN BE STOPPED
The issue of invading the microsoft windows color module and the JV viewer profile can be stopped and i still believe that the invasion is been allowed by microsoft because there are some many ways microsoft can use to lock up the hackers from the network but they may assume the effects on the users which is not true.
Furthermore, database interity should be continually checked by the members of the microsoft group though i am growing computer scientist who have innovation and creativity as my formost concern and i still believe that there are still more and when these ones are recruited by the hackers who implements, they would be infact be superflous wanting to be like the microsoft themselves.The issue now is as a result of improving technology, microsoft should set programmes across the continent that would train young scientist on implementation and designing hence breeding young ones with integrity so as limit hackers.
The issue of hacking started as a result of money monging which may be termed greed but i don't think becos they are just trying to make thier living thru it and if microsoft doesn't wake up on time they might be hitten unawares because these hackers are all across the continent and cannot be easily traced as the americans think they would.

Finally , as technology is improving so also the hackers .
Posted by (6 comments )
Reply Link Flag
ALPHA Flaw
Microsoft, in all its greatness, should take a step back and put some real thought and ingenuity into the release of Windows 2010 instead of turning out the same old flawed systems year after year (Windows 98, 98SE, 2000, ME, XP). The fact that their newest version has a nice blue menu bar does very little to reasure users when it eventually matches the nice blue screen of death.

I think a five year hiatus from yearly releases of flaws and the neverending patches and security updates, not to mention the patches for the flawed patches (ie: Windows 2000 - security update), might just create an OS which people will say is almost 'stable' and worthy of my hard earned money.

Granted, there are always going to be hackers around to breach any security or operating system. But if you are going to produce something which is used by the masses and profit handsomely from it, then atleast make it a challenge to hackers and not a challenge for users.

Perhaps one day people will be able to say the following phrase without breaking out into fits of laughter:

'Windows is a secure OS'

Bwahahahahaha !!!!

See it just isn't possible, right now.
Posted by (9 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.