It points to a recent trend in how Windows vulnerabilities are being discovered, reported and fixed. The number of vulnerabilities that are being publicly disclosed and exploited before they can be patched is increasing.

The company has issued three patches for four vulnerabilities in Windows, on its regular monthly patch cycle. Three are critical, and some have been known about and actively exploited by the bad guys for at least three months.

Of the four vulnerabilities, the discovery of only one was credited to a researcher who practices responsible disclosure, that is, telling Microsoft about the bug and keeping crucial details secret until a patch has been created.

Patch MS05-001 fixes a vulnerability in the HTML Help ActiveX control that enables remote code execution. Hackers have known about it and have been using it since October, when details and exploit code were published.

Patch MS05-002 fixes a bug in how versions of Windows handle cursor and icon files. It enables a cracker to execute code of his choice on vulnerable machines via a web page, and exploit code has been available for more than two weeks.

Both of those patches are rated critical, meaning Microsoft believes the vulnerabilities could be exploited by a worm. A third patch, MS05-003, fixes a vulnerability rated important, which enables remote compromise but not easy replication.

For most of last year, it was more common for Microsoft to patch a vulnerability that had been reported to it privately by a security researcher or vendor and was not widely known.

The people who find these vulnerabilities are different from those who traditionally found them, said Mike Murray, director of exposure and vulnerability research for nCircle Network Security Inc, a vulnerability management firm.

He said that in the past more vulnerability research happened on the server side, but a different breed of hacker is instead searching for ways to break into end-user PCs.

A lot of the client-side stuff is coming from the black-hats, he said. These are people who are really after the compromise, rather than the interesting hack. A lot of people doing this are spammers. A lot of it is coming out of eastern European organized crime.

The urge to hack Windows clients is being driven by the trade in botnets, networks of compromised residential PCs on broadband connections. These botnets are used to send spam or phishing attacks, or to conduct denial-of-service attacks.

It’s a black-market business, and money is the objective. Murray said he has personal knowledge of phishing scams that have been traced to botnets that have in turn been traced to crime gangs in Europe.

With money at stake, one has to assume that for every vulnerability disclosed in an irresponsible way, there are others that have been discovered and are not disclosed at all.

Microsoft has staked its business on securing Windows and Internet Explorer. Windows XP Service Pack 2, released last year, was almost entirely designed to help IE users surf more securely.

Security problems, particularly the existence of IE exploits for which patches are not available, are believed to be a key reason why the Firefox browser is gaining the kind of market share that non-IE browsers have not seen for years.

The company says that its often-criticized patch response time is dictated by the need to develop and test a quality patch that will not cause more problems than it solves.

Details of the January batch of patches can be found at www.microsoft.com/security. They can be downloaded through Windows Update in IE or Automatic Updates in Windows, or through Microsoft’s enterprise update server.