First Fallout from Code Leak Hits the Web

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.eweek.com/article2/0,4149,1528043,00.asp 

By David Morgenstern 
February 16, 2004 

A security company on Monday alerted clients of a new vulnerability to 
Internet Explorer 5, one attributed to the recent leak of Microsoft 
Corp. Windows source code. The quick attack appears to contradict some 
optimistic expectations that the recent leak of Windows 2000 and NT 
code would not pose a significant opportunity for hackers. 

According to a message posted by SecurityGlobal.net LLC's Security 
Tracker Web site, a vulnerability was reported in Microsoft Internet 
Explorer Version 5 that lets a "remote user execute arbitrary code on 
the target system." 

A hacked bitmap file can trigger an integer overflow and execute 
arbitrary code, the security bulletin said. 

The author of the warning said that this flaw was uncovered by 
reviewing the recently leaked Windows source code. 

"I downloaded the Microsoft source code. Easy enough. It's a lot 
bigger than Linux, but there were a lot of people mirroring it and so 
it didn't take long," observed the anonymous programmer in his 
warning. 

The code is a portion of source from Windows NT 4.0 and Windows 2000 
that made its way onto the Internet Thursday. 

"IE6 is not vulnerable, so I guess I'll get back to work. My Warhol 
worm will have to wait a bit..." wrote the author of the warning. 

No patch was available for download from Microsoft's Security Web site 
and the company was not available for comment. 

Several analysts had predicted no immediate threat from the source 
code leak, since the amount of code presented on the Internet was 
limited. 

However, in comments offered on Friday, Ken Dunham, malicious-code 
manager at iDefense Inc., based in Reston, Va., said that 
vulnerabilities in the older Windows would likely be much easier to 
discover and exploit now after the leak of the source code. 

"There are a lot of implications to this. The situation just got a lot 
worse, in terms of vulnerabilities," he said in an interview with an 
eWEEK reporter. "I imagine we'll be seeing a lot more this year 
because of this. There's certainly enough in [the leaked code] to play 
with." 

This warning follows a string of recent vulnerabilities concerning 
Internet Explorer. Earlier this month Microsoft released a cumulative 
patch covering a dangerous Internet Explorer vulnerability that let 
attackers trick customers into visiting malicious sites. 



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.