Wednesday, June 20, 2007

Exploit code for two of Tuesday's patches has been posted to mailing lists by researchers.

Exploits appeared within hours for two of the bugs that Microsoft Corp. fixed Tuesday.
Microsoft's June set of security updates patched 15 separate vulnerabilities, nine of them labeled "critical," the company's most serious threat rating. Exploit code for two of the bugs -- one in Internet Explorer (IE), the other in Windows XP, Windows 2000 and Windows Server 2003 -- has been posted to the Bugtraq and Full-disclosure mailing lists by researchers.
A. Micalizzi went public with a pair of exploits -- one successful against Windows 2000, the other against Windows XP -- that leverage one of the six IE bugs patched Tuesday. A bug -- actually two because both the ActiveListen and ActiveVoice ActiveX controls are flawed -- was tagged "critical" in IE6 on Windows 2000 and Windows XP SP2, and "critical" in IE7 on both XP SP2 and Windows Vista. ActiveListen and ActiveVoice provide speech processing and text-to-speech to the browser.
Microsoft's MS07-033 security update fixed the flaw.
The exploits, co-authored by Micalizzi and Will Dorman, a vulnerability researcher at the Carnegie Mellon Software Engineering Institute's CERT Coordination Center, produce buffer overflows on IE6 and would let attackers run additional malicious code. In other words, a malicious hacker can hijack a PC. "Under XP, with predefined settings, Internet Explorer immediately crashes without warning the user, and it's still possible [to run] arbitrary code," said Micalizzi in the Bugtraq writeup accompanying one of the two exploits.
On Wednesday, another researcher posted proof-of-concept exploit code on Full Disclosure for the critical SChannel (Security Channel) vulnerability patched in MS07-031. Thomas Lim, CEO of Singapore-based COSEINC, said his exploit "may lead to an unrecoverable heap corruption condition, causing the application to terminate," or in some cases, repeatedly crash an application to cause a system reboot. His exploit wasn't able to inject remote code, however.
That limitation jibes with what security professionals said Tuesday about the SChannel bug. Although Microsoft ranked it as "critical," which usually means that the bug allows for remote code execution, David Dewey, research manager at IBM's Internet Security Systems X-Force team, downplayed the threat. "It's not exploitable," said Dewey, although he acknowledged it would be relatively easy to crash an application. "A working remote code exploit would take a new discovery in how exploits are made," he argued.
As proof-of-concept exploits popped up, Symantec Corp. predicted that attackers would quickly incorporate them into their kits. "Expect to see exploits for this added to the currently available browser attack tool kits in the near future," Symantec said of the SChannel flaw.
Symantec currently has its ThreatCon security status indicator set at "Level 2: Elevated," which is normal for the day after Microsoft posts patches.

Google may find it hard to prove that Vista's desktop search violates Microsoft's antitrust agreement.

Google Inc.'s claims that Microsoft Corp.'s built-in Vista desktop indexing and search tool violates its antitrust agreement could be difficult to prove even if the software does slow down the performance of Google's competitive Google Desktop offering.
As long as a user can run alternative software to Microsoft's Instant Search software, it's unlikely that U.S. federal antitrust officials would consider coming down on the software giant, analysts and users said.
Google's claims are far different than the ones posed by Netscape during the browser wars that led to the Department of Justice's antitrust suit in the 1990s, said Rob Helm, research director at Directions on Microsoft in Kirkland, Washington. "Microsoft beat Netscape in part by leveraging its relationship with PC manufacturers," he said. "This is a lot subtler."
Google seems to be alleging that "if two pieces of software don't play together, then it must be an anticompetitive tactic of Microsoft's," Helm said. "I don't recall any past antitrust cases asserting something so broad," he said.
The presence of Microsoft's Vista desktop search could be slowing down Google's product merely as an accident of product design, not because of any malicious intent by Microsoft, Helm said.
"Even if Microsoft's software was perfectly written, the way Google interacts with it might be bad, and either company might be at fault," he said. "They could have both done the right things in different ways that might conflict with each other."
According to a report in the Wall Street Journal Monday, Google sent a white paper to U.S. federal and state antitrust officials in April to try to convince them that Vista makes it difficult for consumers to use rival desktop search software.
In its white paper, Google claims that Vista's search boxes and bars -- available in several places in the OS, including the Start menu and in the Windows Explorer file manager -- work only with Microsoft's search and indexing tool. The company also said it is nearly impossible to turn off Vista's indexing, which means a competitor must add a second indexer that slows down a PC.
Google spokesman Ricardo Reyes confirmed the company's charge against Microsoft Monday.
Microsoft is disputing Google's charges and said that it has worked closely with federal officials to ensure its Vista OS, released to consumers in January, fosters rather than inhibits competition in the area of desktop search.
Users can disable Vista's desktop search service, but the company has not made it simple for them to do so, acknowledged Jack Evans, a Microsoft spokesman. He said this is because the company designed Vista's desktop search specifically "to not affect performance and back off any other programs running" -- including any third-party desktop search software -- in a way that should resolve any claims of anticompetitive behavior.
Andrew Brust, chief, new technology of consulting firm Twentysix New York, said he used Google's desktop search when it first came out, but switched to Microsoft's product when it became available for Windows XP because he preferred it.
"Microsoft chose to integrate into Windows whereas Google decided to be browser-based," he said. "Plus, at least back then, Google installed their own local Web server as part of the product and I really didn't like all that baggage. Microsoft's was just more useful."
Brust, who has used Vista in beta form, said integrating desktop search into Vista is "common sense" and suggested that Google's complaints might be sour grapes over Microsoft's own antitrust charges against the search vendor when it unveiled plans to purchase online advertising and marketing powerhouse DoubleClick Inc.
Samir Bhavnani, research director for analyst firm Current Analysis West, said that Microsoft's integration of desktop search into Vista was a response to Apple Inc.'s inclusion of desktop search in its Mac OS, not a move against Google. He said it wouldn't be fair for Google to accuse Microsoft of being anticompetitive without leveling the same charge at Apple.
However, Helm contradicted this reasoning and said that Apple was not found in a U.S. court to have a monopoly on PC OSes, while Microsoft was in the DoJ case. "I don't have the impression that Google is worried about Apple," he said.

Written by: Elizabeth Montalbano, IDG News Service
Monday, June 11, 2007 4:00 PM PDT