McAfee Warns of Zero-Day Rash in Wake of Patch Tuesday

Even if today's most prominent malicious software writers aren't particularly clever - waiting until security engineers discover another Windows problem then going after it with a "zero-day exploit" - engineers at McAfee's Avert Labs believe they may actually be learning about how to use timing to maximize their impact on the public.

The team is saying they believe malicious writers now tend to release their code on Microsoft's regular Patch Tuesday, in order to maximize its window of opportunity to exploit systems before the next month's Patch Tuesday rolls around.

The team made its claim in a blog posting last night. There, they said they're investigating a number of denial-of-service packages based around Microsoft Office that appear to have been released yesterday, on the same day Microsoft released patches for five other severe problems. What hasn't been divulged thus far is how many exploits are in the wild; engineers may be holding onto this information for the time being.

But the "inspiration" for these exploits appears to have been a posting on a grey-hat security site on Monday by an agent of a firm called Offensive Security, apparently presenting four proof-of-concept documents showing how document files - not software - can pose significant nuisances to Word 2007 users.

Two of these documents show how Word 2007 can trigger a "CPU exhaustion," during which the processor utilizes all of its time doing what appears to be nothing. Offensive Security's resources, the firm claims, are hosted by Secunia.

Some symptoms attributable to one of these exploits were exhibited by one of BetaNews' own systems late Tuesday, though our research has yet to absolutely confirm that a zero-day based on Monday's proof-of-concept was the culprit. What's particularly curious about our situation is that on our system, Word 2007 is hosted in a virtual machine, though the CPU exhaustion appears to be triggered in the host system, where Office 2007 is not installed.

The denial of service that Avert Labs describes affects the client system, not the server. However, there's no guarantee that a malicious package wouldn't use the CPU exhaustion trick as a smokescreen to cover up another malicious act. Our system appears to have been impacted by a "one-two punch," where the CPU exhaustion trick was #1.

Number two is something we've never seen happen before nor did we know was possible -- specifically, to Internet Explorer 7 -- though we'd prefer to try to recreate the circumstances before we report with certainty that our system was affected by one of the exploits Avert Labs may be researching.

The third discovery in the proof-of-concept package appears to be an exacerbation of a problem Microsoft acknowledged three weeks ago, where an old multi-level list written in Word for Windows 6.0 (a very old version), then imported directly into Word 2007, can cause a critical library (WWLIB.DLL) to crash, taking Word 2007 with it.

And the fourth item also has a very familiar ring to it: An intentionally contorted Windows Help file can trigger a heap overflow vulnerability by attempting to copy more user-supplied data into memory than the Help application typically allocates. A help file creation system can't generate such a file by accident or even design, though one can apparently be mangled out of shape using a general text editor.
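The copy-more-than-was-allocated pattern described above is what a heap overflow in a file parser looks like in general. The following is an added illustration, not code from the article, from Offensive Security, or from the Windows Help application, and it does not reproduce the Help file format: it parses a made-up record type (a two-byte little-endian declared length followed by payload) into a fixed 64-byte heap allocation, shows the unchecked copy for contrast, and then the hardened version that validates the declared length against both the bytes actually present and the allocation size before copying. The record layout, buffer size, function names and sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format (not the Help file format): a 2-byte
 * little-endian declared length followed by that many payload bytes.
 * The parser copies the payload into a fixed 64-byte heap allocation. */
#define RECORD_BUF 64

struct record {
    uint8_t *buf;   /* heap allocation of RECORD_BUF bytes */
    size_t   len;   /* payload bytes actually stored */
};

/* The pattern the article describes: trust the declared length and copy it
 * into a fixed-size allocation. If declared > RECORD_BUF, memcpy writes past
 * the end of the allocation (heap overflow). Shown for contrast only; the
 * checks below never call it. */
int parse_record_unchecked(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 2) return -1;
    size_t declared = in[0] | ((size_t)in[1] << 8);
    out->buf = malloc(RECORD_BUF);
    if (!out->buf) return -1;
    memcpy(out->buf, in + 2, declared);   /* no bound check against RECORD_BUF */
    out->len = declared;
    return 0;
}

/* Hardened form: validate the declared length against the bytes actually
 * present in the input and against the allocation size before copying. */
int parse_record_checked(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 2) return -1;
    size_t declared = in[0] | ((size_t)in[1] << 8);
    if (declared > in_len - 2) return -2;   /* truncated: fewer bytes than declared */
    if (declared > RECORD_BUF) return -3;   /* would overflow the allocation */
    out->buf = malloc(RECORD_BUF);
    if (!out->buf) return -1;
    memcpy(out->buf, in + 2, declared);
    out->len = declared;
    return 0;
}

void record_free(struct record *r)
{
    free(r->buf);
    r->buf = NULL;
    r->len = 0;
}

/* Constructed inputs for a self-check; none of these are real files. */
int demo_wellformed(void)
{
    uint8_t in[2 + 5] = { 5, 0, 'h', 'e', 'l', 'l', 'o' };
    struct record r;
    int rc = parse_record_checked(in, sizeof in, &r);
    if (rc == 0) record_free(&r);
    return rc;   /* 0: accepted */
}

int demo_oversized(void)
{
    /* Declares 4096 bytes and really carries 4096 bytes: the unchecked parser
     * would write all of them into a 64-byte allocation. */
    static uint8_t in[2 + 4096];
    in[0] = 0x00; in[1] = 0x10;
    memset(in + 2, 'A', 4096);
    struct record r;
    return parse_record_checked(in, sizeof in, &r);   /* -3: rejected */
}

int demo_truncated(void)
{
    uint8_t in[2 + 3] = { 10, 0, 'a', 'b', 'c' };   /* declares 10, carries 3 */
    struct record r;
    return parse_record_checked(in, sizeof in, &r);   /* -2: rejected */
}

int main(void)
{
    printf("well-formed: %d\noversized: %d\ntruncated: %d\n",
           demo_wellformed(), demo_oversized(), demo_truncated());
    return 0;
}
```

The two checks in `parse_record_checked` guard different failures: the first stops an out-of-bounds read of the input when a file is shorter than it claims, the second stops the out-of-bounds write into the heap allocation that the article's "more user-supplied data than the application allocates" describes. Both must compare the attacker-controlled length against sizes the program itself knows, never against other fields from the same file.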

Microsoft discovered the existence of this mangled Help file problem back in 1999, and the latest patch for it was issued in March 2003. So once again, this isn't exactly a "zero-day" flaw conceptually speaking, although the fact that the patch may not have completely solved the problem is indeed new. Microsoft has moved away from using Help files for its own applications, opting for embedded Web pages instead, though it continues to distribute the Help application with Windows for compatibility purposes.

The Offensive Security fellow claimed on Monday he discovered all four discrepancies himself through the use of something called a "7 line python fuzzer," which may either be a very small utility written in Python or a rejected techno-babble do-jigger from a sci-fi sequel.


© 1998-2024 BetaNews, Inc. All Rights Reserved.