Monday, April 2, 2007

Exploit, Vector, Scope

Robert's guys in the Virus Lab have had a busy weekend. The team has been working on patching a flaw currently being exploited in user32.dll - a file stored within the Windows System32 folder that is used to render animated cursors.

This flaw has been called many things by many vendors, but is currently best known as the "ANI exploit", or "animated cursor exploit".

The basic issue behind the exploit has been well described by folks in the media, including several security experts, but in a nutshell: hackers have figured out a new way to run malicious code through a Windows file commonly used to render cursors, and are using the user32.dll library in the System32 folder as their engine of choice.

From the standpoint of propagation, the threat is pretty nasty: you can catch this virus simply by peering at an infected web page, or staring at the preview pane of your pre-2007 version of Outlook. It appears to infect IE and Firefox similarly.

The exploit is so nasty that Microsoft did something out of the ordinary: they brought Patch Tuesday forward by one week and a day in order to provide a fix. That is kind of strange, since they have known about the flaw since December, which is when Determina says it first made Microsoft aware of it.

Anyway, back to Robert's post. He makes the point that the media often equate an exploit with a virus, or ignore exploits until they show signs of propagating. The reason is obvious: media stories are not interesting until they involve risk. And when it comes to electronic threats, risk only becomes newsworthy when three attributes are present:

1. exploit
2. propagation vector
3. scope of damage

Back in December, all Microsoft knew was that an exploit was possible. It wasn't until weeks later, last week in fact, that the first "propagation vector" was identified in the wild, and barely three days ago that the global "scope of damage" started to be quantified and understood.

Tomorrow, the fixes from various security companies will be firmly in place, the Microsoft patch will be available, and the ANI exploit will be history. And we will have learned nothing from the experience, except that security software company employees are expected to do in hours what most operating system developers are allowed to do in weeks.
