MDAC ... the new WMF?
(updated 10:46am PDT)
Last night, our Intelligence Network found a new version of a script
exploiting MDAC, a Windows vulnerability patched in April's Patch Tuesday release (MS06-014).
The first Interesting Thing about this is that, as far as I know, there
has been no published proof of concept for this exploit, so we are now aware of at least three groups that have independently worked out their own exploit, as opposed to their usual m.o. of simply copying someone else's work.
The second Interesting Thing is that this might be regarded as proof
that the Bad Guys have actually started trying to reverse engineer Patch
Tuesday's patches to look for exploit opportunities.
The third Interesting Thing is that this is the third instance of this
exploit we've found since the beginning of June ... just under a week. Not minor variants, but complete rewrites. This is really unusual, and is probably happening because the exploit is not relying on an application crash and buffer overflow, but simply using a feature in MDAC, a la
December's WMF (Windows Meta File) 0-day. What this means is that it's _easy_ to exploit this vulnerability and, if we can get three in a week, we can expect more. WMF was equally easy, and we had lots of variants of that within a few days.
And finally, the fourth Interesting Thing is that, if you're patched
(or running SocketShield, of course), you're safe, but if you're not,
because this is web exploitable, you need to be careful ... your firewall
won't protect you. And if you work in a corporate IT department, you _know_ that patches rarely get applied as soon as they're available - often because of potential interoperability problems with existing applications.
If there's anyone out there who doesn't yet believe these exploits are a
_real_ problem, how's this for scalability:
Just a few days ago, there was a report that 38,500 web sites had been defaced in a single day by a Turkish hacker. Fortunately, he just defaced the sites, and did so openly and obviously, but if he'd been an exploiter and just added a single iframe call out to an exploit server, voila ... 38,500 trusted, innocent websites are suddenly malicious.
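As an added example (not from the original post), here is the kind of check a site owner or web proxy could run to spot exactly that scenario: an injected iframe pointing off-site (often sized 0x0 so visitors never see it), or page script that references the MDAC control patched by MS06-014. The sample page is constructed; the RDS.DataSpace ProgID and CLSID are Microsoft's published identifiers for that control, not values taken from this post.

```python
import re
from urllib.parse import urlparse

# Identifiers of the MDAC control addressed by MS06-014 (assumed from
# Microsoft's advisory; the post itself does not name the control).
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
ZERO_DIM_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b""", re.I)
MDAC_RE = re.compile(r"RDS\.DataSpace|" + RDS_DATASPACE_CLSID, re.I)


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that load from a host other than
    the site's own, or that are sized to zero so they render invisibly."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        if not src:
            continue
        url = src.group(1)
        host = urlparse(url).hostname  # None for relative URLs
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site")
        if ZERO_DIM_RE.search(attrs):
            reasons.append("zero-size")
        if reasons:
            hits.append((url, ",".join(reasons)))
    return hits


def mentions_mdac_control(html):
    """True if page content references the RDS.DataSpace control by ProgID or CLSID."""
    return bool(MDAC_RE.search(html))


# Constructed sample: a legitimate page with one injected iframe and one script line.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="/news/frame.html" width="600" height="200"></iframe>
<iframe src="http://exploit.example/x.htm" width=0 height=0></iframe>
<script>new ActiveXObject("RDS.DataSpace");</script>
</body></html>"""

if __name__ == "__main__":
    for url, why in find_suspicious_iframes(SAMPLE, "www.example.com"):
        print(f"{why}: {url}")
    print("MDAC control referenced:", mentions_mdac_control(SAMPLE))
```

Either finding on a page you did not change yourself is worth an incident ticket; the iframe check alone also catches loaders for exploits other than this one.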