Exploit code appears for Microsoft Agent bug

It took less than 24 hours for attackers to crank out proof-of-concept code targeting the one critical vulnerability disclosed -- and patched -- Tuesday morning by Microsoft, security researchers warned.

Early Wednesday, analysts with Symantec's DeepSight threat network alerted customers of JavaScript exploit code for the critical vulnerability in Windows 2000 that was revealed in Microsoft's monthly patch cycle. The proof-of-concept was posted to the Internet by someone with a Brazilian e-mail address. An hour-and-a-half later, Symantec updated its alert to say that additional exploit code was also available to users of Immunity's popular CANVAS penetration testing ("pentest") software.

To call attention to the added danger, Symantec also raised the vulnerability's threat score from Tuesday's initial 7.1 (out of a possible 10) to 8.5 today.

The Windows 2000 bug -- the only one rated critical of the four patched Tuesday -- is in Windows Agent, the component that drives the operating system's interactive animated help characters. The best known, and in its time, most detested, character was dubbed "Clippy," a.k.a. the Office Assistant, a bouncy paperclip designed to answer users' questions about Microsoft Office. The developer disabled Clippy by default as of Office XP and put it to rest when Office 2007 debuted earlier this year.

The JavaScript-based exploit fits nicely with analysis made yesterday by Tom Cross, a researcher with IBM Internet Security Systems' X-Force. The vulnerability, said Cross Tuesday, is in the Agent ActiveX control, which are typically exploited by duping users into visiting Web sites where malicious script code has been planted, and "attackers will use a pretty common attack vector," he said Tuesday. The quick appearance today of proof-of-concept also matches his initial impression. "This uses a pretty common attack vector, and it fits the profile of a lot of bugs."

Symantec advised users who were unable to immediately apply the patch to disable their browser's script-handling capabilities. "A successful exploit requires the execution of active content," its advisory said. "To mitigate against this and other latent vulnerabilities, disable support for active content in the browser."

VeriSign iDefense, which was credited by Microsoft for reporting the bug, also posted an advisory today; in it, the security vendor spells out how to set the "kill bit" in the Windows registry to disable the Agent ActiveX control.

Microsoft has posted its technical write-up of the Agent vulnerability in the MS07-051 security bulletin.

Tuesday's update is also a replacement for an earlier April fix of Agent, an indication that the company's developers didn't find all the bugs in the component five months ago.

Computerworld is an InfoWorld affiliate