Hackers will exploit Windows kernel bug

Drive-by attacks against IE users will come soon, experts say

Hackers will quickly jump on one of the 15 vulnerabilities Microsoft patched Tuesday to build attack code that infects Internet Explorer users, security researchers agreed today.

The bug, which Microsoft patched as part of a record-tying security update for the month of November, is in the Windows kernel, the heart of the operating system. The kernel improperly parses EOT (Embedded OpenType) fonts, a compact form of fonts designed for use on Web pages that can also be used in Microsoft Word and PowerPoint documents.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Microsoft rated the flaw as "critical," its highest threat rating, and gave the bug an exploitability ranking of "1," which means it expects a working exploit to appear in the next 30 days.

Outside researchers expect it much sooner than that.

"An exploit will appear sooner rather than later," said Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "The target is IE, and browsing is the number one attack vector in the world right now. Users can be infected simply by browsing to a [malicious] site."

Another researcher said an exploit may be imminent. HD Moore, the creator of the popular open-source Metasploit penetration testing framework and the chief security officer for security firm Rapid7, said he was already working on an exploit for the critical flaw Microsoft patched Tuesday in the MS09-065 update. "I'm pretty close to having one working," Moore said.

The bug will be extremely attractive to hackers, Moore maintained, and not simply because it can be exploited in a classic "drive-by" attack that can silently hijack an unpatched Windows 2000 or Windows XP system when users visit a compromised or malicious Web site. On Vista, a successful exploit would give the attacker additional access to the machine, but could not be used to inject malware, Microsoft said.

"An EOT file can use both compression and encryption," noted Moore, referring to the font format that hackers will use to exploit the bug. Because the file can be compressed and encoded, most antivirus software will have a difficult, if not impossible, time detecting whether a Web page's fonts are being used to launch attacks. "They will blow past any line of user protection," he said.

And since the EOT file is rendered at the kernel level, not by IE itself, browser-based defenses won't help. "There's no JavaScript required for an exploit," Moore said, talking about the scripting language that's a popular tool for hackers who target browsers. Those kinds of attacks can be deflected by restricting JavaScript, or disabling it entirely.

On Vista PCs, IE7's and IE8's "sandbox," which is designed to prevent attack code from escaping the browser and worming its way into, say, the operating system, also will be useless, Moore said.

Top-notch hackers may also be able to leverage a treasure trove of bug fixes that Microsoft silently added to the MS09-065 update, Moore said. "There's a massive number of function fixes in the update," he said, adding that the practice isn't unusual for Microsoft. Even though the company called out only three Windows kernel vulnerabilities in that bulletin, Moore said he had been able to find at least eight altogether.