A virus designed to exploit a recent disclosed hole in Internet Explorer is already doing the rounds on the Internet. Security experts have warned it could allow remote attackers to take full control of vulnerable Windows machines.
Two new "proof of concept" exploit programs were posted to French security website www.k-otik.com and the Full-Disclosure news group. The new code is more dangerous than an exploit for the vulnerability that appeared earlier in the week, since it allows malicious hackers to run their own code on vulnerable machines, instead of just freezing or crashing Windows systems, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.
The exploit takes advantage of a flaw in the way Microsoft applications process jpeg image files, a common format for displaying images on the Web. Microsoft designated the flaw a "critical" problem and released a software patch for it, MS04-028, on 14 September. A Windows user would have to open a jpeg file that had been modified to trigger the flaw using a wide range of applications, such as the Explorer browser or Outlook.
The exploits create a jpeg file formatted to trigger an overflow in a common Windows component called Gdiplus.dll, said Elia Florio, a computer engineer living in Rome who created the exploits and posted them to Full Disclosure.
The first exploit opens a command shell on a vulnerable Windows system when the rigged file is opened using Windows Explorer, an application for browsing file directories on Windows systems. While that, in itself, is not damaging, a remote attacker could easily add malicious commands to the script that would run on the affected system, Ullrich said.
The second exploit further modifies the attack code to add a new administrator-level account, named simply "X," to affected Windows systems when a jpeg file is opened through Explorer. The account could then be used by the attacker to log-in to the machine using standard Windows networking features, he said. In both cases, malicious commands could only be executed using the permission level of the user running Windows Explorer, he said.
The new exploits can be spread by a virus in corrupted jpeg images sent as e-mail attachments or served from websites. In fact, the scripts could be used to dynamically modify jpeg files as they are sent from a Web server, provided the attacker was able to access the Web server sending the images and place the attack script on it, Ullrich said.
Symantec has increased its severity rating on the jpeg vulnerability to 9.2 out of 10, noting the release of a new exploit that provides a command shell. Newly released virus signatures from anti-virus companies have been successful at spotting jpegs that attempt to trigger the MS04-028 flaw, Ullrich said. Windows users are encouraged to download and install the latest software patch from Microsoft and to update their anti-virus definitions as soon as possible, he said.
Despite releasing the exploits, Florio said he does not intend them to be used in a malicious way. The exploits are not suited to be used immediately by low-skilled computer hackers, commonly known as "script kiddies," and would need to be modified by a knowledgeable programmer before they could be used in widespread attacks, he said.