Monday, January 17, 2011

Windows zero day and small Snow Leopard update start off the new year

from WatchGuard Security Center by Corey Nachreiner

A fresh new year has begun and we already have security vulnerabilities in two of the most popular operating systems: Windows and OS X. Let’s start with the more worrisome one – Windows.

According to a recent Microsoft Security Advisory, the Graphics Rendering Engine that ships with most versions of Windows (one of the components that helps display graphics on your screen) suffers from a zero day vulnerability. Specifically, a flaw in how the Graphics Rendering Engine parses specially crafted thumbnail images could result in a buffer overflow. By enticing you to preview a thumbnail image, perhaps hosted on a website or sent within an email, an attacker could exploit this flaw to execute code on your computer, with your privileges. If you’re a local administrator, the attacker gets the keys to your castle.
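To make that bug class concrete, here is an added example (not Microsoft's code, which is not public; the record layout, the names and the sample inputs are constructed for illustration): a toy thumbnail parser that blindly trusts a length field taken from the image, next to the same parser with the bounds checks that keep a crafted length from overflowing the destination buffer or reading past the input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy format, NOT the real Windows thumbnail format:
 * 4-byte little-endian pixel byte count, followed by that many pixel bytes. */
#define THUMB_MAX 64

typedef struct {
    uint8_t pixels[THUMB_MAX];
    uint32_t len;
} thumb_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect class the advisory describes, kept as a comment so this file
 * never runs it: the length comes from the file and is trusted blindly.
 *
 *   void parse_thumb_unsafe(const uint8_t *data, thumb_t *out) {
 *       uint32_t declared = read_le32(data);
 *       memcpy(out->pixels, data + 4, declared);   // declared > 64 overflows pixels
 *       out->len = declared;
 *   }
 */

/* Hardened parser: every quantity taken from the untrusted image is checked
 * against both the input size and the destination capacity before any copy.
 * Returns true and fills *out on success; returns false and leaves *out
 * untouched on a truncated, malformed or oversized record. */
bool parse_thumb(const uint8_t *data, size_t data_len, thumb_t *out) {
    if (data == NULL || out == NULL || data_len < 4)
        return false;                       /* header itself is truncated */
    uint32_t declared = read_le32(data);
    if (declared > THUMB_MAX)
        return false;                       /* would overflow out->pixels */
    if (declared > data_len - 4)
        return false;                       /* would read past the input */
    memcpy(out->pixels, data + 4, declared);
    out->len = declared;
    return true;
}

/* Constructed sample records a reader can feed to the parser. */
static const uint8_t GOOD_THUMB[]      = { 3, 0, 0, 0, 0xAA, 0xBB, 0xCC };
static const uint8_t OVERSIZED_THUMB[] = { 0xFF, 0xFF, 0xFF, 0x7F, 0x00 };
static const uint8_t TRUNCATED_THUMB[] = { 8, 0, 0, 0, 0x11, 0x22 };

/* Convenience wrapper: returns the accepted pixel count, or -1 if rejected. */
int parse_thumb_len(const uint8_t *data, size_t data_len) {
    thumb_t t;
    return parse_thumb(data, data_len, &t) ? (int)t.len : -1;
}
```

The two rejected samples show the two directions the check must cover: a declared size larger than the destination (the overflow itself) and a declared size larger than what was actually received (an out-of-bounds read that often precedes it).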

Microsoft doesn’t have a patch for this vulnerability, but they do describe a workaround that will mitigate some attacks. See the “Mitigating Factors and Suggested Actions” section of their advisory for more details. Unfortunately, they don’t say whether or not attackers are exploiting this zero day in the wild. Though Patch Day is coming up next week, I doubt Microsoft will get this fix out by then, so be careful handling thumbnail images until a patch arrives.

Next up is Apple. Late yesterday, Apple released a security update for OS X 10.6.x (Snow Leopard). The update seems to fix only one marginally severe vulnerability. Apple’s alert doesn’t describe the flaw in much technical detail. They only say that a format string flaw in PackageKit could allow an attacker to execute code on your Mac. In order to exploit this flaw, the attacker would need to deliver a malicious package via Apple’s Software Update, which means he would need to complete a Man-in-the-Middle attack to gain control of where Software Update gets its package from. In short, attackers will have a hard time leveraging this flaw without local access to your network. Nonetheless, Snow Leopard users should download the 10.6.6 update or let Software Update do it for them.
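Apple did not publish the flaw itself, so this added example (not Apple's PackageKit code; the function names, the package-name input and the sample strings are assumptions) shows the general shape a format string flaw takes in C, the one-line change that closes it, and a small check a defender can run over untrusted strings before they reach any logging or display code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counts the '%' conversion directives an untrusted string would introduce if
 * it were ever used as a format string. "%%" is a literal percent sign and is
 * not counted. Useful as a validation or alerting check on names taken from
 * untrusted package metadata (constructed heuristic, not an Apple API). */
int count_format_directives(const char *s) {
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {  /* escaped percent: skip the pair */
            i++;
            continue;
        }
        n++;
    }
    return n;
}

/* The defect class named in Apple's alert, shown only as a comment so this
 * file never executes undefined behaviour: untrusted text is passed where a
 * format string belongs.
 *
 *   void log_install_unsafe(const char *pkg_name) {
 *       char line[256];
 *       snprintf(line, sizeof line, pkg_name);  // pkg_name IS the format
 *   }
 *
 * A name such as "%x%x%x" makes snprintf read arguments it was never given,
 * and "%n" makes it write to memory; that is the path from a format string
 * bug to code execution that the alert alludes to.
 */

/* Hardened form: the format is a compile-time constant and the untrusted name
 * is always passed as a data argument, so its contents are copied verbatim.
 * Returns the number of characters snprintf would have written. */
int log_install_safe(char *out, size_t out_len, const char *pkg_name) {
    return snprintf(out, out_len, "Installing package: %s", pkg_name);
}
```

Compilers will flag the unsafe pattern when warned to (GCC and Clang's `-Wformat-security` reports a non-literal format with no arguments), which is a cheap build-time check to turn on for any code that handles names from a package or an update feed.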

In summary, if you’re a Windows user, be careful with thumbnails, and look for updates next Tuesday, and if you’re a Snow Leopard user, upgrade as soon as you can.

– Corey Nachreiner, CISSP
