Exploits for Microsoft flaws circulating

14.06.2006
Security firms are warning about the availability of attack code targeting some of the flaws for which Microsoft Corp. released patches Tuesday.

Most of the exploits target flaws that were previously known but for which patches became available only as part of Microsoft's June monthly security update. But at least two publicly available exploits are directed at newly disclosed flaws in the company's products.

"Exploit code had already existed for three of the vulnerabilities prior to Tuesday, as they were already public issues," said Michael Sutton, director of VeriSign Inc.'s iDefense Labs. "Beyond that, we're seeing public exploit code emerge for some of the new vulnerabilities and are hearing rumors of private code existing for others."

The availability of such exploits heightens the risk for companies that have not yet been able to patch their systems and are important factors to consider when deciding which systems to patch first, he said.

"We believe that it is far more beneficial to withhold proof-of-concept code for an amount of time so that customers can get the vulnerabilities patched," said Stephen Toulouse, security program manager at Microsoft's security response center. "The public broadcasting of code so quickly after a bulletin release, we believe, tends to help attackers."

Microsoft is telling its cusomers to pay special attention to three key updates -- MS06-021, MS06-022 and MS06-023 -- because they could be particularly easy to exploit using Internet Explorer. "There are methods by which if you just browse to a Web site, there could be code execution," Toulouse said.