A Rash of Middleware Bugs Popping Up

Here we are again, confronted with yet another Yahoo Messenger security hole to shore up. Gregg Keizer over at sister publication Computerworld says it's the ninth zero-day flaw found in the instant messaging client this year. I've lost count but I believe him.

I do know that I wrote about two holes in one week ? here and here -- in Yahoo Messenger just last month.

To be fair, we're seeing a lot more holes being found in technologies and products that fit into the category of what's often called "middleware" these days because the operating system vendors and the browser purveyors ? often the same folks ? have done a pretty good job of plugging most of the holes in lower-level software. So we've seen a lot of exploits lately that take advantage of image files in Windows Media Player and Apple QuickTime, for instance.

It's no surprise that we're seeing more and more holes crop up in instant messenger and chat clients, as well as media playing technologies. They haven't been mined for security flaws as much as some of the other middleware though that's changing fast. And lately, middleware as a category has been yielding a new crop of security bugs that hackers of all stripes have been jumping on.

Indeed, hacker extraordinaire Petko Petkov just identified a new hole in Windows Media Player (WMP), according to another report by Keizer. And Petkov also found a flaw in PDF (Portable Document Format) file processing in Adobe Acrobat/Reader.

In all three cases, there are no patches yet.

So if there's nothing you can do to keep yourself safe, other than be careful where you click, why bother telling you?

I have been writing the Bugs & Fixes column for more than seven years now and that often means that I tread into Web territory where scary things can happen. Luckily, I've only been hit by drive-by-downloads a couple of times in all those years. Part of that is because I have my security set to what some folks might think is ridiculously high.

In the case of the WMP hole, I tried one of Petkov's proof-of-concept demonstrations ? expecting it to fail, as most such demos do on my PC. To my mild surprise ? the demo reported back that my computer had been successfully "pwnd" ? a hacker term meaning "completely compromised."

I was thankful that it was only a demo and not the real thing. What was even scarier is that it also shows how few warning signs there might be if you were actually pwnd by the bad guys. You could become part of a bot net -- or worse -- and not even know it.

These three so-far unresolved holes also illustrate the point that security bugs are going to be with us for a long time ? if not forever. And all three of these clearly show that both white and black hat hackers are moving up the system stack to find new avenues of attack to target. As patches come out for these problems, I'll let you know. In the meantime, try to practice safe surfing.

The point, however, is that in these days of our heightened interest and attention paid to staying secure, there are still plenty of opportunies for the bad guys to get at you and your data. All the better reason to keep your software patches up to date.

Comments

Post a comment Post a comment

0 / 1000 max characters