Palo Alto Networks Researcher Discovers Critical Microsoft Vulnerability

The Threat Research Team at Palo Alto Networks has been at it again, discovering yet another critical Microsoft vulnerability. The vulnerability (MS11-038) is addressed in today’s Patch Tuesday release, and you can read the Microsoft summary here. The vulnerability involves a weakness in Microsoft OLE Automation that would allow an attacker to execute code remotely simply by luring a user to a page containing a malicious WMF image. There are two points here that I think are very important, and I want to make sure I give them both their due.

First, I want to give kudos to the researchers at Palo Alto Networks who have been quietly building one of the most impressive track records of any research team in the industry. Going back to when the company was founded in 2007, the team has found 18 Microsoft vulnerabilities. Just to put that into perspective, in that same time frame, McAfee found a total of 7 Microsoft vulnerabilities. Let that sink in for a minute, because it’s an important point. As much warranted concern as there is in the market regarding unknown threats, it’s worth keeping score of who is actually discovering previously unknown vulnerabilities. Furthermore, as we see applications, exploits and malware all becoming increasingly interconnected, it’s very significant that the leading next-generation firewall vendor (which controls all 3 of those components) also has one of the best and brightest threat research teams in the industry.

Secondly, I want to shift gears and talk about the vulnerability itself, because it is precisely the type of vulnerability that attackers love to use as the first step of a modern attack. The old model of threats was that exploits were directed at servers and malware came into the network over email. Needless to say, that model has changed. Today exploits and malware work hand in hand: the attacker often first exploits a vulnerability on a user’s machine (giving him control of that machine) and then delivers malware to the exploited machine in the background. From there he can establish remote control of the user’s machine and begin digging deeper into the network or stealing information that the user has access to.

In this case, all of this could begin simply by luring a user to a page containing a malicious Windows Metafile. The page could look perfectly benign, but all the while the user’s machine is being exploited and malware is being delivered to it. This underscores just how interconnected applications, exploits and malware are today, and why it is crucial to have expertise in all of these areas. We also have to be able to address all phases of this infection lifecycle – research to find unknown threats, drive-by-download protection to keep hidden malware from being downloaded in the background, detection of command-and-control traffic, and behavioral analysis of traffic to find users that may be infected. All of these technologies are critical, and we need all of them working together if we are going to protect our networks going forward.