The title is a mouthful, but I was trying to capture the irony of the problem. You know Microsoft still has not solved its core problems when they release security software that introduces security holes into the operating system it is meant to protect.
An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.
They say there are no mitigating factors, which I find odd. They often say “do not read HTML-formatted text” is the mitigating factor for email flaws in Outlook. Perhaps they feel “block PDFs” is too strong a statement (stop the business?), but richly formatted email is merely a feature that can be turned off without losing content. Or maybe they do not want to upset their friends at Adobe, yet there is no corporation to stand up for HTML-formatted email. Interesting that the exploit apparently can escape the local user privileges and take over the complete system. Oops.
This vulnerability, credited to Neel Mehta and Alex Wheeler, reminds me of a meeting I once had (well, dinner) with them. They are super nice guys and I found the message they sell very straightforward — don’t do dumb things like repeat simple mistakes when you write software. Quality, not quantity. That sort of stuff. It’s not rocket science, they said.
Did I mention that Vista is also affected?
Again we see that the stakes are so low in the rapid-release style of consumer software management that companies probably figure they can clean things up or tidy code later, perhaps even after it has reached millions of users. Bad for us, good for them as long as there is no backlash, since the risks are captured mainly in externalities. Integer overflows on a rocket (speaking of science) may be a high-profile, explosive and expensive error, but my guess is that if you sum the number of incidents from integer overflow mistakes in desktop software you might come out with a similar total, just distributed. The cost accounting gets really messy when you find viruses written to spread via flaws in the antivirus tools themselves. Try to figure out the ROI on that one, Symantec.