Vulnerabilities

System and program vulnerabilities can be exploited by viruses and worms to facilitate their spread. Keep the operating system and all programs up to date with all security patches.

Operating systems and programs are complicated pieces of software with up to millions of lines of source code going into their development. While it might be nice to think that this code can be written without error, that would largely be wishful thinking. So many different people are involved in writing most software that finding all errors or vulnerabilities under the pressure of release schedules and cost constraints is a virtual impossibility. That means you should assume that any software you get will have an error in it. Not all of these will be a vulnerability that makes the software a potential vector for malware, but some will be.

As an example, some of the Bagle virus (2004) variants delivered themselves through a vulnerability in the Outlook mail program’s code. The virus would send a blank E-mail to random recipients. The message contained embedded code that did not display, so the user, on opening or previewing the message, saw a blank E-mail. While the user was scratching their head wondering what it was, the virus was silently using the Outlook vulnerability to run the embedded code, and the rest of the virus was downloaded from a remote server through TCP port 81. Since this port is rarely used, the bytes streaming through it were rarely monitored at the time (port 80 is used for web pages). The specific Outlook vulnerability and anti-virus software behavior have since changed, but the exploitation of vulnerabilities has not.
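A defensive check for the blind spot described above, as an added example that is not part of the original page: it scans firewall-style connection records for outbound TCP traffic on ports a site does not expect, such as port 81. The log format, addresses, internal range and port allowlist are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site policy: the internal range and the ports workstations may use outbound.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXPECTED_PORTS = {25, 53, 80, 110, 143, 443, 587, 993, 995}

# Constructed sample records: time src dst dst_port proto bytes
SAMPLE_LOG = """\
2004-03-01T09:14:02 10.0.0.21 203.0.113.10 80 tcp 18230
2004-03-01T09:14:40 10.0.0.21 198.51.100.7 81 tcp 15872
2004-03-01T09:15:03 10.0.0.34 10.0.0.5 8080 tcp 2210
2004-03-01T09:15:11 10.0.0.34 203.0.113.25 25 tcp 640
2004-03-01T09:16:27 10.0.0.21 198.51.100.7 81 tcp 40960
2004-03-01T09:16:50 10.0.0.21 not-an-ip 81 tcp 100
2004-03-01T09:17:00 10.0.0.40 192.0.2.53 53 udp 120
"""

def parse_line(line):
    """Return (src, dst, port, proto, nbytes), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        _, src, dst, port, proto, nbytes = parts
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), proto.lower(), int(nbytes))
    except ValueError:
        return None

def unusual_egress(log_text, expected=EXPECTED_PORTS):
    """Sum bytes per (src, dst, port) for outbound TCP on unexpected ports."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, proto, nbytes = rec
        # Egress means an internal host talking to an address outside the site.
        if proto != "tcp" or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue
        if port not in expected:
            totals[(str(src), str(dst), port)] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for (src, dst, port), total in unusual_egress(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}/tcp  {total} bytes on an unexpected port")
```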

Many Windows security fixes have been issued over the years that close holes malware writers have found and used to push exploits onto user systems. So, on “patch Tuesday” when Microsoft wants to update your version of Windows you should probably make a good backup and then let it.

Other software producers are not immune. Cross-site scripting (XSS) has become a serious concern when it comes to malware. This vulnerability in HTML code and client-side scripts can be exploited by attackers to bypass access controls. Vulnerabilities of this kind have been exploited to craft powerful phishing [obtaining personal information fraudulently] attacks and browser exploits. One user even reported loss of their Web domain via an XSS vulnerability in the Google Mail program (since fixed). If a certain malicious website was visited with GMail open, the XSS vulnerability would put a filter into the user’s GMail account that directed all mail from the domain registrar to a different address. Then the user would initiate a domain transfer and, through the normal process of domain transfer, respond to all the confirmation requests. The end result was the loss of the domain. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued as it became confused with Cascading Style Sheets.

Even hardware is not immune; witness Bluesnarfing and Bluebugging, where a Bluetooth connection allows access to some models of mobile phones.

In short: All security patches issued for any software on your system should be applied as soon as possible after issue. Since not all vendors send out notices, users should be proactive in trying to find them. Sign up for all update/upgrade notice mailing lists you can find for software you own. See the update page for more details on how.

Summary

  • Vulnerabilities in the operating system or program software or Web-based scripting can open holes that viruses, worms, and other malware can exploit.
  • While it’s impossible for a user to examine all such code, all security patches for such software should be applied as soon as possible after release. Users should actively search for such patches.