Security experts say a glitch in Vista and other Microsoft Corp. software products enables cyber crooks to steal online game log-in signatures.
On Tuesday, Microsoft released an emergency patch to plug a security hole in Windows 2000, Windows Server 2003, Windows XP and Windows Vista.
The patch, MS07-017, addresses a vulnerability in the way the Microsoft products handle animated cursor (.ani) files.
The flaw, discovered last December, has a severity rating of “critical.”
Apart from allowing hackers to gain control of a user’s computer and install malicious code, it enables cyber crooks to steal log-in information for access to multi-player computer games, according to iDefense Labs, the security research division of VeriSign Inc. in Mountain View, Calif.
The theft of authentication information and subsequent stealing of virtual assets can have some serious real world repercussions if played out on a large scale, according to one online gaming expert.
Participants in “role-playing” games, such as World of Warcraft and EverQuest, often trade virtual goods online using real currency, according to Jason Della Rocca, executive director of the International Game Developers Association (IGDA), based in Mt. Royal, New Jersey.
No one knows exactly how much the market is worth, but it is estimated that gamers spend upwards of $230 million (around US$200 million) on virtual goods.
Della Rocca said players spend long hours developing their online characters and amassing virtual property. The online items can be won by accomplishing certain tasks or challenges in the game, but they can also be bought using real currency. For instance, a two-handed sword used in World of Warcraft can be bought for $70.
“Taking into account that a game like World of Warcraft has six to seven million subscribers, a large-scale harvest of virtual assets can have a drastic effect on a real world market,” said the IGDA executive.
“Greed and desperation” are fueling the market for stolen log-in signatures, according to Ken Dunham, director of iDefense’s rapid response team. He said once a person gains access to a player’s virtual character, he or she also gains control of the player’s virtual possessions.
“Log-in data is being bought for $10 to $30 by people desperate to get ahead in the game, or by those who simply want to steal and sell another person’s virtual property.”
Dunham said VeriSign recently learned that a group of hackers based in China were using the Windows security hole to steal log-in signatures for access to World of Warcraft.
He also warned that the security flaw may be used to steal credit card information.
Microsoft rolled out MS07-017 ahead of its regular monthly security update to protect customers and limit attacks, according to Bruce Cowper, senior program manager for security initiatives, Microsoft Canada.
He said the patch took several months to develop because Microsoft wanted to make sure the fix would work properly.
Cowper said attackers construct an animated cursor or icon file that’s designed to attract computer users. “These cute animal or animated character cursors are then sent out via broadcast spam or e-mail in the hope of baiting unsuspecting gamers or computer users.” Once inside a computer, the cursor controls that machine to visit a Web site or view a specially crafted e-mail message that will install key loggers or malicious code capable of stealing data.
The activity happens without the computer owner realizing someone else is in control of his or her machine.
However, there are some tell-tale signs that an attack is in progress, said Cowper. “If your machine begins to function erratically shortly after you’ve downloaded a file or opened an e-mail, you may be a victim of an attack.”
He said Microsoft customers who use Automatic Updates will receive the patch automatically and need not take additional action. Updates can also be downloaded manually by visiting the Microsoft update site at: http://www.microsoft.com/athome/security
Tips on protection against malicious attacks are available at: www.microsoft.com/protect
Cowper said Microsoft will be releasing additional security updates on April 10. Information on security releases is available at: http://www.microsoft.com/technet/security/bulletin/advance.mspx