Volume 5, Number 1 -- January 9, 2008

Worm Threat High with Security Holes Patched by Microsoft

Published: January 9, 2008

by Alex Woodie

Microsoft issued two patches yesterday that address three vulnerabilities in Windows, a light start to the secure new year. However, the sole critical patch issued yesterday is a doozy: It fixes a flaw that could enable hackers to take complete control of computers whose users' only offense was connecting them to the Internet. In other words, the flaw is wormable.

The first patch of the year, Microsoft Security Bulletin MS08-001, fixes a pair of vulnerabilities in the Windows kernel related to TCP/IP processing that could allow attackers to gain full control of the operating system or launch a denial of service attack against the computer.

The two flaws affect all versions of Windows, although they rate only as important on Windows Server 2003 versions because multicasting is not turned on by default. The flaws, which were discovered by Alex Wheeler and Ryan Smith of IBM's Internet Security Systems, involve specific vulnerabilities in Windows' processing of Internet Group Management Protocol (IGMP), Internet Control Message Protocol (ICMP), and Multicast Listener Discovery (MLD) queries, and attackers can exploit them without any user intervention.

"The user does not have to open an e-mail or browse to a malicious Web site or anything like that, the hacker can just send malicious ICMP or IGMP packets to the machine and the consequences are fairly high," says Amol Sarwate, director of the Qualys vulnerability lab. "The user basically doesn't have to do anything. If the machine is on [and connected to the Internet] that's good enough for the hacker to just compromise it. This vulnerability is what we call wormable."

While the potential threat posed by this pair of newly disclosed vulnerabilities is high, they do not pose an immediate, near-term danger, Sarwate says. Without the specific technical details, which aren't available yet, malicious software writers won't be able to write a worm to exploit these vulnerabilities. However, over time, these details are expected to be available to malicious software writers, which is why it's a good idea to apply this patch sooner rather than later.

The second patch, Microsoft Security Bulletin MS08-002, fixes an elevation of privilege vulnerability in all recent versions of Windows except Vista. Microsoft has given it an important rating. The flaw is the result of a problem in the Windows Local Security Authority Subsystem Service (LSASS), and can be exploited by sending a malformed local procedure call (LPC) to a vulnerable computer. Thomas Garnier of SkyRecon is credited with finding the flaw and reporting it privately to Microsoft.

Sarwate was a little surprised to find that Microsoft had not yet patched the Web Proxy Auto-Discovery flaw, which Microsoft noted in an advisory about a month ago. That vulnerability, which exists in all versions of Windows, could allow attackers to redirect users to malicious Web sites.

"Microsoft acknowledged a problem with the Web proxy Auto-Discovery module and we thought they would address it this month," Sarwate says. This flaw is not yet being exploited, he says.




Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034