Attack code for Windows bug written in only two hours

Submitted by Carolyn Joy L. ... on Fri, 10/24/2008 - 12:31. ::

California, October 24: It only took two hours for developers of Immunity, a company that specializes in penetration testing technology, to write code that could exploit a newly announced Windows bug.



The bug was disclosed on Thursday morning when Microsoft uncharacteristically issued an emergency patch for the flaw. This was two weeks after they started to notice a few targeted attacks that took advantage of the bug.

The disclosure immediately gave hackers and security researchers enough information to write code that takes advantage of the flaw. The flaw is apparently easy to exploit, as shown by the short time the Immunity developers needed to write working attack code.

The bug is found in the Windows Server service, which provides for the use of file and print sharing services over a network. An attacker who makes use of the flaw can craft a worm attack that can eventually enable him to view, edit, or even delete data on the vulnerable computer. Worse, it would then give him the capability to create new user accounts with full user rights, giving him practically total control of the computer.

Such an attack could be warded off by firewalls, thus preventing a widespread assault over the Internet. Computers connected via a local area network, however, are not as protected.

According to Immunity Security Researcher Bas Alberts, the main problem lies in “a very controllable stack overflow”.

Stack overflows are programming errors in which data written into a fixed-size buffer spills into adjacent memory that should have been inaccessible. This vulnerability lets rogue programmers place commands in the exposed memory and have the victim’s computer run them.

Flaws similar to this are not new to Windows products. In fact, over the years, Microsoft has already spent millions of dollars in efforts to get rid of such bugs. According to one of the architects of Microsoft’s security testing program, the most recent bug should have been detected earlier by the company’s “fuzzing” testing tools.

As a result of this latest flaw, some modifications on Microsoft’s fuzzing test algorithms and libraries are being planned. This was confirmed by security program manager Michael Howard in one blog posting.

Also in the same blog posting, Howard admitted that finding the bug by hand-reviewing the code “would require a great deal of skill and luck”. In the same breath, he also acknowledged that using tools to analyze such code, mainly written in C or C++, is rather tricky, and that their current toolset is not capable of catching such a bug.
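To make the two preceding points concrete (what a "controllable stack overflow" looks like in C, and what a fuzzing harness has to check to catch it), here is an added example. It is constructed for this article and is not code from Microsoft, Immunity, or the Server service; the message format (a one-byte length prefix followed by a field) is an assumption chosen to show the pattern. The unchecked handler trusts the length from the message and is shown only for contrast; the checked handler bounds the copy, and a small deterministic fuzz loop surrounds the output buffer with guard bytes and confirms they survive random input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message format (assumption): msg[0] is the field length,
 * msg[1..] carries the field bytes. Output buffers are FIELD_MAX bytes. */
#define FIELD_MAX 64

/* Vulnerable pattern: the copy length comes from the message, not from
 * the buffer size. A length above FIELD_MAX writes past 'field' into the
 * rest of the stack frame. Shown for contrast only; never called here. */
int handle_field_unchecked(const uint8_t *msg, size_t msg_len) {
    char field[FIELD_MAX];
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;  /* stays inside msg, but not inside field */
    memcpy(field, msg + 1, len);       /* overflow when len > FIELD_MAX */
    return (int)len;
}

/* Hardened pattern: the length is checked against both what the message
 * actually carries and what the destination can hold (with room for NUL). */
int handle_field_checked(const uint8_t *msg, size_t msg_len,
                         char *out, size_t out_len) {
    if (msg_len < 1 || out_len == 0) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;  /* claims more bytes than present */
    if (len >= out_len) return -2;     /* would not fit in the destination */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Tiny deterministic PRNG so the fuzz loop is reproducible offline. */
static uint32_t lcg_state = 12345u;
static uint32_t lcg_next(void) {
    lcg_state = lcg_state * 1664525u + 1013904223u;
    return lcg_state;
}

/* Minimal fuzz harness: feeds random messages to the checked handler and
 * verifies the guard bytes on either side of the output buffer are intact.
 * Returns 1 if no iteration corrupted a guard byte, else 0. */
int fuzz_checked_handler(int iterations) {
    for (int i = 0; i < iterations; i++) {
        uint8_t msg[256];
        size_t msg_len = lcg_next() % sizeof msg;           /* 0..255 */
        for (size_t j = 0; j < msg_len; j++)
            msg[j] = (uint8_t)(lcg_next() >> 24);
        struct { unsigned char pre[8]; char out[FIELD_MAX]; unsigned char post[8]; } frame;
        memset(frame.pre, 0xAA, sizeof frame.pre);
        memset(frame.post, 0xAA, sizeof frame.post);
        int r = handle_field_checked(msg, msg_len, frame.out, sizeof frame.out);
        if (r >= 0 && (size_t)r >= sizeof frame.out) return 0; /* copied too much */
        for (size_t k = 0; k < 8; k++)
            if (frame.pre[k] != 0xAA || frame.post[k] != 0xAA) return 0;
    }
    return 1;
}

/* Self-checks on constructed messages; each returns 1 on the expected result. */
int check_accepts_valid_field(void) {
    const uint8_t msg[] = {3, 'a', 'b', 'c'};
    char out[FIELD_MAX];
    return handle_field_checked(msg, sizeof msg, out, sizeof out) == 3
        && strcmp(out, "abc") == 0;
}
int check_rejects_truncated_field(void) {
    const uint8_t msg[] = {200, 'x'};  /* claims 200 bytes, carries 1 */
    char out[FIELD_MAX];
    return handle_field_checked(msg, sizeof msg, out, sizeof out) == -1;
}
int check_rejects_oversized_field(void) {
    uint8_t msg[1 + 100];
    msg[0] = 100;                      /* present, but larger than FIELD_MAX */
    memset(msg + 1, 'A', 100);
    char out[FIELD_MAX];
    return handle_field_checked(msg, sizeof msg, out, sizeof out) == -2;
}

int main(void) {
    printf("valid field accepted:    %d\n", check_accepts_valid_field());
    printf("truncated field rejected: %d\n", check_rejects_truncated_field());
    printf("oversized field rejected: %d\n", check_rejects_oversized_field());
    printf("fuzz guard bytes intact:  %d\n", fuzz_checked_handler(5000));
    return 0;
}
```

The guard-byte check is the same idea a real fuzzer relies on through AddressSanitizer or guard pages: the harness does not need to know which length is "bad", it only needs an oracle that notices memory being written outside the buffer. Running the unchecked handler under the same loop would trip that oracle quickly, which is the sense in which Howard's remark that fuzzing "should have" found this class of bug applies.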
