Security Watch

Keeping Track of patches and hacks in the IT security world.

MS08-001: Open Door for the Next Big Windows Worm?

MS08-001: Open Door for the Next Big Windows Worm?

If you haven't applied Microsoft's MS08-001 patch yet, now might be a good time to hit that 'Download and Apply' button.

According to computer security experts, the TCP/IP/IGMPv3 vulnerability fixed with this patch is theoretically ripe for an exploit that could turn into a nasty, Blaster-type worm attack.

Dave Aitel's Immunity, a penetration testing/exploit creation outfit, has already shipped a proof-of-concept exploit to its CANVAS Early Updates and, if history is a good guide, it's only a matter of time before a publicly available exploit starts circulating.

Once that happens, all bets are off.

"This is a severe vulnerability across the board. I agree with Microsoft that this is critical and wormable," said Alex Wheeler, the hacker who found and reported the bug to Microsoft last August. (Yes, it took Microsoft about five months to get a patch out the door).

Wheeler, who partnered with Ryan Smith at IBM's ISS X-Force on researching the IGMPv3 flaw, said the anti-exploitation mechanisms and firewalls turned on my default in both Windows XP SP2 and Windows Vista do


protect against a potential attack.

[ SEE: Sasser - The Last Big Network worm? ]

Wheeler, who has since left ISS to manage security research at 3Com TippingPoint's DVLabs, believes a reliable exploit could turn into a self-propagating network worm that does its damage without any user action.

It's been more than two years since the last two network worms -- Sasser and Zotob -- and more than four years since the summer of the worm, when Slammer and Blaster forced Microsoft into a monumental rethink of its security strategy.

Now, with its newly hardened Windows Vista operating system at the mercy of malicious hackers, the company is using the new Security Vulnerability Research & Defense blog to spell out the severity of the IGMPv3 flaw and argue that a number of mitigation factors "make exploitation of this issue difficult and unlikely in real-world conditions."

In other words, according to Microsoft spokesman Tim Rains, there's little chance we'll see a Blaster/Sasser-like worm attack. "Theoretically, it's wormable but we think it's really, really hard to do a reliable code execution attack," Rains said in an interview.

"On the SWI blog, we list four or five mitigations [that explain] why we think it's difficult. Yes, theoretically possible, but a lot harder to actually launch a reliable exploit without any user interaction," Rains added.

He, however, acknowledged that the firewalls built into XP SP2 and Windows Vista will (by default) allow traffic from the IGMPv3 protocol.

"That particular protocol is used for streaming media, multi-player games, any Live Meeting type of application. If we don't have an exception [for IGMPv3] in the firewalls, it won't be a good user experience by default," Rains said.

He also confirmed that the layers of anti-exploitation mechanisms built into Windows Vista -- things like Address Space Layout Randomization, will not block an exploit.

"From an attack point of view, the [critical] risk against XP SP2 is the same as it is for a Vista system. When the dust clears, it's theoretically a remote, unauthenticated, wormable vulnerability on both operating systems," he added.

[ ALSO SEE: Zotob Worm Could Squirm on Windows XP ]

Despite Microsoft's claims that there are enough mitigations to stop an exploit from firing remotely, the proof-of-concept from Immunity -- which blue-screens a Windows box -- is a sign that researchers are trying to prove Redmond wrong.

"This exploit is not affected by SafeSEH or a stack cookie, since it's a heap overflow. And it is not affected by the heap protections in the user land heap, since it's in the kernel," Aitel said in an interview.

"Microsoft makes triggering the issue sound a bit harder than it actually is in their weblog posting," Aitel said in a note posted to the Daily Dave mailing list. "You'll be able to trigger it every time, especially on a local LAN."

Aitel described the IGMPv3 hole as "one of the biggest of 2008," chalking up the absence of remote, unauthenticated bugs as "possibly due to the vulnerability marketplace sucking the air out of the publicly released vulnerabilities."

Wheeler, who used static binary analysis to find the flaw, agrees with Aitel that this is something that can be exploited reliably.

"It's somewhere in between trivial and difficult [to exploit] but it can be done. I'm actually surprised we haven't seen an exploit out for this yet," Wheeler said.


* Reverse engineering guru Halvar Flake rips apart the MS08-001 patch and makes a movie pinpointing the vulnerable code.

* ISS X-Force's Holly Stewart discusses how MS08-001 poses some "unique problems from a remediation and protection standpoint."

* CC 2.0 image via Luke Wisley's Flickr photostream.