By James Maguire
A security firm has discovered new ways for attackers to exploit two known flaws in the Windows operating system -- both of which Microsoft (Nasdaq: MSFT) recently patched -- to propagate worms similar to SQL Slammer or MSBlast, which infected computers across the globe earlier this year.
Core Security Technologies, a Boston-based firm specializing in large-enterprise information security, has found that a vulnerability in the Windows Workstation service could be used for a Slammer-style attack. Additionally, Core ST found that a security flaw in the Windows Messenger service could enable attackers to launch an attack similar to that of the MSBlast worm, which infected thousands of computers in August.
Microsoft has issued a patch for both of these flaws. "The patches are out there. They do work, and people should use them," Ivan Arce, Core ST's chief technology officer, told NewsFactor. "Last time we saw this sort of thing, it was patched, but people didn't seem to care much, and worms appeared -- we don't need to repeat that story."
The Windows Workstation service, the component that lets a PC reach file shares and other network resources, contains a buffer overrun. The update that Microsoft issued to correct the problem was rated "critical," the company's highest severity rating.
"What we found is that there are some new attack vectors to exploit the same vulnerability that were not originally considered," Arce said. Although Core ST did not find a new flaw, the new method of exploiting the known flaw "is a very efficient way of compromising the system," he said.
Clearly, for those computers that have not been patched, a major security vulnerability exists. The SQL Slammer worm, though only 376 bytes of computer code, is estimated to have caused US$1 billion in damages.
Core ST informed Microsoft of the new ways of exploiting the security flaws, Arce said.
Microsoft, according to Arce, said, "'You're right, the patch does fix the problem. The workarounds that we proposed should be reviewed, because there are new attack vectors.' And they reminded me that there's already a patch out there."
Microsoft representatives were not immediately available for comment.
Core ST also discovered that a security flaw in the Windows Messenger service could enable hackers to launch an attack similar to that of the MSBlast worm that infected thousands of computers in August. Microsoft has issued a patch for that flaw as well.
"This is another case of a known vulnerability," Arce said. "What we found was the same thing: a new way of attacking [by exploiting] this vulnerability."
A new worm exploiting the Messenger service flaw could spread using single User Datagram Protocol (UDP) packets, as SQL Slammer did. MSBlast, by contrast, had to open TCP connections to each victim; according to Core ST, a UDP-based worm could spread even faster than Slammer.
Unlike the Transmission Control Protocol (TCP) -- which requires a handshake to establish a connection before any data is sent -- UDP lets a single source computer fire off packets to one address after another without waiting for any of them to answer. "UDP is a connectionless protocol," Arce said. "You just send packets, and you don't expect response from the computer that you are communicating with."
This greatly speeds up propagation, according to Core ST: a worm can send its entire payload in one datagram to each address it picks, so it is limited only by how fast the infected host's network link can emit packets, rather than by the round trip of a connection setup or the timeout a TCP worm waits out for every address that does not respond.
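A worm that spreads the way the passage describes leaves a characteristic trace on the wire: one source emitting many identically sized single-packet UDP flows to many distinct destinations on one port, with almost no replies coming back. The following detector is an added example written for this page, not code from Core ST or the article; it runs over constructed flow records (the addresses, port numbers, byte counts and the thresholds `window`, `min_targets` and `max_reply_ratio` are all assumptions, not values from any published signature) and flags the source whose traffic fits that single-datagram spray pattern while leaving a busy DNS client and ordinary TCP sessions alone.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # start time, seconds
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int
    pkts: int        # packets sent from src to dst in this flow
    byts: int        # bytes sent from src to dst in this flow
    replied: bool    # whether dst sent anything back


def _worm_like(n, port, payload):
    # Constructed records: n single-datagram UDP flows from one source to n
    # distinct hosts within 0.01*n seconds, none of which answer.
    return [Flow(0.01 * i, "10.0.0.5", f"198.51.100.{i + 1}", "udp", port, 1, payload, False)
            for i in range(n)]


# All sample traffic below is constructed for this example.
SAMPLE_FLOWS = (
    _worm_like(40, 1434, 376)
    # Benign UDP: a client querying one resolver repeatedly, always answered.
    + [Flow(0.02 * i, "10.0.0.9", "10.0.0.53", "udp", 53, 1, 60, True) for i in range(30)]
    # Benign UDP: a host probing a handful of peers, well below the target threshold.
    + [Flow(0.05 * i, "10.0.0.7", f"10.0.1.{i + 1}", "udp", 5060, 1, 300, False) for i in range(8)]
    # TCP sessions are multi-packet and connection-oriented; the detector ignores them.
    + [Flow(0.1 * i, "10.0.0.9", f"203.0.113.{i + 1}", "tcp", 80, 12, 4000, True) for i in range(25)]
)


def detect_udp_spray(flows, window=1.0, min_targets=20, max_reply_ratio=0.05):
    """Flag sources that, within any `window` seconds, send one-packet UDP flows to at
    least `min_targets` distinct destinations on the same port and get replies from
    no more than `max_reply_ratio` of those flows. Returns {src: summary} describing
    the widest qualifying window per source. Thresholds are assumed defaults."""
    by_key = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.pkts == 1:
            by_key[(f.src, f.dport)].append(f)

    hits = {}
    for (src, dport), recs in by_key.items():
        recs.sort(key=lambda f: f.ts)
        j = 0
        for i in range(len(recs)):
            # Advance j so recs[i:j] is every flow starting within `window` of recs[i].
            while j < len(recs) and recs[j].ts - recs[i].ts <= window:
                j += 1
            span = recs[i:j]
            targets = {f.dst for f in span}
            if len(targets) < min_targets:
                continue
            ratio = sum(1 for f in span if f.replied) / len(span)
            if ratio > max_reply_ratio:
                continue
            found = {"dport": dport, "targets": len(targets), "flows": len(span),
                     "reply_ratio": ratio, "start": recs[i].ts}
            if src not in hits or found["targets"] > hits[src]["targets"]:
                hits[src] = found
    return hits


if __name__ == "__main__":
    for src, info in detect_udp_spray(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} targets on udp/{info['dport']} in "
              f"{info['flows']} single-packet flows, reply ratio {info['reply_ratio']:.2f}")
```

The reply ratio is what separates a spraying worm from a chatty but legitimate UDP client: a real service answers most of its clients, whereas a worm scanning random addresses hears back from almost none of them. On production flow data the window and target counts would need tuning against the network's normal fan-out, and the same logic extends to TCP SYN-only flows if the `proto`/`pkts` filter is relaxed.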
As to whether the type of "after the patch release" security warning that Core ST and other firms issue provides a valuable contribution to security, experts are divided.
"There's an ongoing debate about full versus partial disclosure [of security flaws]," IDC analyst Chris Christensen told NewsFactor.
"The debate is tempered by the common recognition that 'security by obscurity' never works -- eventually somebody discovers it," he said. "So some disclosure is absolutely necessary.
"I think partial disclosure is probably preferable," he said. "It gives the security researchers and the targeted companies a chance to fix things before the inevitable full disclosure of the exploit."
However, he said, "disclosure is absolutely critical -- there's no debate about that."
Source: Newsfactor Network