MS08-001

Am I being Chicken Little in thinking that remote kernel attacks such as one leveraging the MS08-001 vulnerability will be the next chapter in the arms race between hackers and network defenders?

Alex Wheeler, one of the two researchers who discovered and analyzed the vulnerability, said this: “This is a severe vulnerability across the board. I agree with Microsoft that this is critical and wormable.”

Holly Stewart of ISS said the following on the X-Force blog, Frequency X:

These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them. Even if you have IPS in your host product, the standard APIs that protection vendors hook into on XP and Windows 2000 do not provide protection at this low level in TCP/IP.

I usually have a good FUD radar (FUD-ar?) and it isn’t picking up anything on recent chatter on MS08-001. So far I’m hearing specifics on why this is potentially a big deal, not to mention the caliber of analysts chiming in on the subject.

This week I’ve been sending emails to vendors of our various security applications, seeking clarification on what level of protection they provide. One prominent vendor replied with the following:

Based on the information contained in the MS bulletin we are unsure that [our HIPS product] would mitigate against an exploit targeting that vulnerability – that is why it’s not listed in that particular row [of a spreadsheet detailing protection levels].

The disclaimer in the [snip] document is because there has been no exploit testing. Just because there is an MS vulnerability does not mean an exploit will be written against it or available.

This despite the fact that Immunity has already publicly demonstrated a successful attack method.

Now I’d like to revisit what Holly said; “These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them.” (emphasis mine)

To me this indicates a significant threat and quite possibly the beginning of a new trend in remote attacks. If I were a hacker, this one would get a lot of attention from me because 1) both XP and Vista are ripe for the picking and 2) it likely gets my code into a position where most security software can’t see or touch it. I’d worm that sucker and use it to deliver my bot and grow a big, nearly bullet-proof botnet that could be diced up and rented to the highest bidders.

Or maybe I’m wrong and the vendor has it right and this is just another MS vulnerability that will come and go. I’m still digging bomb shelters, just in case.

I generally agree with you on this one. If reputable sources are already claiming POC code with 90% success rates, someone doing evil things “professionally” is probably already making real money with this.

On the other hand, it is so easy to get people to install malware willingly that maybe the extra effort to build these exploits isn’t necessary. But, I still think it is probably happening.