Critical vulnerability for XP and Vista proven "highly exploitable"

On January 8, Microsoft released security bulletin MS08-001, calling it critical but stressing that it would be “difficult and unlikely” to be exploited.

Immunity Inc. updated a working exploit on January 29 for the TCP/IP flaw, as spelled out in the January 8 bulletin, and posted a Flash demonstration of the attack on its Web site. The exploit has only been released to customers of Immunity’s CANVAS penetration testing software and is not available to the public.

From ComputerWorld:

"This demonstrates conclusively that the MS08-001 IGMPv3 vulnerability is highly exploitable," said Dave Aitel, Immunity's chief technology officer, in a message to his Dailydave security mailing list.

Aitel's assertion challenged Microsoft's earlier assessment that "there are a number of factors that make exploitation of this issue difficult and unlikely in real-world conditions."

Immunity did acknowledge that its newest exploit was not 100% reliable, however.

Other security companies reacted to the revamped attack code and Flash proof by issuing new alerts. Symantec Corp., for instance, sent a new warning to customers of its DeepSight threat network. "The exploit demonstrates remote code execution," noted Symantec. "The exploit works against Windows XP SP2 English Default [and shows] two Windows XP SP2 computers on a local subnet with firewall enabled being compromised."

Also from ComputerWorld:

Successful attacks by the Immunity exploit -- and any similar to it developed by others -- allow arbitrary code to execute within the context of the Windows kernel, said Symantec, an especially egregious scenario for Windows Vista.

"This is especially critical on Vista, due to its enhanced kernel security mechanisms," said Symantec. "A local user, even an admin, may have difficulty introducing unsigned code into the kernel, but in this case, it can be done remotely without any authentication whatsoever.

"This vulnerability presents an opportunity to not only execute arbitrary code on the system, but also to install backdoors and other malicious tools as well as a rootkit, which may normally be more difficult with a typical remote userland vulnerability."

If you run one of the affected versions of Windows, test the update and apply it immediately.
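Before deciding whether a bulletin can wait, it helps to know how many machines actually lack the update. The following PowerShell script is an added example, not part of the original article or of Microsoft's bulletin: it queries a list of hosts for a given hotfix and reports each one as patched, unpatched, or unreachable, so that unreachable hosts are not mistaken for patched ones. The KB identifier is a placeholder to be replaced with the number given in the MS08-001 bulletin; the host names are constructed sample values.

```powershell
# Added example: inventory which hosts still lack a given hotfix.
# Not from the article; assumes Get-HotFix can reach the hosts over WMI.
param(
    # Constructed sample host list; replace with your own inventory.
    [string[]]$ComputerName = @('localhost', 'ws-xp-01', 'ws-vista-02'),
    # Placeholder: take the real KB number from the MS08-001 bulletin.
    [string]$KB = 'KB<number-from-bulletin>'
)

foreach ($host in $ComputerName) {
    # Distinguish "unreachable" from "unpatched" so the report is not misleading.
    if (-not (Test-Connection -ComputerName $host -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $host; Status = 'Unreachable'; InstalledOn = $null }
        continue
    }

    try {
        # Get-HotFix emits a non-terminating error when the ID is absent;
        # -ErrorAction Stop turns that into an exception we can catch.
        $fix = Get-HotFix -ComputerName $host -Id $KB -ErrorAction Stop
        [pscustomobject]@{ Computer = $host; Status = 'Patched'; InstalledOn = $fix.InstalledOn }
    }
    catch {
        [pscustomobject]@{ Computer = $host; Status = 'Unpatched'; InstalledOn = $null }
    }
}
```

Run it against a small pilot group first and pipe the output to `Where-Object { $_.Status -ne 'Patched' }` to get the list of hosts that still need attention; the unreachable entries are the ones to follow up manually rather than assume safe.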

The intention here is not to raise the Windows security question or even the Vista security question. I wonder how many IT professionals get the security bulletins and take the Microsoft word as gospel when it rates a flaw. To be fair, Microsoft did rate this as “Critical” but appeared to soften the impact of that rating by stating that an exploit was “unlikely.” So, as a busy professional, how would you have read it, and what level of importance would you give it?

More information:

Microsoft Security Bulletin MS08-001


24 comments
bfpower

Calling something an "unlikely exploit" is just an invitation to hackers. On a scale of 1 to 10, I would give it an 8.

inami

it is highly important since, you never know what somebody or something might be doing.

Jaqui

When they kept an exploit unpatched for 18 months and raised its rating from low risk to highly critical over that same time period? and everyone else said it was highly critical from the start? why would ANYONE trust anything MS says when there is a public record of them lying to their client base?

JCitizen

even if you are patched; a test is in order. But I'm not going to pay Immunity Inc. money for the test software that is for sure.

BALTHOR

There would have to be a 24 hour a day hostage situation. Computer manufacturing isn't saying anything.

Tig2

The intention here is not to raise the Windows security question or even the Vista security question. I wonder how many IT professionals get the security bulletins and take the Microsoft word as gospel when it rates a flaw. To be fair, Microsoft did rate this as “Critical” but appeared to soften the impact of that rating by stating that an exploit was “unlikely.” So, as a busy professional, how would you have read it, and what level of importance would you give it?

seanferd

Even if it isn't exploitable in a terribly commercial way, someone will probably exploit it just because MS says it is "unlikely".

seanferd

When they keep a vulnerability unpatched for six years and counting? Hmmmm. Trust them as far as I can comfortably spit them.

xabyte

For what it is worth, I think M$ are and have proven to be untrustworthy and unreliable when it comes to exploits. My two cents-

seanferd

If there is a patch for the exploit, the exploit should be published so testing can be done without recourse to some expensive corporate testing mechanism. And yes, testing is always in order.

seanferd

if anyone testing or pushing this update has encountered problems with it, or discovered that it creates a different vulnerability.

juan

I AGREE, VERY IMPORTANT TO DOWNLOAD OR PATCH ALL PC'S AND SERVERS MOST IMPORTANT

seanferd

I wouldn't leave that sucker unpatched. Also, I think Microsoft needs to speak up about this. Of course, MS expects that all their patches are applied automatically and successfully... but what if you run a corporate network and aren't going to be pushing updates for another two weeks?

Phil Haney

I'm all about the ultimate question (heck, my stapler looks like the inspiration for "Deep Thought" in the movie), but where's Ambassador Kosh?

seanferd

Methane or meth-m-fettameen?

seanferd

I haven't been back to this thread 'til now, so I missed the question. Haven't had too much time on the 'net recently. No particular issue with Kosh, I was just using some of the different avatars that I bothered to resize and upload. Say "Hello" to the guys, Kosh.

ben@channells

Installing patches without testing them for stability or applying the right patch for the correct OS is like allowing the Borg to do your IT support. There have been plenty of times I've been called in to fix an Exchange server that had an untested patch applied. The number of issues thrown up by a win2k patch applied to a win2k3 server. How many people do you know that have installed WGA and had to re-register PC's-servers or mistaken an IE6 security patch for an update to IE7. Homer may be stupid and make mistakes, but he is also very good at recovery from a disaster like a hero

JCitizen

in November and the controversy started later.(with my brain damage who knows) I hope you have an enjoyable experience here at Tech Republic; I just assumed you might have some inside joke issue with Tigger. I should shaddap and get out of the way. But I was missing that neato avatar as well so I just had to jump in I guess. Happy computing and have a nice day! :)

Phil Haney

Nope. It wasn't me. Firstly, it's not my style ('cuz it's just plain rude). And second, I learned a long time ago that long after your anger subsides, your words continue to waft about the internet and embarrass you. (And yes, if it was me I'd own up to it, hang my head in shame, and ask the moderators to remove my post.) When was this? I've only been on Tech Republic since November. -Phil "Quini, quidi, quici" - I came, I saw, I played a little quidditch.

JCitizen

making sexist remarks; or do I have the wrong Phillip? If I do I apologize~

Phil Haney

TiggerTwo, I have no idea what "meth humor" is. I am sincerely curious as to why Seanfred changed his avatar from Ambassador Kosh to a reference to Hitchhiker's Guide to the Galaxy. I phrased my request with humor because that is my style. I put "Off Topic" in the title of my post so people would know it was such and could pass it by and NOT READ IT if they didn't want to. I have not been a member of Tech Republic for long and so I'm not aware of all the rules, yet. It was not my intention to offend anyone. On the other hand, I would expect someone who has "Over ten years in IT specifically with an additional 10 of just playing with the toys...", whose father gave them their first pocket protector and taught them RPN, as well as supporting the fight against breast cancer to show a little more compassion toward their fellow man (or woman) especially another geek. I don't appreciate your snippy post. Show a little restraint and politely inform people when they break the rules. If you can't be polite, then push off. Thank you so much!

Tig2

Your meth humour here. Speak to the issue or push off. Thank you so much!

JCitizen

Hope it isn't a sensitive issue seanfred!
