October 23, 2008 3:40 PM PDT

Microsoft RPC exploit could be a packaged deal

by Robert Vamosi

While Microsoft has labeled Thursday's emergency patch, MS08-067, as "critical" and provided a rare out-of-cycle fix because its exploit could easily be used as a worm on a compromised network, one security researcher doesn't think it will happen that way.

"It's likely we're going to see this packaged with some other attack," said Ben Greenbaum, senior research manager at Symantec. "A Web-based attack, for example. We're looking out for exploits of this being bundled with client-side exploits or Trojans so that the worm can get past corporate firewalls and get behind that firewall into the internal network."

Comparisons have been made to Zotob, an RPC worm that spread like wildfire in 2005. Remote Procedure Calls (RPC) allow programmers to run code either locally or remotely; a flaw within them is ideal for creating a worm.

"The potential is certainly there," Greenbaum said, adding that modern day attackers are "looking to create as much revenue for themselves as possible, and part of that equation means avoiding detection. What we're likely to see is that this will be added to a wide variety of attack tool kits already available."

"It's possible--but it's not likely--that we'll end up seeing a purpose-built worm that only exploits this one vulnerability," he said.

Since the patch came out Thursday morning, Symantec has seen increased scanning on ports 139 and 445, ports that exploits of MS08-067 would use.
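To look for the same kind of scanning in your own firewall logs, the following added example (not from the article or from Symantec) flags sources that touch many distinct hosts on TCP 139/445 within a short window. It assumes log lines in the Windows Firewall pfirewall.log field order; the sample lines, function names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {"139", "445"}  # ports the article names for MS08-067 scanning

# Constructed sample (not real traffic), in pfirewall.log field order.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2008-10-23 18:02:01 DROP TCP 203.0.113.7 192.0.2.10 51001 445
2008-10-23 18:02:02 DROP TCP 203.0.113.7 192.0.2.11 51002 445
2008-10-23 18:02:03 DROP TCP 203.0.113.7 192.0.2.12 51003 139
2008-10-23 18:02:04 DROP TCP 203.0.113.7 192.0.2.13 51004 445
2008-10-23 18:02:05 ALLOW TCP 192.0.2.50 192.0.2.20 49152 445
2008-10-23 18:04:05 ALLOW TCP 192.0.2.50 192.0.2.20 49153 445
2008-10-23 18:05:00 DROP TCP 198.51.100.9 192.0.2.10 40000 80
2008-10-23 18:05:01 DROP UDP 198.51.100.9 192.0.2.10 40001 445
2008-10-23 19:30:00 DROP TCP 198.51.100.23 192.0.2.10 40000 445
2008-10-23 20:30:00 DROP TCP 198.51.100.23 192.0.2.11 40001 445
2008-10-23 21:30:00 DROP TCP 198.51.100.23 192.0.2.12 40002 445
"""


def parse(lines):
    """Yield (timestamp, src, dst) for TCP connections to ports 139/445."""
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 8:
            continue  # header, comment or truncated line
        date, time, _action, proto, src, dst, _sport, dport = parts[:8]
        if proto.upper() != "TCP" or dport not in SMB_PORTS:
            continue
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst


def find_scanners(lines, min_targets=3, window=timedelta(minutes=5)):
    """Return {src: most distinct 139/445 targets seen inside one window}."""
    events = defaultdict(list)
    for ts, src, dst in sorted(parse(lines)):
        events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        start = best = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({d for _, d in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged
```

With the default five-minute window the client that repeatedly talks to one file server is ignored, and so is the source probing one host per hour; widening `window` is what surfaces slow scans like that one.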

There are some mitigating factors. Most firewalls, with default settings in place, should not allow an exploit of this to penetrate the firewall, he said. However, home networks with File and Printer Sharing could fall victim to a bundled attack using this exploit.

The greatest danger is to systems running Windows XP and Windows 2000; Microsoft has ranked the patch as critical for these systems. On Windows Vista, Windows Server 2008, or Windows 7 pre-Beta, if the firewall is disabled and File and Printer Sharing is enabled, an anonymous user could use this exploit to connect but would do so only at the lowest possible integrity setting, which would prevent successful exploitation, Greenbaum said. Microsoft has rated the patch only as important for those operating systems.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Vegaman_Dan October 23, 2008 6:37 PM PDT
They found an exploit and patched it immediately instead of waiting for a regular patch cycle. While I'm sure there will be those who will be quick to blast Microsoft for having the vulnerability, you have to give them credit for issuing a patch so quickly. There are other OS vendors out there that would never admit there was a vulnerability and issue a patch quietly or slip it into an unrelated product patch.
by The_Decider October 26, 2008 9:56 AM PDT
Too bad they sat on the blaster worm fix for 6 months.

One thing they did right doesn't erase years of incompetence. Let's wait and see if it is really fixed. More than likely it broke something and introduced a new hole.
by NTBugtraq-RussCooper October 24, 2008 8:04 PM PDT
Rob,

Ben's not the only researcher thinking the likelihood of a network worm is slim. We over at the Verizon Business RISK Team figure this will, like all malware these days, be used to line some criminal's pockets. We published our analysis to our blog yesterday...might want to keep an eye on it as we're going to try and get our analysis out in under an hour on future patches.

SecurityBlog.VerizonBusiness.com analysis of MS08-067: http://securityblog.verizonbusiness.com/2008/10/23/ms08-067-%e2%80%93-out-of-cycle-windows-patch/#more-151

Cheers,
Russ
by The_Decider October 26, 2008 9:58 AM PDT
Since Symantec is a large virus writer I wouldn't put much stock in what they say.

Symantec is a virus because it takes complete control of your system and does crap like delete files without asking. It also turns itself back on if you disable something.
by fdunn3 October 27, 2008 4:05 PM PDT
This will no doubt be added to the Metasploit Framework which is used PRIMARILY for penetration testing but also to the supposedly defunct (NOT) NeoSploit framework for which you pay for your exploit.

So will there be a mass Internet worm? It depends on how stupid someone would be to let it loose.

Will there be targeted malicious releases? You bet. If there is money or intelligence to be had with this then it will be used in targeted attacks.