Kernel vulnerability found in Vista
A flaw in Vista's networking has been found that can crash the system, but no fix is expected until the next service pack
A flaw has been found in Windows Vista that could allow rootkits to be hidden or denial-of-service attacks to be executed on computers using the operating system.
The vulnerability was found by Thomas Unterleitner of Austrian security company Phion and was announced Friday. Unterleitner told ZDNet UK on Friday that Phion told Microsoft about the flaw in October but that he understood a fix would only be issued in the next Vista service pack.
According to Unterleitner's disclosure of the flaw, the issue lies in the network input/output subsystem of Vista. Certain requests sent to the iphlpapi.dll API can cause a buffer overflow that corrupts the Vista kernel memory, resulting in a blue-screen-of-death crash.
"This buffer overflow could (also) be exploited to inject code, hence compromising client security," Unterleitner said.
Unterleitner told ZDNet UK via e-mail that the "exploit can be used to turn off the computer using a (denial-of-service) attack." He also suggested that, because the flaw lies in the Netio.sys component of Vista, it may make it possible to hide rootkits.
Using a sample program, Unterleitner and his colleagues ascertained that Vista Enterprise and Vista Ultimate were definitely affected by the flaw, with other versions of Microsoft's operating system "very likely" to be affected as well. Both 32-bit and 64-bit versions are vulnerable. Windows XP is not affected.
Asked about the severity of the flaw, Unterleitner pointed out that administrative rights were needed to execute a program calling the function that would cause the buffer overflow. However, he also said it was possible--but not yet confirmed--that someone could use a malformed DHCP packet to "take advantage of the exploit without administrative rights."
"We have worked together with Microsoft Security Response Center in Redmond since October 2008 to locate, classify and fix this bug," Unterleitner wrote. "Microsoft will ship a fix for this exploit with the next Vista service pack."
Microsoft told ZDNet UK on Friday that it had investigated the issue, but was "currently unaware of any attacks trying to use the vulnerability or of customer impact." It could not, however, confirm the inclusion of a fix for the problem in the next as-yet-unreleased service pack for Vista, nor give the release date for that service pack.
David Meyer of ZDNet UK reported from London.
"The final release date for Windows Vista SP2 will be based on quality. So we'll track customer and partner feedback from the beta program before setting a final date for the release."
http://windowsteamblog.com/blogs/windowsvista/archive/2008/10/24/windows-vista-service-pack-2-beta.aspx
It's sad, though, that features like PatchGuard on 64-bit, ASLR and driver signing won't be of any use.
Actually, none of the operating systems fell on the first day. The Mac fell on the second day, when the judges relaxed the rules on the use of exploits (needing social engineering).
You should make sure you update your kernels.
First of all, I am a Linux junkie. The time I've spent using Windows (Vista of all things) far exceeds my time with Linux. Nowhere was I bashing Windows. Indeed, my greater time in Linux was due to a project I am doing and not any fanaticism for the OS.
"Let me put it so your small Linux-addled brain can understand it: LINUX MIGHT HAVE SOME OF THESE SAME VULNERABILITIES!"
Let me put this simply so you and your knee-jerk reactionary pea brain can understand: I DID NOT SAY LINUX WAS IMMUNE OR PERFECT IN ANY WAY. Work on your reading comprehension skills.
"And uh.... remind me which operating system was hacked first in that competition? Wasn't Windows!"
You'll have to be a little more specific; to what competition are you referring?
You're way too sensitive; you jump at even the slightest criticism, real or imagined. Lighten up before you have a stroke or something; it's not healthy to get religious over software.
Also, can it be hit by something that came in via IE?
Either way, there are only 3 Vista users in the whole company where I work, so I'm not too awfully worried about it... but I'd like to know why they think XP is not affected (or Win2k3?)
/P
I'm actually a bit surprised it took this long to find a serious flaw in something 100% new.
You do pose some good questions. Since they mentioned needing admin privileges, my guess is that it would require user intervention (especially with the UAC warning for those who have it enabled).
However, he also said it was possible--but not yet confirmed--that someone could use a malformed DHCP packet to "take advantage of the exploit without administrative rights."
Possible, but not yet confirmed.
DHCP packets go out over a broadcast IP address, which is not routable unless the router is configured to forward BOOTP. Since Internet routers don't do this, I'm not overly concerned. The attack would have to come from the local area network.
If any corporation has such a poor security team as to allow this to happen internally, well, then they deserve what they get.
Although you are correct that the majority of the issues that occur do come from the inside, this type of issue is at its worst an annoyance: traceable, and the best way to get an exit interview.
While not perfect or as easy as, say, Blaster or Code Red, I can see it to be somewhat workable.
I've been reading your comments on various things...things you've never tried or owned...ever.
It's a Windows world, not a Mac or Linux world, and with the downfall of the traditional iPod lineup, it's going to be a Zune world.
This hack is barely worth the fix. Unless a close friend or family member initiates it on a loosely-secured intranet, the hack is completely pointless. I'm sick of the Vista haters. Macs are extremely proprietary, more so than Windows. It's a Linux distribution Steve Jobs and friends put up for sale and Bill Gates helped to write! haha, and Linux...oh christ...Linux is the exact opposite. Linux users basically sit around all day and update their system, only to have it fail one day...maybe then they'll get a life. Linux is old technology, and only those with no life...and no hopes at having a life...use them. End of Story.
I'm a PC, and I have a life. XD
Microsoft will fix it in time for Vista SP2, which I assume should come some time next year. If there is an exploit put into the wild, they'll fix it before then.
Apple had the infamous AppleScript root vulnerability, which required just one line of AppleScript to be executed by any user in order to gain a root shell, inside the default install of its operating system for a couple of years.
From the release of Mac OS X 10.0 beta (some time in 2000?) until August of 2008, when the problem was finally fixed, you could get root by running that AppleScript command against any setuid OS X application. In 2004, an Apple engineer warned the company of this security problem. In 2006, Apple helpfully started shipping a program as setuid inside a default install of OS X.
Castigate Microsoft if you want, but I don't believe their security flaw requires urgent action unless it can be triggered by DHCP as the article suggests might be possible. If you want to have a go at Microsoft, then maybe first you should take a look at Apple's insecurity history. A good place to start is Rixstep.com - they have a very good article about OS X's latest security flaws here: http://www.rixstep.com/2/20080702,00.shtml
really?
This is the same company that waited over 6 months to fix the Blaster worm exploit. That worm used a flaw in a single line of code.
If fixing that single line affected the functionality of anything else, then MS coding practices are the worst in the world, so don't trot out this excuse. A well-written program can deal with any changes inside a function without affecting anything else, as long as the function contract is fulfilled.
Typical FUD from The_Decider. The true account of that worm was that the fix was released prior to the worm. In fact the flaw that was used was found by reverse engineering the patch MS03-026 which was released about a month before any variation of the worm even showed up.
Keep trying, though; one day something you say will be right, if for no other reason than the sheer volume.
http://marketshare.hitslink.com/report.aspx?qprid=10
(Information provided from this link changes over time.)
This leads one to wonder why so few seem to have so much to say about an OS they don't use.
Windows is the most hacked, because it is the easiest.
The problem is that MS response is the same as always. Wait to fix it. If they think no one will be able to exploit this without user intervention, they are dreaming.
It is not only the number of exploits found, it is how fast and how correctly they fix it. MS fails in this category time and time again.
Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0day (zero-day) patch rate.
They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study (PDF format).
What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.
"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."
It's generally good for vendors to have a software fix available when a vulnerability is disclosed, since hackers often try to find out where the problem is in order to write malicious software to hack a machine.
For a vendor to have a patch ready when the bug is detailed in public, it needs to get prior information from either its security analysts or from external sources. Otherwise, the vendor has to hurry to create a patch. But that process can be lengthy, given the rigorous testing needed to test the patch to ensure it does not conflict with other software.
Apple only started patching 0day vulnerabilities in late 2003, Frei said.
"We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive," Frei said. "It looks like Microsoft had good relationships earlier with the security community."
Over the past few years, Microsoft has tried to cultivate a closer relationship with the security community in order to encourage researchers to give it a heads-up about software problems. Apple, however, doesn't appear to have that same sort of engagement yet, and, "based on our findings, this is hurting them," Frei said.
Curiously, both vendors' abilities to have 0day patches ready at disclosure seemed to dip in the six months before a major product release. That trend was most pronounced in 2004 and 2005. Frei theorized that the buildup to big software releases took away software engineering resources.
Andrew Cushman, director of Microsoft's Security and Research, said he couldn't pinpoint what might cause that trend. But in 2004 and 2005, Microsoft had a rash of vulnerabilities pop up in its Office products that it did not get advance notice of, which may have contributed to a higher percentage of unpatched publicly disclosed bugs.
However, the study proved to be such a glowing affirmation of Microsoft's increased focus on security in the past few years that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"
"This is independent academic research," Frei replied.
Overcharge? I picked up Vista Ultimate 64 for $169. A copy of OS X Leopard is $149. Then again, if you are going by Linux standards, then both Windows and OS X are incredibly overpriced when compared against FREE!
I see updates, patches and security fixes come down the pipe for all 3 OS's! On my Ubuntu box, hardly a day goes by when there's not an update waiting. Does Apple set arbitrary dates for its patches? It almost always seems like they are announced the day they are released. Microsoft almost always does the "patch Tuesday" every month. I would imagine that if an exploit appears in the wild, a patch for this would be released, but until then, what is wrong with waiting for SP2?
I have used Vista from the very start and I still do not like it to this very day. Microsoft, if you are listening... well, then I would trade all my Vista complaints for just one fix... the file management system. Fix that to an XP system dumbed down to Windows 2000 and you can have my continued business. No? Well, how about at least the option to dumb it down ourselves? Right now I simply can't work with Vista; it is just way too annoying to work with. On my computer I have two hard drives, with XP on the other to get all my file management done. Please give me a break; I really like you guys, but you are really letting me down in a very bad way.
-J. Thirlwell
by sonounfrocione, November 25, 2008 2:08 AM PST
It's not critical, it's just a local crash (DoS):
secunia.com/advisories/32791/
Critical: Not critical
Impact: DoS
Where: Local system
It requires that the attacker is a member of the "Network Configuration Operators Group".
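Since both the article (administrative rights) and the advisory quoted above (membership in the "Network Configuration Operators" group) tie exploitation of this flaw to local group membership, the practical defensive check is to audit who sits in those two groups. The following is an added audit script, not code from the article, Phion, or Secunia. It relies only on the built-in `net localgroup` command, so it runs on Vista as well as newer Windows without extra modules; the allow-list of expected accounts is a constructed placeholder, and the note that "Network Configuration Operators" is empty on a fresh install is an assumption to verify against your own baseline.

```powershell
# Added audit example (not from the article or the Secunia advisory).
# Lists the members of the local groups whose membership the article
# and advisory tie to this Vista flaw, and flags any account that is
# not on a site-specific allow-list.

function Get-LocalGroupMembership {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    # `net localgroup <group>` prints a dashed separator line before the
    # member list and "The command completed successfully." after it.
    $lines = & net localgroup $GroupName 2>$null
    $inList = $false
    $members = @()
    foreach ($line in $lines) {
        if ($line -match '^-{5,}')            { $inList = $true; continue }
        if ($line -match 'command completed')  { break }
        if ($inList -and $line.Trim().Length -gt 0) { $members += $line.Trim() }
    }
    return ,$members   # keep an array even for zero or one member
}

# Constructed allow-list: replace with the accounts expected on your hosts.
# "Network Configuration Operators" is assumed empty on a fresh install.
$expected = @{
    'Administrators'                  = @('Administrator', 'Domain Admins')
    'Network Configuration Operators' = @()
}

foreach ($group in $expected.Keys) {
    $members = @(Get-LocalGroupMembership -GroupName $group)
    "== $group ($($members.Count) member(s))"
    foreach ($m in $members) {
        $leaf = ($m -split '\\')[-1]   # drop a "DOMAIN\" or "HOST\" prefix
        $flag = if ($expected[$group] -contains $leaf) { '' } else { '   <-- not in allow-list' }
        '    {0,-40}{1}' -f $m, $flag
    }
}
```

Run it from an ordinary (non-elevated) PowerShell prompt; listing local group membership does not require administrative rights. Any account flagged in "Network Configuration Operators" is one that, per the advisory, could trigger the local crash without being a full administrator, so it is the first thing to review or remove while waiting for the service-pack fix.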