Security

Read all 'Ben Greenbaum' posts in Security
October 23, 2008 3:40 PM PDT

Microsoft RPC exploit could be a packaged deal

by Robert Vamosi
  • 5 comments

While Microsoft has labeled Thursday's emergency patch MS08-067 as "critical" and provided a rareout-of-cycle fix because its exploit could easily be used as worm on a compromised network, one security researcher doesn't think it will happen that way.

"It's likely we're going to see this packaged with some other attack." said Ben Greenbaum, senior research manager at Symantec. "A Web-based attack, for example. We're looking out for are exploits of this being bundled with client-side exploits or Trojans so that the worm can get past corporate firewalls and get behind that firewall into the internal network."

Comparisons have been made to Zotob, an RPC worm that spread like wildfire in 2005. Remote Procedure Calls (RPC) allows programmers to run code either locally or remotely; a flaw within them is ideal for creating a worm.

"The potential is certainly there," Greenbaum said, adding that modern day attackers are "looking to create as much revenue for themselves as possible, and part of that equation means avoiding detection. What we're likely to see is that this will be added to a wide variety of attack tool kits already available."

"It's possible--but it's not likely--that we'll end up seeing a purpose-built worm that only exploits this one vulnerability," he said.

Since the patch came out Thursday morning, Symantec has seen increased scanning on ports 139 and 445, ports that exploits of MS08-067 would use.

There are some mitigating factors. Most firewalls, with default settings in place, should not allow an exploit of this penetrate that firewall, he said. However, home networks with File and Printer Sharing could fall victim to a bundled attack using this exploit.

The greatest danger is to systems running Windows XP and Windows 2000; Microsoft has ranked the patch as critical for these systems. On Windows Vista, Windows Server 2008, or Windows 7 pre-Beta, if the firewall is disabled, and File and Printer sharing enabled, an anonymous user could use this exploit to connect but would do so only at the lowest possible integrity setting, which would prevent successful exploitation, Greenbaum said. Microsoft has rated the patch only as important for those operating systems.

Topics:
Vulnerabilities and attacks,
News
Tags:
security,
Microsoft,
MS08-067,
Ben Greenbaum,
Symantec,
File and Printer Sharing,
RPC,
exploit,
worm,
ports 139,
port 445
Share:
Digg
Del.icio.us
Reddit
  • prev
  • 1
  • next
advertisement

15 sites that went kaput in 2009

Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.

Top 10 news stories of the decade

Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

Most Discussed



advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET