Microsoft: Flaw could lead to worm attack

Microsoft has patched three Windows bugs, including one that could be exploited by a computer worm attack.

Microsoft has fixed a critical flaw in the Windows operating system that could be used by criminals to create a self-copying computer worm attack.

The software vendor released its first set of patches for 2008 on Tuesday, fixing a pair of networking flaws in the Windows kernel. Microsoft also released a second update for a less-serious Windows flaw that would allow attackers to steal passwords or run Windows software with elevated privileges.

The critical bug lies in the way Windows processes networking traffic that uses IGMP (Internet Group Management Protocol) and MLD (Multicast Listener Discovery) protocols, which are used to send data to many systems at the same time. Microsoft says that an attacker could send specially crafted packets to a victim's machine, which could then allow the attacker to run unauthorized code on a system.

Security experts say that there is no known code that exploits this flaw, but now that the patch has been posted, hackers can reverse-engineer the fix and develop their own attack code.

Because IGMP is enabled in Windows XP and Vista by default, this bug could be used to create a self-copying worm attack, Microsoft said Tuesday.

"Theoretically this is wormable and that's why this is rated critical," said Tim Rains, security response communications lead with Microsoft. However, Microsoft does not believe that hackers will have an easy time developing attack code that will work reliably. "We've done a thorough analysis of the vulnerability and we've come to the conclusion that there are several technical mitigating factors that make it unlikely to get reliable remote code execution," Rains said.

Windows uses the IGMP protocol for many popular consumer applications such as streaming video, multiplayer games and universal plug-and-play, but the protocol is usually blocked at the router. A derivative of IGMP, MLD is the multicast protocol used by IPv6 systems and is enabled on Vista by default

"If it became a worm it could take over an internal network pretty quickly, or at least all the machines where multicast is enabled," said Eric Schultze, chief technology officer with Shavlik Technologies. "But this one is going to be mitigated because a lot of people have blocked multicast."

The critical MS08-001 update that fixes this flaw also patches a second, less-serious bug in the Windows networking stack that could be leveraged to launch a denial of service attack against a Windows system. This vulnerability lies in the Internet Control Message Protocol Router Discovery Protocol (ICMP RDP) which is used by Windows to find out how to communicate with the network. Because this capability is not turned on by default, Microsoft considers this to be merely an "important" bug.

Microsoft's other Tuesday update, MS08-002, fixes an elevation of privilege flaw in the Windows Local Security Authority Subsystem Service (LSASS), used to manage account credentials in Windows.

This flaw could be exploited by attackers to steal passwords or run their code with a higher level of privilege on Windows, said Schultze. "The primary concern is Johnny who is a user becoming Johnny admin," he said. But if attackers were to combine an attack that exploited this flaw with another exploit that would allow them to run code on the system, then "that could become a critical issue," he said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?