Microsoft: Flaw could lead to worm attack

Microsoft has patched three Windows bugs, including one that could be exploited by a computer worm attack.

Microsoft has fixed a critical flaw in the Windows operating system that could be used by criminals to create a self-copying computer worm attack.

The software vendor released its first set of patches for 2008 on Tuesday, fixing a pair of networking flaws in the Windows kernel. Microsoft also released a second update for a less-serious Windows flaw that would allow attackers to steal passwords or run Windows software with elevated privileges.

The critical bug lies in the way Windows processes networking traffic that uses IGMP (Internet Group Management Protocol) and MLD (Multicast Listener Discovery) protocols, which are used to send data to many systems at the same time. Microsoft says that an attacker could send specially crafted packets to a victim's machine, which could then allow the attacker to run unauthorized code on a system.

Security experts say that there is no known code that exploits this flaw, but now that the patch has been posted, hackers can reverse-engineer the fix and develop their own attack code.

Because IGMP is enabled in Windows XP and Vista by default, this bug could be used to create a self-copying worm attack, Microsoft said Tuesday.

"Theoretically this is wormable and that's why this is rated critical," said Tim Rains, security response communications lead with Microsoft. However, Microsoft does not believe that hackers will have an easy time developing attack code that will work reliably. "We've done a thorough analysis of the vulnerability and we've come to the conclusion that there are several technical mitigating factors that make it unlikely to get reliable remote code execution," Rains said.

Windows uses the IGMP protocol for many popular consumer applications such as streaming video, multiplayer games and universal plug-and-play, but the protocol is usually blocked at the router. A derivative of IGMP, MLD is the multicast protocol used by IPv6 systems and is enabled on Vista by default

"If it became a worm it could take over an internal network pretty quickly, or at least all the machines where multicast is enabled," said Eric Schultze, chief technology officer with Shavlik Technologies. "But this one is going to be mitigated because a lot of people have blocked multicast."

The critical MS08-001 update that fixes this flaw also patches a second, less-serious bug in the Windows networking stack that could be leveraged to launch a denial of service attack against a Windows system. This vulnerability lies in the Internet Control Message Protocol Router Discovery Protocol (ICMP RDP) which is used by Windows to find out how to communicate with the network. Because this capability is not turned on by default, Microsoft considers this to be merely an "important" bug.

Microsoft's other Tuesday update, MS08-002, fixes an elevation of privilege flaw in the Windows Local Security Authority Subsystem Service (LSASS), used to manage account credentials in Windows.

This flaw could be exploited by attackers to steal passwords or run their code with a higher level of privilege on Windows, said Schultze. "The primary concern is Johnny who is a user becoming Johnny admin," he said. But if attackers were to combine an attack that exploited this flaw with another exploit that would allow them to run code on the system, then "that could become a critical issue," he said.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest News Articles

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?