New Windows Vulnerability

There's a new Windows 2000 vulnerability:

A serious flaw has been discovered in a core component of Windows 2000, with no possible work-around until it gets fixed, a security company said.

The vulnerability in Microsoft's operating system could enable remote intruders to enter a PC via its Internet Protocol address, Marc Maiffret, chief hacking officer at eEye Digital Security, said on Wednesday. As no action on the part of the computer user is required, the flaw could easily be exploited to create a worm attack, he noted.

What may be particularly problematic with this unpatched security hole is that a work-around is unlikely, he said.

"You can't turn this (vulnerable) component off," Maiffret said. "It's always on. You can't disable it. You can't uninstall."

Don't fail to notice the sensationalist explanation from eEye. This is what I call a "publicity attack" (note that the particular example in that essay is wrong): it's an attempt by eEye Digital Security to get publicity for their company. Yes, I'm sure it's a bad vulnerability. Yes, I'm sure Microsoft should have done more to secure their systems. But eEye isn't blameless in this; they're searching for vulnerabilities that make good press releases.

Posted on August 5, 2005 at 2:25 PM • 13 Comments

Comments

Davi Ottenheimer • August 5, 2005 2:40 PM

Ok, another vulnerability, but what do these companies do to clarify the threat of attack? Microsoft's rating system basically classifies anything remotely possible (pun intended) as critical.

This was the point I was trying to make with regard to the pressure on Lynn from ISS during the discussions here:

http://www.schneier.com/blog/archives/2005/08/more_lynncisco.html

and here:

http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html

So does this mean you are saying that ISS was attempting the same "publicity attack", which then became Lynn's solo effort? And does that mean you disagree with these companies trying to make money by discovering flaws in technology? By comparison, is that more/less ethical than medical research labs actively trying to find flaws in widely used medicine or treatments?

Sam • August 5, 2005 2:46 PM

"enable remote intruders to enter a PC via its Internet Protocol address"

I love this line. It is both true and misleading at the same time.

While all internet activity must use IP, and therefore the IP address, this line makes it sound like this is IP's fault.

Don • August 5, 2005 3:44 PM

No better way to question the wisdom of limited disclosure than this quote: "As part of company policy, it does not release technical details of the vulnerabilities it finds until the software's maker has released either a patch or an advisory."

I don't think you have to be a rocket scientist to figure out that there are other possible [in]actions beyond patch or advise.

Arik • August 5, 2005 4:17 PM

It would be nice if they'd specify that a personal firewall can mitigate this attack (assuming it does).

JohnJ • August 5, 2005 4:25 PM

So, since it uses the IP address, would a NATted address defeat attacks from outside the network? If so, it's still a problem but not nearly as bad as if the machine was exposed to the Internet.

Davi Ottenheimer • August 5, 2005 6:58 PM

@ Chuck

I actually think the eEye report is one of the better summaries I have seen, aside from the unnecessarily arrogant tone ("Of course those that have played in the network device security world for some time will already be aware").

They still do not address the threat scenario sufficiently for my taste, but they do emphasize that this is a new twist on a known vulnerability that raises the overall risk factor:

"it is estimated that out of all currently known Cisco IOS vulnerabilities, one in ten provides the necessary criteria for this type of exploitation"

The closest thing I have seen to what I'm really talking about is Arbor Network's (note the authors) "Wormability Index":

http://www.arbornetworks.com/downloads/research129/wormability_researchOct04.pdf

This attempts to show the real threat of a worm developing from a vulnerability disclosure.

Smog Farm • August 6, 2005 8:29 AM

Until Microsoft, Cisco, et al start offering cash rewards to report vulnerabilities directly to them, companies and individuals will publish them to gain cash money and recognition. Or sell them to bad people.

huamei • August 6, 2005 3:10 PM

I think most of you missed his point. He is not referring to releasing info on vulns... but merely stating the vagueness of their attempts to gain the market. They say, "enter a PC via its Internet Protocol address" (eEye) and the point is how else do you expect them to get in? If most of you don't know, the internet is basically IP addresses only. NEWSFLASH - This just in, a burglar can break into your home by driving down a street, this flaw could allow them to break into your house with no thinking required, no further information will be released until the government can patch this problem although we don't think there can be a solution at this time...

Davi Ottenheimer • August 6, 2005 10:48 PM

@ huamei

No, the sensationalist explanation part is here:

"You can't turn this (vulnerable) component off," Maiffret said. "It's always on. You can't disable it. You can't uninstall."

In other words, if you believe eEye, there's nothing you can do to fix Windows 2000 right now. That's about as extreme a statement as they could make. Of course, no one is addressing the threat scenario, but I'll stop beating that horse...

Whether this is via an Internet Protocol address (network-based) or via an account already on the system (host-based) just means it meets one of two typical classifications of vulnerabilities.

CC • August 8, 2005 2:44 PM

Well, eEye's behavior might be a little sensationalistic, but consider this: The very fact that there are so many security holes in Microsoft's products that it will sustain a small industry (to the point where security companies have to get sensationalistic to distinguish themselves from others in their industry), paired with the fact that a very large percentage of users run Microsoft's operating systems, is of far greater concern than how shameless of a plug eEye puts out for their particular discovery.

What we *should* be asking is: since Microsoft's products are so closely tied to our infrastructure, shouldn't security companies have a better means with which to force Microsoft to patch security holes than to simply shame them into it?

zahid • August 16, 2005 8:27 AM

At times I wonder what your blogs are about? Everyone likes publicity and so do you.
