Tuesday, October 28, 2008

Malicious worm exploits the serious Microsoft Server service flaw

Last week, I wrote a LiveSecurity alert (subscription required) warning our customers of an extremely critical out-of-cycle patch released by Microsoft. This patch fixes what has to be the most severe Windows networking vulnerability that I have seen in the past few years. Simply put, by sending specially crafted RPC packets, a remote, anonymous attacker can exploit this flaw to gain complete control of your Windows 2000, XP and Server 2003 computers. If he has valid Windows credentials for your network, an attacker could even leverage this flaw against Vista and Server 2008 machines. If you haven't heard about this flaw yet, I highly recommend you read Microsoft's bulletin, and patch it immediately.

When Microsoft's bulletin first came out, attackers were already exploiting this flaw on the Internet in what Microsoft described as limited, targeted attacks. Shortly after posting our own alert, Scott and I recorded our Security Story of the Month segment for the November edition of Radio Free Security, during which I predicted that attackers would quickly add this vulnerability to a worm or bot client (the episode will come out the first week of November). That's one prediction I wish I had gotten wrong.

Unfortunately, my prediction was more accurate than even I would have guessed. Not even a day after our recording session, security companies reported a new worm called Gimmiv that exploits this serious Windows vulnerability. If Gimmiv can infect one computer behind your network perimeter, it exploits the Server service flaw to automatically infect all unpatched machines on your network. It then loads software to steal passwords from the infected victims.

Besides the Gimmiv worm, hackers and greyhat researchers have also released Proof-of-Concept (PoC) code and exploit code that make it easy for anyone to leverage this new vulnerability. One particular exploit on Milw0rm.com even includes a convenient binary file, so script kiddies that don't know how to compile code already have an executable to launch against victims. Finally, I expect Metasploit, a free exploitation framework tool, to have an exploit module for this vulnerability any day now.

I point all this out not to freak you out, but to illustrate how important it is for you to install Microsoft's patch for this issue. If, God forbid, you could only install one Microsoft patch this year, this would be the one to install (at least so far). If you haven't installed it yet, stop reading -- for that matter stop whatever else you're doing -- and install Microsoft's patch! You'll be glad you did.