[ISN] Security Experts Warn of New Way to Attack Windows

From: InfoSec News (isn@private)
Date: Thu Dec 11 2003 - 01:12:34 PST

Next message: InfoSec News: "[ISN] InfoSec 2003: 'Zero-day' attacks seen as growing threat"

Previous message: InfoSec News: "[ISN] No Skeletons in Howard Dean's Online Closet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.eweek.com/article2/0,4149,1408909,00.asp

By Dennis Fisher 
December 10, 2003 

Security experts have found a new way to exploit a critical
vulnerability in Windows that evades a workaround and enables the
attacker to compromise a number of machines at one time. The new
attack could also lead to the creation of another fast-spreading
Windows worm, the experts warned.

The workaround in question is for the buffer overrun flaw in the
Windows Workstation Service, which is enabled by default in Windows
2000 and XP. An attacker who successfully exploits the weakness could
run any code of choice on the vulnerable machine.

Microsoft Corp. issued a patch for the vulnerability in November, but
the security bulletin also listed several workarounds for the flaw,
including disabling the Workstation Service and using a firewall to
block specific UDP and TCP ports. But penetration testers at Core
Security Technologies, a Boston-based security company, discovered a
new attack vector that uses a different UDP port. This attack still
allows the malicious packets to reach the vulnerable Workstation
Service.

The attack takes advantage of several characteristics of the UDP
protocol. Unlike TCP, UDP is "connectionless," meaning that there is
no TCP-style handshake, and you need not establish a connection with a
remote machine in order to send a UDP packet. Also, because the
Internet's DNS service uses the protocol, UDP packets usually have no
trouble traversing firewalls.

These factors combine to make it possible for an attacker to send a
broadcast UDP packet containing the malicious code to multiple
machines on a given network. The traffic can be disguised to look like
DNS packets, further obscuring the attack.

"If someone hasn't applied the patch but blocked the ports as they
should have, they're still vulnerable," said Max Caceres, a product
manager at Core Impact.

The patch for the Workstation Service vulnerability does protect
against this latest attack, Caceres said. Core Security notified
Microsoft of its findings earlier this week.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] InfoSec 2003: 'Zero-day' attacks seen as growing threat"
Previous message: InfoSec News: "[ISN] No Skeletons in Howard Dean's Online Closet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Dec 11 2003 - 04:09:48 PST