[ISN] More attack code surfaces for recent MS security holes

From: InfoSec News (isn@private)
Date: Tue Apr 27 2004 - 04:13:57 PDT

  • Next message: William Knowles: "[ISN] DHS, NSA team on cybersecurity"

    http://www.computerworld.com/securitytopics/security/story/0,10801,92696,00.html
    
    By Paul Roberts
    APRIL 26, 2004 
    IDG NEWS SERVICE
    
    Just days after Microsoft Corp. warned its customers about the release
    of code that can exploit a hole in its Secure Sockets Layer (SSL)  
    library, new code that claims to exploit another recently disclosed
    hole surfaced on a French-language Web site.
    
    The computer code can be used by a remote attacker to trigger a buffer
    overrun vulnerability in the Local Security Authority Subsystem
    (LSASS), according to a message posted to www.k-otik.com. Microsoft
    released a patch for the LSASS vulnerability, MS04-011, on April 13,
    along with fixes for the SSL problem and a number of other
    vulnerabilities.
    
    The code was released on Saturday, according to the K-Otik Web site,
    which hosts the exploit. It was unclear today whether the exploit code
    works, but notes attached by its author say some modifications may be
    necessary before the code can be used by a remote attacker to
    compromise Windows machines.
    
    LSASS is used to authenticate users locally and in client/server
    environments. LSASS also has features used by Active Directory
    utilities. An attacker who could exploit the LSASS vulnerability could
    remotely attack and take total control of Windows 2000 and Windows XP
    systems, according to Microsoft.
    
    Unlike e-mail worms and viruses, no user interaction would be
    necessary to trigger the LSASS buffer overflow, according to Johannes
    Ullrich, chief technology officer at the SANS Institute's Internet
    Storm Center.
    
    The Internet Storm Center hasn't received any reports of the LSASS
    exploit code being used to compromise Windows systems on the Internet,
    he said.
    
    Internet Security Systems Inc. is also aware of the new code but said
    it doesn't pose an immediate threat because it requires modification
    to work on computer networks. "The exploit is unreliable and not for
    use in the wild," said Neel Mehta, a research engineer at ISS.
    
    But that's not true for exploit code that targets the Microsoft SSL
    hole, which was released last week. ISS has seen a significant number
    of exploits using that flaw since Wednesday, Mehta said -- activity
    that is often a precursor to an exploit being used by a worm.
    
    The Internet Storm Center has received "a couple" of reports from
    organizations that had Windows systems attacked using that code, which
    leaves a unique signature in computer logs on compromised machines.  
    The attacks were isolated and don't appear to be linked to a worm or
    virus outbreak. However, there is evidence that malicious hackers have
    coupled the SSL exploit code with automated scanning tools, Ullrich
    said.
    
    "It looks like, in some cases, all affected servers in part of a
    company got attacked. It seems like somebody picked a netblock [of
    network IP addresses] and started scanning those addresses and hitting
    all the affected systems," he said.
    
    On Thursday, Microsoft warned customers to "immediately install"  
    MS04-011, citing "credible and serious" reports of the release of
    exploit code.
    
    Any Windows XP, 2000 or Windows Server 2003 machine that runs
    applications that use SSL are vulnerable, including Microsoft Internet
    Information Server, Microsoft Exchange Server and third-party
    products, the company said.
    
    ISS released an advisory Friday that warned customers of the SSL
    exploit and cautioned that the severity of the Microsoft vulnerability
    was compounded by the fact that SSL is used to secure communications
    involving confidential or valuable financial information. Also,
    companies that use SSL must leave Port 443, the port that is targeted
    by the exploit, open.
    
    Systems that use SSL for secure communications are often
    "production-critical" machines. Organizations take longer to patch
    such systems because of fears that applying the patch will interfere
    with critical services, Ullrich said.
    
    Microsoft, ISS and other companies also have published work-arounds
    for the SSL vulnerability for organizations that can't patch systems
    immediately, Mehta said.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Tue Apr 27 2004 - 09:03:06 PDT