Exploit Released for Critical PC Hijack FlawBy Ryan Naraine | Posted 2007-01-11 Email Print
The fully working exploit, which allows PC takeover attacks on Windows XP SP2, has been published to Immunity's paid partners program.
A fully working exploit for a worm hole fixed by Microsoft two days ago has been put into limited release, prompting new "patch now" warnings from computer security experts.
The exploit, which allows PC takeover attacks on Windows XP SP2, has been published to Immunity's partners program, which offers up-to-the minute information on new vulnerabilities and exploits to IDS (intrusion detection companies) and larger penetrating testing firms.
Immunity, based in Miami Beach, Fla., sells access to the partners program for around $40,000, according to founder Dave Aitel.
The company's exploit takes aim at a "critical" bug in the way VML (Vector Markup Language) is implemented in Windows. It has been successfully tested on Windows XP SP2 and Windows 2000, with default installations of Internet Explorer 6.0.
"This is a fully working exploit, [it] will give you full access to do anything on the target machine," says Immunity researcher Kostya Kortchinsky.
The exploit was created and confirmed in less than three hours after Microsoft's Patch Tuesday release on Jan. 9, a fact that clearly illustrates just how much the gap has narrowed between patch release and full deployment on enterprise networks.
For consumers, Microsoft uses the Automatic Updates mechanism to push down updates but, in the enterprise, patches must go through rigorous test passes to ensure there are no conflicts with mission-critical applications.
On average, it could take a business a full month to fully test and deploy updates to every desktop, laptop, server or mobile device.
Kortchinsky said the exploit will be refined to try to get code execution on Internet Explorer 7.0, the newest version of Microsoft's dominant Web browser.
According to the MS01-004 bulletin that covers the VML flaw, IE 7.0 on Windows XP and Windows Server 2003 is indeed vulnerable.
Microsoft said the flaw was originally reported through its "responsible disclosure" process, but a note in the advisory says it was used in zero-day attacks before the Patch Day.
There is no public information available on those zero-day attacks. Microsoft did not release a pre-patch advisory to warn of the VML attacks.
Officials in the MSRC (Microsoft Security Response Center) are strongly urging Windows users to treat the VML fix and a "high-priority" update.
In an interview with eWEEK, Mark Griesi, security program manager in the MSRC, said the risk is high because there is a remote unauthenticated attack vector that gives an attacker a way to hijack a vulnerable system without any user action.
"That one should be your absolutely highest priority," Griesi declared.
Microsoft also warned users to pay special attention to MS01-003, a bulletin that addresses a trio of serious flaws in the Microsoft Outlook e-mail application.
One of the Outlook flaws, which carries a "critical" rating, allows an attacker to use malformed VEVENT records to launch executable code when Outlook handles file parsing routines.
Ominously, a successful attack only requires that an e-mail is sent to the target if a specially rigged .ICS (iCal) file is embedded into the body of a message.
Workstations and terminal servers are primarily at risk, according to Microsoft's advisory.
Microsoft shipped a total of four bulletins in January with patches for a least 10 holes in Outlook, Excel and Windows. However, there were no fixes for known code execution holes in Microsoft Word that have already been targeted in zero-day attacks.