Why do you think this vulnerability is ripe for a Slammer-type attack? Can you give a general
outline of what such a worm would do? What kind of damage? Strictly network slowdowns?
The new attack vectors
As demonstrated by Slammer
a pervasive vulnerability can be exploited at an astonishing rate and cause a lot of damage. Some
of that damage was the side effect of the network traffic generated by the worms, but the end goal
of them was not network outages but actually gaining control of the vulnerable systems in order to
use them for other malicious purposes -- launching DDoS attacks, laundering connections, sending
spam, etc.
Would installing the patch protect against such an attack?
Yes. The patches have been readily available from Microsoft for some time now. Users should install them. Also, it is interesting to note that other vulnerabilities have had patches available for months, and end users did not really deploy them until major security events took place.
For example, this was the case with Code Red in 2001 and particularly with Slammer,
which exploited a 6-month-old vulnerability.
Do you have any sense as to whether the Workstation
patch was given priority in the enterprise and was immediately installed on most
I do not have a real sense of how much priority was given to patch this vulnerability, but I would expect [this] to be quite high on the top 10 infosec tactical issues to address ASAP.
It took some programming skill to create SQL Slammer. Would someone need a lot of technical savvy to create a worm to exploit the Workstation flaw?
Not necessarily. It does require some degree of technical savvy, but most of the required components are already out there. The worm 'logic' (infection and spreading methodology) can be taken from previous worms and tweaked. Publicly available exploit code for the DCOM, Messenger or Workstation service vulnerabilities can be used and optimized for new attack vectors. The actual payload for such a worm can also be taken from previous ones, depending on the purpose of the attacker.
So, to sum it up, all the components to build another powerful worm are already out there. It
does require some technical skills to do so, and even a bit more to do it in an efficient manner.
But it is a certain possibility, and past history demonstrates that we should not underestimate
the would-be attackers.
Workarounds include disabling the service and closing ports. Is that viable
for enterprises that may need these for legitimate business uses? In that case, how exposed are
We really recommend installing the patches and only think of workarounds as a very last resort. Disabling the service has several adverse and sometimes unaffordable side effects. Blocking ports at the perimeter or using personal firewalls is a workaround that must be studied very carefully to ensure that it covers the new attack vectors.
This includes blocking traffic to ports above 1024 (UDP and TCP), where the vulnerable services also listen for connections. And identifying the exact list of ports is not easily done, since they are dynamically assigned depending on what other services are run and in which order. Even then, it will be necessary to make sure that the workaround solution can distinguish and block malicious packets sent as if they were generated by legitimate systems trying to convey legitimate information. A way of doing such an attack is by using spoofed UDP packets, which we discovered as a viable attack vector.
FEEDBACK: How do you determine which patches get priority?
Send your feedback to the SearchSecurity.com news team.