
Researchers trying to exploit latest Microsoft flaws

By Bill Brenner, Senior News Writer
14 Feb 2008 | SearchSecurity.com

Security Wire Daily News

Pressure has increased for IT administrators to deploy Microsoft's February security patches, with vulnerability researchers poking around for ways to exploit some of the latest flaws.

In particular, researchers have set their sights on the WebDAV Mini-Redirector flaw outlined in MS08-007 and the Internet Information Services (IIS) flaw addressed in MS08-006. The latter issue is of particular interest to researchers who say Microsoft is underplaying the risks.

MS08-006, which Microsoft rated "important," addressed local and remote flaws in IIS that attackers could exploit to hijack a targeted machine. It affects Internet Information Services 5.0 on Windows 2000; Internet Information Services 5.1 on Windows XP; Internet Information Server 6.0 on Windows Server 2003; and Internet Information Services 7.0 on Windows Vista. In the "mitigating factors" section of the bulletin, Microsoft said that on supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully exploits the flaw can by default obtain only Network Service account privileges.

That statement is not entirely accurate, said Cesar Cerrudo, founder and owner of Argeniss Information Security.

"Microsoft should not mention as a mitigating factor that code execution is limited to Network Service account since it's known that it's easy to elevate privileges from Network Service to Local System account, and that allows full system compromise," he said, adding that he has personally discovered "many issues" in Windows XP, 2003, Vista and 2008 that allow elevation of privileges from the Network Service account to the Local System account.

In his opinion, Microsoft wrongly downplayed the ability of an attacker to elevate privileges from the Network Service account to the Local System account, and IT shops need to be aware of the heightened risk they face, even though Microsoft did not rate the flaw critical.

Andrey Kolishchak, chief technology officer and cofounder of GentleSecurity, shared that view in an email exchange, saying the privileges of Network Service could be elevated to Local System, which is the most powerful administrative account on Windows.

"With the power of Local System, an attacker could fully compromise an IIS host by installing a backdoor, rootkit or by using it as a trampoline to attack other hosts on the internal network," he said. What's more, he said, is that the issue outlined in MS08-006 is not just related to IIS. For example, he said, "the same problem would appear if an exploited vulnerability would be found one day in SQL server. The exploit would be able to elevate any non-privileged SQL server account up to Local System."
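The practical question behind this disagreement is what account the IIS worker processes on a given host actually run under: if they already run as Local System, the bulletin's "Network Service by default" mitigating factor never applied in the first place. The following PowerShell script is an added example written for this article, not code from Microsoft or from any of the researchers quoted; it assumes WMI is reachable and that the caller has rights to query process owners, and it looks for w3wp.exe (the IIS 6/7 application pool host) and inetinfo.exe (the IIS 5 host process).

```powershell
# Added example (not from the article): audit which Windows account each IIS
# host process runs under, so the "Network Service by default" mitigating
# factor in MS08-006 can be compared against the real configuration.
# Assumes WMI access and rights to call Win32_Process.GetOwner().

function Get-IisProcessIdentity {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # w3wp.exe hosts IIS 6/7 application pools; inetinfo.exe is the IIS 5 host process
    $filter = "Name='w3wp.exe' OR Name='inetinfo.exe'"

    Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter $filter |
        ForEach-Object {
            $owner = $_.GetOwner()
            if ($owner.ReturnValue -eq 0) {
                $account = "$($owner.Domain)\$($owner.User)"
            } else {
                $account = 'unknown (GetOwner failed)'
            }

            # Local System appears as NT AUTHORITY\SYSTEM; Network Service as
            # NT AUTHORITY\NETWORK SERVICE. Anything ending in SYSTEM means the
            # process already has the privileges the researchers warn about.
            New-Object PSObject -Property @{
                Computer      = $ComputerName
                Process       = $_.Name
                ProcessId     = $_.ProcessId
                Account       = $account
                HighPrivilege = ($account -match '\\SYSTEM$')
            }
        }
}

# Run against the local machine and list high-privilege processes first
Get-IisProcessIdentity |
    Sort-Object HighPrivilege -Descending |
    Format-Table Computer, Process, ProcessId, Account, HighPrivilege -AutoSize
```

Pass `-ComputerName` to audit a remote server. Hosts where the report shows any IIS process as NT AUTHORITY\SYSTEM should be treated as fully exposed by MS08-006 regardless of the bulletin's mitigating factor, and in any case the accounts listed here should be cross-checked against the patch status of each machine.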

Among the researchers looking at the IIS issue is HD Moore, creator of the popular Metasploit Framework penetration-testing tool. He released an article Wednesday offering extensive details on how to find, investigate and exploit MS08-006.

Meanwhile, Moore and others are finding ways to exploit the WebDAV Mini-Redirector flaw outlined in MS08-007. Moore explored how the flaw could potentially be targeted in an article titled "Fun with WebDav," complete with a video demonstration.

Microsoft noted in its critical MS08-007 bulletin that attackers could exploit the flaw in the Windows WebDAV mini-redirector to hijack targeted machines and install programs; view, change, or delete data; or create new accounts with full user rights.

Also being targeted by researchers is the "important" Microsoft Works flaw outlined in MS08-011.

A researcher using the nickname "chujwamwdupe" posted an advisory on the MilwOrm site, saying, "A vulnerability exists in WPS to RTF convert filter that is part of Microsoft Office 2003. It could be exploited by [a] remote attacker to take complete control of an affected system. This issue is due to [a] stack overflow error in [a] function that read [sections] from [a] WPS file. When we change size of for example TEXT section to [a] number [larger] than 0x10, [a] stack overflow occurs -- very easy to exploit."
