
Researchers trying to exploit latest Microsoft flaws

Researchers set their sights on flaws Microsoft addressed Tuesday in security bulletins MS08-006 and MS08-007. Risks of the first one in particular are underrated, they say.

Pressure has increased for IT administrators to deploy Microsoft's February security patches, with vulnerability researchers poking around for ways to exploit some of the latest flaws.

In particular, researchers have set their sights on the WebDAV Mini-Redirector flaw outlined in MS08-007 and the Internet Information Services (IIS) flaw addressed in MS08-006. The latter issue is of particular interest to researchers who say Microsoft is underplaying the risks.

MS08-006, which Microsoft rated "important," addressed local and remote flaws in IIS that attackers could exploit to hijack a targeted machine. It affects Internet Information Services 5.0 on Windows 2000; Internet Information Services 5.1 on Windows XP; Internet Information Server 6.0 on Windows Server 2003; and Internet Information Services 7.0 on Windows Vista. In the "mitigating factors" section of the bulletin, Microsoft said that on supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully exploits the flaw can only obtain Network Service account privileges by default.

That statement is not entirely accurate, said Cesar Cerrudo, founder and owner of Argeniss Information Security.

"Microsoft should not mention as a mitigating factor that code execution is limited to Network Service account since it's known that it's easy to elevate privileges from Network Service to Local System account, and that allows full system compromise," he said, adding that he has personally discovered "many issues" in Windows XP, 2003, Vista and 2008 that allow elevation of privileges from the Network Service account to the Local System account.

In his opinion, Microsoft wrongly downplayed the ability for someone to elevate privileges from the Network Service account to the Local System account, and that IT shops need to be aware of the heightened risks they face, even though the flaw was not deemed critical by Microsoft.

Andrey Kolishchak, chief technology officer and cofounder of GentleSecurity, shared that view in an email exchange, saying the privileges of Network Service could be elevated to Local System, which is the most powerful administrative account on Windows.

"With the power of Local System, an attacker could fully compromise an IIS host by installing a backdoor, rootkit or by using it as a trampoline to attack other hosts on the internal network," he said. What's more, he said, is that the issue outlined in MS08-006 is not just related to IIS. For example, he said, "the same problem would appear if an exploited vulnerability would be found one day in SQL server. The exploit would be able to elevate any non-privileged SQL server account up to Local System."

Among the researchers looking at the IIS issue is HD Moore, creator of the popular Metasploit Framework penetration-testing tool. He released an article Wednesday offering extensive details on how to find, investigate and exploit MS08-006.

Meanwhile, Moore and others are finding ways to exploit the WebDAV Mini-Redirector flaw outlined in MS08-007. Moore explored how the flaw could potentially be targeted in an article titled "Fun with WebDav," complete with a video demonstration.

Microsoft noted in its critical MS08-007 bulletin that attackers could exploit the flaw in the Windows WebDAV mini-redirector to hijack targeted machines and install programs; view, change, or delete data; or create new accounts with full user rights.

Also being targeted by researchers is the "important" Microsoft Works flaw outlined in MS08-011.

A researcher using the nickname "chujwamwdupe" posted an advisory on the milw0rm site, saying, "A vulnerability exists in WPS to RTF convert filter that is part of Microsoft Office 2003. It could be exploited by [a] remote attacker to take complete control of an affected system. This issue is due to [a] stack overflow error in [a] function that read [sections] from [a] WPS file. When we change size of for example TEXT section to [a] number [larger] than 0x10, [a] stack overflow occurs -- very easy to exploit."
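The bug class the advisory describes, a file-supplied section size copied into a 16-byte stack buffer without a bounds check, is illustrated below with the vulnerable pattern beside a hardened reader. This is an added example written for this article, not code from the advisory or from Microsoft's converter; the section layout (4-byte tag, 4-byte little-endian size, payload) and the sample bytes are constructed for illustration and do not reflect the real WPS format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical section layout for illustration only (not the real WPS format):
 * a 4-byte ASCII tag, a 4-byte little-endian size, then `size` payload bytes. */
#define SECTION_CAP 0x10               /* the 16-byte limit named in the advisory */
#define HDR_LEN     8

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the size field read from the file is trusted and used as
 * the memcpy length into a fixed stack buffer, so a size above 0x10 overruns it.
 * Returns the number of bytes copied. Shown only as the defect to look for. */
int read_text_unchecked(const uint8_t *in, size_t in_len) {
    uint8_t text[SECTION_CAP];
    if (in_len < HDR_LEN) return -1;
    uint32_t size = le32(in + 4);
    memcpy(text, in + HDR_LEN, size);  /* no bounds check: the bug */
    return (int)size;
}

/* Hardened version: the size field is validated against both the destination
 * buffer and the remaining input before any copy. Returns 0 on success. */
int read_text_checked(const uint8_t *in, size_t in_len,
                      uint8_t *text, size_t text_cap, uint32_t *size_out) {
    if (in_len < HDR_LEN) return -1;            /* header truncated */
    uint32_t size = le32(in + 4);
    if (size > text_cap) return -2;             /* would overflow destination */
    if (size > in_len - HDR_LEN) return -3;     /* claims more data than present */
    memcpy(text, in + HDR_LEN, size);
    *size_out = size;
    return 0;
}

/* Convenience wrapper: parse one section into a local 16-byte buffer and
 * report only the status code. */
int check_status(const uint8_t *in, size_t in_len) {
    uint8_t text[SECTION_CAP];
    uint32_t n = 0;
    return read_text_checked(in, in_len, text, sizeof text, &n);
}

/* Constructed sample sections (not taken from any real file). */
static const uint8_t SEC_OK[]    = { 'T','E','X','T', 0x08,0,0,0, 'h','e','l','l','o',' ','w','s' };
static const uint8_t SEC_HUGE[]  = { 'T','E','X','T', 0x20,0,0,0, 'h','e','l','l','o',' ','w','s' };
static const uint8_t SEC_SHORT[] = { 'T','E','X','T', 0x0c,0,0,0, 'h','e','l','l','o',' ','w','s' };
```

The unchecked reader is safe only on well-formed input such as SEC_OK; the checked reader rejects SEC_HUGE (size 0x20 exceeds the buffer) and SEC_SHORT (size 0x0c exceeds the bytes actually present).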
