[iwar] Flaw could unleash another Slammer

From: Fred Cohen <fc@all.net>
Date: Wed Dec 10 2003 - 10:43:39 PST

Flaw could unleash another Slammer
Last modified: December 9, 2003, 6:39 PM PST
By Robert Lemos
Staff Writer, CNET News.com
       

A research company warned Tuesday that an attacker could use a recently
patched Microsoft flaw to create a fast-moving worm similar to SQL Slammer,
which spread rapidly across the Internet a year ago.

Core Security Technologies discovered that the Windows Workstation
vulnerability announced by Microsoft last month could be exploited using the
same type of data used by the SQL Slammer worm to spread across the Internet
in just minutes.

"We believe these new attack vectors make the vulnerability even more
dangerous and critical as the proposed workarounds are not sufficient to
close them and particularly because they outline a very plausible scenario
for a highly efficient worm," Ivan Arce, chief technology officer for
security software maker Core Security Technologies, wrote in an e-mail to
CNET News.com.

The company's report also found that flaws in the Windows Messenger service,
which allowed the MSBlast worm to spread this summer, could be exploited
using the same "fire-and-forget" User Datagram Protocol (UDP) packets. The
packets don't require two computers to establish a connection, which takes
time. Instead, the source computer can quickly send out the packets and not
worry about whether they reach their destination.

The research determined that an attacker doesn't have to individually
address computers on the network, but can broadcast an attack. Such a tactic
could actually create a worm that spreads faster than the SQL Slammer worm
did last year.

Core ST notified Microsoft of the increased seriousness of the vulnerability
on Tuesday, but hadn't heard back from the company by late in the day, Arce
said. Because a patch had already been released for the vulnerability, Core
ST didn't feel obligated to wait for a Microsoft reply before publicly
disclosing the vulnerability, he said.

When contacted by CNET News.com, Microsoft urged customers to apply the
patch and stressed that new ways of exploiting flaws are constantly
emerging.
        
"There is no caveat that there will never be another attack vector," said
Iain Mulholland, a security program manager for Microsoft. "It is rated as
critical because we believe it is critical. Applying the patch does correct
the problem."

Core ST acknowledged that the patches will prevent the attacks and also
urged people to apply the fixes. However, the company warned that the
workarounds that Microsoft had previously specified in its bulletins will
not protect against an attack via UDP packets. Such data also can be
configured in such a way as to bypass most firewalls.

Microsoft's security site contains more information on the flaws and fixes.

-- This communication is confidential to the parties it is intended to serve --
Fred Cohen - http://all.net/ - fc@all.net - fc@unhca.com - tel/fax: 925-454-0171
Fred Cohen & Associates - University of New Haven - Security Posture

Received on Wed Dec 10 10:44:11 2003
