Recipe for Disaster

What do you get when you mix malicious code developers, a newly reported vulnerability in the Windows 2000 and Windows NT kernel, and a dash of social engineering? A recipe for disaster.

Microsoft released Security Bulletin MS05-055 "Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)" (URL below) and an associated patch for Windows 2000 on December 13. Due to the nature of the problem, any program could gain complete system level access to an affected system. No matter how you lock down the system or how many restrictions you place on user accounts, an exploit is possible, provided an intruder can cause code to run on the system. eEye Digital Security discovered the problem in May. In a press release issued the same day as Microsoft's security bulletin, eEye explained the problem in some amount of detail: "The vulnerability exists in the thread termination routine contained within NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a 'data free' vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly."

This sounds like a rootkit writer's dream come true except that the hacker must somehow cause a malicious program to run on the computer. That's where social engineering comes into play.

Because there's no direct point of attack, exploiting this vulnerability might require a blend of tactics. Blended attacks rely on the domino effect to work--an attack targets one vulnerability, which provides access to another vulnerability, in the hopes that the attacks will eventually compromise a system.

The initial exploit might rely on a weakness in a Web browser, email client, media player, or other piece of software. Or the hacker might take a more direct approach--such as packaging an exploit in a virus or worm--or a sneakier tactic, for example, putting an exploit in a software package that's hard to resist, such as in a new tool that claims to be the best thing since sliced bread.

Now that word is out about this vulnerability, undoubtedly people are already developing code to exploit it. In my opinion, there's only one adequate defense against a vulnerability such as this particular kernel problem. That defense is to install the patch on Windows 2000 machines. If you use Windows NT, there's no patch. In that case, your best defense is layered security that includes antivirus and antispyware tools and host-based Intrusion Prevention Systems (IPSs) along with reminders to yourself and your users to use extreme caution when deciding whether to install any third-party software elements.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.