Monday, August 14, 2006

Windows Users: Switching to Defcon 1

Defcon stands for DEFence readiness CONdition and is a scale reflecting the current state of alert. Defcon 1 is the highest level, indicating that an attack is imminent.

Security experts all over the world expect a large-scale attack against a Windows vulnerability at any moment. Microsoft has released a patch (security bulletin MS06-040), but far too many users never bother to download such security updates. This is serious enough that the U.S. Department of Homeland Security has issued an official warning. The DHS usually worries about terrorist attacks or extreme weather (hurricanes and the like), so if *they* are worried about this, then *you* should be worried too. People are comparing its potential impact to the MSBlast worm of 2003.

In detail: there is a stack-based buffer overflow in the NetApi32 function CanonicalizePathName(), reachable through the NetpwPathCanonicalize RPC call handled by the Server Service. The Server Service is a Windows NT 4.0, 2000 and XP service that lets users share resources (files, printers etc., aka File and Printer Sharing) over a network. Using that flaw an attacker can successfully write 370 bytes of code (the payload).

Do you realise how big this is?

Do you know how many unpatched systems are out there?

Exploit code that takes advantage of this is already circulating and is being used to cause a DoS against a system. Even a failed exploit attempt can result in a system restart.

It is only a matter of time before someone turns the exploit code into a worm. This could be the next big thing to shock the Internet. If you still can't grasp the potential of this, shut down your PC - right now!

P.S.: As I've already mentioned, a patch is available through Microsoft Windows Update. I suggest you update if you haven't already done so.

Update: It seems I was left behind. The first mass-exploit wave is actually happening right now. Attackers hijack unpatched Windows machines and use them in IRC-controlled botnets. The attacks started on Sat 12 Aug 2006 and involve executing malicious code via this exploit, installing a trojan, modifying security settings and connecting to an IRC server ready to receive commands. You will find here a detailed analysis of this tactic.
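The tactic described in the update leaves a recognisable network footprint: an allowed inbound connection to the Server Service (TCP 139/445), followed shortly by an outbound connection from the same host to an IRC server. The following script is an added example, not code from the original post; it correlates that sequence over a handful of constructed firewall log lines. The log format, the IRC port list and the 30-minute correlation window are assumptions to be adapted to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines for this example (not from the original post).
# Assumed format: "<time> <ALLOW|DENY> <IN|OUT> <src_ip>:<port> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2006-08-12T10:01:03 ALLOW IN 203.0.113.9:51234 -> 192.168.1.20:445
2006-08-12T10:01:41 ALLOW OUT 192.168.1.20:1045 -> 198.51.100.7:6667
2006-08-12T10:05:00 ALLOW OUT 192.168.1.21:1050 -> 198.51.100.7:6667
2006-08-12T11:30:00 ALLOW IN 203.0.113.9:51300 -> 192.168.1.22:445
2006-08-12T11:31:00 DENY IN 203.0.113.9:51301 -> 192.168.1.23:445
2006-08-12T11:32:00 ALLOW OUT 192.168.1.23:1070 -> 198.51.100.7:6667
2006-08-12T15:00:00 ALLOW OUT 192.168.1.22:1060 -> 198.51.100.7:6667
"""

# Ports the Server Service (File and Printer Sharing) listens on, and the
# ports commonly used by IRC servers (assumed list; extend as needed).
SERVER_SERVICE_PORTS = {139, 445}
IRC_PORTS = {6667, 6668, 6669, 7000}
# How long after an inbound SMB/RPC hit an outbound IRC connection is still
# treated as related (assumption; tune to the environment).
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    ts, action, direction, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError("unexpected log line: %r" % line)
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "action": action,
        "direction": direction,
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
    }


def find_suspect_hosts(log_text, window=CORRELATION_WINDOW):
    """Return {host: details} for hosts that accepted an inbound 139/445
    connection and then opened an outbound IRC connection within `window`:
    the exploit-then-join-botnet sequence described in the post."""
    inbound_smb = defaultdict(list)  # host -> times of allowed inbound 139/445 hits
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "ALLOW":
            continue  # blocked attempts never reached the Server Service
        if ev["direction"] == "IN" and ev["dst_port"] in SERVER_SERVICE_PORTS:
            inbound_smb[ev["dst_ip"]].append(ev["time"])
        elif ev["direction"] == "OUT" and ev["dst_port"] in IRC_PORTS:
            host = ev["src_ip"]
            prior = [t for t in inbound_smb[host]
                     if timedelta(0) <= ev["time"] - t <= window]
            if prior:
                flagged[host] = {
                    "smb_hit": max(prior),
                    "irc_connect": ev["time"],
                    "irc_server": ev["dst_ip"],
                }
    return flagged


if __name__ == "__main__":
    for host, info in find_suspect_hosts(SAMPLE_LOG).items():
        print("%s: inbound SMB at %s, IRC to %s at %s"
              % (host, info["smb_hit"], info["irc_server"], info["irc_connect"]))
```

On the sample data only 192.168.1.20 is flagged: 192.168.1.21 talks to IRC without any prior inbound SMB hit (a plain IRC user), 192.168.1.22 connects hours after its SMB hit and falls outside the window, and the attempt against 192.168.1.23 was denied at the firewall and so never reached the Server Service. Network correlation of this kind is a first pass; the post's mention of modified security settings and a dropped trojan means host-level evidence (new services, disabled firewall, unexpected binaries) should be checked on any flagged machine before it is declared clean.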
