It's been a while since we've seen the kind of alarmist talk
that followed Microsoft's release of
MS06-040, the security update that addressed
a critical flaw in the Windows Server Service.
Statements from researchers at vulnerability management firm
nCircle Network Security were probably the grimmest of all:
"This is no drill. And no, this isn't an overreaction. We've
always said that some day there would be another big, serious
vulnerability. Well, this is the one," warned Mike Murray, the
company's director of research.
"It is a certainty that malware creators will be working
overtime to make a worm out of this latest vulnerability… When that
happens, it will definitely test the ability of organisations to
effectively patch and protect systems," added Murray's colleague,
senior vulnerability researcher Minoo Hamilton. "This is as close
to the worst-case scenario as we've seen in the last three years -
a threat that is eminently wormable."
They may yet be proven right. But while the vulnerability has been
targeted by botnet masters, the crippling,
Blaster-sized worm attack some predicted has so far failed to
materialise.
Whatever happens from here, some in the infosec blogosphere wish
security suppliers would tone down their warnings.
Riker, an IT professional based in Canada, said in his
IT Security Journal blog that one of the
biggest challenges in the security industry is "knowing when to
panic and when to stay the course." As far as he's concerned,
the MS06-040 flaw is a "stay the course" kind of threat and IT
administrators should "keep patching and move on".
He praised security management firm Lurhq for not blowing the
threat out of proportion. Lurhq was among the first companies to
offer a comprehensive
analysis of the botnet malware that started
targeting the flaw.
"Thank you Lurhq for being a voice of reason when the inevitable
hype surrounding the latest MS06-040 exploit ensued," Riker
said.
Intrepid, a self-described business and technology consultant
based in India, brushed off the alarm in his
Everyday Entrepreneurs blog. In his opinion,
the MS06-040 flaw probably won't lead to the next Blaster for
several reasons:
- Security awareness levels are much higher than they were in
2003 and earlier;
- An increased number of medium and large organisations have
patch management systems in place, most of which automatically
download and push the patches through;
- On desktop systems, the Windows Automatic Update service,
desktop firewalls and updated antivirus software may combine to
significantly mitigate the threat; and
- The security industry has a natural tendency to overhype
vulnerabilities and hence its warnings should be taken with a grain
of salt.
Some security vendors even poked fun at the MS06-040
hysteria.
In his
blog, Alan Shimel, chief strategy officer
for StillSecure, joked that after seeing the panicky comments of
Murray and others, he was certain that the latest Windows flaw
would mark the end of security as we know it.
But a week after Microsoft released MS06-040, Shimel noted, "The
sun still came up, the internet is still working and I have not
seen any reports of a major worm outbreak."
Why not? Shimel offered a couple of theories. For one, he said,
no one really wants to create a mass exploit any more because they
don't generate the profit of quieter, more targeted digital
assaults.
"Today's attacks are targeted at specific targets, which yield
financial gain," he said. "Whether you subscribe to the cybermafia
theory or not, there is too much money in play and hackers now will
use a valuable exploit like this to maximise their profit, not
waste it on a mass market attack."
Meanwhile, he said, security professionals have become more
adept at finding and patching flaws and getting the appropriate
warnings out.
"There is no doubt that with the regular Patch Tuesdays from
Microsoft, the proliferation of vulnerability management and patch
management programs [and] SP2's automatic updates, on the whole
computer users are much more protected against known
vulnerabilities like this than they were a few years ago," he
said.
It's a sure bet IT professionals are hoping Shimel's assessment
is closer to reality than that of Murray and Hamilton. Time will
tell.
Timed release of exploits worries Symantec
Exploits that emerge the day after Microsoft's monthly patch
release are becoming the norm, and researchers at Symantec see a
pattern forming.
As Symantec points out in its
Security Response blog, some in the digital
underground - including those who recently found multiple flaws
in Microsoft Office - seem to be deliberately holding back their
findings to maximise the period of time in which their
discoveries can harm unpatched systems. And the victim isn't
always Microsoft.
Symantec said the trend seems to be continuing in the form of an
exploit against Ichitaro, a word processing program widely used in
Japan and produced by Justsystems.
In this exploit, a malicious document uses a Unicode stack
overflow to execute its code on a system, dropping and executing a
Trojan horse named Infostealer.Papi, Symantec said. When run,
Infostealer.Papi copies itself to the %system% directory, creates a
service named CAPAPI, and drops an ancillary .dll file that
contains its main functionality.
A copy of its .dll is then injected into each running process to
gather system information and relay it back to the Trojan's authors
at pop.lovenickel.com.
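The behaviour Symantec describes gives a defender three things to look for: a service named CAPAPI, one process injecting a DLL into many others, and traffic to pop.lovenickel.com. The following is an added example, not code from the page, Symantec or Justsystems, showing how those indicators can be matched against endpoint telemetry. The log-line format, the sample lines and the file name papi.exe are constructed for the example; a real deployment would map the fields onto its own service-install, DNS-query and remote-thread events.

```python
"""Detection sketch for the Infostealer.Papi indicators named above.

Indicators taken from the page: a service named CAPAPI, a DLL injected
into each running process, and traffic to pop.lovenickel.com.
The log format, sample lines and the file name papi.exe are constructed
for this example; the page does not give the dropper's file name.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no indicator detail")

# Indicators named on the page (compared case-insensitively).
SUSPICIOUS_SERVICE = "capapi"
C2_DOMAIN = "pop.lovenickel.com"

# Constructed telemetry in a simple "event=<type> key=value ..." shape.
# papi.exe is a hypothetical file name used only to make the sample coherent.
SAMPLE_LOGS = """\
event=service_install name=wuauserv path=C:\\Windows\\system32\\svchost.exe
event=service_install name=CAPAPI path=C:\\Windows\\system32\\papi.exe
event=dns_query process=chrome.exe query=www.example.com
event=dns_query process=explorer.exe query=pop.lovenickel.com
event=remote_thread source=papi.exe target=explorer.exe
event=remote_thread source=papi.exe target=outlook.exe
event=remote_thread source=csrss.exe target=notepad.exe
""".splitlines()

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; lines that do not fit yield {}."""
    return dict(_KV.findall(line))


def matches_domain(query, domain=C2_DOMAIN):
    """True for the C2 domain itself or any subdomain of it, never for
    a longer name that merely ends in the same characters."""
    q = query.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def scan_logs(lines):
    """Flag single-event indicators: the CAPAPI service and C2 lookups."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        rec = parse_line(line)
        ev = rec.get("event")
        if ev == "service_install" and rec.get("name", "").lower() == SUSPICIOUS_SERVICE:
            findings.append(Finding(line_no, "service", rec["name"]))
        elif ev == "dns_query" and matches_domain(rec.get("query", "")):
            findings.append(Finding(line_no, "c2_dns", rec["query"]))
    return findings


def injection_sources(lines, min_targets=2):
    """Flag processes that create remote threads in several distinct
    targets. One remote thread is routine; injecting into 'each running
    process', as the page describes, shows up as many targets per source."""
    targets = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") == "remote_thread":
            targets.setdefault(rec["source"], set()).add(rec["target"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.indicator} -> {f.detail}")
    for src, tgts in injection_sources(SAMPLE_LOGS).items():
        print(f"injection: {src} -> {', '.join(tgts)}")
```

The injection check is deliberately a count rather than a single-event match: legitimate software does create remote threads occasionally, and the distinguishing feature the page gives is breadth, one source touching many processes. The service-name and domain checks are exact matches on the two indicators the page names, so they are cheap to run but will miss a variant that renames either.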
"We have only seen this threat utilised in a very limited,
targeted attack at the moment; however, if the speculations about
the timed releases of these exploits are indeed correct, we need to
be on alert and remain vigilant for when more appear," Symantec
said.