Security blog log: Fear and loathing in MS06-040's wake

This week, security bloggers wonder if some of the MS06-040 warnings have gone too far. Meanwhile, Symantec uses its blog to warn about the timed release of exploits.


It's been a while since we've seen the kind of alarmist talk that followed Microsoft's release of MS06-040, the security update that addressed a critical flaw in the Windows Server Service.

Statements from researchers at vulnerability management firm nCircle Network Security were probably the grimmest of all:

"This is no drill. And no, this isn't an overreaction. We've always said that some day there would be another big, serious vulnerability. Well, this is the one," warned Mike Murray, the company's director of research.

"It is a certainty that malware creators will be working overtime to make a worm out of this latest vulnerability… When that happens, it will definitely test the ability of organisations to effectively patch and protect systems," added Murray's colleague, senior vulnerability researcher Minoo Hamilton. "This is as close to the worst-case scenario as we've seen in the last three years - a threat that is eminently wormable."

About Security Blog Log

Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

They may yet be proven right. But while the vulnerability has been targeted by botnet masters, the crippling, Blaster-sized worm attack some predicted has so far failed to materialise.

Whatever happens from here, some in the infosec blogosphere wish security suppliers would tone down their warnings.

Riker, an IT professional based in Canada, said in his IT Security Journal blog that one of the biggest challenges in the security industry is "knowing when to panic and when to stay the course." As far as he's concerned, the MS06-040 flaw is a "stay the course" kind of threat and IT administrators should "keep patching and move on".

He praised security management firm Lurhq for not blowing the threat out of proportion. Lurhq was among the first companies to offer a comprehensive analysis of the botnet malware that started targeting the flaw.

"Thank you Lurhq for being a voice of reason when the inevitable hype surrounding the latest MS06-040 exploit ensued," Riker said.

Intrepid, a self-described business and technology consultant based in India, brushed off the alarm in his Everyday Entrepreneurs blog. In his opinion, the MS06-040 flaw probably won't lead to the next Blaster for several reasons:

  • Security awareness levels are much higher than they were in 2003 and earlier;
  • An increased number of medium and large organisations have patch management systems in place, most of which automatically download and push the patches through;
  • On desktop systems, the Windows Automatic Update service, desktop firewalls and updated antivirus software may combine to significantly mitigate the threat; and
  • The security industry has a natural tendency to overhype vulnerabilities and hence its warnings should be taken with a grain of salt.

Some security vendors poked fun at the MS06-040 hysteria.

In his blog, Alan Shimel, chief strategy officer for StillSecure, joked that after seeing the panicky comments of Murray and others, he was certain that the latest Windows flaw would mark the end of security as we know it.

But a week after Microsoft released MS06-040, Shimel noted, "The sun still came up, the internet is still working and I have not seen any reports of a major worm outbreak."

Why not? Shimel offered a couple of theories. For one, he said, no one really wants to create a mass exploit any more, because such attacks don't generate the profit of quieter, more targeted digital assaults.

"Today's attacks are targeted at specific targets, which yield financial gain," he said. "Whether you subscribe to the cybermafia theory or not, there is too much money in play and hackers now will use a valuable exploit like this to maximise their profit, not waste it on a mass market attack."

Meanwhile, he said, security professionals have become more adept at finding and patching flaws and getting the appropriate warnings out.

"There is no doubt that with the regular Patch Tuesdays from Microsoft, the proliferation of vulnerability management and patch management programs [and] SP2's automatic updates, on the whole computer users are much more protected against known vulnerabilities like this than they were a few years ago," he said.

It's a sure bet IT professionals are hoping Shimel's assessment is closer to reality than that of Murray and Hamilton. Time will tell.

Timed release of exploits worries Symantec

Exploits that emerge the day after Microsoft's monthly patch release are becoming the norm, and researchers at Symantec see a pattern forming.

As Symantec points out in its Security Response blog, some in the digital underground - including those who recently found multiple flaws in Microsoft Office - seem to be deliberately holding back their findings to maximise the period of time in which their discoveries can harm unpatched systems. And the victim isn't always Microsoft.

Symantec said the trend seems to be continuing in the form of an exploit against Ichitaro, a word processing program widely used in Japan and produced by Justsystems.

In this exploit, a malicious document uses a Unicode stack overflow to execute its code on the victim's system, dropping and executing a Trojan horse named Infostealer.Papi, Symantec said. When run, Infostealer.Papi copies itself to the %system% directory, creates a service named CAPAPI, and drops an ancillary .dll file that contains its main functionality.

A copy of that .dll is then injected into each running process to gather system information and relay it back to the Trojan's authors at pop.lovenickel.com.

"We have only seen this threat utilised in a very limited, targeted attack at the moment; however, if the speculations about the timed releases of these exploits are indeed correct, we need to be on alert and remain vigilant for when more appear," Symantec said.
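As an added example, not part of the column or of Symantec's analysis: a small Python indicator matcher that runs the behaviour described above over constructed sample host events. It looks for the three things the description gives a defender to pivot on: creation of a service named CAPAPI, a DLL newly written to the system directory that is then loaded into many distinct processes (the "injected into each running process" step), and a name lookup for pop.lovenickel.com. The event schema, the DLL file name capapi.dll, the service image path and the process names are assumptions; only the service name and the domain come from the page.

```python
"""Indicator matcher for the Infostealer.Papi behaviour described above.

Added example, not Symantec's signature. The events below are constructed
host telemetry in an assumed schema; the only indicators taken from the
column are the service name CAPAPI and the host pop.lovenickel.com.
"""
import re
from collections import defaultdict

IOC_SERVICE_NAME = "CAPAPI"            # from the column
IOC_C2_HOST = "pop.lovenickel.com"     # from the column
# %system% on a 2006-era Windows box; the drive letter is allowed to vary.
SYSTEM_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$",
                           re.IGNORECASE)

# Constructed sample events (assumed schema), in the order they occurred.
# capapi.dll, newdriver.dll, the svchost image path and the process names
# are hypothetical.
SAMPLE_EVENTS = [
    {"host": "wks01", "event": "file_create", "process": "winword.exe",
     "path": r"C:\WINDOWS\system32\capapi.dll"},
    {"host": "wks01", "event": "service_install", "name": "CAPAPI",
     "image": r"C:\WINDOWS\system32\svchost.exe -k capapi"},
    {"host": "wks01", "event": "service_install", "name": "Spooler",
     "image": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"host": "wks01", "event": "image_load", "process": "explorer.exe",
     "path": r"C:\WINDOWS\system32\capapi.dll"},
    {"host": "wks01", "event": "image_load", "process": "IEXPLORE.EXE",
     "path": r"C:\WINDOWS\system32\capapi.dll"},
    {"host": "wks01", "event": "image_load", "process": "winlogon.exe",
     "path": r"C:\WINDOWS\system32\capapi.dll"},
    # kernel32 is loaded everywhere but was not just dropped: no hit.
    {"host": "wks01", "event": "image_load", "process": "explorer.exe",
     "path": r"C:\WINDOWS\system32\kernel32.dll"},
    # A freshly installed DLL loaded by a single process: below threshold.
    {"host": "wks01", "event": "file_create", "process": "msiexec.exe",
     "path": r"C:\WINDOWS\system32\newdriver.dll"},
    {"host": "wks01", "event": "image_load", "process": "msiexec.exe",
     "path": r"C:\WINDOWS\system32\newdriver.dll"},
    {"host": "wks01", "event": "dns_query", "process": "explorer.exe",
     "query": "pop.lovenickel.com."},
    {"host": "wks01", "event": "dns_query", "process": "iexplore.exe",
     "query": "www.microsoft.com"},
]


def match_indicators(events, min_processes=3):
    """Return the indicator hits found in an ordered stream of host events.

    Three checks, following the column's description of the Trojan:
    a service named CAPAPI is installed; a DLL newly written to %system%
    is afterwards loaded into at least `min_processes` distinct processes;
    and a name lookup for the collection host is made.
    """
    hits = {"service": [], "c2": [], "injected_dll": []}
    new_dlls = set()                 # system32 DLLs written during the window
    loads = defaultdict(set)         # new DLL path -> processes that loaded it

    for ev in events:
        kind = ev["event"]
        if kind == "service_install" and ev["name"].upper() == IOC_SERVICE_NAME:
            hits["service"].append((ev["host"], ev["image"]))
        elif kind == "dns_query" and ev["query"].lower().rstrip(".") == IOC_C2_HOST:
            hits["c2"].append((ev["host"], ev["process"].lower()))
        elif kind == "file_create" and SYSTEM_DLL_RE.match(ev["path"]):
            new_dlls.add(ev["path"].lower())
        elif kind == "image_load" and ev["path"].lower() in new_dlls:
            # Only loads that happen after the drop count toward injection.
            loads[ev["path"].lower()].add(ev["process"].lower())

    for dll, procs in sorted(loads.items()):
        if len(procs) >= min_processes:
            hits["injected_dll"].append((dll, sorted(procs)))
    return hits


if __name__ == "__main__":
    for kind, found in match_indicators(SAMPLE_EVENTS).items():
        print(f"{kind}: {found}")
```

The service name and the domain are exact-match indicators and will only ever catch this one sample; the "new DLL in %system% loaded into many processes" rule is the behavioural check, and `min_processes` is the knob that trades false positives (legitimate installers that drop a shell extension) against missed low-activity hosts.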
