Microsoft Bug: Patch Now, Patch Fast

If there's anything that Microsoft is telling its users, it's to patch their systems, and fast.

After Microsoft released an out-of-band update for a critical Windows vulnerability that allows hackers to execute a malicious Internet worm on users' computers, security experts are strongly recommending that users apply patches immediately. Specifically, the remote execution vulnerability allows hackers to write worm code—malicious self-propagating code that doesn't require any user interaction—by crafting a special RPC request. A successful attack would enable the hacker to take complete control of a victim's computer, and ultimately steal sensitive financial information from their victims. In addition, once a user's system is affected, the malicious code has the ability to rapidly self-propagate and infect every other unpatched computer in the network.

The flaw, which affects almost every Windows operating system, is rated "critical" for many of the earlier versions of Windows, including Windows 2000, XP and Server 2003. However, the bug was given the less severe rating of "important" for Windows Vista and Server 2008.

Security experts maintain that the exploit code has actively been used in the wild, with exploits stemming from hackers who have already reverse-engineered the patch.

"The frightening thing to me is just how quickly the bad guys were able to turn out an exploit," said Paul Henry, security and forensic analyst at Lumension Security, Scottsdale, Ariz. "I really think that speaks volumes about the necessity to deploy your patches very quickly, and very widely."

Henry said that researchers detected malicious code designed to grab user credentials before encrypting them and sending them to a New Jersey-based server. Henry said that the malware has so far affected at least 3,600 users, but said that the number would likely increase significantly over the weekend.

Meanwhile, an advisory by San Diego-based Websense also alerted users that hackers have unleashed attacks by installing the Trojan Gimmiv. The alert noted that only 25 percent to 36 percent of antivirus vendors could detect the malicious exploit code.

In a blog posting, Microsoft security researcher Michael Howard contended that that the bug, which stems from a stack-based buffer overflow vulnerability, was difficult to detect due to its complexity.

"I'll be blunt; our fuzz tests did not catch this and they should have. So we are going back to our fuzzing algorithms and libraries to update them accordingly," he wrote. "In my opinion, hand reviewing this code and successfully finding this bug would require a great deal of skill and luck."

Howard said that in the last year he had noticed that many Windows bugs, like the recently detected Internet worm, fell into the category of "onesey-twosies"—that is, complex derivatives of existing vulnerabilities.

"First the good news; I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code," he said. "The bad news is we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives."

Henry added that the severity of the flaw, emphasized by the out-of-band patch, underscores the need for enterprises to consider automated patch management technologies.

"The big gotcha is, unless you have automated methodology enterprise wide, you could be caught up in this because you're not going to have enough time to patch your systems."

Tweet

   

More Security