Microsoft's advisories giving clues to hackers

TOPICS: Windows, Security

How's this for a new twist on the old responsible disclosure debate:  Hackers are taking advantage of information released in Microsoft's pre-patch security advisories to create exploits for zero-day vulnerabilities.

The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the MSRC (Microsoft Security Response Center) about how much information should be included in the pre-patch advisory.

Using clues in the workarounds section of the advisory, Errata Security researcher David Maynor said he was able to pinpoint the source of the vulnerability without much trouble.

"It took about an hour from setup to shell on Windows 2000," Maynor said in an interview.  "On Windows 2000, there are only five functions accessible over RPC.  You combine that with their [Microsoft's] description of it being a stack overflow, it narrows the time to find down greatly."

"This is such an easy bug -- most of the people I talked to already had it figured out as well,"  Maynor added.  "It was simple to find and Microsoft screwed up by giving out too much information in the advisory."

Maynor wasn't the only hacker paying attention to Microsoft's description of the vulnerability.  Over the weekend, several different exploits providing step-by-step instructions to launch attacks surfaced on well-known security research sites and in hacking tools.

An exploit module has already been added to the Metasploit point-and-click attack tool and Dave Aitel's Immunity CANVAS pen-testing platform now includes a reliable exploit for Windows 2000 and Windows Server 2003.

Over at Milw0rm.com, there are three different exploits (all remote) available for free, including one by hacker Andres Tarasco that pinpoints a brand new attack vector against Port 445.

The availability of these exploits has significantly changed the threat landscape, especially for businesses operating Intranets where domain controllers (which store passwords) are running DNS, says Ken Dunham, director of the rapid response team at Verisign's iDefense.

Dunham explains the potential risks:

These servers also store all the passwords for a Windows network.  It is feasible that a bot may incorporate an Intranet spreading routine to exploit vulnerable computers within the network to help it spread. For example, a bot may be programmed to spread through the recent ANI exploit to infect clients with bots and then use the zombie to exploit DNS RPC against the local domain controller to gain complete control over the entire network.

Malicious actors that compromise DNS servers will likely reconfigure the server to silently redirect web traffic to compromised websites for monetary gain or corporate espionage.

In the wake of Maynor's comments above, I asked the MSRC if there's a legitimate gripe about the level of detail included in its advisories and was told that it's a "delicate balancing act" to avoid giving too many clues while ensuring customers have adequate pre-patch protections.

MSRC director Mark Miller said the company's priority is to provide a solid workaround that could help protect Windows users from exploitation.

"Whenever we publish an advisory or bulletin, we run into the reverse-engineering factor.  When we release the information, people start to look at defective code, components and surrounding areas. That's something we deal with all the time," Miller said in an interview.

"We have those internal conversations all the time... trying to strike the right balance.  In this particular case, we need to make sure that customers have these workarounds and this included all the possible attack vectors and vulnerable servers."

"The mitigations have to be easy to implement and they have to be fully effective," Miller said.

But, as the rash of public exploit code shows, the mitigation information provides too many clues for hackers -- and confirms that striking that perfect balance is near impossible.


Talkback

13 comments
  • Anyone have a preference on icing?

    I personally am a Vanilla guy, but Microsoft seems to just be taking the cake this month. Should have known that was coming. I honestly don't see why they would have released a detailed response like that. Poor Windows users, they now have to wait until next month to get the patch. But oh I am sure they will have another out of sequence update. I can see this one getting ugly if not.
    Brandon Dixon
    • 3rd party fixes

      In these cases, Windows users will have the expertise of many 3rd party programmers who will temporarily fix the hole. Kind of an Open Source community effort for a proprietary product. It makes me wonder, if MS released details on the current crop of "zero day exploits" it knows about, (2, 20, 200?), how long would it take the non MS development community to make the internet a whole lot more secure than MS? A week?

      TripleII
  • Security through denial does not work either

    The gist of this is, as demonstrated by the .ani flaw, it was obviously already known and being exploited because once people knew what to look for, it was found, pervasive. Yes, disclosure leads to more crackers using it, but it is still better to know the Devil and mitigate exposure than to deny its existence and let already exploited but unknown exploits to be used.

    There is a large segment of the population who won't be secure 2 years after the patch is deployed. Security is either not understood or they don't care, nothing bad will happen to them (despite innumerable re-installs or stolen information, they just don't get it). For those who are diligent, these DO make a difference.

    TripleII
    • Another Case of Lack of facts

      I see this all the time and it trips me out. I guess the more people say things the more they believe them. MS clearly stated that they did not deny the vulnerability, they stated they were trying to build the patch into a SP and it did not have priority. YOUR priority, or the consumer's priority does not make it MS's priority. From a Director of Information Security's perspective, we measure the likelihood of exploit and the likelihood of attack as areas we focus on and determine if a higher priority needs to be placed on a specific vulnerability. MS does no different. Only the folks that lack the knowledge on how to determine priority have the unrealistic expectation that everything is a priority. NOT!
      andrej770
      • What does that have to do with the price of fish?

        I stated that disclosure is better than hiding it. Off topic, but on your point, how many CRITICAL ZERO DAY FLAWS does it take for you to concede that maybe, just sometimes, MS is NOT doing a great job. I, however, said nothing in my post about priority, when to do what, none of that. I stated sitting on them, security through DENIAL, is not a better option.

        TripleII
      • Evidently, yours and Microsoft's methods of measure

        Is NOT working properly,

        Witness, security as a whole is not
        getting better, it's getting worse.

        Simple facts that anyone SHOULD be able
        to see.
        Ole Man
  • Meaningless

    Why anyone would quote Maynor on the time of day is beyond me. The guy has zero
    credibility.
    frgough
  • An OS by the makers of the ZUNE!

    Need I say more?
    Reverend MacFellow
    • More?

      A better question is: Do you have anything meaningful to say?
      itpro_z
    • Please don't.

      You've already proven, on numerous occasions, that you can't come up with a half decent troll. You're pathetic and an embarrassment to real trollers like LinuxGeek and ITAnalyst.
      Hallowed are the Ori
  • what is this???

    Surfing the Web I have come across the http://www.infectedornot.com/ site, which includes two online scanners that apparently scan the PC in a very short time. They also claim to detect more malware than any other antivirus installed on the computer. Supposedly these tools can detect viruses running on the computer. I tried one of them and was actually quite surprised at how fast it was. It didn't detect anything unusual, but asked me to use the second scanner which, so it says, can detect anything malicious on my PC, active or not.

    I was surprised at the distinction made between active and latent malware. Is it that there are viruses on computers waiting for a specific moment or action to activate?

    Also, the same page includes statistics showing how many scanned computers were actually infected. Not only that, it says that (about 40% of computers, or something like that) many of these had an antivirus installed. This makes me wonder: if, despite having an up-to-date antivirus installed you still have viruses, then, what purpose does the antivirus serve? The vendor says that it detects over 700,000 viruses, is this true or is it an exaggeration?

    Thanks and bye!!!
    Judas_Priest
    • Not So Sure

      1st, I Am Not An IT Or Computer Scientist. I Do Tinker And Read. I Went To Panda's Site And Found Their Online Scanner. It Is Not As Stated By Judas ( A Hint Possibly? ) . The Point Here Is That There Are Many Folk Who Try And Keep Up With The Real Professionals Here By Reading Posts Here And Finding This Confusing Message About Some Site Which Offers Free Detection Is, Well, Scary. As Mentioned There Are A Lot Of Folk Who Read Here Not Just For The Mudslinging But To Try And Keep Up. It Surprises Me That No One The Mighty That Dare To Speak Here Have Looked Into This As Some ( Maybe Lots of .. ) Poor Soul(s) May Find Themselves At A Thieves Watering Hole.
      Àvatar
      • You are wise to "not be sure"

        I haven't checked this particular site
        (I long ago quit checking such "free"
        offerings unless it's a well known site
        like AVG Antivirus or ZoneAlarm
        Firewall), but I have checked many of
        them in the past, and found every one
        that I checked to be a ruse. That is,
        they report false detections to dupe you
        into purchasing their over-priced
        products which actually do install a
        virus, and/or spyware, and/or trojan.

        Beware of anything that promises
        wonderful products for free. Doesn't it
        make you wonder why they are doing it?
        Some of the watering holes you speak of,
        I have to laugh at the guys who
        advertise that they want to make you a
        millionaire. They have discovered the
        secret and will send it to you for only
        $49.95. Yet there must be many people
        gullible enough to send them the money,
        or they couldn't afford to advertise it.
        Ole Man