New Code Demonstrates Exploitation of Critical Windows Flaw

The computer security company Immunity Inc. posted, on January 29, 2008, a Flash video to demonstrate how a proof of concept exploit takes advantage of the IGMPv3 networking protocol vulnerability described in Microsoft Security Bulletin MS08-001.

Chief Technology Officer Dave Aitel of Immunity said that the movie shows the exploit attack aiming at a local subsidiary network, which has a population of two systems running Windows XP SP2 with firewall activated. InformationWeek published Aitel's statement on January 30, 2008.

The MS08-001 Security Bulletin presents a patch for the flaw, which was updated during the week from January 21 to January 27, 2008 to correctly explain the influence of Windows Kernel MLDv2 and TCP/IP/IGMPv3 flaws on supporting versions, Windows Home Server and Windows Small Business Server 2003.

The explanation includes a correction of the danger of the flaw on the pair of settings by rating it "critical". Organizations that haven't implemented the patch are urged to take action.

Previously, Dave Aitel had described the Internet Group Management Protocol (IGMP) flaw as this year's potential blockbuster. In a thorough discussion of the vulnerability along with its exploitation, Symantec too accepted that hackers would be largely rewarded even if copying Immunity's work could prove to be tough.

The security company indicated that it is quite difficult to exploit a remote flaw in Windows kernel. Also, there have been exploits, which successfully influence such flaws. The exploits are publicly released. Today Immunity's exploit code allows execution of arbitrary code in Windows kernel.

On January 8, 2008, when Microsoft published its MS08-001 bulletin, it rated the IGMP vulnerability also to have "critical" impact on Windows Vista, Windows XP SP2, Windows Home Server and Windows Small Business Server.

The flaw is particularly more critical for Vista, because of its highly effective kernel security tools. A local end-user, even an administrator, may find it difficult to inject an unauthorized code into the Vista kernel, however, in the current case, the act is possible from a remote location without requiring any authentication.

The vulnerability not only allows arbitrary code execution but also lets installation of rootkits, backdoors etc. that are normally difficult with standard remote user vulnerability.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 2/11/2008