
Subscribe to
Computerworld
or
Other Security Stories
April 26, 2004 (IDG News Service) -- Just days after Microsoft Corp. warned its customers about the release of code that can exploit a hole in its Secure Sockets Layer (SSL) library, new code that claims to exploit another recently disclosed hole surfaced on a French-language Web site.
The computer code can be used by a remote attacker to trigger a buffer overrun vulnerability in the Local Security Authority Subsystem (LSASS), according to a message posted to www.k-otik.com. Microsoft released a patch for the LSASS vulnerability, MS04-011, on April 13, along with fixes for the SSL problem and a number of other vulnerabilities (see story).
The code was released on Saturday, according to the K-Otik Web site, which hosts the exploit. It was unclear today whether the exploit code works, but notes attached by its author say some modifications may be necessary before the code can be used by a remote attacker to compromise Windows machines.
LSASS is used to authenticate users locally and in client/server environments. LSASS also has features used by Active Directory utilities. An attacker who could exploit the LSASS vulnerability could remotely attack and take total control of Windows 2000 and Windows XP systems, according to Microsoft.
Unlike e-mail worms and viruses, no user interaction would be necessary to trigger the LSASS buffer overflow, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center.
The Internet Storm Center hasn't received any reports of the LSASS exploit code being used to compromise Windows systems on the Internet, he said.
Internet Security Systems Inc. is also aware of the new code but said it doesn't pose an immediate threat because it requires modification to work on computer networks. "The exploit is unreliable and not for use in the wild," said Neel Mehta, a research engineer at ISS.
But that's not true for exploit code that targets the Microsoft SSL hole, which was released last week. ISS has seen a significant number of exploits using that flaw since Wednesday, Mehta said -- activity that is often a precursor to an exploit being used by a worm.
The Internet Storm Center has received "a couple" of reports from organizations that had Windows systems attacked using that code, which leaves a unique signature in computer logs on compromised machines. The attacks were isolated and don't appear to be linked to a worm or virus outbreak. However, there is evidence that malicious hackers have coupled the SSL exploit code with automated scanning tools, Ullrich said.
"It looks like, in some cases, all affected servers in part of a company got attacked. It seems like somebody picked a netblock [of network IP addresses] and started scanning those addresses and hitting all the affected systems," he said.
On Thursday, Microsoft warned customers to "immediately install" MS04-011, citing "credible and serious" reports of the release of exploit code.
Any Windows XP, 2000 or Windows Server 2003 machine that runs applications that use SSL are vulnerable, including Microsoft Internet Information Server, Microsoft Exchange Server and third-party products, the company said.
ISS released an advisory Friday that warned customers of the SSL exploit and cautioned that the severity of the Microsoft vulnerability was compounded by the fact that SSL is used to secure communications involving confidential or valuable financial information. Also, companies that use SSL must leave Port 443, the port that is targeted by the exploit, open.
Systems that use SSL for secure communications are often "production-critical" machines. Organizations take longer to patch such systems because of fears that applying the patch will interfere with critical services, Ullrich said.
Microsoft, ISS and other companies also have published work-arounds for the SSL vulnerability for organizations that can't patch systems immediately, Mehta said.
|
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
|
|
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
|
|
| ||||||||
| ||||||||
| ||||||||
|


Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT the good, the bad, and the rest of the weird stuff you deal with every day.New baits |

"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseWebcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter
|

In SecuritySecurity's important, and risk must be addressed, right? Sure, but watch for four signs your policies go a bit overboard. Click here to read the latest column by Jon Espenschied |
| About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map |
|
CIO The Industry Standard |