Windows attack code out, but not being used
- 07 October, 2009 07:21
It has been a week since hackers released software that could be used to attack a flaw in Windows Vista and Server 2008, but Microsoft and security companies say that criminals haven't done much with the attack.
Late Monday, Microsoft said it hadn't seen any attacks that used the vulnerability, an analysis that was echoed by security companies such as SecureWorks, Symantec and Verisign's iDefense unit.
While criminals jumped on a similar flaw a year ago, using it in widespread attacks that ultimately forced Microsoft to rush out a security patch ahead of its monthly set of security updates, that hasn't happened with this latest bug, which lies in the SMB v2 code that Vista and Server 2008 use for file and printer sharing.
SecureWorks researcher Bow Sineath said Tuesday that there are several reasons why this latest attack has not been picked up. Perhaps the main reason is that the Metasploit code doesn't work as reliably as last year's MS08-067 attack, and often causes the computer to simply crash instead of running the hacker's software.
SMB traffic is typically blocked at the firewall, and SMB v2 does not ship with Windows XP, so the Metasploit attack will not work against the majority of PCs. Vista, the only Windows client that is vulnerable to the attack, is used on about 19 percent of computers that surf the Web, according to Web analytics firm Net Applications; Windows XP runs on 72 percent.
Because of all of these factors, the SMB v2 flaw is simply not "all that popular of a target," Sineath said.
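For administrators who want to verify the two mitigating factors mentioned above on their own machines, the following script is an added example and is not part of the article or of any Microsoft or Metasploit material. It reports whether a host is on an affected platform (Vista or Server 2008, NT 6.0), whether SMB v2 is still enabled, and whether TCP 445 is listening and the host firewall is on; with `-Apply` it applies Microsoft's published workaround of disabling SMB v2 through the `Smb2` value under `LanmanServer\Parameters` and blocking inbound SMB ports. The rule names and the choice of ports 139 and 445 are this example's own assumptions.

```powershell
# Added example (not from the article): audit a Vista / Server 2008 host for
# exposure to the SMB v2 bug, and optionally apply the workaround.
# Run from an elevated PowerShell prompt.
param([switch]$Apply)

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Affected platform? Vista and Server 2008 report version 6.0; XP (5.1) has no SMB v2.
$os = Get-WmiObject Win32_OperatingSystem
$affectedPlatform = $os.Version -like '6.0*'
Write-Host ("OS: {0} ({1}) - ships SMB v2: {2}" -f $os.Caption, $os.Version, $affectedPlatform)

# 2. Is SMB v2 enabled? A missing Smb2 value means the default, which is enabled.
$smb2 = (Get-ItemProperty -Path $params -Name Smb2 -ErrorAction SilentlyContinue).Smb2
$smb2Enabled = ($null -eq $smb2) -or ($smb2 -ne 0)
Write-Host ("SMB v2 enabled: {0}" -f $smb2Enabled)

# 3. Is the Server service actually listening on TCP 445, and is the host firewall on?
$listening = [bool]((netstat -an) -match ':445\s+\S+\s+LISTENING')
Write-Host ("TCP 445 listening: {0}" -f $listening)
$fwState = (netsh advfirewall show currentprofile state) -match 'State'
Write-Host ("Firewall, current profile: {0}" -f (($fwState -join ' ') -replace '\s+', ' '))

if ($affectedPlatform -and $smb2Enabled -and $listening) {
    Write-Warning 'Host is on an affected platform with SMB v2 enabled and reachable.'
}

if ($Apply) {
    # Workaround: disable SMB v2 (clients fall back to SMB v1) and restart the Server service.
    # Restarting LanmanServer drops open file shares; schedule accordingly.
    Set-ItemProperty -Path $params -Name Smb2 -Value 0 -Type DWord
    Restart-Service -Name LanmanServer -Force
    # Belt and braces: block inbound SMB at the host firewall as well (assumed rule names).
    foreach ($port in 139, 445) {
        netsh advfirewall firewall add rule name="Block inbound SMB TCP $port" `
            dir=in action=block protocol=TCP localport=$port | Out-Null
    }
    Write-Host 'Workaround applied: SMB v2 disabled, inbound TCP 139/445 blocked.'
}
```

The caveat is that disabling SMB v2 forces every client back to SMB v1, and the firewall rules stop legitimate file and printer sharing to the host, so both should be reverted once the October patch is installed.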
Last week, Dave Aitel, CEO of security tool vendor Immunity, predicted that Microsoft would not need to patch the bug ahead of its scheduled Oct. 13 security patch date.
The Metasploit attack makes certain assumptions about the computer's memory that allow it to work in certain hardware configurations, but in many situations, it simply doesn't work, Aitel said.
"I asked the Immunity team to take a look into the new exploit to assess whether Microsoft would patch the SMB v2 bug early, and our initial assessment is 'No, they will not,'" he wrote in a discussion list post last Tuesday. "Working around this issue in the current public exploit is probably two weeks of work. At that point, we're nearing Microsoft Tuesday and the need for an out-of-band patch is moot."
The Metasploit team is still working on its attack, however. On Sunday, Metasploit posted details of a new way of exploiting the bug and said it was working on a module that takes advantage of this so-called trampoline technique.
If the trampoline method works and makes the Metasploit attack more reliable, criminals are likely to start using it, SecureWorks said.