Windows Kernel Flaw -- Critical But Not, Says Redmond
- By Jabulani Leffall
To some IT security gadflies, Microsoft's latest "unpatched patch" incident
involving a transfer protocol bug in the Windows kernel is a sign that Redmond
should change not only its security priorities but also the manner in which
it discloses vulnerabilities.
But from Microsoft's perspective, the impact of a flaw disclosed last week involving Windows Kernel TCP/IP/IGMPv3 and MLDv2 -- mainly affecting supported editions of Windows Small Business Server 2003 and Windows Home Server -- merely represents the cost of doing business.
Either way, the release of a proof
of concept flash video on Jan. 30 by Miami-based Immunity Inc. was one of
more than half a dozen incidents over the past six months that found Microsoft
playing defense against vulnerabilities surfacing soon after patch release announcements.
Not to mention the fact that it's yet another example of reoccurring kernel
overflow exploit issues.
"When you look at it from a patch management standpoint -- I mean from zero
to exploit -- the current patch release structure is like a Dutch boy with his
finger in the dyke trying not to drown," said Bas Alberts, senior security researcher
at Immunity. "Windows architecture goes patch by patch and really doesn't have
mechanisms to prevent whole types of bug classes in different areas, and therefore
has to fight the topsy-turvy battle between usability and security one patch
at a time."
According to Alberts, who led the team that released the video, the hole in
the system gives hackers the ability to send bad packets to a Web address and
embed malicious code via the subnet, which comprises of a range of addresses
assigned to a specific network or enterprise organization. The subnet addresses
usually feed up into one single network ID, over which a hacker would have control
if the exploit is successful. The hacker could then do a number of things: install programs; view,
change or delete data; or create new accounts with full user rights.
Reached this week for comment, Alfred Huger, Symantec's VP of engineering for
security response, said news of the exploit was relatively routine and that
Microsoft is doing as well as it can in disclosing vulnerabilities.
That said, Symantec still sent a warning to its customers via its DeepSight threat network. And the company still conceded that Immunity's demonstration of a Windows XP SP2 computer on a local subnet being compromised was still very possible.
"I don't think this is a huge deal," Huger said. "Companies such as [Immunity]
put out exploit concepts all the time; that's what they do. What's getting people's
attention is that Microsoft didn't think it could be exploited and said as much,
and then it happened."
For its part, Microsoft continues to downplay the severity of the breaches outlined in the flash video demonstration even after it said the Jan. 8 patch would render such incursions difficult and unlikely in the "real world."
MS08-001 included a fix for TCP/IP issues that involve bad code sent over
a stream of information packets used for jobs such as file transfer and e-mail
There is no word on whether the issue will be patched this week or some time
in the near future.
Both Huger and Immunity's Alberts agree that Microsoft has made some improvements
on overflow protection for Vista SP1, but that it's still a long haul for more
comprehensive, one-stop-shop security programs that can be found in the Linux
kernel and other Unix-based operating systems.
"The main thing to do is patch what you can but make sensible choices about
which third-party software you're using," Alberts. cautioned. "I would say,
look at Windows and then look at the security track record of the third-party
software you're using and plan accordingly because in that regard, patch management
just isn't enough."
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.