Windows Kernel Flaw -- Critical But Not, Says Redmond

To some IT security gadflies, Microsoft's latest "unpatched patch" incident involving a transfer protocol bug in the Windows kernel is a sign that Redmond should change not only its security priorities but also the manner in which it discloses vulnerabilities.

But from Microsoft's perspective, the impact of a flaw disclosed last week involving Windows Kernel TCP/IP/IGMPv3 and MLDv2 -- mainly affecting supported editions of Windows Small Business Server 2003 and Windows Home Server -- merely represents the cost of doing business.

Either way, the release of a proof of concept flash video on Jan. 30 by Miami-based Immunity Inc. was one of more than half a dozen incidents over the past six months that found Microsoft playing defense against vulnerabilities surfacing soon after patch release announcements. Not to mention the fact that it's yet another example of reoccurring kernel overflow exploit issues.

"When you look at it from a patch management standpoint -- I mean from zero to exploit -- the current patch release structure is like a Dutch boy with his finger in the dyke trying not to drown," said Bas Alberts, senior security researcher at Immunity. "Windows architecture goes patch by patch and really doesn't have mechanisms to prevent whole types of bug classes in different areas, and therefore has to fight the topsy-turvy battle between usability and security one patch at a time."

According to Alberts, who led the team that released the video, the hole in the system gives hackers the ability to send bad packets to a Web address and embed malicious code via the subnet, which comprises of a range of addresses assigned to a specific network or enterprise organization. The subnet addresses usually feed up into one single network ID, over which a hacker would have control if the exploit is successful. The hacker could then do a number of things: install programs; view, change or delete data; or create new accounts with full user rights.

Reached this week for comment, Alfred Huger, Symantec's VP of engineering for security response, said news of the exploit was relatively routine and that Microsoft is doing as well as it can in disclosing vulnerabilities.

That said, Symantec still sent a warning to its customers via its DeepSight threat network. And the company still conceded that Immunity's demonstration of a Windows XP SP2 computer on a local subnet being compromised was still very possible.

"I don't think this is a huge deal," Huger said. "Companies such as [Immunity] put out exploit concepts all the time; that's what they do. What's getting people's attention is that Microsoft didn't think it could be exploited and said as much, and then it happened."

For its part, Microsoft continues to downplay the severity of the breaches outlined in the flash video demonstration even after it said the Jan. 8 patch would render such incursions difficult and unlikely in the "real world."

Indeed, Bulletin MS08-001 included a fix for TCP/IP issues that involve bad code sent over a stream of information packets used for jobs such as file transfer and e-mail transmissions.

There is no word on whether the issue will be patched this week or some time in the near future.

Both Huger and Immunity's Alberts agree that Microsoft has made some improvements on overflow protection for Vista SP1, but that it's still a long haul for more comprehensive, one-stop-shop security programs that can be found in the Linux kernel and other Unix-based operating systems.

"The main thing to do is patch what you can but make sensible choices about which third-party software you're using," Alberts. cautioned. "I would say, look at Windows and then look at the security track record of the third-party software you're using and plan accordingly because in that regard, patch management just isn't enough."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.