[ISN] Exploit code puts Windows XP and 2000 at risk

InfoSec News isn at c4i.org
Fri Nov 18 02:15:47 EST 2005


http://news.com.com/Exploit+code+puts+Windows+XP+and+2000+at+risk/2100-1002_3-5958846.html

By Dawn Kawamoto 
Staff Writer, CNET News.com
November 17, 2005

Exploit code has been published that could take advantage of flaws in
Windows XP SP1 and Windows 2000 SP4, according to a warning issued
Thursday by Microsoft.

Although the exploit code could be used to launch a denial-of-service
attack in machines running XP SP1 and Windows 2000 with all service
pack versions, the threat is only moderately severe, said Stephen
Manzuik, a product manager at security research company eEye Digital
Security.

"On a scale of 10, it would be about a 4 or 5 on severity," said
Manzuik. "All it will do is crash some machines and not crash others."

The exploit code could allow an attacker to launch a remote
denial-of-service attack on Windows 2000 machines using all service
pack versions, but would require a user authentication on Windows XP
SP1 computers, Manzuik said.

The exploit poses only a moderate risk because it requires a user to
log on for Windows XP, and in the case of Windows 2000, the attacker
would have to get remote access to the Remote Procedure Code (RPC)  
port. That port is often behind a firewall, making it difficult to
penetrate remotely, Manzuik noted.

Microsoft has yet to develop a security patch for this exploit, but it
recommended that users enable their firewalls and download security
updates, according to its security advisory.

The exploit code was published by Winny Thomas of Nevis Labs in India,
who reverse-engineered a patch Microsoft issued in October, according
to a posting on FrSIRT's Web site. The patch, MS05-047, dealt with a
plug-and-play feature in the Windows software.

While working on an exploit for MS05-047, I came across a condition
where a specially crafted request to upnp-getdevicelist would cause
services.exe to consume memory to a point where the target machines
virtual memory gets exhausted. This exploit is not similar to the
MS05-047 exploit I published earlier," Thomas noted in his posting.

The October patch did not lead to the vulnerability in Windows, a
Microsoft representative said, adding that Microsoft encourages people
to "apply the MS05-047 update and all recent security updates released
by Microsoft."

Microsoft, however, reiterated its concerns over security researchers
who publish details on how to exploit vulnerabilities before the
software vendor has had time to create a patch.

"Microsoft is concerned that this new report of a vulnerability in
Windows 2000 SP4 and Windows XP SP1 was not disclosed responsibly,
potentially putting computer users at risk," the company said. "We
continue to encourage responsible disclosure of vulnerabilities."

Some security researchers, however, note that Microsoft has been known
to take at least 200 days or more to issue a security patch, once the
company has been notified of a problem.






More information about the ISN mailing list