The stage is set for a Vista worm, as Microsoft scrambles to ready SMB2 patch

September 9th, 2009

A strong dose of déjà vu enshrouds the heightened security advisory Microsoft issued today about the newly-disclosed SMB2 zero-day vulnerability in the Windows Vista and Windows Server 2008 operating systems.

It was one year ago today — September 2008 — that Chinese malware brokers were spotted selling a $37 tool kit that allowed anyone to exploit a newly-disclosed RPC-DCOM vulnerability in Windows XP and Windows Server 2000.

To its credit, Microsoft hustled to design, test and deliver a patch in just a couple of weeks — the company did not wait around for the next Patch Tuesday. But security experts at the time didn’t express much concern. Early Conficker exploits were circulating in the wild, but only sporadically. Corporations likewise were nonplussed; many took their sweet time installing the RPC-DCOM patch.

Accelerating the discussion

Fast forward to the present. LastWatchdog has stepped forward to accelerate the discussion about this latest Windows zero-day flaw. I’ve spent the day polling eight top security analysts and researchers about how the RPC-DCOM flaw was handled, and how the SMB2 flaw is being handled.

Let’s put aside the side-show of whether grey-hat researcher Laurent Gaffie disclosed the flaw responsibly or not. Microsoft says he was irresponsible; Gaffie contends in this Security Focus interview that he was upholding tenets of full disclosure.

Consider that at its peak last January, Conficker searched out and infected some 10 million Windows XP machines worldwide. Keep in mind that the RPC-DCOM patch was made available by Microsoft three months earlier, in mid October. But corporations didn’t take the threat seriously, and were slow to patch. What’s more, after spreading a few limited exploits, Conficker’s creators busted out of the gate with new ways to spread infections once they gained a foothold inside a company’s network, via network shares and shared USB devices.

Vista worm scenarios

So what about this time around, with the SMB2 zero-day?

“The likelihood of hackers launching a worm is great,” says Shavlik researcher Jason Miller. “Any flaw that can be spread without user interaction is a gold mine.”

Conficker turned out to be so pervasive partly because it targeted a fresh flaw in Windows XP, which runs 65% of the Microsoft PCs in use. By contrast, Vista, introduced two years ago with much fanfare, has been largely shunned by corporate users. Vista runs on just 30% of PCs, according to this InfoWorld report.

From a security perspective, that turns out to be a good thing. “Overall, fewer users are vulnerable,” says Purewire researcher Paul Royal. Still, Gartner estimates that there are one billion personal computers in use. That means there is something north of 200 million Vista PCs connected to the Internet and available as targets. That’s plenty of incentive for today’s top-tier botnet controllers who get rich amassing hundreds of thousands of infected PCs, which they use to spread spam, steal data and perform other lucrative criminal activities.

Symantec analyst Ben Greenbaum agrees that a fast-spreading Vista worm is plausible. But he notes that early proof-of-concept attacks have resulted “in a crash of the target,” triggering Microsoft’s infamous Blue Screen of Death.

“The possibility of reliable code execution via this vulnerability has not been proven,” says Greenbaum. “It is plausible, but the likelihood at this point is unknown.”

Pioneer hacker required

However, Purewire research scientist Nidhi Kejriwal says that discussions are already taking place in hacker forums about new, more effective ways to launch a robust Vista worm.

“It has now been noted that this vulnerability does, indeed, have the potential to execute remote code, instead of just crashing (the targeted PC) as was disclosed in the original advisory,” says Kejriwal. “Instructions are available for anyone to try it.”

Microsoft acknowledged as much on Wednesday by inserting this warning into the FAQ section of its advisory describing the flaw: “An attacker who successfully exploited this vulnerability could take complete control of an affected system.”

Microsoft spokesman Christopher Budd emphasizes that no hacker has accomplished that, yet.

SecureWorks researcher Bow Sineath says the challenge awaits a hacking pioneer. Sineath says it was trivial for the creator of Conficker to access the XP security hole and use it to execute a reliable program.

Buried in the kernel

By contrast, the Vista hole is buried deep inside of the Windows kernel — the core proprietary source code Microsoft guards so jealously.

“Theoretically yes, using this vulnerability, a hacker could take control of PCs running Vista, Windows Server 2008 and Windows 7 (release code),” says Sineath. “However, in practice, we don’t believe the threat is that high because the vulnerability is in the driver which runs in the kernel of the operating system — the deepest level of the operating system.”

The RPC-DCOM vulnerability exploited by Conficker, on the other hand, was in the “user space” of the operating system.

“The user space is where all your Word, Internet Explorer, Excel, etc. applications run. It is not where your drivers run,” he says. “The fact that the SMB2 vulnerability is running in the kernel makes the vulnerability critical because the kernel manages resources in the operating system. However, this also makes it difficult to exploit.”

Trend Micro senior analyst Paul Ferguson contends that “the ball is in Microsoft’s court to determine whether or not it’s an exploitable bug. Any time you’re dealing with a simple message block type of issue, if it can be exploited remotely, that’s a serious issue.”

Sophos senior analyst Chet Wisniewski deems it a matter of time before an astute hacker will go for the glory — and a big payday by coming up with a Vista worm, either for this SMB2 flaw, or another yet to be discovered.

“At some point it is inevitable this will occur. There have been worms that have already achieved reasonable success on Vista, so I am sure they will continue,” says Wisniewski. “If Windows 7 gains popularity as quickly as predicted it will likely be the prime target, alongside XP, more than Vista. It’s a numbers game.”

Patch scheduling and workarounds

Arbor Networks analyst Jose Nazario is taking a wait-and-see posture. “In the absence of a reliable working exploit, I do not think this will be the next Conficker,” says Nazario. “However, I would not be surprised to see someone trying to make it the next Conficker.”

The ripest opportunity for hackers lies in the next few weeks — while Microsoft is scrambling to design, test and deliver a security patch. Microsoft’s next Patch Tuesday — the designated day each month for delivering security updates — is Oct. 13. Microsoft spokesman Christopher Budd declined to say whether Microsoft has set a goal of having the Vista patch ready by then.

“The only information we can currently share with regard to timing is that Microsoft is currently working to develop a security update to address this vulnerability and will release the security update once it has reached an appropriate level of quality for broad distribution,” says Budd.

Some, Shavlik’s Miller among them, are betting Microsoft will push the patch out early. “I can see Microsoft skimping a bit on their testing cycle to release the patch as soon as possible,” says Miller.

Meanwhile, Microsoft has issued this workaround. It is advising Vista users to disable SMB2 or to block TCP port 139 and port 445, which are used by several widely used services, file and print sharing among them.

“The workaround does not appear to completely disable file sharing,” says Kaspersky senior researcher Roel Schouwenberg. “It appears that users will have to revert back to using SMB Version 1 instead of Version 2. SMB Version 1 is what is currently used on XP and Windows 2000 programs. Users should be able to continue to share files and print documents as long as they can revert back to SMB Version 1.”
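For administrators who want to apply the interim workaround described above on a Vista or Server 2008 host, here is an added PowerShell example; it is not code from the article or from Microsoft. It assumes that the server-side SMB2 switch is the `Smb2` DWORD under the LanmanServer `Parameters` registry key (an assumption, not a value stated in the article) and that `netsh advfirewall` is available, which it is on Vista and later. It also provides the reverse operations so the change can be undone once the vendor patch ships.

```powershell
# Added example, not code from the article or from Microsoft.
# Applies the two workarounds the article describes on Vista / Server 2008:
#   1. disable SMB2 on the server side, so clients fall back to SMB1
#      (the behaviour Schouwenberg describes), and/or
#   2. block inbound TCP 139 and 445 at the Windows Firewall.
# Assumptions not stated in the article: the "Smb2" DWORD under the
# LanmanServer Parameters key is the switch Microsoft's advisory pointed to,
# and netsh advfirewall is present (Vista and later). Run elevated.

$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # $true when SMB2 is enabled: the value is absent (default) or non-zero.
    $v = (Get-ItemProperty -Path $SmbParams -Name Smb2 -ErrorAction SilentlyContinue).Smb2
    if ($null -eq $v) { return $true }
    return ($v -ne 0)
}

function Disable-Smb2 {
    # Set Smb2=0 and restart the Server service so the setting takes effect.
    # Restarting LanmanServer drops any active file-sharing sessions on this host.
    if (-not (Test-Path $SmbParams)) { throw "LanmanServer parameters key not found" }
    Set-ItemProperty -Path $SmbParams -Name Smb2 -Value 0 -Type DWord
    Restart-Service -Name LanmanServer -Force
    if (Get-Smb2State) { throw "SMB2 still reported as enabled after restart" }
    Write-Output 'SMB2 disabled; this host serves SMB1 only until re-enabled.'
}

function Enable-Smb2 {
    # Revert the registry change once the vendor patch is installed.
    Set-ItemProperty -Path $SmbParams -Name Smb2 -Value 1 -Type DWord
    Restart-Service -Name LanmanServer -Force
    Write-Output 'SMB2 re-enabled.'
}

function Block-SmbPorts {
    # Inbound block for NetBIOS session (139) and direct-hosted SMB (445).
    # Caveat from the article: this also stops legitimate file and print
    # sharing to this host, so prefer it on machines that serve no shares.
    foreach ($port in 139, 445) {
        $name = "SMB2_Workaround_Block_TCP_$port"
        & netsh advfirewall firewall add rule name=$name dir=in action=block protocol=TCP localport=$port | Out-Null
        Write-Output "Firewall rule '$name' added."
    }
}

function Unblock-SmbPorts {
    # Remove the rules added by Block-SmbPorts.
    foreach ($port in 139, 445) {
        $name = "SMB2_Workaround_Block_TCP_$port"
        & netsh advfirewall firewall delete rule name=$name | Out-Null
        Write-Output "Firewall rule '$name' removed."
    }
}

# Usage from an elevated prompt:
#   . .\smb2-workaround.ps1
#   Get-Smb2State          # report current state before changing anything
#   Disable-Smb2           # and/or Block-SmbPorts
#   Enable-Smb2; Unblock-SmbPorts   # after the patch is installed
"SMB2 currently enabled: $(Get-Smb2State)"
```

Dot-source the file rather than running it, so the functions stay in the session; run `Get-Smb2State` first to record the starting state, and keep a note of which hosts were changed so the workaround can be rolled back after the security update is deployed.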

–Byron Acohido