Security Watch
Old Attack Exposes Microsoft Shortcomings
One if by Land, two if by code, I on the opposite shore will be ... taking a nap.
Denial of Service
Windows Server 2003 and
Windows
XP, Service Pack 2 were both found to be vulnerable to a very old form
of Denial of Service attack known as a "
Land"
attack. The attack involves sending a packet to a
machine with the source host/port the same as the destination host/port. This
results in the system attempting to reply to itself, causing it to lock up.
Land attacks first came to light in 1997, and the flaw was fixed in all Windows
versions at the time. The vulnerability appears to have been re-introduced as
a result of the security hardening done during XP SP2 development.
The fact that the newest versions of Microsoft's OSes can be crashed by Land
attacks makes you realize how far Bill Gates' vaunted Trustworthy Computing
initiative still has to go. Some key failures this vulnerability exposes:
- This is an old and well-known form of attack.
How could Microsoft miss this during security testing of the new versions?
The likely answer is that they had routers which prevented the LAND attacks;
thus, they probably tested for the vulnerability and missed the problem because
the router blocked the attack, even though the OSes won't. This means the
criteria they used for determining the success or failure of the test was
completely off-base.
- Code was originally written, then subsequently found
to be vulnerable to an attack (in this case, the original LAND attack in 1997).
Such an occurrence should get logged in such a way as to ensure that the issue,
or the coding that led to the vulnerability in the first place, was double-checked
every time the modules containing the code were revised, updated or replaced.
Yet here we are again, so obviously there were no sticky notes on the vulnerable
modules saying "Hey, check and make sure we're not vulnerable to LAND
attacks!"
- We could simply attribute this to the age-old charge that Microsoft's code
is so huge and so diversely managed that it doesn't know what it's doing with—or
to—it.
- It could also be that its code is just too difficult
to do proper quality assurance (QA). It seems hardly fair to blame
Computer Associates for legacy issues in its code (as I did a few weeks ago)
and not call out Microsoft's QA people for re-introducing a previously patched
vulnerability. Holy Windows, Batman!
More information on the Land attack can be found here.
Hacking
Grsecurity, a group of security applications and infrastructure
for Linux, has a vulnerability in its Role-Based Access Control
(RBAC) sub-system. The vulnerability could allow someone operating as
the Root user to gain privileges over other processes, a situation grsecurity
is supposed to prevent.
Want
More Security? |
This
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here. |
|
|
The issue here isn't so much the vulnerability itself; grsecurity provides
significant protection against so many forms of attack that this one vulnerability
is unlikely to result in a compromise. The real problem is that trust in the
grsecurity model is temporarily broken. Systems employing grsecurity are usually
highly sensitive, and should be patched immediately to reinstate the trust in
the grsecurity environment.
Malicious Code
Instant messenger worms are on the rise. Interestingly,
these aren't based on the graphic image vulnerabilities disclosed over the past
few months, as one might expect, but instead plain old get-the-user-to-click-on-this
type attacks. They're probably gaining traction because they almost always come
from someone you know, propagating via buddy lists in your instant messenger
program.
Here's a tip. If you get a link from someone via your instant messenger program,
simply send them a reply and say "Huh?" If they don't reply immediately,
don't click on the link—ever.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.