As Windows gets safer, old vulnerabilities still have bite

Microsoft Windows is harder to exploit than ever before, but despite the improvements in OS security, experts say it's the old wounds that hurt the most, as organizations continue to fall to cyber attacks that exploit vulnerabilities discovered - and patched - years earlier. Why?

By , ITworld |  Security

Consider this scene: it's October, 2011. Security researchers gathered in Louisville, Kentucky for the annual DerbyCon security conference. On the schedule that year, alongside presentations on “Advanced Nmap Scripting” and “anti forensic techniques,” was a humble birthday party for, of all things, a software vulnerability. But this wasn't just any software vulnerability. This was CVE-2008-4250, the dreaded Server Service vulnerability, which Microsoft patched in October, 2008, three years prior, when it released MS08-067, a software update for all affected Windows systems.

So why the party in Louisville? Why a supermarket sheet cake with the Microsoft logo, some shell script and an image of the super-evil Marvel hero Magneto launching an ICBM? Consider it a show of respect amongst the assembled - many of them IT security professionals and penetration testers - for a vulnerability that helped them bring home the bacon month after month.

Of the top 10 vulnerabilities detected on user systems, not one was for Microsoft's Windows operating system or Microsoft software.

Kaspersky Lab, third quarter Threat Evolution Report

The vulnerability patched by MS08-067 concerned a problem with the way the Server service on Windows handled certain kinds of requests sent using Remote Procedure Call (RPC), a commonly used application protocol. Attackers who could exploit the hole could remotely compromise and take full control of an affected Windows system. Nearly every supported version of Windows was affected, leaving them wide open to remote exploit. In October, 2011, a full three years after a fix for that vulnerability was released, enough of those systems were still around, and still vulnerable, that the MS08-067 vulnerability was considered alive and kicking.

“As a Penetration Tester, this vulnerability is sought out because it is highly reliable and very low risk,” the penetration testers at the firm SecureState observed at the time. “As an attacker, the simple fact is the attack still works.”

Follow Paul on Google+

I'm an experienced writer with a decade of work as a reporter and industry analyst covering IT security, cyber security and hacking. Prior to donning the reporter's cap, I spent close to a decade in the technology field, providing technical communications, product training and marketing and communications services to firms including Cisco Systems, Logica and SteelPoint Technologies (now part of Autonomy Corp. PLC). More recently, I served as editor of the computer security blog Threatpost.com. My writing has appeared in The Boston Globe, Salon.com, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO, ITworld as well as long format analysis for The 451 Group. I have provided expert commentary on cyber security and emerging threats for leading news outlets including NPR's Marketplace TechReport. Finally 'yes,' I was a guest on The Oprah Show — but it’s a long story.
