As Windows gets safer, old vulnerabilities still have bite

Microsoft Windows is harder to exploit than ever before, but despite the improvements in OS security, experts say it's the old wounds that hurt the most, as organizations continue to fall to cyber attacks that exploit vulnerabilities discovered - and patched - years earlier. Why?

By , ITworld |  Security

Consider this scene: it's October, 2011. Security researchers gathered in Louisville, Kentucky for the annual DerbyCon security conference. On the schedule that year, alongside presentations on “Advanced Nmap Scripting” and “anti forensic techniques,” was a humble birthday party for, of all things, a software vulnerability. But this wasn't just any software vulnerability. This was CVE-2008-4250, the dreaded Server Service vulnerability, which Microsoft patched in October, 2008, three years prior, when it released MS08-067, a software update for all affected Windows systems.

So why the party in Louisville? Why a supermarket sheet cake with the Microsoft logo, some shell script and an image of the super-evil Marvel hero Magneto launching an ICBM? Consider it a show of respect amongst the assembled - many of them IT security professionals and penetration testers - for a vulnerability that helped them bring home the bacon month after month.

Of the top 10 vulnerabilities detected on user systems, not one was for Microsoft's Windows operating system or Microsoft software.

Kaspersky Lab, third quarter Threat Evolution Report

The vulnerability patched by MS08-067 concerned a problem with the way the Server service on Windows handled certain kinds of requests sent using Remote Procedure Call (RPC), a commonly used application protocol. Attackers who could exploit the hole could remotely compromise and take full control of an affected Windows system. Nearly every supported version of Windows was affected, leaving those systems wide open to remote exploit. In October, 2011, a full three years after a fix for that vulnerability was released, enough of those systems were still around, and still vulnerable, that MS08-067 was considered alive and kicking.

“As a Penetration Tester, this vulnerability is sought out because it is highly reliable and very low risk,” the penetration testers at the firm SecureState observed at the time. “As an attacker, the simple fact is the attack still works.”
