Windows & .NET Magazine Security UPDATE--July 30, 2003

Security UPDATE, Web exclusive

1. In Focus: "Hacking" Contest and Demonstration Code

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

An interesting news story described a recent occurrence in Japan. The country's Ministry of Economy, Trade and Industry (METI) had scheduled a tournament in which students would compete against one another to exercise their computer security skills. Many small teams would try to penetrate the security of one another's computers while at the same time protecting their machines from intrusion. The defended machines were to use the Windows 2000 OS. Students were free to use other OSs as well in their attempts to breach security. The exercise sounds great to me. All teams would use their protection and penetration knowledge--and learn by observing the tactics used against them. However, the Japanese government canceled the contest after many Japanese citizens complained that such a tournament was the equivalent of promoting cybercrime. (I wonder whether those same people also think that teaching law-enforcement officers about the criminal mind will turn cops into criminals.) I think that the government might be limiting its chances of developing a better set of white-hat "hackers." In last week's Security UPDATE, I wrote about the Last Stage of Delirium Research Group, the Polish group that discovered the remote procedure call (RPC) buffer-overflow vulnerability that affects Windows Server 2003, Windows XP, Win2K, and Windows NT 4.0. The problem is serious because it lets intruders run the code of their choice on an unprotected system--and it affects many OSs. The group chose not to divulge technical details about the discovery at the time the vulnerability became public. I noted that the Last Stage of Delirium Research Group does routinely publish technical details along with code for problems it discovers. I recommended that because the group would eventually release demonstration code, users should patch their systems before a known exploit became available to the public. I thought users might have at least a few weeks for the patching process. However, another group published working demonstration code sooner. On Friday, July 25, Xfocus (which is based in China) published code that attackers can use to exploit the same vulnerability. The code, which appeared on mailing lists and on the group's Web site, is designed for demonstration against any of the affected OSs. When attackers launch the code against an unprotected system, the code gives them a remote command shell. Several security professionals worry that with working code now readily available, someone will use it to create a worm and release it on the Internet. That scenario certainly could occur. Patch your systems now or perform a workaround, such as blocking port 135 at your network borders or disabling Distributed COM (DCOM) by using dcomcnfg.exe. Also, spread the word about the vulnerability to business associates, family, and friends--any of whom might be using an affected system that isn't protected properly. The release of the exploit code was inevitable. As far as I know, no public notices provided Xfocus with specific details about the RPC problem, but the group might have gleaned more specific details from some source. However, Xfocus and other groups could easily test a system until they find a weakness--and develop working code from that point. Many companies currently frown on the release of demonstration code, even some companies that formerly released code but have ceased doing so. Nevertheless, such code releases will continue to occur as they have for the past decade--with the stakes increasingly higher. In any case, we should guard against attacks as best we can. Diligent knowledge gathering and action are required--and should lead to protection when the actions are adequate. We need to keep monitoring newsletters, mailing lists, and other information outlets--and acting on the knowledge. You're probably aware, for example, that Microsoft recently released three more security patches, one of which is critical and affects all Windows OSs. eEye Digital Security discovered the critical flaws, which involve Microsoft DirectX. An unchecked buffer lets intruders run a specially crafted MIDI file to run code of their choice on an unprotected system. You'll find patches linked through the section "Multiple Buffer Overruns in DirectX" in this edition of Security UPDATE. Be sure to patch your systems if necessary!