Microsoft RPC exploit could be a packaged deal
Potential attacks using the MS08-067 exploit won't be in the form of a single worm but will be bundled with other malware, says a security researcher.
While Microsoft has labeled Thursday's emergency patch MS08-067 as "critical" and provided a rare because its exploit could easily be used as worm on a compromised network, one security researcher doesn't think it will happen that way.
"It's likely we're going to see this packaged with some other attack." said Ben Greenbaum, senior research manager at Symantec. "A Web-based attack, for example. We're looking out for are exploits of this being bundled with client-side exploits or Trojans so that the worm can get past corporate firewalls and get behind that firewall into the internal network."
Comparisons have been made to Zotob, an RPC worm that spread like wildfire in 2005. Remote Procedure Calls (RPC) allows programmers to run code either locally or remotely; a flaw within them is ideal for creating a worm.
"The potential is certainly there," Greenbaum said, adding that modern day attackers are "looking to create as much revenue for themselves as possible, and part of that equation means avoiding detection. What we're likely to see is that this will be added to a wide variety of attack tool kits already available."
"It's possible--but it's not likely--that we'll end up seeing a purpose-built worm that only exploits this one vulnerability," he said.
Since the patch came out Thursday morning, Symantec has seen increased scanning on ports 139 and 445, ports that exploits of MS08-067 would use.
There are some mitigating factors. Most firewalls, with default settings in place, should not allow an exploit of this penetrate that firewall, he said. However, home networks with File and Printer Sharing could fall victim to a bundled attack using this exploit.
The greatest danger is to systems running Windows XP and Windows 2000; Microsoft has ranked the patch as critical for these systems. On Windows Vista, Windows Server 2008, or Windows 7 pre-Beta, if the firewall is disabled, and File and Printer sharing enabled, an anonymous user could use this exploit to connect but would do so only at the lowest possible integrity setting, which would prevent successful exploitation, Greenbaum said. Microsoft has rated the patch only as important for those operating systems.