Microsoft issues out-of-cycle fix for critical Windows RPC fault
If the Vista kernel can't be spoofed, it appears some of its key Internet Protocol kernel drivers can be. An IBM security division discovered the problem, and this morning, Microsoft issued what it hopes will be a fix.
A division of IBM involved with security research is being credited with discovering a seriously exploitable vulnerability in both Windows XP and Windows Vista. This time the problem involves two critical components used by the TCP/IP stack: Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) for IPv6, the latter applying only to Vista.
Neither of these components has been immune to vulnerabilities in the past, though the implication from both IBM and Microsoft today was that this particular exploit, discovered by ISS last August, may in fact be somewhat novel in its approach.
The basic concept is not new, though: Intentionally malformed packets for Source Specific Multicasting for MLD, or similarly malformed packets for IGMP, can cause the TCP/IP kernel driver to execute arbitrary code. As if to drive the point home, an ISS advisory stated that theoretically such arbitrary code could come in from the outside, and could potentially be one of the many variants of the dreaded Storm Worm.
Just the mention of that sends shivers through the security community, which is why some security engineering firms today issued press releases saying their products already protect against this vulnerability because they can detect the Storm Worm. Such is likely not the case.
"An attacker does not need to invoke any kind of user interaction to exploit this vulnerability," reads an ISS bulletin updated this morning. "The lack of user interaction, widespread availability of the protocols, and the possibility of complete compromise of targeted systems means that administrators should treat this vulnerability as highly critical."
Microsoft's security update for both vulnerabilities was posted this morning to TechNet.