Feeds

MS flips on new ‘global’ Windows remote-root vuln

Thanks for monitoring that

  • alert
  • submit to reddit

High performance access to file storage

A few days ago the rumours started: every currently-supported version of Windows -- that's -98 to -XP and everything in between -- can be rooted by a novel means which MS regarded as a mystery. It seemed to be an automated, malicious bot which makes it possible to control the target machine via IRC, but it seemed not to replicate itself as a worm would do. Exactly how it finds its way onto the victim's box was not known.

But the number of infections was said to be high, though it was not known if user interaction is required for the 'infection', if that's what it is, to occur, or if the means of dissemination leverages some security vulnerability common to all Windows versions other than users and admins.

In other words, it could have been a malicious payload in some common file archive or application, or it could be something installed remotely via some unknown glitch in a piece of IP client or server software common to every version of Windows. In that case there would be some sort of scanner which recognizes vulnerable hosts and some component which loads the malware.

Of course the IRC connection tempts one to speculate that the culprit is a malicious payload in some file commonly-traded in IRC along the lines of, say, younggirl_does_uncle.zip, but MS was unable to noodle out if that was the case.

The MS Product Support Services (PSS) security team wrote the bulletin. MS never said how many machines had been affected, but they did say that the rate of infection appeared to be slowing. Anti-virus programs were unable to detect the malware, they said; and because the infected files were named after common, harmless ones, there was no easy way to determine if you'd been infected.

It sounded like the Microsoft Final Solution for which we've all been waiting impatiently -- big news indeed, but I didn't cover it because it also sounded quite implausible.

What really happened

Well, it turns out that the original bulletin was so completely wrong that MS has replaced it. And those early news stories have been quietly updated to reflect reality, without actually copping to the fact that they'd been misleading.

It's got a name, finally. It's called the "mIRC Trojan-Related Attack." It turns out that Win-2K Server is the only product presently known to be vulnerable, and then only if the latest patches and hotfixes haven't been installed.

MS says it's 'related to' an IRC Trojan, apparently affecting the extremely popular mIRC client for Windows, as one would have guessed.

But there remain numerous details that need to be clarified. I'm not satisfied with the explanation that "the activity involves a coordinated series of individual hacking attempts that are manual in nature."

You see how this doesn't fit with the Trojan concept. By definition a Trojan is something the machine's user or owner welcomes, which turns out to be malicious. So those weasel words, "Trojan-Related," must have quite a bit of significance. I'm going to guess that what's going on here is the implantation of a known Trojan by means other than user interaction.

We get the same impression from the first sentence of the new, FUD-sanitized bulletin: "the mIRC Trojan-Related Attack is not a security vulnerability. Instead, it is an intrusion that takes advantage of situations where standard precautionary measures have not been put in place." [my emphasis]

So it really does sound like a remote compromise independent of user interaction. Naturally, MS steadfastly refuses to tell us anything useful, like how this is accomplished. 'Install your patches and quit asking impertinent questions' seems to be the subtext here. It's just that I can't quite noodle out how a remote compromise (i.e., one not requiring user interaction) is not a security issue. Perhaps the Redmond spin-meisters would like to walk me through that one.

I have the sickening feeling MS is trying to say that any security stuff-up of theirs for which a patch happens to exist is no longer a security issue.

Another day in the life of a company trying to sell Trustworthy Computing to a world that already knows better. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.