Feeds

MS flips on new ‘global’ Windows remote-root vuln

Thanks for monitoring that

  • alert
  • submit to reddit

Build a business case: developing custom apps

A few days ago the rumours started: every currently-supported version of Windows -- that's -98 to -XP and everything in between -- can be rooted by a novel means which MS regarded as a mystery. It seemed to be an automated, malicious bot which makes it possible to control the target machine via IRC, but it seemed not to replicate itself as a worm would do. Exactly how it finds its way onto the victim's box was not known.

But the number of infections was said to be high, though it was not known if user interaction is required for the 'infection', if that's what it is, to occur, or if the means of dissemination leverages some security vulnerability common to all Windows versions other than users and admins.

In other words, it could have been a malicious payload in some common file archive or application, or it could be something installed remotely via some unknown glitch in a piece of IP client or server software common to every version of Windows. In that case there would be some sort of scanner which recognizes vulnerable hosts and some component which loads the malware.

Of course the IRC connection tempts one to speculate that the culprit is a malicious payload in some file commonly-traded in IRC along the lines of, say, younggirl_does_uncle.zip, but MS was unable to noodle out if that was the case.

The MS Product Support Services (PSS) security team wrote the bulletin. MS never said how many machines had been affected, but they did say that the rate of infection appeared to be slowing. Anti-virus programs were unable to detect the malware, they said; and because the infected files were named after common, harmless ones, there was no easy way to determine if you'd been infected.

It sounded like the Microsoft Final Solution for which we've all been waiting impatiently -- big news indeed, but I didn't cover it because it also sounded quite implausible.

What really happened

Well, it turns out that the original bulletin was so completely wrong that MS has replaced it. And those early news stories have been quietly updated to reflect reality, without actually copping to the fact that they'd been misleading.

It's got a name, finally. It's called the "mIRC Trojan-Related Attack." It turns out that Win-2K Server is the only product presently known to be vulnerable, and then only if the latest patches and hotfixes haven't been installed.

MS says it's 'related to' an IRC Trojan, apparently affecting the extremely popular mIRC client for Windows, as one would have guessed.

But there remain numerous details that need to be clarified. I'm not satisfied with the explanation that "the activity involves a coordinated series of individual hacking attempts that are manual in nature."

You see how this doesn't fit with the Trojan concept. By definition a Trojan is something the machine's user or owner welcomes, which turns out to be malicious. So those weasel words, "Trojan-Related," must have quite a bit of significance. I'm going to guess that what's going on here is the implantation of a known Trojan by means other than user interaction.

We get the same impression from the first sentence of the new, FUD-sanitized bulletin: "the mIRC Trojan-Related Attack is not a security vulnerability. Instead, it is an intrusion that takes advantage of situations where standard precautionary measures have not been put in place." [my emphasis]

So it really does sound like a remote compromise independent of user interaction. Naturally, MS steadfastly refuses to tell us anything useful, like how this is accomplished. 'Install your patches and quit asking impertinent questions' seems to be the subtext here. It's just that I can't quite noodle out how a remote compromise (i.e., one not requiring user interaction) is not a security issue. Perhaps the Redmond spin-meisters would like to walk me through that one.

I have the sickening feeling MS is trying to say that any security stuff-up of theirs for which a patch happens to exist is no longer a security issue.

Another day in the life of a company trying to sell Trustworthy Computing to a world that already knows better. ®

The essential guide to IT transformation

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Time to move away from Windows 7 ... whoa, whoa, who said anything about Windows 8?
Start migrating now to avoid another XPocalypse – Gartner
You'll find Yoda at the back of every IT conference
The piss always taking is he. Bastard the.
HANA has SAP cuddling up to 'smaller partners'
Wanted: algorithm wranglers, not systems giants
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.