MS flips on new ‘global’ Windows remote-root vuln

A few days ago the rumours started: every currently-supported version of Windows -- that's Win-98 to Win-XP and everything in between -- could be rooted by a novel means which MS regarded as a mystery. It appeared to be an automated, malicious bot which makes it possible to control the target machine via IRC, but it did not appear to replicate itself as a worm would. Exactly how it found its way onto the victim's box was not known.

But the number of infections was said to be high, though it was not known whether user interaction was required for the 'infection', if that's what it was, to occur, or whether the means of dissemination leveraged some security vulnerability common to all Windows versions other than their users and admins.

In other words, it could have been a malicious payload in some common file archive or application, or it could be something installed remotely via some unknown glitch in a piece of IP client or server software common to every version of Windows. In that case there would be some sort of scanner which recognizes vulnerable hosts and some component which loads the malware.

Of course the IRC connection tempts one to speculate that the culprit is a malicious payload in some file commonly-traded in IRC along the lines of, say, younggirl_does_uncle.zip, but MS was unable to noodle out if that was the case.

The MS Product Support Services (PSS) security team wrote the bulletin. MS never said how many machines had been affected, but they did say that the rate of infection appeared to be slowing. Anti-virus programs were unable to detect the malware, they said; and because the infected files were named after common, harmless ones, there was no easy way to determine if you'd been infected.

It sounded like the Microsoft Final Solution for which we've all been waiting impatiently -- big news indeed, but I didn't cover it because it also sounded quite implausible.

What really happened

Well, it turns out that the original bulletin was so completely wrong that MS has replaced it. And those early news stories have been quietly updated to reflect reality, without actually copping to the fact that they'd been misleading.

It's got a name, finally. It's called the "mIRC Trojan-Related Attack." It turns out that Win-2K Server is the only product presently known to be vulnerable, and then only if the latest patches and hotfixes haven't been installed.

MS says it's 'related to' an IRC Trojan, apparently affecting the extremely popular mIRC client for Windows, as one would have guessed.

But there remain numerous details that need to be clarified. I'm not satisfied with the explanation that "the activity involves a coordinated series of individual hacking attempts that are manual in nature."

You see how this doesn't fit with the Trojan concept. By definition a Trojan is something the machine's user or owner welcomes, which turns out to be malicious. So those weasel words, "Trojan-Related," must have quite a bit of significance. I'm going to guess that what's going on here is the implantation of a known Trojan by means other than user interaction.

We get the same impression from the first sentence of the new, FUD-sanitized bulletin: "the mIRC Trojan-Related Attack is not a security vulnerability. Instead, it is an intrusion that takes advantage of situations where standard precautionary measures have not been put in place." [my emphasis]

So it really does sound like a remote compromise independent of user interaction. Naturally, MS steadfastly refuses to tell us anything useful, like how this is accomplished. 'Install your patches and quit asking impertinent questions' seems to be the subtext here. It's just that I can't quite noodle out how a remote compromise (i.e., one not requiring user interaction) is not a security issue. Perhaps the Redmond spin-meisters would like to walk me through that one.

I have the sickening feeling MS is trying to say that any security stuff-up of theirs for which a patch happens to exist is no longer a security issue.

Another day in the life of a company trying to sell Trustworthy Computing to a world that already knows better. ®

