MS flips on new ‘global’ Windows remote-root vuln

A few days ago the rumours started: every currently-supported version of Windows -- that's '98 to XP and everything in between -- can be rooted by a novel means which MS regarded as a mystery. It seemed to be an automated, malicious bot which makes it possible to control the target machine via IRC, but it seemed not to replicate itself as a worm would do. Exactly how it finds its way onto the victim's box was not known.

But the number of infections was said to be high, though it was not known if user interaction is required for the 'infection', if that's what it is, to occur, or if the means of dissemination leverages some security vulnerability common to all Windows versions other than users and admins.

In other words, it could have been a malicious payload in some common file archive or application, or it could be something installed remotely via some unknown glitch in a piece of IP client or server software common to every version of Windows. In that case there would be some sort of scanner which recognizes vulnerable hosts and some component which loads the malware.

Of course the IRC connection tempts one to speculate that the culprit is a malicious payload in some file commonly-traded in IRC along the lines of, say, younggirl_does_uncle.zip, but MS was unable to noodle out if that was the case.

The MS Product Support Services (PSS) security team wrote the bulletin. MS never said how many machines had been affected, but they did say that the rate of infection appeared to be slowing. Anti-virus programs were unable to detect the malware, they said; and because the infected files were named after common, harmless ones, there was no easy way to determine if you'd been infected.

It sounded like the Microsoft Final Solution for which we've all been waiting impatiently -- big news indeed, but I didn't cover it because it also sounded quite implausible.

What really happened

Well, it turns out that the original bulletin was so completely wrong that MS has replaced it. And those early news stories have been quietly updated to reflect reality, without actually copping to the fact that they'd been misleading.

It's got a name, finally. It's called the "mIRC Trojan-Related Attack." It turns out that Win-2K Server is the only product presently known to be vulnerable, and then only if the latest patches and hotfixes haven't been installed.

MS says it's 'related to' an IRC Trojan, apparently affecting the extremely popular mIRC client for Windows, as one would have guessed.

But there remain numerous details that need to be clarified. I'm not satisfied with the explanation that "the activity involves a coordinated series of individual hacking attempts that are manual in nature."

You see how this doesn't fit with the Trojan concept. By definition a Trojan is something the machine's user or owner welcomes, which turns out to be malicious. So those weasel words, "Trojan-Related," must have quite a bit of significance. I'm going to guess that what's going on here is the implantation of a known Trojan by means other than user interaction.

We get the same impression from the first sentence of the new, FUD-sanitized bulletin: "the mIRC Trojan-Related Attack is not a security vulnerability. Instead, it is an intrusion that takes advantage of situations where standard precautionary measures have not been put in place." [my emphasis]

So it really does sound like a remote compromise independent of user interaction. Naturally, MS steadfastly refuses to tell us anything useful, like how this is accomplished. 'Install your patches and quit asking impertinent questions' seems to be the subtext here. It's just that I can't quite noodle out how a remote compromise (i.e., one not requiring user interaction) is not a security issue. Perhaps the Redmond spin-meisters would like to walk me through that one.

I have the sickening feeling MS is trying to say that any security stuff-up of theirs for which a patch happens to exist is no longer a security issue.

Another day in the life of a company trying to sell Trustworthy Computing to a world that already knows better.
