MS flips on new ‘global’ Windows remote-root vuln

A few days ago the rumours started: every currently-supported version of Windows -- that's Windows 98 through XP and everything in between -- could be rooted by a novel means that MS itself regarded as a mystery. It appeared to be an automated, malicious bot that let an attacker control the target machine via IRC, but it did not seem to replicate itself the way a worm would. Exactly how it found its way onto the victim's box was not known.

The number of infections was said to be high, but it was not known whether user interaction was required for the 'infection', if that's what it was, to occur, or whether the means of dissemination leveraged some security vulnerability common to all Windows versions (other than the users and admins themselves).

In other words, it could have been a malicious payload in some common file archive or application, or it could be something installed remotely via some unknown glitch in a piece of IP client or server software common to every version of Windows. In that case there would be some sort of scanner which recognizes vulnerable hosts and some component which loads the malware.

Of course the IRC connection tempts one to speculate that the culprit is a malicious payload in some file commonly-traded in IRC along the lines of, say, younggirl_does_uncle.zip, but MS was unable to noodle out if that was the case.

The MS Product Support Services (PSS) security team wrote the bulletin. MS never said how many machines had been affected, but they did say that the rate of infection appeared to be slowing. Anti-virus programs were unable to detect the malware, they said; and because the infected files were named after common, harmless ones, there was no easy way to determine if you'd been infected.
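The one detail in that bulletin that is actually useful to a defender is the point about filenames: malware that calls itself explorer.exe defeats any check that goes by name alone, so the check has to go by content. The following is an added illustration of that idea, written for this article and not code from Microsoft or from the bulletin. It assumes you already hold a trusted baseline of hashes (taken from clean install media or a pristine host); the files and filenames it uses are constructed for the demonstration.

```python
"""Hash-based check for files masquerading under a benign filename.

Added example, not from the original article. A name-based signature cannot
tell a trojan named explorer.exe from the real thing; a content hash can.
Assumption: a trusted baseline (filename -> sha256 of the known-good copy)
is available. All files below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(trusted_root: Path) -> dict[str, str]:
    """Record the digest of every regular file under a trusted tree, keyed by filename."""
    return {p.name: sha256_file(p) for p in trusted_root.rglob("*") if p.is_file()}


def find_impostors(root: Path, baseline: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (relative path, expected digest, actual digest) for every file whose
    name matches a baseline entry but whose content does not. Files with names
    not in the baseline are deliberately ignored here; that is a separate, noisier
    signal and conflates 'new' with 'malicious'."""
    hits: list[tuple[str, str, str]] = []
    for p in root.rglob("*"):
        if not p.is_file() or p.name not in baseline:
            continue
        actual = sha256_file(p)
        if actual != baseline[p.name]:
            hits.append((p.relative_to(root).as_posix(), baseline[p.name], actual))
    return hits


def demo() -> list[str]:
    """Constructed scenario: baseline a clean tree, then plant two impostors under
    benign names on a second tree (one in a subdirectory) and report what is flagged."""
    clean_files = {  # constructed stand-ins for real binaries
        "explorer.exe": b"MZ clean explorer",
        "ntoskrnl.exe": b"MZ clean kernel",
        "readme.txt": b"hello",
    }
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as target_dir:
        clean, target = Path(clean_dir), Path(target_dir)
        for name, data in clean_files.items():
            (clean / name).write_bytes(data)
            (target / name).write_bytes(data)
        baseline = build_baseline(clean)

        # Attacker swaps a benign-named binary and drops a second one in a subdirectory.
        (target / "explorer.exe").write_bytes(b"MZ irc bot payload")
        (target / "system32").mkdir()
        (target / "system32" / "ntoskrnl.exe").write_bytes(b"MZ another impostor")

        return sorted(rel for rel, _, _ in find_impostors(target, baseline))


if __name__ == "__main__":
    for flagged in demo():
        print("content mismatch under trusted name:", flagged)
```

The baseline is keyed by bare filename on purpose: a copy of a trusted binary that turns up in an unexpected directory still gets compared against the real one, which is exactly the case the bulletin describes. On a real host you would take the baseline from media you trust, not from the machine you suspect.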

It sounded like the Microsoft Final Solution for which we've all been waiting impatiently -- big news indeed, but I didn't cover it because it also sounded quite implausible.

What really happened

Well, it turns out that the original bulletin was so completely wrong that MS has replaced it. And those early news stories have been quietly updated to reflect reality, without actually copping to the fact that they'd been misleading.

It's got a name, finally. It's called the "mIRC Trojan-Related Attack." It turns out that Win-2K Server is the only product presently known to be vulnerable, and then only if the latest patches and hotfixes haven't been installed.

MS says it's 'related to' an IRC Trojan, apparently affecting the extremely popular mIRC client for Windows, as one would have guessed.

But there remain numerous details that need to be clarified. I'm not satisfied with the explanation that "the activity involves a coordinated series of individual hacking attempts that are manual in nature."

You see how this doesn't fit with the Trojan concept. By definition a Trojan is something the machine's user or owner welcomes, which turns out to be malicious. So those weasel words, "Trojan-Related," must have quite a bit of significance. I'm going to guess that what's going on here is the implantation of a known Trojan by means other than user interaction.

We get the same impression from the first sentence of the new, FUD-sanitized bulletin: "the mIRC Trojan-Related Attack is not a security vulnerability. Instead, it is an intrusion that takes advantage of situations where standard precautionary measures have not been put in place." [my emphasis]

So it really does sound like a remote compromise independent of user interaction. Naturally, MS steadfastly refuses to tell us anything useful, like how this is accomplished. 'Install your patches and quit asking impertinent questions' seems to be the subtext here. It's just that I can't quite noodle out how a remote compromise (i.e., one not requiring user interaction) is not a security issue. Perhaps the Redmond spin-meisters would like to walk me through that one.

I have the sickening feeling MS is trying to say that any security stuff-up of theirs for which a patch happens to exist is no longer a security issue.

Another day in the life of a company trying to sell Trustworthy Computing to a world that already knows better. ®
