eEye Digital Security Discovers Important Security Flaw for Windows; Blended Attacks Could Turn Flaw Critical.

Kernel-level Vulnerability Discovered by Security Leader eEye Represents a Growing Trend of Blended Security Threats Using Local and Remote Exploits to Attack Networks

ALISO VIEJO, Calif. -- eEye Digital Security(R), a leading developer of network security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education, today announced details for an important vulnerability it discovered related to Microsoft (NASDAQ:MSFT) Windows(R). If not immediately resolved, the Windows Kernel Elevation of Privilege Vulnerability allows any code executing on Windows 2000 SP4 and Windows NT 4.0 machines to elevate itself to the highest possible local privilege level. By doing so, this vulnerability could potentially be used in conjunction with a virus, worm or trojan to allow unprivileged code to subvert the operating system and provide the attacker with SYSTEM-level privileges, thus turning this vulnerability from an "important" security flaw to one that is "critical" or remotely exploitable.

"A kernel-level vulnerability is by nature, harder to fix, so we understand the time it took Microsoft to issue a patch," said Marc Maiffret, eEye's co-founder and chief hacking officer. "This vulnerability is unusual in that it represents a growing trend of blended threats attackers are using to subvert systems remotely. These types of threats highlight the need for enterprises to focus on host-based solutions that enable them to make their networks zero-day immune."

The flaw was discovered by eEye on May 23 - 204 days ago - and involves a locally exploitable kernel-level vulnerability. Although not remotely exploitable in-and-of itself, a malicious user, network worm or email virus could take advantage of this vulnerability in order to completely compromise a vulnerable system on which the exploit code is executing, regardless of that code's original privilege level. The subsequent blended attack has the potential to cause serious damage, allowing an attacker to take complete control of the affected system and execute harmful action remotely.

Microsoft will resolve this vulnerability with one of two issued patches during its December update. The vulnerability exists in the thread termination routine contained within NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a "data free" vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly.

eEye Digital Security, a leading contributor to network security research, regularly identifies vulnerabilities and provides specific advisories on how enterprises can secure them. While Microsoft is only addressing one eEye-discovered vulnerability with this month's patch update, eEye's upcoming advisories page continues to list five other discovered flaws related to Microsoft platforms, including four that are considered high risk, as they can be remotely exploited. The oldest vulnerability in that list was discovered and reported 222 days ago. For more information about upcoming advisories, please visit http://www.eeye.com/ctrack.asp?ref=uvml.

As a service to the network security community, eEye's Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum web seminar during the second week of every month. These Vulnerability Expert Forums enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures. To register for the December Vulnerability Expert Forum, please visit http://www.eeye.com/html/company/events.

About eEye's Security Research Team

Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.

eEye's integrated family of vulnerability management solutions helps IT and security professionals confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's products include: Retina(R) Network Security Scanner, REM(TM) Security Management Console, Iris(R) Network Traffic Analyzer, SecureIIS(TM) Web Server Protection, and Blink(R) Endpoint Intrusion Prevention System.

About eEye Digital Security

eEye Digital Security is a leading developer of network security software, and the foremost contributor to security research and education. eEye's award-winning software products provide a complete vulnerability management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye's customers, Citigroup and the U.S. Department of Defense, represent the largest deployments of vulnerability assessment and prevention technology in the private and public sector. eEye protects the networks and digital assets of more than 8,500 corporate and government deployments worldwide, including Avon, Continental Airlines, Dow Jones, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please visit www.eEye.com.

All trademarks contained within this press release are the sole property of their respective owners and are hereby acknowledged.