eEye Digital Security Discovers Important Security Flaw for Windows; Blended Attacks Could Turn Flaw Critical.


ALISO VIEJO, Calif. -- Kernel-level Vulnerability Discovered by Security Leader eEye Represents a Growing Trend of Blended Security Threats Using Local and Remote Exploits to Attack Networks

eEye Digital Security(R), a leading developer of network security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education, today announced details for an important vulnerability it discovered related to Microsoft (NASDAQ:MSFT) Windows(R). If not immediately resolved, the Windows Kernel Elevation of Privilege Vulnerability allows any code executing on Windows 2000 SP4 and Windows NT 4.0 machines to elevate itself to the highest possible local privilege level. By doing so, this vulnerability could potentially be used in conjunction with a virus, worm or trojan to allow unprivileged code to subvert the operating system and provide the attacker with SYSTEM-level privileges, thus turning this vulnerability from an "important" security flaw to one that is "critical" or remotely exploitable.

"A kernel-level vulnerability is by nature, harder to fix, so we understand the time it took Microsoft to issue a patch," said Marc Maiffret, eEye's co-founder and chief hacking officer. "This vulnerability is unusual in that it represents a growing trend of blended threats Using several techniques to attack a computer system or network. After all, why adopt just one method when viruses, worms, Trojans and software vulnerabilities See vulnerability. used in clever combinations can help to ensure that more systems are compromised and more people are harmed? See virus, worm, Trojan and vulnerability. attackers are using to subvert systems remotely. These types of threats highlight the need for enterprises to focus on host-based solutions that enable them to make their networks zero-day immune."

The flaw was discovered by eEye on May 23 - 204 days ago - and involves a locally exploitable kernel-level vulnerability. Although not remotely exploitable in and of itself, a malicious user, network worm or email virus could take advantage of this vulnerability in order to completely compromise a vulnerable system on which the exploit code is executing, regardless of that code's original privilege level. The subsequent blended attack has the potential to cause serious damage, allowing an attacker to take complete control of the affected system and execute harmful action remotely. Microsoft will resolve this vulnerability with one of two issued patches during its December update.

The vulnerability exists in the thread termination routine contained within NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a "data free" vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly.

eEye Digital Security, a leading contributor to network security research, regularly identifies vulnerabilities and provides specific advisories on how enterprises can secure them. While Microsoft is only addressing one eEye-discovered vulnerability with this month's patch update, eEye's upcoming advisories page continues to list five other discovered flaws related to Microsoft platforms, including four that are considered high risk, as they can be remotely exploited. The oldest vulnerability in that list was discovered and reported 222 days ago. For more information about upcoming advisories, please visit http://www.eeye.com/ctrack.asp?ref=uvml.

As a service to the network security community, eEye's Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum web seminar during the second week of every month. These Vulnerability Expert Forums enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures.

To register for the December Vulnerability Expert Forum, please visit http://www.eeye.com/html/company/events.

About eEye's Security Research Team

Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.

eEye's integrated family of vulnerability management solutions helps IT and security professionals confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's products include: Retina(R) Network Security Scanner, REM(TM) Security Management Console, Iris(R) Network Traffic Analyzer, SecureIIS(TM) Web Server Protection, and Blink(R) Endpoint Intrusion Prevention System.

About eEye Digital Security

eEye Digital Security is a leading developer of network security software, and the foremost contributor to security research and education. eEye's award-winning software products provide a complete vulnerability management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye's customers, Citigroup and the U.S. Department of Defense, represent the largest deployments of vulnerability assessment and prevention technology in the private and public sector. eEye protects the networks and digital assets of more than 8,500 corporate and government deployments worldwide, including Avon, Continental Airlines, Dow Jones, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please visit www.eEye.com.

All trademarks contained within this press release are the sole property of their respective owners and are hereby acknowledged.
COPYRIGHT 2005 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Comment:eEye Digital Security Discovers Important Security Flaw for Windows; Blended Attacks Could Turn Flaw Critical.
Publication:Business Wire
Geographic Code:1USA
Date:Dec 13, 2005
Words:873