From Microsoft Security Bulletin MS08-067 :

Microsoft has released an emergency security update for a broad swath of its users that patches a critical security hole that is already being exploited in the wild.

The vulnerability – which has been subjected to “limited, targeted attacks” – could allow miscreants to create wormable exploits that remotely execute malicious code on vulnerable machines, Microsoft said. No interaction is required from the end user. It was the first patch released outside Microsoft’s regular update cycle in 18 months.

“This is a remote code execution vulnerability,” Microsoft’s out-of-band advisory warned. “An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely.”

As you may read from the following picture lots ( … ) of Windows distributions are affected:

Little bit more in detail:

On Vista and Windows Server 2008, the combination of Address Space Layout Randomization (ASLR) and Data Execution Protection (DEP ) will make the exploitation of this vulnerability more difficult. ASLR will randomize the base address of modules, heaps, stacks, PEB, TEBs, etc. making difficult the return into known locations. Known DEP bypass techniques will not be applicable on these platforms because of the presence of ASLR.

Regarding /GS protection, the stack frame of the function that contained the overflowed buffer was protected with a stack frame boundary cookie. However, due to the nature of this particular vulnerability, the exploit code is able to take advantage of another stack frame that was not meant to be protected by the /GS security cookie. The /GS security cookie is only emitted for functions meeting certain criteria.

F-Secure has already caught the malwares which use this kind of hole, it classified them as Trojan-Spy:W32/Gimmiv.A, with the following features:

On execution, the malware drops a DLL component ( which is also detected as Trojan-Spy:W32/Gimmiv.A ) as

[System Folder]\wbem\sysmgr.dll

and injects it to svchost.exe. The main executable file will then delete itself.

As part of its routine for connecting to a remote server, the trojan will take into account both the operating system version and the presence of any security applications in the system. The trojan checks for the following antivirus programs:

OneCare Protection

The trojan then connects to:…%5D.php?abc=1?def=2

The two parameters ‘abc=’ and ‘def=’ are determined by the antivirus program and the operating system version, respectively. For example, if avp.exe is installed on an infected machine that runs Windows XP, then abc=1 and def=2.

The trojan then harvests the following information from the infected machine:

MSN Credentials
Outlook Express Credentials
Protected Storage Information
Patches Installed
Browser Information
Username (web browsing)

The harvested information is encrypted using Advanced Encryption Standard (AES) and is sent to the remote server.

This time the upgrade is strongly required !

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.