Blog Ho!
A swashbuckling adventure in open source, innovation, and photography
Wednesday, 20 August 2008

Batten Down the Hatches, Thar' be a Packet Storm a Brewin'!
Saturday, 02 August 2003
On July 16th, Microsoft released a security bulletin describing a buffer overflow in the RPC service on all versions of Windows NT, 2000, XP, and 2003. I believe this has the greatest potential for damage of any software vulnerability ever found.

All the right factors of scope, privilege, stealth, and speed are there. The buffer overflow grants system-level privileges. The potential to exploit the overflow over UDP provides both speed and stealth (no connection overhead, and the source address can be forged). Finally, the exploitable service is installed and running by default on all versions of Windows NT, 2000, and 2003, creating a virtually limitless pool of vulnerable hosts (my guess is it numbers over 20 million).

Previous worms provide a peek into the possibilities. SQL Slammer infected 90% of vulnerable hosts in 10 minutes. Its speed came from travelling over UDP, which also made it possible to forge the source address of each packet. What SQL Slammer lacked was scope. CodeRed benefited from a scope larger by an order of magnitude: if I remember correctly, CodeRed's targets were estimated at about 2 million hosts, SQL Slammer's at about 200,000.

This vulnerability could have the speed of Slammer and a scope an order of magnitude larger than CodeRed (I think 20 million vulnerable hosts is not an unreasonable guess). Packaged into a worm, this could infect millions of computers and, if the worm writer so chooses, do significant damage to them. The amount of traffic generated and the number of services knocked out of commission would make the Internet largely unusable for several days at a minimum.
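To make the speed-versus-scope argument above concrete, here is an added illustration that is not part of the original post: the standard random-scanning worm model (the logistic epidemic used in the worm-propagation literature), with constructed scan rates and host counts, shows how the size of the vulnerable population alone changes the time to saturation.

```python
"""Random-scanning worm growth model, added here to illustrate the post's
speed-vs-scope argument. The model is the classic logistic epidemic for a
worm that probes uniformly random IPv4 addresses; the scan rate and host
counts used below are constructed, not measurements from any real worm."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner picks from


def time_to_fraction(vulnerable, scans_per_sec, target=0.9, seeds=1):
    """Seconds until `target` of the `vulnerable` hosts are infected.

    Each infected host sends `scans_per_sec` probes to random addresses; a
    probe infects when it lands on a still-vulnerable host. The closed-form
    solution of dI/dt = r * I * (N - I) / A is
        t = (A / (r * N)) * ln( (f / (1 - f)) * ((N - i0) / i0) )
    with A = address space, N = vulnerable hosts, r = scan rate, i0 = seeds.
    Note that N appears in the denominator: a tenfold larger vulnerable
    population saturates roughly ten times faster at the same scan rate,
    and shrinking N (patching) lengthens the window accordingly.
    """
    n, r, f, i0 = vulnerable, scans_per_sec, target, seeds
    return (ADDRESS_SPACE / (r * n)) * math.log((f / (1 - f)) * ((n - i0) / i0))


def simulate(vulnerable, scans_per_sec, target=0.9, seeds=1, dt=0.1):
    """Discrete-time check of the same model; returns (seconds, infected)."""
    infected, t = float(seeds), 0.0
    while infected < target * vulnerable:
        # Probability that one probe hits a not-yet-infected vulnerable host.
        hit_rate = (vulnerable - infected) / ADDRESS_SPACE
        infected += infected * scans_per_sec * hit_rate * dt
        t += dt
    return t, infected


if __name__ == "__main__":
    rate = 100  # constructed: probes per second per infected host
    for label, hosts in (("Slammer-sized pool", 200_000),
                         ("20 million hosts", 20_000_000)):
        closed = time_to_fraction(hosts, rate)
        stepped, _ = simulate(hosts, rate)
        print(f"{label:>20}: 90% infected after {closed:7.1f} s "
              f"(closed form), {stepped:7.1f} s (simulation)")
```

With the same per-host scan rate, the 20-million-host pool reaches 90% infection about 75 times faster than the 200,000-host pool, which is the scope effect the post is worried about.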

The staying power of this worm would also be tremendous. I'm sure there's a correlation between the number of infectable hosts and how long the worm sticks around: the larger the host pool, the harder it is to squash the worm completely. Heck, just yesterday my logs showed three attempts to exploit the vulnerability CodeRed used against this server.

The economic repercussions of diminished productivity and direct losses could be staggering. My guess is a worm will be loose on the Internet soon (within a few weeks, I think). Even if I'm wrong, the worm could come six months, a year, or two years from now and be just about as devastating. Computers just don't get patched; SQL Slammer exploited a six-month-old vulnerability.

Patch your machine, then just sit back and wait for packets to start flying...
