Microsoft is warning consumers using Windows XP Service Pack 1 (SP1) and Windows 2000 SP4 that code has been published that could be used to launch denial-of-service (DoS) attacks.
According to the Microsoft security advisory, "the vulnerability could allow an attacker to levy a denial of service attack of limited duration" on Windows XP SP1 if the attacker has valid log-on credentials.
Although the flaw cannot be exploited remotely by an anonymous user, the company said that the affected component is reachable remotely by users who have an account on the machine, including a guest account. The advisory added that Windows XP SP2 is not affected.
Microsoft has rated the threat as "low" and has not yet developed a patch. To attack a Windows 2000 system, the attacker would have to reach the Remote Procedure Call (RPC) port remotely. That port is usually blocked at the firewall and is therefore difficult to reach from outside the network.
Breach of Etiquette
The "proof-of-concept" code was discovered and published by Winny Thomas of Nevis Labs in India, on the FrSIRT Web site. According to his post there, Thomas found the flaw while reverse-engineering MS05-047, the patch for a Plug and Play flaw in Windows that Microsoft issued in October. Microsoft learned of the new flaw from the Web site.
"While working on the exploit for MS05-047, I came across a condition where a specially crafted request to upnp_getdevicelist would cause services.exe to consume memory to a point where the target machine's virtual memory gets exhausted," Thomas posted.
Thomas added that the new code is distinct from the MS05-047 exploit he had previously published, and that when run repeatedly against a target it produces a sustained DoS.
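The failure mode Thomas describes, a host process whose memory climbs at every poll until the machine runs out of virtual memory, is easy to watch for from the host side even without a patch. The following is an added example written for this page; it is not code from the article, from Microsoft, or from Thomas. It assumes you have been polling `tasklist /FI "IMAGENAME eq services.exe"` (or a similar tool) every 30 seconds and prepending an ISO timestamp to each line; the log lines below are constructed to show one process growing monotonically and one behaving normally, and the thresholds (`min_polls`, `min_rate_kb_per_s`) are illustrative choices, not values from the advisory.

```python
import re
from datetime import datetime

# Constructed sample log (not real captured data): one tasklist-style line per
# 30-second poll, timestamp prepended.  services.exe grows at every poll, the
# symptom the post describes; svchost.exe fluctuates within normal bounds.
SAMPLE_LOG = """\
2005-11-17T10:00:00 services.exe  652 Console 0   4,120 K
2005-11-17T10:00:00 svchost.exe   884 Console 0  21,400 K
2005-11-17T10:00:30 services.exe  652 Console 0  38,900 K
2005-11-17T10:00:30 svchost.exe   884 Console 0  21,396 K
2005-11-17T10:01:00 services.exe  652 Console 0  71,240 K
2005-11-17T10:01:00 svchost.exe   884 Console 0  21,512 K
2005-11-17T10:01:30 services.exe  652 Console 0 104,880 K
2005-11-17T10:01:30 svchost.exe   884 Console 0  21,300 K
2005-11-17T10:02:00 services.exe  652 Console 0 139,016 K
2005-11-17T10:02:00 svchost.exe   884 Console 0  21,420 K
"""

# timestamp, image name, PID, session name, session number, "N,NNN K"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<image>\S+)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+(?P<kb>[\d,]+) K$"
)


def parse_samples(text):
    """Return [(datetime, image, pid, kilobytes)] for every parseable line.

    Header and blank lines from tasklist do not match the pattern and are
    skipped rather than raising, so raw tool output can be fed in directly."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append((datetime.fromisoformat(m["ts"]),
                    m["image"].lower(),
                    int(m["pid"]),
                    int(m["kb"].replace(",", ""))))
    return out


def growth_report(samples, min_polls=4, min_rate_kb_per_s=500.0):
    """Per (image, pid): flag a process whose memory rose at every poll AND
    whose average growth rate over the window exceeds min_rate_kb_per_s.

    Requiring both conditions keeps a normal, jittery process (svchost.exe
    above) from tripping the check on one large but transient allocation."""
    series = {}
    for ts, image, pid, kb in samples:
        series.setdefault((image, pid), []).append((ts, kb))

    report = {}
    for key, pts in series.items():
        pts.sort()
        if len(pts) < min_polls:
            continue  # too few observations to call it sustained
        monotonic = all(b[1] > a[1] for a, b in zip(pts, pts[1:]))
        elapsed = (pts[-1][0] - pts[0][0]).total_seconds()
        rate = (pts[-1][1] - pts[0][1]) / elapsed if elapsed > 0 else 0.0
        report[key] = {
            "monotonic": monotonic,
            "rate_kb_per_s": rate,
            "flag": monotonic and rate >= min_rate_kb_per_s,
        }
    return report


if __name__ == "__main__":
    for (image, pid), r in growth_report(parse_samples(SAMPLE_LOG)).items():
        status = "SUSTAINED GROWTH" if r["flag"] else "ok"
        print(f"{image} (pid {pid}): {r['rate_kb_per_s']:.0f} KB/s  {status}")
```

The check reports per process, keyed by image name and PID, so a restarted services.exe starts a fresh series instead of inheriting the old one's growth. On a machine that is actually under this attack the rate will be far above any sane threshold; the point of the rate floor is only to ignore slow, legitimate growth.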
Playing by the Rules
While Microsoft does not quibble with the discovery of the security flaw, it does question the manner in which it was revealed. In the security advisory, the company said that it was "concerned that this new report … was not disclosed responsibly, potentially putting computer users at risk."
The company said it encourages responsible disclosure of potential vulnerabilities, but believes that such findings should be reported following established practice, under which the vendor is notified before the rest of the world.