Is MS08-067 Wormable?

re: Is MS08-067 Wormable?

Yuhong Bao — Wed, 03 Dec 2008 02:52:31 GMT

"In addition to ASLR, the affected service on Windows Vista and Server 2008 would only restart twice before staying down indefinitely."

Assuming default settings, of course."

"However, I do not consider that as a defense against worms, because more than likely, the user would at that point either restart the computer or just the service. Given that the restart behavior would only serve to further slow the spreading rate. It would not change the exponential nature of the spread. Again, we arrive at the same conclusion: none of the defenses make a vulnerability non-wormable. They merely slow the spread down."

To 2/256 every reboot or other attempt at restarting, which usually isn't very often.

"Make no mistake, remotely exploitable vulnerabilities are still wormable, and within an hour, you could easily have your entire corporate network infected."

Not for this one, thanks to ASLR.

re: Is MS08-067 Wormable?

LonerVamp — Tue, 04 Nov 2008 21:21:34 GMT

Of course, all of the ASLR analysis is dependent on an organization using only Vista and Win2k8...

So that last statement should read, "In short, please do not use wormability, or lack thereof, as a decision factor in deciding whether to patch Windows Vista/Win2k8 or not."

As a side note, it doesn't take many infected systems spewing out garbage (depending on the worm behavior) to bring networks to a halt. Sure, not many systems may get infected, but the effect is similar: outage.

re: Is MS08-067 Wormable?

The Dave — Tue, 04 Nov 2008 17:17:45 GMT

There are a couple other interesting numbers here that might or might not change things.

For a small organization, say 10 PCs and 2 servers, ASLR combined with the need for authenticated sessions may be enough.

First the worm needs to get in the door, which needs an authenticated session. Lets assume a single worm that moves around in multiple fashions, one of which includes spreading by email and hoping some moron runs the EXE, and so the worm gets in the door.

One machine is already infected so that leaves us with 11 machines, or 22 tries before the targeted service crashes, which hopefully draws the attention of whatever passes for this organization's IT department.

22/256 aren't good odds, not enough to ensure exponential growth.

I'm not suggesting that you shouldn't patch, not at all, individually your risk is the same, regardless of the number of attackers your personal odds of getting hit are still 2/256 per reboot and it only takes a very small number of infected machines to make this happen. However, the smaller your organization is the less likely you are to have an issue and larger organizations are likely more equipped to deploy patches in a timely fashion.

re: Is MS08-067 Wormable?

PaulM — Tue, 04 Nov 2008 16:37:42 GMT

Great post Jesper! Thank you for the analysis of Microsoft's assertions that ASLR limits exploitability of this vuln.

But, don't you think the issue of "wormability" is still very much on the table? You're not really arguing that it doesn't matter, only that Microsoft is probably wrong about the degree to which this vulnerability is not "wormable."

PaulM

re: Is MS08-067 Wormable?

Larry Seltzer — Tue, 04 Nov 2008 13:13:17 GMT

Do enterprises typically shut off the firewall on Vista or XPSP2/SP3 systems? If not, then that is also a defense.

I'd also argue that if a Vista system with ASLR were to be attacked by this worm to the point of overflowing the stack it's overwhelmingly likely that it would generate an error on the system which would alert administrators. Certainly there would be many such errors at that point, definitely alerting them.

And wouldn't DEP/NX come into effect if the attack got past ASLR?