– Kernel-level vulnerability discovered by security leader eEye represents a growing trend of blended security threats using local and remote exploits to attack networks –
(ALISO VIEJO, CA) December 13, 2005 eEye Digital Security®, a leading developer of network security and vulnerability management software solutions, as well as the industry’s foremost contributor to security research and education, today announced details of an important vulnerability it discovered related to Microsoft (NASDAQ: MSFT) Windows®. If not immediately resolved, the Windows Kernel Elevation of Privilege Vulnerability allows any code executing on Windows 2000 SP4 and Windows NT 4.0 machines to elevate itself to the highest possible local privilege level. By doing so, this vulnerability could potentially be used in conjunction with a virus, worm or trojan to allow unprivileged code to subvert the operating system and provide the attacker with SYSTEM-level privileges, thus turning this vulnerability from an “important” security flaw into one that is “critical” or remotely exploitable.
“A kernel-level vulnerability is, by nature, harder to fix, so we understand the time it took Microsoft to issue a patch,” said Marc Maiffret, eEye’s co-founder and chief hacking officer. “This vulnerability is unusual in that it represents a growing trend of blended threats attackers are using to subvert systems remotely. These types of threats highlight the need for enterprises to focus on host-based solutions that enable them to make their networks zero-day immune.”
The flaw was discovered by eEye on May 23 – 204 days ago – and involves a locally exploitable kernel-level vulnerability. Although not remotely exploitable in and of itself, a malicious user, network worm or email virus could take advantage of this vulnerability in order to completely compromise a vulnerable system on which the exploit code is executing, regardless of that code's original privilege level. The resulting blended attack has the potential to cause serious damage, allowing an attacker to take complete control of the affected system and execute harmful actions remotely. Microsoft will resolve this vulnerability in one of the two patches issued in its December update.
The vulnerability exists in the thread termination routine contained within NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a “data free” vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly.
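The paragraph above describes the flaw as a “data free”: a discard path that frees a block the allocator never handed out. The following C program is an added illustration of that bug class and of the ownership check a hardened discard path uses; it is not eEye's or Microsoft's code, does not model NTOSKRNL.EXE, and every name in it (apc_entry_t, flush_queue_safe, demo_flush and so on) is a hypothetical model constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a queued APC-like entry (not a kernel structure).
 * Some entries are heap blocks owned by the queue; others are embedded in a
 * larger object that the queue does not own. */
typedef struct apc_entry {
    struct apc_entry *next;
    int queue_owns_storage;              /* 1: allocated by the queue, free() is legal */
    void (*rundown)(struct apc_entry *); /* owner's callback for entries the queue does not own */
    char tag[16];
} apc_entry_t;

typedef struct {
    apc_entry_t *head;
} apc_queue_t;

static int rundown_calls = 0;            /* instrumentation for the demo */

/* Owner-side rundown: the embedding object learns its entry was discarded. */
void owner_rundown(apc_entry_t *e) {
    (void)e;
    rundown_calls++;
}

apc_entry_t *apc_alloc(const char *tag) {
    apc_entry_t *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->queue_owns_storage = 1;
    strncpy(e->tag, tag, sizeof e->tag - 1);
    return e;
}

void apc_queue_push(apc_queue_t *q, apc_entry_t *e) {
    e->next = q->head;
    q->head = e;
}

/* "Data free" pattern (model of the flaw class named in the advisory): the
 * discard path frees every entry it finds, which is only valid for heap
 * blocks. Freeing an embedded entry hands a pointer into another object or a
 * static region to the allocator and corrupts allocator state. Shown for
 * contrast only; the demo never executes it. */
void flush_queue_unsafe(apc_queue_t *q) {
    apc_entry_t *e = q->head;
    while (e) {
        apc_entry_t *next = e->next;
        free(e);                         /* undefined behaviour for non-heap entries */
        e = next;
    }
    q->head = NULL;
}

/* Hardened discard: release storage only when the queue owns it; otherwise
 * hand the entry back to its owner via the rundown callback. Returns the
 * number of heap entries released. */
int flush_queue_safe(apc_queue_t *q) {
    int freed = 0;
    apc_entry_t *e = q->head;
    q->head = NULL;                      /* unlink first so a rundown never sees a half-flushed queue */
    while (e) {
        apc_entry_t *next = e->next;
        if (e->queue_owns_storage) {
            free(e);
            freed++;
        } else if (e->rundown) {
            e->rundown(e);
        }
        e = next;
    }
    return freed;
}

/* Demo: two queue-owned entries plus one entry embedded in a stack object.
 * Returns freed*10 + rundown count, i.e. 21 on success, -1 on a broken invariant. */
int demo_flush(void) {
    struct { int other_state; apc_entry_t apc; } embedding = { 7, {0} };
    apc_queue_t q = { NULL };
    rundown_calls = 0;

    embedding.apc.queue_owns_storage = 0;
    embedding.apc.rundown = owner_rundown;
    strncpy(embedding.apc.tag, "embedded", sizeof embedding.apc.tag - 1);

    apc_queue_push(&q, apc_alloc("heap-1"));
    apc_queue_push(&q, &embedding.apc);
    apc_queue_push(&q, apc_alloc("heap-2"));

    int freed = flush_queue_safe(&q);
    if (q.head != NULL || embedding.other_state != 7) return -1;
    return freed * 10 + rundown_calls;
}

int main(void) {
    printf("demo_flush() = %d (expect 21: 2 heap entries freed, 1 rundown)\n", demo_flush());
    return 0;
}
```

The defensive point is the explicit ownership flag and the rundown callback: a discard routine that cannot tell who owns an entry's storage has no safe way to release it, which is exactly the situation the advisory's “data free” describes.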
eEye Digital Security, a leading contributor to network security research, regularly identifies vulnerabilities and provides specific advisories on how enterprises can secure them. While Microsoft is only addressing one eEye-discovered vulnerability with this month’s patch update, eEye’s upcoming advisories page continues to list five other discovered flaws related to Microsoft platforms, including four that are considered high risk, as they can be remotely exploited. The oldest vulnerability in that list was discovered and reported 222 days ago. For more information about upcoming advisories, please visit http://www.eeye.com/html/research/upcoming/index.html.
As a service to the network security community, eEye's Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum web seminar during the second week of every month. These Vulnerability Expert Forums enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register for the December Vulnerability Expert Forum, please visit http://www.eeye.com/html/company/events.
About eEye’s Security Research Team
Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.
eEye's integrated family of vulnerability management solutions helps IT and security professionals confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's products include: Retina® Network Security Scanner, REM™ Security Management Console, Iris® Network Traffic Analyzer, SecureIIS™ Web Server Protection, and Blink® Endpoint Intrusion Prevention System.
About eEye Digital Security
eEye Digital Security® is pioneering a new class of security products: integrated threat management. This next generation of security detects vulnerabilities and threats, prevents intrusions, and protects all of an enterprise’s key computing resources, from endpoints to network assets to web sites and web applications, all while providing a centralized point of security management and network visibility. eEye’s research team is consistently the first to identify new threats in the wild, and our products leverage that research to deliver on the goal of making network security as easy to use and reliable as networking itself. Founded in 1998 and headquartered in Orange County, California, eEye Digital Security protects more than 9,000 corporate and government organizations worldwide, including half of the Fortune 100. For more information, please visit www.eeye.com.
Primary Agency Contact
Victor Cruz
MediaPR
(508) 655-4397 eEye@mediapr.net
EMEA Agency Contact
Ralph Klöwer
INTERFACE Relations
+49 (0) 89-552 688-66 r.kloewer@interface.pr.de
Corporate Contact
Stacy Newman
eEye Digital Security
(949) 900-4131 press@eEye.com
