Patch Tuesday fixes “Dead Cow Cult” exploit
It's a quiet Microsoft patch month, but an expert reveals the history of one of the flaws that's being fixed.
An expert has claimed Patch Tuesday for November fixes a vulnerability found by a member of US hacker group Cult of The Dead Cow'.
According to Shavlik chief technology officer Eric Schultze, the important' MS08-068 patch addresses a vulnerability which is more than seven years old, found by a US hacker called Sir Dystic, better known as Josh Buchbinder.
He was a member of the Cult of the Dead Cow', a hacking organisation which was founded in 1984 in Texas, and claims on its website to be the "most elite people to ever walk the face of the earth."
Sir Dystic found a vulnerability in Microsoft Operating Systems that enabled attackers complete access to user's computers, and wrote a utility called SMBRelay to demonstrate the flaw.
Shavlik claimed that Microsoft knew about the problem since 2001, and was unable to - or chose not to - fix it until now. The MS08-068 patch now addresses it.
He gave an example of an attack: "The attacker sends the victim an HTML email - or convinces them to visit their website - where the code includes a reference like: 'file://evilserver/picturejpg'.
"When the victim machine goes to view this html, it attempts to display the 'picture' jpg. To do this, it needs to connect to the 'evilserver' machine over NetBIOS ports. The evilserver machine asks the victim machine to authenticate to it, so it can then serve up the picture.jpg file."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"The victim machine performs NTLM challenge-response authentication process in order to connect to evilserver to get this picture file."
Shavlik said that whether the authentication succeeded or failed, it was already too late. The evil server now had the challenge-response data that it could use to reply back to the victim's machine. This would allow the attacker to simply connect to the victim's machine without providing any specific password.
He said: "The attacker has the same credentials as the user had on their system and can read and write files, modify the registry, delete objects, access emails, etc."
The other critical' MS08-069 patch addresses a vulnerability in Windows XML Core Services - a technology used in businesses to format and manipulate data.