Full Disclosure mailing list archives

Re: MS06-019 - How long before this develops into a self propagating email worm


From: "David Litchfield" <davidl () ngssoftware com>
Date: Thu, 11 May 2006 21:08:10 +0100

>> "Thereeeeeees zero-day in the wild, you're going to get haaaaaxx3d"
>
> It's more like "We now know about a zero-day that's been on the loose
> for some unknown amount of time, and you may already be hax0red. And if
> you haven't, you probably will be as soon as the script kiddies who are
> even more lame than our security professionals find the zero-day. HAND".
>
> Code alone is not a threat. It's obvious these security companies never
> have specific intelligence of worms being planned. All they can base
> their threat meters on is a generalization.
>
> Which one is the threat:
>
> "A gun store has opened on the corner, someone might buy a gun and shoot"
>
> or
>
> "I overheard a conversation that johnny average is annoyed at bob and
> spoke about revenge, he's really into .... snip


They both are. The first is, of course, more general and is based upon increased _opportunity_. The second is a specific threat based upon specific intelligence. Bringing this back to the world of computer security: most major Internet worms that use an overflow as their vector have exploited previously announced flaws - with a patch being available - for example Blaster, Slammer, Code Red. With the current situation, we have increased opportunity: that is, there is a pre-authentication attack vector in a commonly used product which is not commonly firewalled. In other words, almost all the right ingredients for an Internet worm. If past experience is anything to go by, the only missing ingredient is proof of concept code released by a well meaning security researcher!

Cheers,
David Litchfield
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
