PaulDotCom mailing list archives
[Fwd: MS09-049: Vista Wireless LAN Autoconfig Service Code Execution Vulnerability]
From: jwright at hasborg.com (Joshua Wright)
Date: Fri, 11 Sep 2009 06:18:00 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I sent this note to the WifiSec mailing list this morning. Reposting here, since I think this community appreciates a remote 0-day in Vista machines over wireless more than most. :)

- -Josh

- -------- Original Message --------
Subject: MS09-049: Vista Wireless LAN Autoconfig Service Code Execution Vulnerability
Date: Fri, 11 Sep 2009 06:16:39 -0400
From: Joshua Wright <jwright at hasborg.com>
To: wifisec at securityfocus.com <wifisec at securityfocus.com>

I'm including a write-up from the SANS @RISK vulnerability alert system below.

With Vista, Microsoft re-wrote the native wireless stack, reducing the amount of packet-handling code an independent hardware vendor (IHV) had to do and standardizing the functionality of the wireless interface. On one hand, this was great, as it meant that we could quell the stream of vulnerabilities in wireless drivers from Atheros, Broadcom, Intel and more, relying instead on the Microsoft-native code for handling 802.11 frames. On the other hand, now every Vista client with a wireless card (that hasn't yet patched) is vulnerable to a drive-by wireless exploit.

While wireless driver vulnerabilities have been known to affect XP, it was difficult to use them since targeting a vulnerable client is difficult (knowing what driver they are using, for example, is possible but hard and impractical today). With the Vista stack, that isn't an issue, as it's trivial to identify a Vista vs. XP box from observing the client activity over the air.

I'm still supportive of Microsoft's change to unify the wireless stack on Vista since it has a lot of other practical benefits over the prior XP model, plus many users who take advantage of auto update will be patched shortly (much better than XP where drivers were almost never updated, unless done manually). Still, as a 0-day, this one is pretty scary.

- -Josh

p.s. Last chance to register for my SANS Institute course Ethical Hacking Wireless, where we cover wireless driver exploits and more wireless hacking than you can shake a stick at, delivered live at home (by me) once a week for 12 weeks. Class starts Wednesday night. Sign up now and get a free Kindle v2! http://www.sans.org/vlive/details.php?nid=19608 (enter "kindle" as the discount code).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkqqI9gACgkQapC4Te3oxYz6ggCfZiNe1SSzEfGS/dsSexrCVxyU
8jkAoIsC6hAVRUBLasHelGHUJLlcU4HB
=/8R3
-----END PGP SIGNATURE-----