[Fwd: MS09-049: Vista Wireless LAN Autoconfig Service Code Execution Vulnerability]

[gbugbear at gmail.com (Tim Mugherini)]

Thank you Josh - I enjoyed your insight

On Fri, Sep 11, 2009 at 6:18 AM, Joshua Wright <jwright at hasborg.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I sent this note to the WifiSec mailing list this morning.  Reposting
> here, since I think this community appreciates a remote 0-day in Vista
> machines over wireless more than most. :)
>
> - -Josh
>
> - -------- Original Message --------
> Subject: MS09-049: Vista Wireless LAN Autoconfig Service Code Execution
> Vulnerability
> Date: Fri, 11 Sep 2009 06:16:39 -0400
> From: Joshua Wright <jwright at hasborg.com>
> To: wifisec at securityfocus.com <wifisec at securityfocus.com>
>
> I'm including a write-up from the SANS @RISK vulnerability alert system
> below.  With Vista, Microsoft re-wrote the native wireless stack,
> reducing the amount of packet-handling code an independent hardware
> vendor (IHV) had to do and standardizing the functionality of wireless
> interface.  One one hand, this was great, as it meant that we could
> quell the stream of vulnerabilities in wireless drivers from Atheros,
> Broadcom, Intel and more, relying instead on the Microsoft-native code
> for handling 802.11 frames.
>
> On the other hand, now every Vista client with a wireless card (that
> hasn't yet patched) is vulnerable to a drive-by wireless exploit.  While
> wireless driver vulnerabilities have been known to affect XP, it was
> difficult to use them since targeting a vulnerable client is difficult
> (knowing what driver they are using, for example, is possible but hard
> and impractical today).  With the Vista stack, that isn't an issue, as
> it's trivial to identify a Vista vs. XP box from observing the client
> activity over the air.
>
> I'm still supportive of Microsoft's change to unify the wireless stack
> on Vista since it has a lot of other practical benefits over the prior
> XP model, plus many users who take advantage of auto update will be
> patched shortly (much better than XP where drivers were almost never
> updated, unless done manually).  Still, as a 0-day, this one is pretty
> scary.
>
> - -Josh
>
> p.s. Last chance to register for my SANS Institute course Ethical
> Hacking Wireless, where we cover wireless driver exploits and more
> wireless hacking than you can shake a stick at, delivered live at home
> (by me) once a week for 12 weeks. Class starts Wednesday night.  Sign up
> now and get a free Kindle v2!
> http://www.sans.org/vlive/details.php?nid=19608 (enter "kindle" as the
> discount code).
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAkqqI9gACgkQapC4Te3oxYz6ggCfZiNe1SSzEfGS/dsSexrCVxyU
> 8jkAoIsC6hAVRUBLasHelGHUJLlcU4HB
> =/8R3
> -----END PGP SIGNATURE-----
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090911/77828693/attachment.htm