Security Samizdat

A new Solaris worm using the recent Telnet vulnerability seems to have been found in the wild:

This morning on ATLAS we saw a pair of hosts scanning for Telnet servers. While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to a recent Solaris bug, specifically CVE-2007-0882 (the telnet “-froot” bug). Two boxes in the same subnet scanning for it and hitting ATLAS; reports from another site indicate another box on that same subnet scanning them.

Last night a team member found what appears to a Sun Solaris telnet worm using this vulnerability.

Read it all at the Arbor Security Blog.

According to SANS, there is a spike in port tcp/23 scans.

UPDATE 1-Mar-2007: Symantec’s report on the issue and a write-up on the Solaris.Wanuk.Worm. The spread of the worm seems to be quite limited. After all not many Solaris boxes have telnet ports accesible from the Internet.

There is an article at ZDNet (”Hacker, Microsoft duke it out over Vista design flaw“) which describes the controversy between the hacker Joanna Rutkowska and Microsoft’s Mark Russinovich over an allegued design flaw of Vista UAC.

In a nutshell, Vista assumes automatically that all application installers should be executed with elevated privileges. There is no possibility of running installers with normal user privileges (for example, if no drivers need to be installed or changes to the system done)

Russinovich’s explanation sort of admits that a vector for sohisticated attack is technically possible.

Because elevations and ILs don’t define a security boundary, potential avenues of attack , regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

According to Bruce Schneier,

What’s interesting is that Microsoft is positioning this as a trade-off between security and ease-of-use. That’s correct, of course, but it seems that someone made a bad decision in this regard.

Joanna posted another entry in her blog clarifying her position:

There are two things which should be distinguished:

1) The fact that UAC design assumes that every setup executable should be run elevated (and that a user doesn’t really have a choice to run it from a non-elevated account),

2) The fact that UAC implementation contains bug(s), like e.g. the bug I pointed out in my article, which allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was pissed off not because of #1, but because Microsoft employee - Mark Russinovich - declared that all implementation bugs in UAC are not to be considered as security bugs.

True, I also don’t like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote “The Joke Post”.