Microsoft is up in arms over a French security team’s decision to make a potential vulnerability in Windows 2000 Service Pack 4 and Microsoft Windows XP SP1 public. The French Security Incident Response Team published details about a proof-of-concept exploit that targets the vulnerability without first informing Microsoft.
Winny Thomas claims he came across a condition where a specially crafted request to upnp_getdevicelist would cause services.exe to exhaust a machine’s virtual memory. Thomas wrote in his report that the exploit is not similar to the MS05-47 exploit he published earlier.
MS05-47 caused a crash in services.exe and eventually shut down the system. However, Thomas claimed the new exploit causes virtual memory to be consumed to a point where there is a delay in servicing desktop requests, such as choosing “My Computer,” HTTP requests, and SMB requests.
“After some time the memory usage comes down and the target system would work as normal,” Thomas wrote in his report. “However, this code when continuously executed against a target, leads to a sustained DOS attack.”
Microsoft Expounds on Vulnerability
Microsoft published a security advisory on November 16, informing customers that it is aware of Thomas’ report of a vulnerability that could allow an attacker to perform a Denial of Service attack.
Microsoft admitted that an attacker could potentially exploit the Windows 2000 vulnerability anonymously. However, the software giant said an attacker must have valid logon credentials to exploit the XP Service Pack 1 vulnerability.
Microsoft said customers who have installed Windows XP Service Pack 2 are not affected by this vulnerability. Additionally, customers running Windows Server 2003 and Windows Server 2003 Service Pack 1 are not affected. Then Microsoft rebuked Thomas.
“Microsoft is concerned that this new report of a vulnerability in Windows 2000 Service Pack 4 and Windows XP Service Pack 1 was not disclosed responsibly, potentially putting computer users at risk,” Microsoft’s security bulletin said. “We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests.”
Ed Moyle, president of SecurityCurve, told TechNewsWorld that the good news is the vulnerability itself is minimal from a risk perspective. The bad news, he added, is the manner in which the vulnerability was disclosed: without informing Microsoft so the company could develop a patch.
“This is an unusual occurrence, since it’s commonly recognized as bad form to put out this type of research without alerting the vendor,” Moyle said. “However, even more unusual is that Microsoft used the alert as a forum to comment on their frustration with the lack of advance notice.”
Moyle said most vulnerability researchers coordinate with the vendor when writing about a vulnerability in order to allow the vendor a time window within which to prepare a patch for the product and prepare a response to users. In this case, the researcher breached standard industry protocols.
“It’s not the first time it’s happened, and it’s unlikely to be the last,” Moyle said. “All in all, I think it’s important for vendors to be prepared for the eventuality that a researcher might alert the public without alerting them first.”