Worm hole in Windows 2000
Egaladeist
August 4th, 2005, 03:40 PM
A serious flaw has been discovered in a core component of Windows 2000, with no possible work-around until it gets fixed, a security company said. The vulnerability in Microsoft's operating system could enable remote intruders to enter a PC via its Internet Protocol address, Marc Maiffret, chief hacking officer at eEye Digital Security, said on Wednesday. As no action on the part of the computer user is required, the flaw could easily be exploited to create a worm attack, he noted.
What may be particularly problematic with this unpatched security hole is that a work-around is unlikely, he said. "You can't turn this (vulnerable) component off," Maiffret said. "It's always on. You can't disable it. You can't uninstall."
eEye declined to give more details on the flaw or the Windows 2000 component in question. As part of company policy, it does not release technical details of the vulnerabilities it finds until the software's maker has released either a patch or an advisory.
http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=17660
Worm hole found in Windows 2000 :: Hack In The Box :: Keeping Knowledge Free
Eg ;)
Tiger Shark
August 4th, 2005, 03:53 PM
Errr.... Their web site hasn't published any new vuln since June 23rd and there is no mention of this on the web site. Considering the potential harm that could be wreaked worldwide one would think that they'd be all over this......
I dunno.... Smacks of FUD to me..... Especially the phrase "The vulnerability in Microsoft's operating system could enable remote intruders to enter a PC via its Internet Protocol address". That's a bloody unusual way for a worm to travel, IP to IP..... :rolleyes:
Egaladeist
August 4th, 2005, 03:58 PM
Hi TS,
According to the date on CNET...
Worm hole found in Windows 2000
Published: August 3, 2005, 1:40 PM PDT
I assume this is new...
http://news.com.com/Worm+hole+found+in+Windows+2000/2100-1002_3-5817400.html
Worm hole found in Windows 2000 | CNET News.com
I normally check source links before posting.
Eg ;)
Tiger Shark
August 4th, 2005, 04:06 PM
Yeah.... Wasn't there a Cisco flaw about a year ago that was going to bring the internet to its knees?
They are implying that they have found a serious flaw in the underlying protocol stack that allows remote code execution. Since they say that this can't be turned off one has to wonder what component it could possibly be since I can disable the network card. Are they implying that disabling the card doesn't work? Or are they assuming that the card remains enabled and that the IP stack itself is flawed _even_ when no service is listening or that there is a service that can't be turned off that is vulnerable?
The plain lack of any usable information concerns me......
Egaladeist
August 4th, 2005, 04:21 PM
Hi TS,
Also found here...
http://news.zdnet.com/2100-1009_22-5817400.html
Worm hole found in Windows 2000 | Tech News on ZDNet
It's making its rounds.
"The plain lack of any usable information concerns me"
But they did say that until there is a patch they do not want to release potentially detrimental information.
Eg ;)
Egaladeist
August 4th, 2005, 05:12 PM
Well...here's the page on the web...under upcoming advisories...guess whoever is responsible for maintaining their website is slow on the draw...
http://www.eeye.com/html/research/upcoming/20050801.html
eEye - Vulnerability Assessment and Intrusion Prevention Network Security Software
and it seems to be getting picked up by everyone...
http://software.silicon.com/security/0%2c39024655%2c39151021%2c00.htm
Windows 2000 open to IP attack - Security Strategy - Breaking Business and Technology News at silicon.com
http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
IP flaw leaves Windows 2000 wide open - vnunet.com
http://www.smoothwall.net/information/news/newsitem.php?id=819
SmoothWall
I can't imagine all these sites picking up on a story that is essentially flawed...but it's possible.
Eg ;)
Tiger Shark
August 4th, 2005, 05:20 PM
Ahhh.... I see.....
I took a look through the rest of their advisories..... A pattern emerges.... The detection and fix is often eEye's products.... Funny huh? ;)
Unless someone gives me a bit more of a clue than "The sky is falling" I'm going to take the "pinch of salt routine".
Egaladeist
August 4th, 2005, 05:26 PM
Hi TS,
I noticed that too looking over their site...and I agree they do seem to be opportunists...probably why they look for vulnerabilities in the first place ;)...
still doesn't make the information wrong. I doubt that all these other security sites picking this up are being duped...and as yet I haven't read any criticism from these sites in regards to the vulnerability.
Eg ;)
Tiger Shark
August 4th, 2005, 05:48 PM
"and as yet I haven't read any criticism from these sites in regards to the vulnerability."
Because there is nothing to criticize?..... ;)
I personally dislike this form of "disclosure/marketing". If you aren't going to tell me enough to determine whether or not I need to start planning action don't bother telling me anything. All they are doing is wasting my time and it smacks of playground one-upmanship of the "I know a secret and I'm not telling you" kind. The only person that might benefit from this type of disclosure is eEye. They should tell me how good they are later and leave me in peace right now..... :mad:
Egaladeist
August 4th, 2005, 06:06 PM
Hi TS,
Well..I suppose it's a wait-and-see until Microsoft checks it out and reports back...
"A Microsoft representative said the software giant will issue a comment once it has had a chance to review the eEye advisory, which has yet to be posted on the security company's website."
from the silicon.com site posted above
I assume eEye will post not long after according to their release policy.
Eg ;)
Maestr0
August 4th, 2005, 06:45 PM
"They are implying that they have found a serious flaw in the underlying protocol stack that allows remote code execution. Since they say that this can't be turned off one has to wonder what component it could possibly be since I can disable the network card. "
Another RPCss.exe overflow. Blaster v2
-Maestr0
Tiger Shark
August 4th, 2005, 06:50 PM
"Another RPCss.exe overflow. Blaster v2"
... and who, in their right mind, leaves RPC open to the internet???????
If this is the case it's just what I thought it would be.... A non-entity....
mohaughn
August 4th, 2005, 07:36 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269716#post852968) by Tiger Shark
"... and who, in their right mind, leaves RPC open to the internet???????
If this is the case it's just what I thought it would be.... A non-entity...."
If you think a worm can only make its way into your network through your firewall/internet connection then you are sadly mistaken. Nobody should have RPC open, but every worm that I've ever experienced at my current company came in over VPN or a laptop being carried into the office and connected to the internal network. A worm using another exploit similar to the RPCss.exe issues, not saying that is the case now, would be just as bad as Blaster and the other worms that have hit MS products.
Tiger Shark
August 4th, 2005, 08:03 PM
"If you think a worm can only make its way into your network through your firewall/internet connection then you are sadly mistaken"
I'm not sadly mistaken.... :D
Like you my only worm came via a laptop.... Such a stink was caused by me, including threatening an entire agency with being cut off from the other agencies and therefore the net, that the policy is now being adhered to..... So far.... :rolleyes:
I'm still taking the pinch of salt till I have some real information on this.....
It seems like ISC is taking the same approach as me:-
Received from ISC after a query I sent this morning:-
I haven't seen or heard of anyone that can shed light on this yet. We're all waiting to see if it's FUD or not.
Robert
ISC Handler on Duty
Timmy77
August 4th, 2005, 09:28 PM
Could this have something to do with next week's MS patch release?
According to MS, we're talking 6 windows patches, max severity of critical.
No more details, but could be related.
kr5kernel
August 5th, 2005, 02:48 PM
Microsoft reported that this worm hole could also be used to travel time. Goooooo Microsoft!
Sorry, couldn't resist....feel free to delete.
Maestr0
August 9th, 2005, 04:18 PM
For anyone else who is curious, word on tha street is it's NOT an IP attack or rpcss.exe.
-Maestr0
Egaladeist
August 9th, 2005, 04:46 PM
Hi Maestr0,
I've been checking the news and still no word from Microsoft...therefore I assume they are waiting either for a patch to be developed first...or...it will become part of the re-issue of the 2000 roll-up.
As a Windows 2000 user I was hoping they would provide at least a plan of action or an update as to where they are in resolving this issue.
Eg ;)
mark_boyle2002
August 9th, 2005, 05:04 PM
My god. And you guys call yourselves security experts.
Let me explain how this works.
eEye find a flaw and report it to Microsoft.
Microsoft do nothing.
eEye release their own fix and vuln protection for this flaw
someone reverse engineers the eEye fix to discover the flaw
they release a worm, virus or exploit for this flaw
Microsoft release a critical patch. (usually too late)
History repeats itself in this fashion.
white_pawn
August 18th, 2005, 07:42 AM
"Microsoft do nothing.
eEye release their own fix and vuln protection for this flaw
someone reverse engineers the eEye fix to discover the flaw
they release a worm, virus or exploit for this flaw
Microsoft release a critical patch. (usually too late)"
Wow!
http://sfgate.com/cgi-bin/article.cgi?f=/n/a/2005/08/17/financial/f123616D07.DTL
"We seem to have a botwar on our hands," Hypponen said. "There appears to be three different virus-writing gangs turning out new worms at an alarming rate — as if they would be competing who would build the biggest network of infected machines."
Ya rite! The guys at eEye asked you to patch it up and you missed it, now you call it a group of virus writers are up to it.