Microsoft’s advisories giving clues to hackers

April 16th, 2007

Ryan Naraine/ZDNet

How's this for a new twist on the old responsible disclosure debate:  Hackers are taking advantage of information released in Microsoft's pre-patch security advisories to create exploits for zero-day vulnerabilities.

The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the MSRC (Microsoft Security Response Center) about how much information should be included in the pre-patch advisory.

Using clues in the workarounds section of the advisory, Errata Security researcher David Maynor said he was able to pinpoint the source of the vulnerability without much trouble.

"It took about an hour from setup to shell on Windows 2000," Maynor said in an interview.  "On Windows 2000, there are only five functions accessible over RPC.  You combine combine that with their [Microsoft's] description of it being a stack overflow, it narrows the time to find down greatly."

"This is such an easy bug — most of the people I talked to already had it figured out as well,"  Maynor added.  "It was simple to find and Microsoft screwed up by giving out too much information in the advisory."

Maynor wasn't the only hacker paying attention to Microsoft's description of the vulnerability.  Over the weekend, several different exploits providing step-by-step instructions to launch attacks surfaced on well-known security research sites and hacking tools.

An exploit module has already been added to the Metasploit point-and-click attack tool and Dave Aitel's Immunity CANVAS pen-testing platform now includes a reliable exploit for Windows 2000 and Windows Server 2003.

Over at, there are three different exploits (all remote) available for free, including one by hacker Andres Tarasco that pinpoints a brand new attack vector against Port 445.

The availability of these exploits has significantly changed the threat landscape, especially for businesses operating Intranets where domain controllers (which store passwords) are running DNS, says Ken Dunham, director of the rapid response team at Verisign's iDefense.

Dunham explains the potential risks:

These servers also store all the passwords for a Windows network.  It is feasible that a bot may incorporate an Intranet spreading routine to exploit vulnerable computers within the network to help it spread. For example, a bot may be programmed to spread through the recent ANI exploit to infect clients with bots and then use the zombie to exploit DNS RPC against the local domain controller to gain complete control over the entire network.

Malicious actors that compromise DNS servers will likely reconfigure the server to silently redirect web traffic to compromised websites for monetary gain or corporate espionage.

In the wake of Maynor's comments above, I asked the MSRC if there's a legitimate gripe about the level of detail included in its advisories and was told that it's a "delicate balancing act" to avoid giving too many clues while ensuring customers have adequate pre-patch protections.

MSRC director Mark Miller said the company's priority is to provide a solid workaround that could help protect Windows users from exploitation.

"Whenever we publish an advisory or bulletin, we run into the reverse-engineering factor.  When we release the information, people start to look at defective code, components and surrounding areas. That's something we deal with all the time," Miller said in an interview.

"We have those internal conversations all the time… trying to strike the right balance.  In this particular case, we need to make sure that customers have these workarounds and this included all the possible attack vectors and vulnerable servers."

"The mitigations have to be easy to implement and they have to be fully effective," Miller said.

But, as the rash of public exploit code shows, the mitigation information provides too many clues for hackers — and confirms that striking that perfect balance is near impossible.
