Sunday, August 13, 2006

Global MS06-040 Worm - Could it happen?

Sure, it is very possible that the MS06-040 exploit could be used in a Sasser/MSBlast-type global worm...but I don't think it will happen. Why?

The LURHQ Threat Intelligence Group just released a great write-up on this exact issue, and I see no reason to reinvent the wheel.

This makes it very clear that botnet owners will add this exploit to their bots....it would be silly on their part not to. This exploit could help them spread their botnets a bit more....but I don't see how they could get more than 5% or 10% growth, if even that much. LURHQ has already detected a Mocbot variant using MS06-040 to spread.

As LURHQ stated, machines with low service pack levels are most likely already owned by something or someone.

Let’s get down to the real issue however.

Why do holes like this exist in Windows?

It isn't because hackers find them…or because smart people make exploits for them....it is because Microsoft shipped a product with vulnerable code and we all ran out to the store and got it. In essence, Microsoft put them there.

Hackers don’t inject buffer overflow or format string holes into code…they find what is already there. It would be easier for Microsoft to find these problems, since it has the source code…but it takes hackers looking around in binary code to find these issues, and then they are the ones to blame? Interesting view…
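To make concrete what "already there" looks like, here is an added example (not code from the original post, and nothing to do with the MS06-040 code itself): the two classic hole shapes named above, a stack buffer overflow and a format string bug, each beside a hardened version. Function and buffer names (greet_unsafe, greet_safe, log_unsafe, log_safe, NAME_MAX) are hypothetical, and the sample inputs are constructed.

```c
/* Added example, not from the original post. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Vulnerable: strcpy copies until the NUL, so a name of NAME_MAX bytes
 * or more writes past the stack buffer (stack-based buffer overflow).
 * Shown only for the shape of the defect; never feed it untrusted input. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);               /* no bound check at all */
    printf("hello %s\n", buf);
}

/* Hardened: check the length against the destination, reject oversized
 * input instead of silently truncating, then copy a known byte count.
 * Returns 0 on success, -1 when the input is rejected. */
int greet_safe(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    if (outsz == 0 || n >= outsz)    /* must leave room for the NUL */
        return -1;
    memcpy(out, name, n + 1);
    return 0;
}

/* Vulnerable: the caller-controlled string *is* the format string, so
 * "%x %x %n" in msg reads stack memory or writes to it. */
void log_unsafe(const char *msg)
{
    printf(msg);                     /* format string controlled by caller */
    putchar('\n');
}

/* Hardened: the format string is a literal and msg is only ever data, so
 * "%n" in the input is just two characters. Returns the number of bytes
 * written to out (excluding the NUL), or -1 if the line did not fit. */
int log_safe(const char *msg, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "log: %s", msg);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    char line[64];
    char name[NAME_MAX];
    /* constructed hostile inputs */
    const char *hostile_fmt = "%x %x %x %n";
    const char *long_name   = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes */

    /* Only the hardened variants are exercised with hostile input; calling
     * the unsafe ones with it is undefined behaviour, not a demonstration. */
    if (log_safe(hostile_fmt, line, sizeof line) > 0)
        puts(line);                  /* the %x and %n stay literal */
    if (greet_safe(long_name, name, sizeof name) < 0)
        puts("name rejected: too long");
    if (greet_safe("bob", name, sizeof name) == 0)
        printf("hello %s\n", name);

    /* benign input, where the unsafe versions behave exactly like the safe ones */
    greet_unsafe("bob");
    log_unsafe("plain text");
    return 0;
}
```

The point is that both defects are a single line that does nothing wrong on the author's test data; the hardened forms differ only by a bound check and a literal format string, which is why an audit of the source finds them far more cheaply than someone working from the shipped binary.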

Word around the campfire is that Microsoft has taken stock of its faults and is attempting to reduce these threats with Vista. Good to hear, and kudos to Microsoft for one of the largest security audits ever (or so I hear).

Of course, these issues are not just Microsoft’s problem. Software firms that build and release software for public or corporate use encounter the same issue on a daily basis. So in the end, it is in the hands of the programmers at these companies.

I know some companies have yearly security training for the programming staff, but sadly many do not. Times change and new things are discovered…so no code will ever be perfect, but it is the duty of these companies to protect their customers, and therefore it just makes sense to keep their programmers on the cutting edge of security.

I went to a fairly small college, but rarely did I hear the word “security” in any of my programming classes. I never saw a class called “Secure Coding Practices” or “Building Secure Software for the Future”. So perhaps some of the fault falls to the education system and to the teachers…but I can only assume things have changed since I finished college almost 4 years ago.

Some things change...and some things always stay the same...
