Wednesday, January 9, 2008

Microsoft's First Roundup of Patches

The first set of patches for 2008 was released by Microsoft this Tuesday, fixing a pair of networking flaws in the Windows kernel.

Microsoft Releases a New Set of Patches

Microsoft has released a patch for a security flaw in Windows that criminals could use to build a self-copying computer worm. The patch fixes a pair of networking flaws in the Windows kernel's TCP/IP stack. A second patch was released for a less serious Windows flaw that could let an attacker steal passwords or run Windows software with elevated privileges.

The critical bug lies in the way Windows processes network traffic for the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD), the signaling protocols hosts use to join and leave multicast groups so that one sender can reach many systems at once. Microsoft says an attacker could send specially crafted IGMP or MLD packets to a victim's machine and thereby execute arbitrary code on it.

No known code exploits this flaw, security experts say, but now that the patch has been posted, attackers can reverse-engineer the fix and write their own attack code. Because IGMP is enabled by default on both Windows XP and Vista, the bug could be used to create a self-propagating worm, Microsoft has acknowledged.

"Theoretically this is wormable and that's why this is rated critical," said Tim Rains, security response communications lead with Microsoft. However, Microsoft does not believe that hackers will have an easy time developing attack code that will work reliably. "We've done a thorough analysis of the vulnerability and we've come to the conclusion that there are several technical mitigating factors that make it unlikely to get reliable remote code execution," Rains said.

Windows uses IGMP for many popular consumer applications such as streaming video, multiplayer games and Universal Plug and Play (UPnP), but the protocol is usually blocked at the router, which limits exposure from the Internet but not from other hosts on the same local network. MLD, the IPv6 counterpart of IGMP, is the multicast signaling protocol used by IPv6 systems and is enabled on Vista by default.

"If it became a worm it could take over an internal network pretty quickly, or at least all the machines where multicast is enabled," said Eric Schultze, chief technology officer with Shavlik Technologies. "But this one is going to be mitigated because a lot of people have blocked multicast."
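The article's mitigation, blocking multicast signaling until the patch is installed, can also be applied on the host. The following is an added example written for this page, not code from the original post or from Microsoft: it uses the Windows Vista firewall (netsh advfirewall, which does not exist on XP) to block inbound IGMP (IP protocol 2) and the ICMPv6 message types MLD uses (130 query, 131 report, 132 done, 143 MLDv2 report). The rule names are arbitrary, and the "Rule Name:" string check assumes English-language netsh output. Whether a host firewall rule stops the kernel parser before it touches the packet depends on where the firewall hooks into the stack, so treat this as reducing exposure, not as a substitute for the patch.

```powershell
# Added example, not from the original post or from Microsoft.
# Host-side workaround for an unpatched Windows Vista machine: block inbound
# IGMP and MLD so the vulnerable kernel code receives less attacker-controlled
# input. Run from an elevated PowerShell prompt. Rule names are assumptions.
$rules = @(
    @{ Name = "Workaround: block inbound IGMP";         Protocol = "2" },
    @{ Name = "Workaround: block inbound MLD query";    Protocol = "icmpv6:130,any" },
    @{ Name = "Workaround: block inbound MLD report";   Protocol = "icmpv6:131,any" },
    @{ Name = "Workaround: block inbound MLD done";     Protocol = "icmpv6:132,any" },
    @{ Name = "Workaround: block inbound MLDv2 report"; Protocol = "icmpv6:143,any" }
)

foreach ($r in $rules) {
    # Windows Firewall allows duplicate rule names, so check before adding
    # (assumes English netsh output, which prints "Rule Name:" for a match).
    $existing = netsh advfirewall firewall show rule name="$($r.Name)"
    if (($existing -join "`n") -notmatch "Rule Name:") {
        netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=block protocol=$($r.Protocol)
    }
}

# Verify which workaround rules are now in place.
netsh advfirewall firewall show rule name=all | Select-String "Workaround:"

# To back the rules out once the patch is installed:
#   foreach ($r in $rules) { netsh advfirewall firewall delete rule name="$($r.Name)" }
```

Two caveats before deploying this. Blocking IGMP stops only the group-management signaling, not multicast data itself, so applications that rely on the host answering membership queries (IPTV, some games, UPnP discovery) may lose their streams once the upstream switch or router ages the membership out. Blocking MLD has the same effect on IPv6 and can go further: IPv6 neighbor discovery depends on solicited-node multicast groups, and switches that perform MLD snooping may stop forwarding that traffic to a host that no longer answers queries, so test on IPv6-enabled segments before rolling the MLD rules out widely. On XP, where netsh advfirewall is unavailable, the equivalent control is the network boundary, as the article notes.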
