Bonk windows security hole. Original source link (may no longer be active): http://www.wired.com/news/technology/0,1282,9581,00.html
Bonk! A New Windows Security Hole. By Michael Stutz
10:30 AM Jan. 09, 1998 PT
Microsoft scrambled today to fix a newly reopened security hole that can crash any Windows 95 or NT machine connected to the Internet or any other TCP/IP network. The attack, named "bonk" - after the program that unleashes it - is a variant of an earlier security hole that creates a "denial of service" attack and essentially freezes the system.
"In terms of what we're doing, we're doing what we always do - which takes any security issue very, very seriously," said Microsoft's Jonathan Roberts, director of product management for Windows. "We're testing this program and working on a fix very actively," he said.
When completed, Redmond's fix will be posted to their Security Advisor Web site. Until it comes - and system administrators implement it - networked Windows 95 and Windows NT machines will remain vulnerable.
Bonk is a variant of an older security exploit known as "teardrop," which was reported by the Computer Emergency Response Team on 16 December of last year. The teardrop exploit worked on many different systems, and vendors had to release software patches to make their systems immune to the attack. Bonk appears to work specifically around a loophole in Microsoft's teardrop patch, and thus only affects Windows 95 and Windows NT.
"The extent to which this affects other systems, we don't [yet] know," said Jonathan Roberts, director of product management for Windows.
"Without having the source code to Windows 95, it is hard to say exactly how their [networking subsystem] is handling this," said Kit Knox, a Senior System Administrator for CONNECTnet INS Inc., and co-maintainer of rootshell.com, a full-disclosure resource for security enthusiasts.
In essence, teardrop fools a machine into performing lots of operations that it shouldn't, Knox said. Bonk does the same: it sends corrupt UDP (User Datagram Protocol) packets to the target machine - overwhelming and crashing the system.
"It results in a blue screen of death which kills the Windows TCP/IP stack and leaves everything else alone," he said. "System data is not at risk."
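The article says only that bonk, like teardrop, sends corrupt packets that make the receiving stack do work it should not. The known mechanism of teardrop-class attacks is IP fragments whose offsets overlap, so that reassembly computes a bogus length. The following is an added example, not code from the article or from any of the people quoted: a small checker a defender can run over the fragment metadata of one datagram to flag the overlaps, missing or duplicate final fragments, and oversize reassembly that characterise this class of malformed traffic. The fragment sets at the bottom are constructed for illustration, not captured packets.

```python
"""Flag malformed IP fragment sets of the kind teardrop-class attacks rely on.

Each Fragment records the IP header fields relevant to reassembly: the
identification field, the fragment offset converted to bytes, the payload
length and the More Fragments flag. check_fragments() reports anomalies as
human-readable strings so it can be dropped into a log-review script.
"""
from dataclasses import dataclass
from typing import List

MAX_DATAGRAM = 65535  # maximum IPv4 total length in bytes


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field shared by all fragments of one datagram
    offset: int   # fragment offset in bytes (the header field counts 8-byte units)
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments flag


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return the anomalies found in a set of fragments for one datagram.

    A well-formed set has non-overlapping byte ranges, exactly one final
    fragment (More Fragments clear) at the highest offset, and a reassembled
    size within the IPv4 limit. Any overlap is reported with the byte range
    that would be written twice, since that is the condition a teardrop-style
    fragment pair creates.
    """
    issues: List[str] = []
    if not frags:
        return ["empty fragment set"]
    ids = {f.ident for f in frags}
    if len(ids) != 1:
        return [f"fragments carry {len(ids)} different IP ids"]

    ordered = sorted(frags, key=lambda f: f.offset)
    for prev, cur in zip(ordered, ordered[1:]):
        prev_end = prev.offset + prev.length
        cur_end = cur.offset + cur.length
        if cur.offset < prev_end:
            issues.append(
                f"overlap: bytes {cur.offset}-{min(prev_end, cur_end)} of the "
                f"fragment at offset {cur.offset} are already covered by the "
                f"fragment at offset {prev.offset}"
            )

    finals = [f for f in ordered if not f.more]
    if len(finals) != 1:
        issues.append(f"expected exactly one final fragment, found {len(finals)}")
    elif finals[0] is not ordered[-1]:
        issues.append("a non-final fragment lies beyond the final fragment")

    if ordered[-1].offset + ordered[-1].length > MAX_DATAGRAM:
        issues.append("reassembled length would exceed 65535 bytes")
    return issues


def is_suspicious(frags: List[Fragment]) -> bool:
    """True when a fragment set shows any reassembly anomaly."""
    return bool(check_fragments(frags))


# Constructed sample data (not captured traffic).
# A normal three-fragment datagram: ranges abut, one final fragment at the end.
NORMAL = [
    Fragment(ident=1, offset=0, length=1480, more=True),
    Fragment(ident=1, offset=1480, length=1480, more=True),
    Fragment(ident=1, offset=2960, length=100, more=False),
]

# A teardrop-style pair: the second fragment starts inside the first and
# ends before it does, so bytes 24-28 are claimed twice.
OVERLAPPING = [
    Fragment(ident=2, offset=0, length=36, more=True),
    Fragment(ident=2, offset=24, length=4, more=False),
]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("overlapping", OVERLAPPING)):
        print(name, check_fragments(frags) or "ok")
```

The check works on header fields alone, so it can be applied to fragment records exported from a packet capture or a firewall log without touching payloads; a stack that drops any datagram whose fragments fail this check never performs the reassembly the attack depends on, which is the kind of fix the patched UNIX variants mentioned below apply.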
Jiva DeVoe, a systems engineer with Devware Systems, discovered the exploit after one of his Windows NT machines was attacked several days ago, in an attack spree that seemed to be targeted at DeVoe and other frequenters of an online Windows-related chat area.
DeVoe noticed that it looked very similar to a teardrop attack, even though his machine was running the Microsoft patch for that exploit. After examining the subtle variations, he was able to modify the source code for the old teardrop exploit to reproduce it, and then contacted Microsoft last night with his findings.
Until Microsoft releases a software patch, nothing can be done to stop a bonk attack, short of taking the machine off the network. "Unless you've got a firewall or something like that, there's not a whole heck of a lot that you can do," DeVoe said.
His solution: run Linux, a free variant of UNIX.
"I dual-boot my workstation between Linux and Windows NT," he said. "I'm a Microsoft Certified Systems Engineer, so I kind of have to have NT there - even though I prefer Linux."
DeVoe said that openly developed operating systems, such as FreeBSD and Linux, had patches available for the teardrop exploit very early on. "Those patches have stood up to this new attack as well," he said. "Microsoft's patch - a closed patch that nobody could review - was susceptible to this."
Meanwhile, the creators of bonk are trying to ensure that Microsoft does a more thorough job this (second) time around of patching the hole. A security bulletin on rootshell.com this morning released a modified, more resilient version of bonk, called "boink."