McAfee Host IPS and McAfee Entercept(R) protect users against code execution that may result from common classes of exploits targeted at the vulnerability in Microsoft LSASS
Also, when any of the Bobax worms exploits the LSASS vulnerability, a buffer overrun is produced that causes the affected system to restart.
E or any of its variants, it is necessary to install the patch which Microsoft offers to correct the security flaw LSASS, and which can be downloaded from http://www.
vulnerability was first reported on April 13, 2004, and was first utilized by a variant of the AGOBOT worm (WORM_AGOBOT.
The Bobax-H worm exploits the same LSASS vulnerability first reported by Microsoft on 13 April 2004 in Microsoft Security Bulletin MS04-011, and later exploited by the widespread Sasser worm.
There is a buffer overflow in the Local Procedure Call (LPC) interface to the LSASS which allows an attacker with local access to escalate their privileges to a higher level within the business-critical IT infrastructure.
It does this by exploiting several operating system vulnerabilities such as LSASS
The most prevalent attacks came from several worms, such as Sasser and Korgo, seeking to exploit a vulnerability located within LSASS, a security component of the Microsoft Windows operating system.
Immediately following Microsoft's disclosure of the vulnerability on April 13, TippingPoint delivered a Virtual Software Patch in a Digital Vaccine update to UnityOne Intrusion Prevention Systems that guarded the entire LSASS
Microsoft Vulnerability Overview -- MS04-041- Vulnerability in WordPad Could Allow Code Execution (885836) -- MS04-042- Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249) -- MS04-043- Vulnerability in HyperTerminal Could Allow Code Execution (873339) -- MS04-044- Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835) -- MS04-045- Vulnerability in WINS Could Allow Remote Code Execution (870763) Scope of Potential Compromises
Although Microsoft first issued a patch to protect against the LSASS vulnerability on April 13th, many organizations were unable to patch their systems ahead of the rapidly spreading Sasser worm.
The Korgo worms, just like Sasser, exploit the LSASS vulnerability to spread rapidly across the Internet.