New Windows vulnerability may be the worst yet

Hold on to your hats everyone, it's happening again...

A new, remotely executable exploit for XP and Vista has been demonstrated, and depending upon how a worm uses it (a worm is sure to be developed for this), this could make Slammer and Sapphire look like cake-walks. I hope I'm wrong (but I'm probably not).

The vulnerability is in Windows' implementation of IGMP - a transport layer protocol used in IP multicast - or (when translated into English) a technology utilised by many video streaming applications and online games. Of particular concern is the fact that the exploit appears to go straight through the Windows firewall, and I rather suspect it will go through the default configuration of many other firewalls too, because IGMP is not usually blocked by default.

It is worth noting that any exploit utilising this vulnerability will be running in kernel space, which means that it will be allowed to do anything it chooses to do.

I suspect that lots of column inches will be devoted to this vulnerability in the coming months.

To Microsoft's credit, the vulnerability (MS08-001) has been patched (the patch was released a couple of weeks ago), but on any machine where the patch has not been applied the likelihood of infection would seem to be high once a virus or worm is eventually created for this.

Another interesting fact is how similar this vulnerability appears to be to an older denial of service vulnerability from last year (MS06-007) that appeared to be IGMP based. Could this be caused by a bad fix to MS06-007, or is this the tip of the iceberg in a whole new class of IP stack related vulnerabilities?

Time will tell.

 

Further reading:

Comments

Spelling Ma'am strikes!

<pedant>It's vulnerability not venerability, venerability is how deserving of veneration one is!</pedant> ^__^

Oops

[facepalm]

I guess I was tired when I wrote that, I hope it's better now.