Tuesday, October 28, 2008

MS06-040 & MS08-067 Similarities

People reversing the vulnerable code have discovered that the new MS08-067 vulnerability was present right next to the MS06-040 vulnerable code but was never noticed. Interesting. Are we really supposed to believe that no one noticed this sooner other than the recent malware being blamed for it being outed? Alright, enough conspiracy theory.

There's an exploit for MS08-067 recently posted at Milw0rm that I was testing out tonight. Out of sheer curiosity, I uploaded the precompiled binary to VirusTotal and it had already been uploaded, so there was an analysis waiting on me. The previous analysis showed 8 out of 36 AV engines detecting it. Now, there's 9.

What I thought was most interesting is this:
eTrust-Vet 31.6.6176 2008.10.28 Win32/MS06-040!exploit
That seems pretty darn close to me. Since the source is available for the exploit, I'll leave it to someone to dig up the old source of exploits for MS06-040 and see if there was some code sharing between the two or if the similarity of the vulnerability is causing eTrust to identify it this way.