Attack code surfaces for latest Windows vulnerability
The exploit targets a 'critical' software vulnerability in Windows XP and Windows 2000
November 17, 2003 12:00 PM ETIDG News Service -
Computer code that exploits a critical new software vulnerability in the Windows XP and Windows 2000 operating systems is circulating on the Internet, according to security experts.
Two examples of exploit code for a buffer overrun in the Windows Workstation Service were posted to security-related Internet discussion groups on Friday and Saturday. Both exploits have been tested and work, according to Dan Ingevaldson, director of X-Force at Internet Security Systems Inc. (ISS) in Atlanta.
The Workstation Service vulnerability was disclosed by Microsoft Corp. in Security Bulletin MS03-049, which was released last Tuesday (see story). The service is turned on by default in Windows 2000 and XP systems and allows computers on a network to connect to file servers and network printers, Microsoft said.
Both the CERT Coordination Center at Carnegie Mellon University and ISS issued advisories last week regarding the Workstation vulnerability, warning that it was easy to exploit and well suited to use by self-spreading Internet worms.
One version of the exploit code is attributed to somebody using the online name "wirepair," and was first published in a private online forum at Russian security site forum.securitylab.ru, Ingevaldson said. A second exploit, dated Nov. 14, appeared on the French-language hacking Web site www.k-otik.net by someone using the online name "snooq."
The two pieces of code are early attempts to exploit the MS03-049 vulnerability and contain multiple bugs that make them difficult to run. Because of flaws in the way the code authors attempt to trigger the buffer overrun in the Workstation Service, attackers have only one chance to compromise vulnerable Windows systems, which crash when the exploit isn't successful, Ingevaldson said. Those faults make the code ill-suited to use in an Internet worm, he said.
"You need exploits that are robust and that work all the time to make an effective worm," Ingevaldson said.
However, virus writers and hackers worldwide will work diligently to refine the exploit code, finding ways to get the code to stop crashing systems and work on all versions of Windows XP and 2000, he said. Such a pattern of refinement preceded the release of the Blaster and Nachi worms in August, Ingevaldson said.
In addition, the two exploits that were publicly released might not be the only exploits for MS03-049 that have been created, he said. "[Exploits are] like cockroaches. If you see one or two, there are probably others as well," Ingevaldson said.
ISS encourages Windows users to download and apply the software patch for the Workstation Service on Windows XP and 2000 machines as soon as possible, he said.
Reprinted with permission from
Story copyright 2009 International Data Group. All rights reserved.
Security
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

