With a new version of the W32.Blaster worm on the loose and set to spawn a massive denial-of-service (DOS) attack on a Microsoft Corp. Web site tomorrow, the software maker released a set of security guidelines for users today in an effort to minimize the damage.
Ironically, the call for preventative measures came while the software maker was investigating another DOS attack on its site that occurred late yesterday. A spokeswoman for Microsoft said today that yesterday's attack wasn't due to Blaster, however, and that the company is still investigating the cause.
Meanwhile, the possibility of an attack from Blaster still looms. The current variation of the W32.Blaster worm could affect computers running the Windows 2000, Windows XP, Windows NT and Windows Server 2003 operating systems, Microsoft said. The worm takes advantage of a known vulnerability in a Windows component called the Distributed Component Object Model (DCOM), causing PCs to repeatedly crash, and could potentially use infected machines to launch the DOS attack on the Windowsupdate.com site.
The software maker advised users of the vulnerable software to update their computers with the latest patches and turn on Autoupdate to simplify the process for installing future updates. Users are instructed to install and use antivirus software and to use a firewall.
"Many resources have been deployed to help ensure that customers have the guidelines and tools they need to enhance their computer security," Microsoft's senior director of Trustworthy Computing, Jeff Jones, said in a statement.
Microsoft also released a new tool that customers can use to scan computer networks for machines that are vulnerable to attack by the Blaster worm.
The tool works on a variety of Windows operating systems and enables Windows customers to confirm that a necessary software patch has been applied, according to Jeff Sharpe, a Microsoft spokesman.
That patch, MS03-026, was released in July and prevents infection from Blaster.
The company provided a link to the free tool on a special Web page set up to respond to the Blaster worm outbreak, which has affected hundreds of thousands of Windows machines worldwide. The tool can be found at http://www.microsoft.com/security/incident/blast.asp.
Accessing that link proved to be difficult at midafternoon, however, since the response time reaching the Microsoft Web site was slow.
However, David Litchfield, a security expert and co-founder of Next Generation Security Software Ltd. in Surrey, England, said he was surprised that Microsoft didn't advise users to simply disable DCOM.
"DCOM is not needed by 99.9% of home users, but it is enabled by default," he said. According to Litchfield, DCOM allows users to access a program from another computer.
The new Blaster worm first appeared on the Internet Aug. 11 and quickly started to spread (see story). According to antivirus firm Network Associates Inc., the worm had infected between 250,000 and 1 million computers as of yesterday.
Now, Microsoft fears that the infected computers will launch a DOS attack against its Windows update site, causing the site to run slowly or be inaccessible to customers. As of 6 a.m. EDT today, IDG News Service staffers were still having trouble accessing the Windows update site in the wake of yesterday's DOS attack.
The software maker said it's taking aggressive steps to keep the site up, but if it becomes inaccessible, users will be able to access and download the Blaster patches at www.microsoft.com/security. More detailed instructions on how to take the preventative measures are also detailed at that Web address.