The vulnerability in the Windows Server Service that Microsoft patched in an emergency update last month is facing a new wave of attacks. Microsoft officials reported a spike in exploits targeting the vulnerability earlier this week. If you haven't patched, now is the time to put it on your schedule.
If you haven't patched the Windows Server Service
vulnerability fixed by Microsoft last month, it's time to make it a priority.
Though Microsoft issued a rare out-of-band patch for the issue in
October, exploits for the vulnerability continue to circulate. This
past weekend, Microsoft began receiving customer reports of increased
malware attacks targeting the flaw. The attacks gained momentum over
the following days, prompting Microsoft to post an advisory on its
Security Response Center.
The vulnerability attackers are targeting is due to the Windows
Server Service improperly handling Remote Procedure Call (RPC) requests.
With a specially crafted RPC request, a remote attacker can exploit the
flaw to execute arbitrary code and take over the system.
The latest malware is detected by Microsoft as Win32/Conficker.A, by
McAfee as W32/Conficker and by Symantec as W32.Downadup.
"Once loaded in the service space, the worm attempts to download
files from the Internet, specifically further malware from
trafficconverter.biz and data files from maxmind.com," wrote Alex
Hinchliffe, a researcher with McAfee's Avert Labs, in a recent post on
the lab's blog. "The worm continues by setting up an HTTP server that
listens on a random port on the victim's system while hosting a copy of
the worm. It then scans for new vulnerable victims to exploit, at which
point the new victim will download the worm from the previous victim
and so on."
On the Microsoft Malware Protection Center blog, it was noted that
the worm spreads mostly within corporations but has also infected
several hundred home users. Most reports of infections come from users
in the United States, with further reports from Germany, Spain, France
and other countries.
Strangely, the worm patches the vulnerable API in memory, a move
that may be an attempt by the attackers to prevent other malware from
taking over the computer as well. An in-memory patch applied by malware
is no substitute for the official update: it lasts only while the worm
is running, and the machine is compromised either way.
The issue can be exploited without authentication on Windows 2000,
XP and Server 2003 platforms. Windows Vista and Windows Server 2008 are
also affected, but the vulnerable code path is only accessible to
As a workaround, enterprises can disable the Computer Browser
service; directions on how to do this are included in the Microsoft
advisory. Windows Vista and Windows Server 2008 users can also filter
the affected RPC identifier. Workarounds reduce exposure but do not
remove the flaw, so the update should still be applied.
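The two workarounds above as an added PowerShell example (this is not code from the article or from Microsoft's advisory). It assumes it is run from an elevated prompt, that the Computer Browser service is registered under its short name "Browser", and that the RPC interface to filter is the Server Service (srvsvc) interface, whose UUID is supplied here from memory of the advisory rather than from the article; confirm the value against the advisory before using it. The RPC filter step only applies on Windows Vista and Server 2008, where `netsh rpc filter` exists.

```powershell
# Added example, not from the article or Microsoft's advisory.
# Applies the two workarounds the article describes and verifies each one.
# Assumptions: elevated prompt; service short name "Browser"; the UUID
# below is the Server Service (srvsvc) RPC interface, taken from memory of
# the MS08-067 advisory, not from the article. Check it before relying on it.

param(
    [string]$InterfaceUuid = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
)

function Disable-BrowserService {
    $svc = Get-Service -Name "Browser" -ErrorAction Stop
    if ($svc.Status -ne "Stopped") {
        Stop-Service -Name "Browser" -Force
    }
    # Keep the service from starting again at the next boot.
    Set-Service -Name "Browser" -StartupType Disabled
    $svc = Get-Service -Name "Browser"
    return ($svc.Status -eq "Stopped")
}

function Add-RpcInterfaceBlock([string]$Uuid) {
    # netsh rpc filter is only available on Vista / Server 2008 (NT 6.x) and later.
    $osMajor = [Environment]::OSVersion.Version.Major
    if ($osMajor -lt 6) {
        Write-Warning "netsh rpc filter is not available on this OS; skipping RPC filter."
        return $false
    }
    # Build a user-mode RPC filter that blocks calls whose interface UUID matches.
    netsh rpc filter add rule layer=um actiontype=block | Out-Null
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$Uuid | Out-Null
    netsh rpc filter add filter | Out-Null
    # Verify the filter is now installed by looking for the UUID in the filter list.
    $filters = netsh rpc filter show filter
    return ([string]::Join("`n", $filters) -match $Uuid)
}

$browserStopped = Disable-BrowserService
Write-Host ("Computer Browser service stopped and disabled: {0}" -f $browserStopped)

$rpcBlocked = Add-RpcInterfaceBlock -Uuid $InterfaceUuid
Write-Host ("RPC filter for interface {0} installed: {1}" -f $InterfaceUuid, $rpcBlocked)
```

Blocking the whole Server Service interface stops file and print sharing from that host, so apply the RPC filter only where that is acceptable and remove it with `netsh rpc filter delete filter filterkey=<key>` (the key is shown by `netsh rpc filter show filter`) once the update is installed.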