Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


With Exploits Out, MS Braces for Worm Attack



 By: Ryan Naraine
2006-08-10
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Microsoft's security response unit says it is ready to react to the possibility of a network worm attack against unpatched Windows machines.

A network worm attack exploiting a critical Microsoft Windows vulnerability appears inevitable, security experts warned Aug. 10.

Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsofts security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.

Even before the release of Microsofts patch, the US-CERT (Computer Emergency Readiness Team) warned that the flaw was being used in targeted attacks and that the appearance of public exploits is a sure sign that a worm attack is imminent.

An exploit module was added to the HD Moores Metasploit Framework that could launch attacks against all unpatched Windows 2000 systems and some versions of Windows XP.

Resource Library:

Two penetration testing companies, Immunity and Core Security Technologies, have already created and released "reliable exploits" for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1.

Homeland Security tells Windows users to apply MS06-040 patch. Click here to read more.

Dave Aitel, a researcher at Immunity, said his exploits are capable of launching attacks against firewall-protected Windows XP SP2. "A worm is coming. This bug is just too easy to exploit," Aitel said in an interview with eWEEK.

Aitels company was able to reverse-engineer Microsofts patch and create a working exploit in less than 24 hours.

Gartner Research security analyst John Pescatore said businesses should prepare for the worst.

"The nature of the vulnerability itself is something that should be taken very seriously. The fact that exploits were out even before Patch Day and now that public code is available for anyone to download and use, thats enough to treat this as a high-priority issue," Pescatore said.

In most enterprises, Pescatore said the use of firewalls and the automatic blocking of TCP ports 139 and 445 should help mitigate the risk. However, he cautioned against IT administrators letting their guards down.

"I think well definitely see exploits. It might not be as big as Blaster [in 2003] but it could still be disruptive. Although this vulnerability smells like Blaster, a lot has changed over the years," he said, citing increased use of Automatic Updates among home users and layered defense mechanisms at the enterprise level.

"If we see something, I think it will be more along the lines of Zotob," Pescatore said, referring to the Windows Plug and Play network worm that squirmed through Windows 2000 systems in August 2005.

Microsoft ships fixes for 23 security flaws. Click here to read more.

A spokesperson for Microsoft said it is difficult to predict the motives and actions of attackers but insisted the company is "watching round-the-clock" and actively encouraging customers to download the update immediately.

"We will mobilize if something does happen," the spokesperson said.

In the first 30 hours since the security updates were released, Microsoft program manager Christopher Budd said there were more than 100 million downloads of the MS06-040 patch.

"Thats nearly 3.5 million per hour," Budd said, stressing that the companys Emergency Response process teams are "watching for any possible malicious activity."

eEye Digital Security, a research outfit in Aliso Viejo, Calif., has released a free scanning utility to help IT administrators find potentially vulnerable machines on a network.

The eEye tool can be used to scan multiple addresses at once to determine if any are vulnerable to the Server Service flaw. If an IP address is found to be vulnerable, the scanner will flag that IP address.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: With Exploits Out, MS Braces for Worm Attack
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r۸j9km]mGJɖkŲ,%^:U*J$)l+s'ˮO7t%dNflK@7F{{o~$riOH1%3t;D{{?&ЇP|oSo92t4I…N؎MEnOuؾtۉm=4.j.9acm S Ї@2t-2踖þɲn g32GyȺ=RP*qR,*cx>oچs[=0q*sșZ7](eUӻl_HQPw۷@ږVa(:n{'ݏ7~@.{A~$Vj;}& D%\.gI&0hMmdڽ~X}AFI?j;|#rX<,hvd(-bv=ӧ0Cƌ_8rrn򳹥uo]_]{-o\[g>ߙekfy3?b Jg3F~3G_:nΚ77fGκפ>m>9sِlnAZ|]kU[_lo!af; dP{pHjPRso~jvOZd[WN.ڧ$'MT&ysA {훨-tK[9K }!x-? ,_ fk7 J a" :sP;J}ښNmҔ 9B:%yW˝7>hr Ce)#8?S݃IhJq䰉c,XSl؅ RM4x ~^',)|YB* brݢPP3>ΧKdoF" 2#~B(:pHqbNbϑW ]zjNTʊ0Wr{熷,EށؓYpjUOVxׂ)WCKEhYf7-wIQM}{Qc1x+%YEPU _1p-~~j0B m] :V}< |0F;}F_{g0PP?: M/6G˥~nhj>'ݨäpV83uCuӹݰ=Wԇ9[i`I l"v|scм`yna23fC?F{7t( u,/{@`\@Z8`$8ʼE]q2>o  馥M L<ģ|D }p (~9-R;C/1tSt=JIA }At"AђF *4 gsX"C"'' `[X;;.VKŤ\*y"Jm':.3PKRx&,S,BV-KᗄPf%i2m<-&D7r"e.G wKᙖ6FlY,*ǚvX§c&csdfz{@ZWgޓiK0w?e!1s WQ'&s?{\ n;A뎒:\f335{00q}c] kwtӴ٤͙iÂqj$rTDhL˄r=6`]2'tuK-cys3t7Nm~|FpIN3_iy>g~9厬m4@>J|z[.z: %r% 5kb$T`CfL [ ҆|xku:.PCϱ鹞~o6*||0ː ;uM CO5,v&Vfj:Y[~2.|O V,'0{ gб3abea;k eC_Hq6Ϯ[- V!҇D+ه0`M EDwN6R^-!z0iTҗKJAUc/`k@Lf2,rƎe9لAٌ 4\}ZjtL{ \ipf^DZiIf~~~0*Ly.Jo>Fm`'z\sgIF}OДa˘34|q6L,*I՗bAQ OkMf٧7_gрah"pHE@xZh~x} *O$B\--UŨN=I=`q0$zmK&GGsݧ==1g匬3 ; dVBS{ZYUKZTp~W`sϏyO?"5t8x_ℯ/8ݩQk>)zCW>s}G>N-â-h'(0v O*JC2By^YhQ.Q9Ufj(87~Ɋ`3 خ crAmhv~9N(k0q;s;OM?bL%Jt( ֹB\U4UeGԻ5ubH#C`JEWFlH(Tg7gMEH]ac6U{z@n)ZMMӫU;4 ϢcIۛp#|5] |j9s#Op釛Lk 0sIl7xv@̬}#w56霎0 M`}G ϓ1W5f038ʃϣ epvN{69,3?t\쫇*ty{Wz&[wOܕ2A^m􁯍C-oc d&.ōfπïǖ mC L P;, `EO7DF3۝">{~jÄsqS))rL*H+ů 3Fˁ#_.ITz[VUe@5yJ3k % =EЋqc<u]ITY)(qg@Zf2U)+e"m=ϼ \X Z> &RrMuE;tЋ­7*6P#I(OU?"⣤j4 J7Ϣ C.͂FNpi-EB%36R-ܛ`@O|KO] 0%ezIMqza/;CnK-%. ^ذ:z6]6%Q讻h\n Zf$s, .i:-efF*ݐGUU :*ijARϢpӁ9t{@&l~" tDU2qy27(kMn@ &ݙadJP*5]*{ 1i#uL)j逌P9ɷwnh‰/lCXx|{ `?KXXD>Diz\{e">QP(\}?؇^?hUeqbE1 wcyJV~ZgZqRFYtW%pnϏHAcg˾t/>&~fm?<aa=&~`}܇?VH LЇ_e#R:&jy);w-~61%z˾NIM$(XNp_4q!s'^y{{h6ۗk6|v:72DH"rӸ~׾_>^tQcrѾlI^+΃ w"EKrBë<uxi)qڎ7M ,#L=\?ֈ4FD_!mBU\5g ^|%V}Xq!slP78]ּ   c@JA=oh{WOё{mE&-bT1 _RJMQ6=#ijf{Lg ')(9Q{_[aۗo1Mr!}J_cN/Ͳi<& ]l{pУ3YXJqf#^a~:)}AO-N9˙~LҼ"7*o <%E馺[7Gdj#N M5W"v=O[?G0 cl9Ga(1G|$z`ea#ݒ:h<5K:)!OOp|Nh'I^VR6T$4%!44QLNbC]A+Cg һj\nOpVHp._xvIn%yx4*k85(~qNHIJiIgԢᬖ^}+ ɏh8=Na.Oz/uϏm_wg=z@(O$ ؑq eީӊN|u +ɅNo͗W3k{R̵j 2aє{`ֳs@לπ(|s9xf"64Nlywy#KxESrcW}V3ʳ/q!~<,?4nڈbiveO5i\~ꟃ&'-_ |1$?[Н>5?z}l_ﯣ&=)sǣAlΜu9obJwjk_krO0#ݥV8'i?{޽Ҿ2CWq j:i)`*9$DhHn e_"2NIJn/:L9zdM#}%3 =яki^x̠t+gkf1vjP >Q>]bwP;_zŞYiIu/K\-"PnZZ|W%0.ր,0eRKbN/^|8/j$3Lض1ЧGJFS0\FMrP\YdN_RzU , _^sF=ͯMZRG#q bYxwc}~H 0b=צZ=hSyBqgM&h _y\d{6$\x/K/H&Ĕᵍ>㽄V-sK{ZLDxX'#h!tF H̢8c G&[L,&,;̰s^;-MV#Mt0W/C3mpe9bHvcXfj9ϭ֙vV{?Jf)+q#MM+i3&<%KR$]q$q;/.+q=4XnI%`xOpM+$ΡдB|mc^8F1O'6Dr-݋K1A?/g_,4lb3l?[ &n޵'q.Bim ťLbVQJ1ՊMyTߥvtL Vʛ7hďk>Pe<`@LjNsT~Z)%E'¯9*YuS .#d%Gveld:``x&,Yt?./փk9fK0[Kt/Oq͟PPxؐR##H g%A`–ZۈRiyєLyS(m5r}ګ&쯋gޯ.KJURɳ{̤=^ lDRDœW RV!K q ߏFY $W2 wp[)8D9qQ I`O;`k!A7-x ǐ?Raױ?u۱/Tj8c \<=cp"m FB6aQPDU% y=FsǢ,x[@ya:# 7~_x!ݞOAlɘp]#3/_g|FAr|вk#]핝;mx] {O?D}{[Wݒ cוJjt$%]!h[Dxǘc}j[rY[h\NgH}[97 9@"!$rWFw`%B"|}76yHywwww?,4L=~.ݱο6}0` d[wY`;b#H]PB\"3sGhok}ۚ_! T9n+H\Bq1Z_^G|=a{C%`DZoUk}뱧#̇#ӛV.ѭ` dy Dnw 0$hݭ-?qxwq)qPKRfK53]%]Qǵ(,cw }c7pHx(, ҷvERK{}7Sl0Lñ.W6TbI66QajH|Go'2sqñh?ߕЄ1u;ƛ}y0u<3\jf$Hq@ߞؙk&0—w[~e8w&0 ]_D~DC7!VPэfOfs gm\'5n\>ģ{6p&ΠRzJ\`;voNHO=_A BpW?2o+f/;iasq.nLhP!Jif5mNmLgc6S7{}m_r6lj[V(mR-~]U6e=:sJY,eeGbp,BӼ&9J:?_ӗK{~i[ *yoqjd0r|WSaY@{3IɋFP ъ#Ћgd!d3vExsl~K1P_`yZ~\`{䬼6~Yqc[RJBYIc4K":;M %t 3]smS? 3\:2u|G*%V¯mR9ʇ1f=00ZU5}Tbt¯*X?#ZNHx J;BixޜPxcLxa*1aV eզٝ$7zgX\}BA*[Y_D _M嗳h:&ʙ )<]Сܛ _r@JIgW4{}A6ڄykiDž$Yc r'/\IxcOm)׀gBUV"Ba=X :>IoRGP56W[:X'C}A.[7VߺU Cy|Q_3&:}GLnd8bkv36g9asH ]TWbֿ^#̃( [z.p5:&&'к|ɧtC_!m#!k^bΑf,vTkݼ)JsQ"ۗ'pp\`sj@KEL*2&Bs85{_{=&j&[ր aAJx>mDRPactkȚ1;Ŵ+$mO/hH"518k (aWU T-G,(ωpk%H0Z lnA X`ٞuA"\2v?]_ 1}!Ln 0YKW`C'[jE9Y|ob{LgA~.\b @Ԑ0(VIB uXRFB(6s 6-HLo12{xbRU+J)|U3ʰLXUK/Ͳg2VqV&JZ! `xZNrdhz?;Psx)\Sݾ嘫7.>5iV>NWv.7x Zӷptԝsm~:^}:k_ۗ\ă|jKym2/*v(P]6:-f)L=\h^Epɂw]%;飱</ĩ3^W(5ʯ76S](f#77VF)n.?e]F}۹y{syпvF?Ӿ(3eO/E|Ꝍ ;ɠoɠOev2O /?Bnjs(?(#坌rˌ̐KˌBf.n~+x*k  {/>_?m.!>BǬrc~~3w7Y7{dwɹN2!(odY NoT8'\$_JeYW@a uyQ~@yJ2,c2\. e{)[?[NBX\jzr+^fim4v+iA-{}yK/#ymoR7AQ8gG6+F.Э-'ވm]=g%Iy=0?%Mu{1پWߕ\~Sne+tVq&R2#s"qG\%Ün1'\vf[QǒGl]#=D>{?|k2Fs?`fE~@' @9DwMAw/[/:)7:=Mԍ}.omG;yh#62"T_;Yo%P/C"IsgeA:*k6:5tQ3[ ÈC?s HziG[zY)W͸QPc^u= !Y>Y"x|s&pN!3J8?0 fZ g8 a=CPN7nޣ97&3 P7#ɹT.jZQo\)Uʹ俓k$2 (8 "205ɪ"+Uw9 طV++b`" *s>P`26UJ` z!J1 =4c֭dKb(p EУoa˘V͛YʌN#^"_v3&mc(2)bb{ˈT`T|Jx Mq9m|LڸAÆ^Vٍv"nyhp䃿 t81ti;Ìsa܁zcc6H[8=ۺ9l؆"0w]Ww-k'/Հ&ߟ)$i#fB~ cwbX8]AՋpOaHzB=Xt(.Ph@oz^DltΖb.4szn%()%y+L9(م7x[*HFSeOTx/ē_| 3Obx`#Yұ ߚQ TDO2vy9=|En[~QڗE@1agG(HYUҎ_@BgTr$sDs݅ ߠ(b/ yJ>? T|- 5;\6LDR }F0~N]V0NA9DePޙiH@_v\4fR*4$NSPxcEzV?ĵ # |wخ;Oq^'dd9e7[ԘP1$+nvGD g>6'كl2pM!(Dْ0-9@/7Ak~ r@c]Tng`wDl .3./Y% hWa)*e71KLP`Ol3"w6G-: DGx kyf#ŧ3W<2ZP'jdVw@8̝-ӟ~H׶I5"`:Vڕ+zYL1e~}=3ӲG(q2,@zP݌5`y+@44zW qSgn)ZF#,c-ԭ<P0@~c.vz]nFQMF:®u4-ovѩߩnsQaW_<tcb3,LڙBX<ٰ޳sW=?5fl5Ɵ{0^5϶p2$82#" $8zIW{{a0&iE㨤t`C v_ʉ~ph;?҈>A wVǰ.XF!&ۅ7O80Ux|-h\};}r,s0#ŸEr g2ao?$;]2*玅A-F12Mo,gkV"K깘#gy^s3v=ǘ mr?u,r?],M c|Rc9bfrW`0M.<ȳ(`,Lv"VKjMΡmjqR!efƲ 7cP.X-%B@:S .x CG,$?ˋ}P byx ŧ$FS?X|ړT+ƕy@Xqө8Yo?]V.˛wByֽKgN *`g>!2D!6xVyhMi{CKғwM)h,-(ZNJ`)XFپ|C_%ȕ/2F#xoUAtMjez'14mEg,3lW'JZR۽7ߺ"f/On6%c|NKIkn^ͦG(5 wm&l2)v}ml-c6C-{.7'