August Patch Winds Fade

Opinion: The Next Great Worm may be coming some day, but it won't be based on MS05-039. It's just not a conducive bug.

At first glance, Microsofts August vulnerability and patch set seemed like a real killer set of vulnerabilities. One of them in particular, MS05-039 (Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege), caught attention as a "wormable" hole.

Network-wormable vulnerabilities are the worst kind. They allow an attack to take place without any action on the part of the victim. They dont have to open an e-mail, run a program or do anything else proactive.

The attack comes through a network communication to the system and exploits a vulnerability in the handling of the network data. The most famous examples from Windows history are Slammer, Blaster, and Sasser. To give you a sense of them, all of them are old, years old in some cases, and yet they continue to exist at a certain level in the background of the Internet, and may continue to exist for years. When they were in their heyday, they made the front page; everyone dropped everything else they were doing and dealt with these problems.

And, indeed, it took about five days for MS05-039 to become "wormed." Weve had the Zotob worms out since the weekend. But while there has been a lot of talk about the potential for mass damage, its all either fallacious or based on worst-case thinking. The fact is that MS05-039 really isnt all that big a deal.

First, its important to review the differences in severity of MS05-039 depending on the operating system under attack:

  • Windows 2000

    : The vulnerability is remotely exploitable. Unpatched systems are vulnerable to Zotob and other attacks that come along.
  • Windows XP SP1

    : Remote users can attack the system, but only if they have a valid account on the system.
  • Windows XP SP2 and Windows Server 2003

    : Remote users can only exploit the vulnerability if they have a valid login and rights to log on locally.

As Microsoft notes in the write-up, the attack can also be prevented by blocking TCP ports 139 and 445 at the firewall, and these are pretty standard and obvious ports to block at a firewall. The other mitigating factors are pretty clear once you think about them.

With respect to Windows 2000 it is often said, and I think this is a fair assessment, that it is still popular in business. But it never had much traction in the consumer space, largely because it wasnt sold into that space. At the time Windows 2000 was most popular, Microsoft was selling consumers Windows ME which, for all its profound deficiencies, is not vulnerable to this particular problem.

How many businesses do you think are around today running Windows 2000 with no firewall? Surely any such business already has their systems utterly compromised. Theyre probably the ones producing all that background Sasser and Blaster traffic. But the vast majority of businesses, including those who have done nothing more than place their systems behind a router, are protected against the known remote forms of this attack.

So to go further, attackers either need to authenticate themselves on the system or get inside the network. The authentication route would probably involve a dictionary attack, which means that for each address it attempts to attack the worm needs to make hundreds or even thousands of guesses at username/password combinations, and probably would only try to guess at the administrator password. If the worm is able to do this then it will succeed, but its not an attack that is facilitated by MS05-039; its always been possible. I suspect its too conspicuous for an attacker to make potentially hundreds of connection attempts at the same target.

The worm could attempt to get on the inside of the network through what are now well-known routes, most famously the unprotected notebook. A user with a notebook computer, probably Windows 2000-based, unpatched and with no personal firewall, takes it home for the weekend and connects it to their broadband connection where it is infected with Zotob or whatever. Monday morning they bring it back into the office, plug it in to the LAN and log in, thereafter infecting systems on the LAN because the firewall no longer protects them.

This is a perfectly plausible scenario, but its not a recipe for widespread infection, and there have been products to protect against such infections for many years, and network access control systems such as Ciscos NAC can prevent unprotected notebooks from connecting to the LAN at all. Only an irresponsible company would get caught with its pants down in this way. And even if it did, it would still be unlikely that the Windows XP systems would be infected.

Its a good 48 hours now after Zotob hit the Internet and the major AV companies have lowered its severity, at worst, to a rating of "interesting, but not much of a threat." Even Panda, usually anxious to overstate matters, has the two Zotob worms at a 2 out of 5.

So patch your systems, but dont miss your kids play in order to do it. Weve seen a lot worse than this in the past.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer