Security experts are monitoring what appears to be a coordinated effort to exploit a known vulnerability in the Secure Sockets Layer (SSL) implementation in Windows, and say that there may be a worm doing some of the work.
The vulnerability in the SSL library in Windows has been known for some time, and there is a patch available. However, experts say that on Wednesday someone released working exploit code for the flaw and there has been a marked increase in the amount of attacks against this vulnerability since then, according to experts at VeriSign Inc., based in Mountain View, Calif.
Typical attacks involve sending specially formed SSL traffic to vulnerable servers. This opens a Windows shell on the remote machine and allows attackers to run arbitrary code with system-level privileges.
The destination port for these attacks is 31337, according to an analysis of the attacks by Internet Security Systems Inc., based in Atlanta.
Among the products vulnerable to the SSL problem are Windows NT 4.0, 2000 and XP. The problem lies in Microsoft Corp.s Protected Communications Technology Version 1.0, which is somewhat akin to SSL.
“The vulnerability exists in a specific SSL processing routine. This vulnerability may result in a traditional stack overflow, and it can be exploited reliably over the Internet,” ISS said in its advisory on the attacks.
“The error causing a buffer overflow exists in a Windows system library, rather than in any single service, such as IIS or Exchange. Therefore, any service or application running on a vulnerable operating system that uses native Windows SSL functionality is vulnerable. This includes Microsoft services such as IIS, Active Directory and Exchange,” the ISS notice advised.
ISS said that its researchers also have seen evidence of a worm exploiting this vulnerability in the last day or so.
The advisory further warned IT managers that the severity of this vulnerability is “compounded by the fact that SSL is most often used to secure communications involving confidential or valuable financial information, and that Firewalls and packet filtering alone will not be able to stop attacks. X-Force believes that hackers will aggressively target this vulnerability given the high-value nature of Web sites protected by SSL.”