An exploit has begun circulating for another of the vulnerabilities in Windows revealed by Microsoft Corp. earlier this month. The vulnerability, a buffer overrun in the Local Security Authority Subsystem Service (LSASS), was patched as part of a large, cumulative update coded MS04-011.
The exploit takes the form of a new variant of the Gaobot worm. According to McAfees Avert research, this worm has had almost a thousand variations since its initial release, partly because the source to the worm has been released as well.
Once installed, the worm allows a remote attacker to perform a large number of dangerous operations, including installing and removing software, performing denial of service attacks, and shutting down the computer.
The MS04-011 patch that addresses this problem is the same one that addresses the SSL/PCT vulnerability that has received much attention in recent days because of separate exploits. Microsoft has admitted, however, that this patch has technical problems that can cause some systems to lock up and fail to reboot. Administrators should still install the patch, but only after testing.
In spite of the danger if a system is infected, McAfee has the worm, which it calls W32/Gaobot.worm.ali, rated as a “low” threat both to corporate and home users, because it has not spread far.