Exploits Circulate for Windows 2000 Worm Hole

Microsoft has released a security advisory with a blunt warning for Windows 2000 users: Patch now, or else...

Windows 2000 users, patch now or else...

That's the blunt warning from Microsoft Corp.'s security response center after "detailed exploit code" for a wormable flaw started circulating on underground security Web sites.

The software maker rushed out an advisory late Thursday night to warn that unpatched Windows 2000 users are at the biggest risk of a PC takeover attack.

Ziff Davis Internet News has confirmed the existence of at least five exploits targeting several different vulnerabilities patched by Microsoft earlier this week.

The one that worries Microsoft the most is the exploit for the Plug and Play vulnerability addressed in the MS05-039 bulletin.

The vulnerability is an unchecked buffer in the Plug and Play service that can be exploited for local privilege escalation or to run code remotely with administrative privileges. Plug and Play, or PnP, is the feature that lets the operating system detect new hardware installed on a system. For example, when a user plugs a new mouse into a PC, PnP allows Windows to detect it and load the needed drivers.

Microsoft's patch updates the Plug and Play service code to validate the length of a message before it is copied into the allocated buffer. The update has been released for Windows 2000, Windows XP and Windows Server 2003.
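The bug class described above, as an added illustration that is not Microsoft's Plug and Play code: a constructed message handler copies a caller-supplied number of bytes into a fixed 64-byte buffer, clobbering whatever sits next to it, and the patched form checks the length first. The message layout, buffer size and the "next handler" slot are all assumptions made for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an unchecked length copy. Field names, sizes and the
 * adjacent slot are assumptions for illustration only; this is not the
 * code of the Windows Plug and Play service. */

#define BUF_SIZE   64u
#define ARENA_SIZE 256u

/* Hypothetical wire format: a caller-controlled length, then payload bytes. */
struct pnp_msg {
    uint32_t       payload_len;
    const uint8_t *payload;
};

/* Flat arena standing in for process memory. The first BUF_SIZE bytes are
 * the buffer allocated for the message; the 8 bytes after it stand for a
 * pointer that lives next to the buffer. One flat array keeps the overflow
 * inside a single object, so the demonstration is defined behaviour, as
 * long as payload_len stays within ARENA_SIZE (the real service has no
 * such backstop). */
struct service_mem {
    uint8_t arena[ARENA_SIZE];
};

static const uint64_t ORIGINAL_SLOT = 0x4141414142424242ull; /* stand-in pointer */

static void init_mem(struct service_mem *m)
{
    memset(m->arena, 0, sizeof m->arena);
    memcpy(m->arena + BUF_SIZE, &ORIGINAL_SLOT, sizeof ORIGINAL_SLOT);
}

/* Reads the slot adjacent to the buffer so a caller can see if it survived. */
static uint64_t next_handler(const struct service_mem *m)
{
    uint64_t v;
    memcpy(&v, m->arena + BUF_SIZE, sizeof v);
    return v;
}

/* Vulnerable handler: trusts payload_len and copies that many bytes into a
 * BUF_SIZE buffer. Anything past BUF_SIZE overwrites the adjacent slot. */
static size_t handle_unchecked(struct service_mem *m, const struct pnp_msg *msg)
{
    memcpy(m->arena, msg->payload, msg->payload_len);
    return msg->payload_len;
}

/* Patched handler: validates the length against the buffer before copying,
 * the kind of check the article says the update adds. Copies nothing and
 * returns false when the message is oversized. */
static bool handle_checked(struct service_mem *m, const struct pnp_msg *msg)
{
    if (msg->payload_len > BUF_SIZE)
        return false;
    memcpy(m->arena, msg->payload, msg->payload_len);
    return true;
}

/* Constructed message of 'len' filler bytes; len must not exceed ARENA_SIZE. */
static struct pnp_msg make_msg(uint8_t *storage, size_t len)
{
    memset(storage, 'A', len);
    struct pnp_msg msg = { (uint32_t)len, storage };
    return msg;
}

/* Feeds one 80-byte message to both handlers. Returns true when the
 * unchecked path clobbered the adjacent slot and the checked path rejected
 * the message while leaving the slot intact. */
static bool demo(void)
{
    uint8_t storage[ARENA_SIZE];
    struct pnp_msg msg = make_msg(storage, BUF_SIZE + 16);
    struct service_mem m;

    init_mem(&m);
    handle_unchecked(&m, &msg);
    uint64_t after_unchecked = next_handler(&m);

    init_mem(&m);
    bool accepted = handle_checked(&m, &msg);
    uint64_t after_checked = next_handler(&m);

    printf("unchecked copy: slot 0x%016" PRIx64 " -> 0x%016" PRIx64 "\n",
           ORIGINAL_SLOT, after_unchecked);
    printf("checked copy:   accepted=%d slot 0x%016" PRIx64 "\n",
           accepted, after_checked);

    return after_unchecked != ORIGINAL_SLOT && !accepted &&
           after_checked == ORIGINAL_SLOT;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The unchecked copy turns the adjacent slot into 0x4141414141414141, which is the attacker's filler; in a real process that slot would be a pointer the service later uses, which is how a length bug becomes code execution. The check in the patched path is the whole fix: a comparison against the buffer size before the copy.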

Researchers at eEye Digital Security also raised the alarm after testing the published exploits. "Upon discovering two instances of exploit code online, [we] conducted thorough testing to confirm that both present a legitimate threat to Windows 2000 systems (completely patched SP 4 with all hotfixes). One exploit, released by an anonymous author, will bind a command prompt to TCP port 8721," the company warned.

In an alert, eEye stressed that users should consider the patch "highly critical" and apply the necessary updates as soon as possible.


For networks with multiple versions of Windows operating systems, eEye recommends that the Windows 2000 patch be applied before anything else.

It's a message being repeated by Microsoft. "Windows 2000 systems are primarily at risk from this vulnerability," the company warned, making it clear that applying the MS05-039 security update will provide protection.

While the exploit code does not target users of Windows XP Service Pack 2 and Windows Server 2003, Microsoft is beating the drum for those patches to be applied as well. "The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. However, the affected component is available remotely to users who have administrative permissions," the advisory explained.

This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.

Microsoft said it was not currently aware of active attacks that use the exploit code. "[We are] actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."

eEye has released a free scanning utility to help network administrators identify vulnerable systems. The tool also provides remediation instructions.
