Exploits Surface for MS Patch Day Flaws

Proof-of-concept and fully working exploits are already available for critical worm holes patched earlier this week by Microsoft.

Proof-of-concept exploit code offering step-by-step instructions to attack worm holes in Microsoft Windows have started appearing on the Internet, prompting a new round of "patch-now-or-else" warnings from computer security experts.

The exploits, publicly released on the Milw0rmWeb site and privately available to partners of penetrating testing firm Immunity, target a pair of critical vulnerabilities patched by Microsoft on Nov. 14.

The Milw0rm exploit, released by a hacker called "cocoruder," takes aim at the high-severity bug covered in the MS06-070 bulletin and can be used to launch a network worm against unpatched Windows 2000 systems.

Amol Sarwate, manager of the vulnerability research lab at Qualys, in Redwood Shores, Calif., is strongly urging businesses running Windows 2000 to test and deploy the MS06-070 patch because of the ease in which a hacker could launch an exploit.

"It [an attack] can be launched remotely over the Internet, without any user action whatsoever," Sarwate said in an interview with eWEEK.

The "cocoruder" exploit code has been tested against Chinese-language versions of Windows but, with minor tweaking, Sarwate said it can be expanded to hit other targets.

/zimages/2/28571.gifClick here to read more about Novembers Patch Tuesday release from Microsoft.

Immunity, based in Miami Beach, Fla., has also released a fully-functional exploit for the MS06-070 bug to IDS (intrusion detection companies) and larger penetrating testing firms as part of a partner program that shares up-to-the-minute information on new vulnerabilities and exploits.

"Our exploit works against English-language versions [of Windows]," says Kostya Kortchinsky, a senior researcher at Immunity. "Weve successfully tested it to launch code against Windows 2000 SP3 and SP4."

Since Microsofts Nov. 14 Patch Tuesday, Immunity has released a total of six proof-of-concept and working exploits against flaws covered in the updates.

On Nov. 13, the company also posted attack code for the Microsoft XML Core Services 4.0 flaw that was being used in targeted zero-day attacks.

In an interview with eWEEK, Kortchinsky said the company has also reverse-engineered the patches in Microsofts MS06-066 bulletin to a code-execution exploit for Windows XP SP2.

He said Immunitys MS06-066 exploit is also capable of defeating the software-enforced DEP (Data Execution Prevention) that is enabled by default in XP SP2 to reduce exploits of exception handling mechanisms in Windows.

The MS06-066 update, rated "critical," covers a pair of vulnerabilities in Client Service for NetWare, the feature that allows the client to access NetWare file, print and directory services.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK SecurityWatch blog.