Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Windows 2000 Exploits Raise Worm Attack Fears

    By
    Ryan Naraine
    -
    October 13, 2005
    Share
    Facebook
    Twitter
    Linkedin

      Fears of a network worm attack targeting unpatched Windows 2000 systems heightened on Thursday with news that private security researchers have already reverse-engineered Microsofts critical MS05-051 update to create proof-of-concept exploits.

      The MS05-051 bulletin, which shipped as part of Microsoft Corp.s October batch of patches, includes fixes for four different Windows flaws, one of which is considered a major worm hole in the enterprise-heavy Windows 2000 operating system.

      That bug, an unchecked buffer in the MSDTC (Microsoft Distributed Transaction Coordinator), could be exploited by a remote unauthenticated user to take complete control of an unpatched system.

      “That one is really easy to exploit,” said Marc Maiffret, co-founder and chief hacking officer at eEye Digital Security, the private research outfit that discovered and reported the vulnerability to Microsoft.

      “We are definitely going to see dangerous exploits for it because its not really technically challenging to write the exploit code,” Maiffret said in an interview with Ziff Davis Internet News.

      “Whether we see a worm or not will depend on whether anyone wants to write a worm. If someone wants to unleash a worm, its really not that hard with this vulnerability,” he added.

      Already, the underground chatter is triggering fears of an attack like the Zotob worm that crippled some big-name companies—CNN and the New York Times included—that were tardy in applying the patches released in August.

      Immunity Inc., a vulnerability research company with a handful of employees, has already reverse-engineered Microsofts patches to create proof-of-concept exploits for three vulnerabilities, including one for the MSDTC flaw.

      Immunity chief executive Justine Aitel said the proof-of-concept has been released to IDS (intrusion detection companies) and larger penetrating testing firms as part of a partner program that shares up-to-the-minute information on new vulnerabilities and exploits.

      /zimages/4/28571.gifClick here to read about how Microsoft handled the Zotob worm.

      “Typically, our partners have access to our research as we produce it. Like a lot of researchers, we focus on Patch Tuesday and, as we produce our research, we make those available to partners. In this case, we created an early-stage exploit and released that into the program,” Aitel said in an interview.

      “The minute Microsoft released the bulletins, we focused on creating proof-of-concepts for our partners and customers. Were still working on the reliability of that exploit before we distribute it to our CANVAS service,” Aitel said.

      She corrected a diary entry by incident handlers at the SANS ISC (Internet Storm Center), making it clear that the distribution of the exploit was limited to the partner program and not the CANVAS product.

      Aitel also stressed that theres a “big difference between a proof-of-concept and a reliable exploit.”

      “Theres a huge difference between something capable of crashing the victim machine and something that exploits the bug 100 percent of the time. We know the [proof-of-concept] we release can exploit the bug, but turning that into something reliable is something we have to keep working on,” she added.

      The SANS ISC also warned of “non-specific exploit warnings from managed security service providers.”

      Officials at the MSRC (Microsoft Security Response Center) said they plan to monitor the mailing lists and underground chatter to determine whether a worm attack is imminent.

      /zimages/4/28571.gifRead more here about the Microsoft Security Response Center and how it operates.

      If Redmond believes the proof-of-concepts circulating can be redeveloped into a working exploit, the company could issue a security advisory with pre-patch workarounds and other mitigation guidance.

      Just before the Zotob attack in August, the company used that mechanism to beat the drum for customers to download and apply the available patches, and its likely that an advisory could be released some time Thursday or Friday.

      Russ Cooper, senior information security analyst with Cybertrust Inc., is downplaying the risks. “Systems which are vulnerable to a MSDTC worm are wide open to the Internet, not blocking ports [at least] above 1024. Doesnt matter whether they are, or are not, listening on 3372,” Cooper said.

      “Such systems are ripe for attack of all sorts anyway. If theyre vulnerable to this, theyre already hosed. A worm is not going to get any more legs than Zotob did, and in fact, such a worm will get less legs as the attacker tries to figure out which of the higher ports MSDTC is actually on,” Cooper added.

      The message from Microsoft is for Windows 2000 users to treat MS05-051 as a high-priority update.

      “[We are] aware that exploit code for the vulnerabilities addressed by Microsoft security bulletin MS05-051 is available through third-party fee-based security offerings. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time,” MSRC program manager Stephen Toulouse said Thursday.

      He said Microsoft would actively monitor the situation to keep customers informed and to provide customer guidance as necessary.

      “Currently this exploit is not publicly available, but we continue to urge customers on older versions of our operating systems to deploy MS05-051 to help protect from attempted exploitation,” Toulouse said.

      “The MSRC is constantly monitoring the threat environment for any malicious activity. We are keeping an especially close eye on the newsgroups and vulnerability lists for exploits related to this months activities and will mobilize immediately to help protect customers against threats as necessary.”

      /zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Ryan Naraine

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×