With Exploits Out, MS Braces for Worm Attack

Microsoft's security response unit says it is ready to react to the possibility of a network worm attack against unpatched Windows machines.

A network worm attack exploiting a critical Microsoft Windows vulnerability appears inevitable, security experts warned Aug. 10.

Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsofts security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.

Even before the release of Microsofts patch, the US-CERT (Computer Emergency Readiness Team) warned that the flaw was being used in targeted attacks and that the appearance of public exploits is a sure sign that a worm attack is imminent.

An exploit module was added to the HD Moores Metasploit Framework that could launch attacks against all unpatched Windows 2000 systems and some versions of Windows XP.

Two penetration testing companies, Immunity and Core Security Technologies, have already created and released "reliable exploits" for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1.

/zimages/3/28571.gifHomeland Security tells Windows users to apply MS06-040 patch. Click here to read more.

Dave Aitel, a researcher at Immunity, said his exploits are capable of launching attacks against firewall-protected Windows XP SP2. "A worm is coming. This bug is just too easy to exploit," Aitel said in an interview with eWEEK.

Aitels company was able to reverse-engineer Microsofts patch and create a working exploit in less than 24 hours.

Gartner Research security analyst John Pescatore said businesses should prepare for the worst.

"The nature of the vulnerability itself is something that should be taken very seriously. The fact that exploits were out even before Patch Day and now that public code is available for anyone to download and use, thats enough to treat this as a high-priority issue," Pescatore said.

In most enterprises, Pescatore said the use of firewalls and the automatic blocking of TCP ports 139 and 445 should help mitigate the risk. However, he cautioned against IT administrators letting their guards down.

"I think well definitely see exploits. It might not be as big as Blaster [in 2003] but it could still be disruptive. Although this vulnerability smells like Blaster, a lot has changed over the years," he said, citing increased use of Automatic Updates among home users and layered defense mechanisms at the enterprise level.

"If we see something, I think it will be more along the lines of Zotob," Pescatore said, referring to the Windows Plug and Play network worm that squirmed through Windows 2000 systems in August 2005.

/zimages/3/28571.gifMicrosoft ships fixes for 23 security flaws. Click here to read more.

A spokesperson for Microsoft said it is difficult to predict the motives and actions of attackers but insisted the company is "watching round-the-clock" and actively encouraging customers to download the update immediately.

"We will mobilize if something does happen," the spokesperson said.

In the first 30 hours since the security updates were released, Microsoft program manager Christopher Budd said there were more than 100 million downloads of the MS06-040 patch.

"Thats nearly 3.5 million per hour," Budd said, stressing that the companys Emergency Response process teams are "watching for any possible malicious activity."

eEye Digital Security, a research outfit in Aliso Viejo, Calif., has released a free scanning utility to help IT administrators find potentially vulnerable machines on a network.

The eEye tool can be used to scan multiple addresses at once to determine if any are vulnerable to the Server Service flaw. If an IP address is found to be vulnerable, the scanner will flag that IP address.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.