Malicious code that exploits a "critical" Windows 2000 vulnerability has been released on the Internet, rising the probability of attacks, experts advised on Thursday.
The code makes use of a security vulnerability in a key operating system module that routes file system and print requests called the "Workstation Service." On Windows 2000 systems, the defect could be exploited via the Net by an unidentified aggressor without any user interaction, increasing the likelihood of the arrival of a Zotob-like worm.
"Somebody could write a piece of code that targets Windows 2000, and that replicates itself, and then you would have a worm go around the Internet," said Monty IJzerman, senior manager in McAfee's Global Threat Group.
The public release of the exploit code comes only two days after Microsoft provided a fix for the flaw. That means that many exposed systems might still be unpatched. While Windows 2000 is an older operating system, it is still largely used, primarily in big business, said vulnerability management company Qualys.
"We scan about 10 million hosts every month, and at least 25 percent of those still run Windows 2000," said Amol Sarwate, a research manager at Qualys. Usually, it takes IT departments between five and eight days to apply a critical patch because of compatibility testing, he said.
Worm risk
Both McAfee and Qualys say a Zotob-like worm attack is possible. In August last year, Zotob slithered into Windows 2000 systems throughout a hole in the plug-and-play feature in the operating system. Zotob surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.
Microsoft is aware of the "detailed exploit code" for the Workstation Service vulnerability, which was fixed by security bulletin MS06-070, a company spokesperson said. The software manufacturer is studying the code and plans to publish a security advisory to inform customers, the representative said.
The Workstation Service is a key part of Windows that can't be turned off or easily protected by a firewall, Sarwate noted. "Really, the only solution is to apply the patch as soon as possible," he said. Microsoft does offer some workarounds for the flaw in its security bulletin.
Also on Thursday, security vendor Immunity said it has created exploit code for two other Windows flaws. However, these blueprints are private, meaning they are supplied to users of its penetration-testing tool and are not publicly available.
The two flaws are covered by Microsoft alert MS06-066, which deals with issues that could put Windows 2000 and Windows XP systems at risk from worms. The bugs affect Microsoft's Client Service for NetWare and the NetWare Driver, which let Windows systems access network services on servers running Novell NetWare.
Microsoft also provided fixes for these vulnerabilities on Tuesday, its monthly patch release day. It rated the issues as "important"--one step below its most severe "critical" rating--because the vulnerable components are not installed by default.
|
