Computer code that exploits a critical software
vulnerability in the Windows XP and Windows 2000 operating systems
is circulating on the internet, according to security
experts.
Two examples of "exploit" code for a buffer overrun in the
Windows Workstation Service were posted to security-related
internet discussion groups. Both exploits have been tested and
work, according to Dan Ingevaldson, director of X-Force at Internet
Security Systems (ISS).
The Workstation Service vulnerability was disclosed by Microsoft
in Security Bulletin MS03-049, which was released on 11 November.
The service is turned "on" by default in Windows 2000 and Windows
XP systems and allows computers on a network to connect to file
servers and network printers.
Both the Cert Co-ordination Centre and ISS issued advisories
last week regarding the Workstation vulnerability, warning that it
was easy to exploit and well suited to use by self-spreading
internet worms.
One version of the exploit code is attributed to somebody using
the online name "wirepair", and was first published in a private
online forum at Russian security site
forum.securitylab.ru,
Ingevaldson said.
A second exploit, dated 14 November, appeared on the French
language hacking website
www.k-otik.net by someone using
the online name "snooq".
The two pieces of code are early attempts to exploit the
MS03-049 vulnerability and contain multiple bugs that make them
difficult to run. Because of flaws in the way the code, authors
attempt to trigger the buffer overrun in the Workstation Service,
attackers have only one chance to compromise vulnerable Windows
systems, which crash when the exploit is unsuccessful, Ingevaldson
said. Those faults make the code ill-suited to use in an internet
worm.
"You need exploits that are robust and that work all the time to
make an effective worm," Ingevaldson said.
However, virus writers and hackers worldwide will work
diligently to refine the exploit code, finding ways to get the code
to stop crashing systems and work on all versions of Windows XP and
Windows 2000.
Such a pattern of refinement preceded the release of the Blaster
and Nachi worms in August, Ingevaldson said.
The two exploits that were publicly released might not be the
only exploits for MS03-049 that have been created.
ISS encourages Windows users to download and apply the software
patch for the Workstation Service on Windows XP and 2000 machines
as soon as possible. (
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-049.asp)
Paul Roberts writes for IDG News Service