Proof-of-concept code that exploits newly-discovered vulnerabilities Microsoft warned of last week is floating in the wild. The Bethesda, Md.-based SANS Internet Storm Center said it's another reason not to put off those patching chores.
The concept code exploits security holes the software giant outlined in two of the 10 bulletins it issued last week. MS04-036 patches a vulnerability in the Network News Transfer Protocol (NNTP) and MS04-038 is a cumulative security update for Internet Explorer that patches several vulnerabilities. An attacker could exploit these "critical" security holes to take over machines and install programs; view, change or delete data or create new accounts with full privileges.
Boston-based Core Security Technologies discovered the NNTP flaw and reported it to Microsoft Aug. 16. Core CTO Ivan Arce said of the vulnerability last week: "This one is especially serious because if you're running the news service, you can be attacked by anyone in the network. Your server can be compromised internally or externally. It's an ideal attack vector."
The Internet Storm Center said in a Web site message over the weekend: "If you were wondering how quickly you needed to apply the patches that Microsoft released a couple of days ago, please keep in mind that proof-of-concept exploit code for the Windows NNTP vulnerability (MS04-036) is publicly available. The recent Core Security advisory includes the exploit code and provides detailed technical information about the vulnerability… [The advisory] was published just hours after the patches became publicly available [and] is a good illustration of the rapidly shrinking time window in which you need to apply security patches."
The storm center has made a PowerPoint briefing on this month's Microsoft bulletins available on its site. The presentation mentions that proof-of-concept code also exists for the IE vulnerabilities.
The bulletins issued last week aim to patch a total of 22 newly-discovered vulnerabilities -- a new record for the software maker's monthly Patch Tuesday program, a company spokesperson acknowledged last week. Seven of the bulletins were deemed critical, including the NNTP and IE vulnerabilities.
The software giant also re-issued MS04-028 from last month, outlining critical .jpg vulnerabilities an attacker could exploit to take over machines and do a variety of damage. Security experts have repeatedly warned in the past month that this vulnerability could be used to unleash a devastating attack. Such an attack has yet to materialize, though several small exploits that target the flaw through IM and e-mail have been seen in the wild.