Microsoft holes under further attack

Just days after Microsoft warned its customers about the release of code that can exploit a hole in its Secure Sockets Layer (SSL) library, new code that claims to exploit another recently disclosed hole has surfaced on a French language website. 

The computer code can be used by a remote attacker to trigger a buffer overrun vulnerability in the Local Security Authority Subsystem Service (LSASS), according to a message posted to the website that hosts it. Microsoft released a patch for the LSASS vulnerability, MS04-011, on 13 April, along with fixes for the SSL problem and a number of other vulnerabilities.

The code was released on Saturday, according to the K-Otik website, which hosts the exploit. It was unclear whether the exploit code worked, but notes attached by the exploit's author say that some modifications may be necessary before it could be used by a remote attacker to compromise Windows machines.

LSASS is used to authenticate users locally and also in client-server environments. LSASS also has features used by Active Directory utilities. An attacker who could exploit the LSASS vulnerability could attack and take total control of Windows 2000 and Windows XP systems remotely, according to Microsoft. 

Unlike e-mail worms and viruses, no user interaction would be necessary to trigger the LSASS buffer overflow, according to Johannes Ullrich, chief technology officer at the Sans Institute's Internet Storm Center.

The centre has not received any reports of the LSASS exploit code being used to compromise Windows systems on the internet.

Internet Security Systems is also aware of the new code, but says it does not pose an immediate threat because it requires modification to work on computer networks.

"The exploit is unreliable and not for use in the wild," said Neel Mehta, research engineer at ISS.

However, this is not the case for exploit code that targets the Microsoft SSL hole, which was released last week. ISS has seen a significant number of attacks using the SSL exploit code since Wednesday.

Such activity is often a precursor to an exploit being used by a worm.

The Internet Storm Center has received "a couple" of reports from organisations that had Windows systems attacked using that code, which leaves a unique signature in computer logs on compromised machines. The attacks were isolated, and do not appear to be linked to a worm or virus outbreak. However, there is evidence that malicious hackers have coupled the SSL exploit code with automated scanning tools.

"It looks like, in some cases, all affected servers in part of a company got attacked. It seems like somebody picked a netblock [of network Internet Protocol addresses] and started scanning those addresses and hitting all the affected systems," said Ullrich.
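The scanning pattern Ullrich describes, one source walking a netblock and hitting every host that listens on port 443, is something a defender can pick out of perimeter logs before the individual exploit attempts are confirmed. The following Python script is an added example written for this page; it is not code from the article, from ISS or from the Internet Storm Center. It runs over a few constructed firewall log lines (the log format, addresses and thresholds are assumptions) and flags any source that reaches an unusually large number of distinct hosts on the watched port inside a short window. The port and network are parameters, so the same check generalises to sweeps against any service, not only SSL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines for this example (not from the article).
# One source, 203.0.113.7, touches six hosts on port 443 within a few seconds;
# a second source, 198.51.100.4, only talks to a single server repeatedly.
SAMPLE_LOG = """\
2004-04-25T02:10:01 src=203.0.113.7 dst=192.0.2.10 dport=443 action=accept
2004-04-25T02:10:02 src=203.0.113.7 dst=192.0.2.11 dport=443 action=accept
2004-04-25T02:10:02 src=203.0.113.7 dst=192.0.2.12 dport=443 action=accept
2004-04-25T02:10:03 src=203.0.113.7 dst=192.0.2.13 dport=443 action=accept
2004-04-25T02:10:04 src=203.0.113.7 dst=192.0.2.14 dport=443 action=accept
2004-04-25T02:10:05 src=203.0.113.7 dst=192.0.2.15 dport=443 action=accept
2004-04-25T02:15:00 src=198.51.100.4 dst=192.0.2.10 dport=443 action=accept
2004-04-25T02:16:00 src=198.51.100.4 dst=192.0.2.10 dport=443 action=accept
"""

# Assumed log layout: ISO timestamp, then key=value fields for src, dst and dport.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        yield ts, ip_address(m.group(2)), ip_address(m.group(3)), int(m.group(4))


def find_netblock_sweeps(log_text, port=443, watch_net="192.0.2.0/24",
                         min_targets=5, window=timedelta(seconds=60)):
    """Return {source: [distinct destinations]} for every source that reached at
    least `min_targets` different hosts in `watch_net` on `port` within `window`.

    The thresholds are assumptions chosen for the sample; tune them to the
    normal fan-out of a given network before alerting on them."""
    net = ip_network(watch_net)
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if dport == port and dst in net:
            per_src[src].append((ts, dst))

    sweeps = {}
    for src, events in per_src.items():
        events.sort()
        # Slide a time window over this source's events and count distinct targets.
        for i in range(len(events)):
            seen = {events[i][1]}
            for j in range(i + 1, len(events)):
                if events[j][0] - events[i][0] > window:
                    break
                seen.add(events[j][1])
            if len(seen) >= min_targets:
                sweeps[str(src)] = sorted(str(d) for d in seen)
                break
    return sweeps


if __name__ == "__main__":
    for source, targets in find_netblock_sweeps(SAMPLE_LOG).items():
        print(f"possible sweep from {source}: {len(targets)} hosts on 443 -> {targets}")
```

The check deliberately keys on distinct destinations rather than raw connection counts, because a busy legitimate client (the second source above) can generate many connections to one server without ever resembling a sweep. Run it against real perimeter or reverse-proxy logs only after confirming the field layout matches the regular expression.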

Last Thursday, Microsoft warned customers to "immediately install" MS04-011, citing "credible and serious" reports of the release of exploit code.

Any Windows XP, 2000 or Windows Server 2003 machine that runs applications that use SSL is vulnerable, including Microsoft Internet Information Services, Microsoft Exchange Server and third party products, the company said.

ISS released an advisory on Friday that warned customers of the SSL exploit and cautioned that the severity of the Microsoft vulnerability was compounded by the fact that SSL is used to secure communications involving confidential or valuable financial information and that companies that use SSL must leave port 443, the port that is targeted by the exploit, open.

Systems that use SSL for secure communications are often "production critical" machines. Organisations take longer to patch such systems because of fears that applying the patch will interfere with critical services.

Microsoft, ISS and other companies also have published work-arounds for the SSL vulnerability for organisations that cannot patch systems immediately.

Meanwhile, another major security hole has been found in Internet Explorer which makes system access possible across all Windows platforms through a boundary error when connecting to a file server. Windows Explorer is also affected.

Microsoft has issued an advisory in which it claims the problem was corrected in XP service pack 1 and service pack 4 for Windows 2000. However, security company Secunia claimed the vulnerability still existed in fully patched systems.

Secunia also said the vulnerability affects machines running Windows 95, 98 and Me, as well as XP and 2000. The company is also investigating NT4 and 2003.

The hole is caused by setting up a malicious file server with a hugely long name (300 bytes). It can be used to cause a buffer overflow and then run code on the host machine.

Secunia advised users to watch firewalls and routers to check traffic and disable "client for Microsoft Networks" for network cards.

Paul Roberts writes for IDG News Service; Kieren McCarthy writes for