October 14th, 2005, 03:25 AM
Exploit already available for Windows vulnerability
The availability of an exploit that takes advantage of a critical vulnerability in Microsoft Corp.’s Windows 2000 software just a day after the flaw was disclosed is fueling concerns of another Zotob-like worm outbreak.
Immunity Inc. a Miami-based security research firm, yesterday released a proof-of-concept exploit taking advantage of a flaw in the Microsoft Distributed Transaction Coordinator (MSDTC) service within the Windows 2000 operating system. The flaw, which some analysts described as being “highly wormable,” allows attackers to take complete administrative control of compromised Windows 2000 servers.
Justine Aitel, the CEO of Immunity, said her company was able to develop a workable exploit against the flaw just a few hours after it was disclosed by Microsoft on Tuesday (see ”Update: Microsoft reports three 'critical' Windows security flaws ”). Immunity yesterday released the exploit code to members of its partner program, which includes vendors of security products such as intrusion-detection and -prevention systems.
“We make it a priority to focus only on high-risk vulnerabilties and those that are easily wormable,” she said.
Microsoft said in an e-mail statement this afternoon that it’s aware that exploit code for the vulnerability addressed by Security Bulletin MS05-051 is available through a third-party, fee-based security offering.
“Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time,” the company said in the statement. “However, Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”
According to Microsoft, the exploit isn’t publicly available at the moment.
In addition to the exploit code for the MSDTC vulnerability, Immunity has also developed exploits for two other vulnerabilties disclosed by Microsoft on Tuesday, Aitel said. Immunity plans to make the exploit code also available to customers of the Canvas network penetration testing tool that it sells, she said.
While only Immunity’s customers and partners so far have access to the exploit code, companies can expect to see similar exploits for the MSDTC flaw become widely available possibly as early as this weekend, said Neel Mehta, leader of Atlanta-based Internet Security Systems Inc.’s X-Force research team.
That’s because the flaw can be exploited relatively easily. The vulnerability also presents a tempting target for hackers because it exists in a service that runs by default on Windows 2000 servers and can be taken advantage of without any user action required, he said.
“It’s almost certain that other hackers are working on the same thing right now,” Mehta said, adding that there have been no reports of systems actually being exploited so far.
“This is something that should be take very seriously by enterprises,” said Alfred Huger, senior director of engineering at Cupertino, Calif.-based Symantec Corp.’s security response team.
\"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster
October 14th, 2005, 08:52 AM
Microsoft should start believeing it their products are 0-dayed almost every day and
pay more attention to security than buisness.
October 14th, 2005, 09:38 AM
Not quite 0-day, but getting closer!
Black Cluster , Thanks for the post. since most businesses have not migrated to XP, this could be big. Maybe this will wake some people up, at least admins who monitor AO so they update in a timely manner and not get bit!
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
October 14th, 2005, 09:44 AM
Thanks... I'll be putting this in an SDbot mod right away.