Billy Gates, stop making money! Make malware instead.Bug identifier: MS03-026
Description: Buffer overrun in RPC interface could allow code execution
Alias: The Blaster Worm bug
Date published: July 16, 2003
The DCOM RPC interface is a common component of NT-based Windows OSes, including NT, 2000, XP, and Server 2003. In the summer of 2003, it became the subject of intense scrutiny.
As Microsoft described in the bulletin that accompanied the patch, a successful exploit only required the attacker to send a "specially formed request" to a vulnerable PC -- a bit like dangling candy in front of a ravenously hungry baby.
By August 11, the Blaster worm arrived, and though it spread rapidly, it was fairly easy to block with a firewall.
Unfortunately, protecting home systems with firewalls wasn't common practice at the time. Home users' PCs -- connected directly to the Internet -- got whomped by the worm. When the worm's code crashed the infected computer's RPC service, the computer would display a message warning of imminent shutdown, and unceremoniously reboot itself.
The worm had another message, this one to Microsoft's founder, and embedded within its code: "billy gates why do you make this possible? Stop making money and fix your software!!"
But it was fixed. Or at least it would have been if people had patched their systems.
At the end of the summer, Microsoft released a second set of updates in MS03-039 that blocked additional ports that attackers could use to mess with the RPC service.
Upshot: We're all in better shape thanks to the wide adoption of firewalls in the home. Thanks in part to Blaster and its ilk, most broadband modems have one built in.
That sassy bug has a lot of spunkBug identifier: CVE-2003-0533, MS04-011
Description: Stack-based overflow in certain Active Directory service functions in LSASRV.DLL
Alias: The Sasser bug
Date published: April 13, 2004
In yet another example of ironic buffer-overflow goodness, this bug made the security subsystem of Windows the agent of evil itself. And, once again, malicious coders used Microsoft's own patch to figure out exactly where to target the OS.
As Windows XP's gatekeeper, LSASS (Local Security Authority Subsystem) manages the permissions of a PC's user accounts. So when eEye -- the same company that discovered the Code Red bug -- quietly disclosed the details of this flaw to Microsoft in October 2003, it touched off six months of furious coding in Redmond that culminated in a patch that fixed 13 other Windows 98, NT, 2000, XP, and Server 2003 flaws, as well as the LSASS bug.
And, within 18 days, the Sasser worm was cruising the Internet, hopping from one unpatched machine to another. The poorly coded worm wreaked havoc, shutting down networks around the world. Even though a fix was already available, many users -- in particular, corporate IT managers -- still had not applied MS04-011. By May 1, 2004, work on fixing the unintended damage caused by Sasser had become a round-the-clock operation, says then director of the Microsoft Security Response Center, Kevin Kean, with "a number of war rooms and rotating shifts" for MSRC staffers.
Upshot: What was that about patching as soon as the updates are available? Lessons that should have been learned three years earlier didn't really sink in until Sasser publicly pummeled patchless PCs to pulp.