Attack code surfaces for latest Windows vulnerability

Computer code that exploits a critical new software vulnerability in the Windows XP and Windows 2000 operating systems is circulating on the Internet, according to security experts.

Two examples of "exploit" code for a buffer overrun in the Windows Workstation Service were posted to security-related Internet discussion groups on Friday and Saturday. Both exploits have been tested and work, according to Dan Ingevaldson, director of X-Force at Internet Security Systems Inc. (ISS).

The Workstation Service vulnerability was disclosed by Microsoft in Security Bulletin MS03-049, which was released on November 11. The service is turned "on" by default in Windows 2000 and Windows XP systems and allows computers on a network to connect to file servers and network printers, Microsoft said.

Both the CERT Coordination Center at Carnegie Mellon University and ISS issued advisories last week regarding the Workstation vulnerability, warning that it was easy to exploit and well suited to use by self-spreading Internet worms.

One version of the exploit code is attributed to somebody using the online name "wirepair," and was first published in a private online forum at Russian security site forum.securitylab.ru, Ingevaldson said. A second exploit, dated November 14, appeared on the French language hacking Web site www.k-otik.net by someone using the online name "snooq."

The two pieces of code are early attempts to exploit the MS03-049 vulnerability and contain multiple bugs that make them difficult to run. Because of flaws in the way the code authors attempt to trigger the buffer overrun in the Workstation Service, attackers have only one chance to compromise vulnerable Windows systems, which crash when the exploit is not successful, Ingevaldson said. Those faults make the code ill-suited to use in an Internet worm, he said.

"You need exploits that are robust and that work all the time to make an effective worm," Ingevaldson said.

However, virus writers and hackers worldwide will work diligently to refine the exploit code, finding ways to get the code to stop crashing systems and work on all versions of Windows XP and Windows 2000, he said. Such a pattern of refinement preceded the release of the Blaster and Nachi worms in August, Ingevaldson said.

In addition, the two exploits that were publicly released might not be the only exploits for MS03-049 that have been created, he said. "(Exploits are) like cockroaches. If you see one or two, there are probably others as well," Ingevaldson said.

ISS encourages Windows users to download and apply the software patch for the Workstation Service on Windows XP and 2000 machines as soon as possible, he said. (See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-049.asp.)

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?