[ISN] Attack code posted for latest Microsoft bugs

From: InfoSec News (alerts@private)
Date: Fri Nov 17 2006 - 02:09:53 PST


http://www.networkworld.com/news/2006/111606-attack-code-posted-for-latest.html

By Robert McMillan
IDG News Service
11/16/06

Hackers have posted code that could be used to target Microsoft's 
Windows operating system in a worm attack.

The code, which was published early Thursday on the Milw0rm Web site, 
works on the Windows 2000 operating system, according to Oliver 
Friedrichs, director of emerging technologies with Symantec's Security 
Response.

It takes advantage of a flaw in the Windows Workstation service, which 
Windows uses to do such things as file-sharing or printing over the 
network.

When Microsoft patched this flaw in its monthly batch of security fixes 
earlier this week, security vendors had warned that this was one of the 
most critical of the November updates, and could possibly be exploited 
in a self-replicating worm.

On Thursday, they reiterated this advice, though the odds of a 
widespread worm may not be great.

"If you run Windows 2000 systems in your environment, this flaw is the 
most critical one to patch, and even more so now that there's a live 
working exploit on the Internet," said Marc Maiffret, chief technology 
officer with eEye Digital Security Inc.

Maiffret said that while the Workstation flaw is "just as easy to 
exploit" as the flaws used by the Blaster and Zotob worms, the bad guys 
have realized that they can be more effective by using their malware in 
low-key, targeted attacks. "Nobody is going to dare to write a worm," he 
said. "Why would they, when they could target companies and make money 
off of them?"

"All worms do is create awareness," he added.

There is also a technical factor that may limit the spread of any worm 
based on this exploit code.

According to Friedrichs, the attack code must also be aware of a 
legitimate domain controller on the victim's network. "It limits 
somewhat the exposure of systems on the Internet," he said.

Symantec has not yet seen this malware being used in attacks, Friedrichs 
said Thursday.

Still, some security vendors think that a worm attack could be in the 
works. "If we are able to confirm that it does work ... then the 
possibility of a worm is really high," said Amol Sarwate, Vulnerability 
Research Lab manager with Qualys. "Once people get it working, it's only 
a matter of time for people to encapsulate it in worm behavior."

Qualys researchers are studying the exploit code and are still not sure 
which versions of Windows can be compromised by the attack, he said.

Sarwate noted that there is other attack code in circulation this week. 
Hackers have also posted malware targeting a critical flaw in the WinZip 
10 file compression software, which was also patched by Microsoft on 
Tuesday.

"It is a big deal for the people who have WinZip installed, but it's not 
as much of a big deal as [the Workstation exploit]," he said.

Symantec is now warning of attack code targeting a third Windows flaw. 
On Thursday it said that exploit code has also been published for a flaw 
in the Client Service for Netware, which was also patched Tuesday.


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Fri Nov 17 2006 - 02:24:36 PST