Slashdot Mirror


Microsoft Bracing for Worm Attack

10010010 writes "A network worm attack targeting a critical Microsoft Windows vulnerability appears inevitable. The flaw is easy to exploit, as evidenced by the quick release of an exploit module for HD Moore's Metasploit Framework. Within hours of the Patch Day release Tuesday, two pen testing companies (Immunity and Core) created and released 'reliable exploits' for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1."

11 of 256 comments

  1. File Servers by slidersv · · Score: 1, Informative

    Our enterprise file servers run w2k3sp1... Those ports are open on these machines. Basically we have to hope that no one brings infection inside.

    --
    there is no issue with my network
  2. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Informative

    It wasn't 23 patches: it was 12 patches that covered 23 vulnerabilities.

    Yes, it's worms exploiting the MS06-040 vulnerability that they're worried about.

    As long as you're properly firewalled from the rest of the world it can't get in but you should still get everything patched in case the worm gets inside your firewall e.g. as a trojan.

  3. The Patch by nherc · · Score: 2, Informative
    --
    'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
  4. Not quite by jackmama · · Score: 5, Informative

    which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1

    HD Moore posted a followup to the Daily Dave mailing list admitting defeat on those two platforms:

    Time to eat my words. The wcscpy() destination pointer trick doesn't seem
    doable on XP SP2 or 2003 SP1. I don't believe you can exploit this bug
    for more than a DoS on 2003 SP2/XP SP1. If you have information to the
    contrary, please share.


    All other Windows platforms remain easily exploitable, though.

  5. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Informative

    They looked at the patch to find what is being patched, so now they know how to exploit the bug that is fixed by the patch. If your admin updated every Windows computer, you should be fine. The millions of unpatched systems on the internet however will most likely be wide open and added to botnets in a couple of days. Consequently even the users of well-administered Windows computers and other operating systems will feel the fallout of this vulnerability.

  6. Re:So, an Exploit For a Patch? by blowdart · · Score: 3, Informative

    So are they saying that Microsoft is preparing for fall out from a new exploit that utilizes hastily written code from the latest series of patches? Is that what the pen companies reverse engineered?

    Wrong conclusion I think. More likely the reverse engineering is comparing the patched and unpatched code and actually working out what the exploit is, then writing the code to use it. (this is why the behaviour of the Rails team holding back details of their exploit is rather weird; especially when the source is around)

  7. Re:Any comment from DHS? by DimGeo · · Score: 3, Informative

    Actually, the article is misleading. The patch *fixes* the bug, it doesn't introduce it.

  8. Re:Not really that serious by Corbets · · Score: 3, Informative

    Unfortunately, it's not that easy. You can (and most everyone does) block those ports at the firewall level. However, people that VPN in or connect via dialup, people who previously connected via the wireless at the local Panera, and either disabled their software firewall or just kept using their machine after that particular piece of software crashed.... they're infected, and when they VPN in, they go right through that precious firewall.

    Every.layer.Every.step.Every.machine.Must.be.secured.and.patched.

    It is, unfortunately, the only way.

  9. Re:So, an Exploit For a Patch? by tomstdenis · · Score: 2, Informative

    "going commando" means no underwear not no pants.

    I was trying to morph it into "browsing the net without anything in between".

    Tom
    [ I still hate Jon Callas ]

    --
    Someday, I'll have a real sig.
  10. Re:So, an Exploit For a Patch? by bwcarty · · Score: 2, Informative

    But to the British, pants are undergarments (worn under trousers.)

  11. Re:Not really that serious by mdarksbane · · Score: 3, Informative

    Yep, the company I used to work for made a product to stop just that.

    One of the emerging areas in enterprise security is so-called "endpoint" security solutions, that will verify whether a user plugging into a corporate network has
    1) approved virus software with updated definitions.
    2) an approved firewall
    3) Any software updates that the techies have deemed required.

    If you don't, you get shunted off to a quarantined part of the network with instructions on how to obtain the software to make you compliant.

    On the one hand, it sounds like a pain to set up and annoying for the users (and as it usually requires DHCP enforcement can be bypassed by someone who knows the network), and we didn't run it at our own company, but on the other hand I bet that if they required it at the university I went to the virus problem there would have been much more controlled.
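
The admission check described in the last comment, sketched as an added example (not code from the thread or from any product). The policy values, segment names and sample endpoints are constructed assumptions; only the MS06-040 bulletin id comes from the discussion.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical policy: every value here is an assumption made for illustration.
APPROVED_AV = {"ExampleAV"}
APPROVED_FIREWALLS = {"ExampleFW"}
REQUIRED_UPDATES = {"MS06-040"}          # bulletin named in the thread
MAX_DEFINITION_AGE = timedelta(days=7)

@dataclass
class Posture:
    """What a (constructed) endpoint agent reports when it joins the network."""
    host: str
    av_product: str | None
    av_definitions: date | None
    firewall: str | None
    firewall_enabled: bool
    installed_updates: set[str] = field(default_factory=set)

def evaluate(p: Posture, today: date) -> tuple[str, list[str]]:
    """Return (network segment, remediation steps); any failure means quarantine."""
    fixes = []
    if p.av_product not in APPROVED_AV:
        fixes.append("install approved antivirus")
    elif p.av_definitions is None or today - p.av_definitions > MAX_DEFINITION_AGE:
        fixes.append("update antivirus definitions")
    if p.firewall not in APPROVED_FIREWALLS:
        fixes.append("install approved firewall")
    elif not p.firewall_enabled:
        fixes.append("enable firewall")
    # Required updates are checked as a set difference so new bulletins
    # only need to be added to the policy.
    for update in sorted(REQUIRED_UPDATES - p.installed_updates):
        fixes.append(f"install update {update}")
    return ("quarantine" if fixes else "production", fixes)

# Constructed sample endpoints: a stale VPN laptop and a patched desktop.
TODAY = date(2006, 8, 11)
LAPTOP = Posture("vpn-laptop", "ExampleAV", date(2006, 7, 1), "ExampleFW", False)
DESKTOP = Posture("desk-01", "ExampleAV", date(2006, 8, 9), "ExampleFW", True, {"MS06-040"})

if __name__ == "__main__":
    for ep in (LAPTOP, DESKTOP):
        segment, fixes = evaluate(ep, TODAY)
        print(ep.host, segment, fixes)
```

The decision is only as strong as the point where it is enforced; the comment above notes that DHCP-based enforcement can be bypassed by someone who knows the network.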