Slashdot Mirror


Microsoft Bracing for Worm Attack

10010010 writes "A network worm attack targeting a critical Microsoft Windows vulnerability appears inevitable. The flaw is easy to exploit, as evidenced by the quick release of an exploit module for HD Moore's Metasploit Framework. Within hours of the Patch Day release Tuesday, two pen testing companies (Immunity and Core) created and released 'reliable exploits' for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1."

15 of 256 comments

  1. So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Insightful
    This article mentions the 23 patches that Microsoft released. It then goes on to say:
    Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.
    And mentions that
    Aitel's company was able to reverse-engineer Microsoft's patch and create a working exploit in less than 24 hours.
    So are they saying that Microsoft is preparing for fallout from a new exploit that utilizes hastily written code from the latest series of patches? Is that what the pen companies reverse engineered? Or is Microsoft waiting for all the people who didn't patch their systems to be hit with what the DHS warned about and Microsoft fixed?

    I'm confused and I'd like to know if my building's Windows administrator needs to be put on suicide watch. He was up all night last night. From what it sounds like, he spent all that time trying to increase the security of our machines when he was really just altering the application so that the virus that came out 24 hours later would be able to attack the machines ... there is one non-Windows machine in my lab. I think I'll use that one today.
    1. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Insightful

      The fix for MS06-040 is KB921883, which is part of the recent batch of critical updates from Microsoft.
      TFA is confusing because it makes it appear as though the latest MS updates *cause* this vulnerability, while in actual fact they *fix* it.

    2. Re:So, an Exploit For a Patch? by OriginalArlen · · Score: 3, Insightful

      Immunity RE'd the patch to find the original vulnerability. The exploit attacks unpatched machines. Sorry if you were being sarcastic or weird or something (I find it hard to tell the difference.) Anyway, CANVAS (which costs mucho dineros) is not the problem. I'd be more inclined to worry about the (free) Metasploit Framework exploit, by H D Moore - it only works on XP SP1, W2K3 SP0 and W2K, but there are probably still lots of machines out there in those categories. You may remember Mr Moore, he it was who wrote the DCOM exploit in - when was it, January 2004 I think? - the exploit code which was subsequently ripped and repackaged as the Blaster worm.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    3. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 1, Insightful

      Consequently even the users of well-administered Windows computers and other operating systems will feel the fallout of this vulnerability.

      Nope. Well-administered machines don't have ports 139 and 445 open to public networks. This imminent danger requires many factors including people not patching machines, which means they would have had to configure auto-update to not update; they would also have to not have a firewall and specifically have those already bad ports open to the internet. If someone has an unpatched machine with those ports open to the internet, something has already happened to that PC; another worm is the least of their worries.

  2. Not really that serious by $RANDOMLUSER · · Score: 5, Insightful
    From TFA:
    In most enterprises, Pescatore said the use of firewalls and the automatic blocking of TCP ports 139 and 445 should help mitigate the risk. However, he cautioned against IT administrators letting their guards down.
    If you have 139 or 445 exposed to the Internet, you've already been infected with something.
    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Not really that serious by 140Mandak262Jamuna · · Score: 5, Insightful
      Well, in almost all companies and most homes the ports 137-139 and 445 are blocked at the firewall. But internally these ports are open, otherwise file sharing/printer sharing inside the network is impossible. True, it won't be serious as long as the firewall holds. But all it takes is one home user bringing an infected laptop to work and plugging it in, and all hell breaks loose. I had an old NT4.0 machine just to support old releases of our product and for debugging. A salesman from Taiwan came in, plugged his laptop in and I was hosed. Worse, the worm was probing the rest of the corporate network so seriously that network traffic slowed to a crawl in the company. All the top management knew was that I had an unpatched old computer in the network and compromised the company intranet and lost half their work day.

      How easy is it to bring an infected laptop and plug it in behind the firewall? Our salesmen travel all over the world, plug into an untold number of hotel intranets and wi-fi cafes. They leave these two ports open when plugged into the company intranet. Do they always remember to close these ports when they work on an untrusted network connection? Chances of infection are great. Chances of them bringing the infection behind the firewall into the corporate network are great. I would not hastily dismiss it nonchalantly.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
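
Two of the posts above make concrete, checkable claims: a well-administered network does not accept TCP 139/445 from public addresses, and the real risk is an already-infected laptop plugged in behind the firewall and sweeping the LAN on those same ports. The script below, added as a worked example and not part of the thread or of any product it mentions, runs both checks over firewall log lines. The log format, the sample lines, the RFC 1918 definition of "internal", and the thresholds (five distinct SMB targets inside sixty seconds) are assumptions made here for illustration.

```python
"""Two defender-side checks over firewall log lines (added example; constructed format).

1. find_smb_sweeps: an internal host touching many distinct peers on TCP 139/445
   in a short window. Both ACCEPT and DROP lines count: a worm's probes are
   usually blocked, but the probing itself is the signal.
2. find_public_smb_exposure: an ACCEPTed connection to TCP 139/445 from an
   address outside RFC 1918 space, i.e. SMB reachable from the Internet.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

SMB_PORTS = {139, 445}

# "Internal" is defined explicitly as RFC 1918 space rather than via
# ipaddress's is_private/is_global, which also treat documentation ranges
# such as 198.51.100.0/24 as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed log line layout: "<ISO timestamp> <ACCEPT|DROP> <src_ip> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample: 192.168.1.50 sweeps six neighbours on 139/445 in four
# seconds (an infected laptop), 192.168.1.20 is normal file-server traffic,
# and 198.51.100.7 reaches port 445 from outside (exposure).
LOG_SAMPLE = """
2006-08-10T09:00:01 DROP 192.168.1.50 -> 192.168.1.10:445
2006-08-10T09:00:02 DROP 192.168.1.50 -> 192.168.1.11:445
2006-08-10T09:00:02 DROP 192.168.1.50 -> 192.168.1.12:445
2006-08-10T09:00:03 ACCEPT 192.168.1.50 -> 192.168.1.13:445
2006-08-10T09:00:03 DROP 192.168.1.50 -> 192.168.1.14:139
2006-08-10T09:00:04 DROP 192.168.1.50 -> 192.168.1.15:445
2006-08-10T09:00:05 ACCEPT 192.168.1.20 -> 192.168.1.10:445
2006-08-10T09:00:06 ACCEPT 192.168.1.20 -> 192.168.1.10:445
2006-08-10T09:05:00 ACCEPT 198.51.100.7 -> 192.168.1.10:445
2006-08-10T09:05:01 DROP 198.51.100.8 -> 192.168.1.10:139
2006-08-10T09:05:02 ACCEPT 198.51.100.9 -> 192.168.1.10:80
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "port": int(m["port"]),
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_sweeps(events, min_targets=5, window_seconds=60):
    """Map source -> peak number of distinct 139/445 targets seen inside one window."""
    per_src = defaultdict(list)
    for e in events:
        if e["port"] in SMB_PORTS:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    sweeps = {}
    for src, hits in per_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            sweeps[str(src)] = best
    return sweeps


def find_public_smb_exposure(events):
    """List (src, dst, port) for ACCEPTed SMB connections from non-RFC1918 sources."""
    return [
        (str(e["src"]), str(e["dst"]), e["port"])
        for e in events
        if e["port"] in SMB_PORTS and e["action"] == "ACCEPT" and not is_internal(e["src"])
    ]


def analyze_log(text):
    """Run both checks over raw log text; returns (sweeps, exposures)."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return find_smb_sweeps(events), find_public_smb_exposure(events)


if __name__ == "__main__":
    sweeps, exposures = analyze_log(LOG_SAMPLE)
    print("SMB sweeps (src -> distinct targets):", sweeps)
    print("SMB accepted from public addresses:", exposures)
```

The sweep check deliberately counts dropped probes: on a LAN where the perimeter firewall holds, the first visible sign of the scenario described above is one internal address fanning out to many neighbours on 139/445, not a successful connection. The thresholds are a starting point; a real deployment tunes them against the normal behaviour of file servers and management hosts, which legitimately talk to many peers.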
    2. Re:Not really that serious by laffer1 · · Score: 2, Insightful

      What? That's your solution? Flood the internet traffic even more! Besides, a worm is spread by people who can't or don't know how to patch. You're not helping anything by doing that.

  3. It's been a while by ronanbear · · Score: 5, Insightful
    Since there have been any worms attacking new exploits. I'd even begun hearing from some people that the days of Blaster style attacks are over.

    This should remind Windows users about complacency.

    --
    the more they over-think the plumbing the easier it is to stop up the pipe
  4. Ummm... by Anonymous Coward · · Score: 5, Insightful

    Tell your "neighbor" that if he doesn't want to pay for an OS, that he shouldn't be using Windows.

    But if he's too fucking cheap to get an OEM copy or something and too fucking stupid to bypass the WGA, he should be prepared to have his ass handed to him when this shit hits.

    I'd recommend him going to ubuntu.com, though.

  5. Looking for fame and fortune by brian23 · · Score: 5, Insightful

    So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos? Impressive as it may sound, I would be more interested to hear of a company discovering a vulnerability and releasing it to Microsoft so it can be patched. If I can't create a virus/worm to wreak havoc on Windows machines, what makes these companies able to reverse-engineer and release the "0-day" exploit? It almost seems unethical. Also, it seems like Immunity and others are trying to make a name for themselves rather than being interested in user security.

    1. Re:Looking for fame and fortune by OriginalArlen · · Score: 4, Insightful
      So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos?

      Nope, they do it to make money from selling the superb CANVAS product to penetration testers and other security professionals. They couldn't give a rat's ass what some random fucko on Slashdot thinks of it. Sorry to be the bearer of bad news... ;p

      --

      Everything I needed to know about life, I learnt from Blake's Seven
  6. Re:File Servers by Anonymous Coward · · Score: 1, Insightful
    Our enterprise file servers run w2k3sp1... Those ports are open on these machines. Basically we have to hope that no one brings infection inside.
    No, you have to patch them already. One at a time if you're that paranoid about breaking something.
  7. Any comment from DHS? by 192939495969798999 · · Score: 1, Insightful

    I wonder what the DHS has to say about this, having just the other day told us all to patch all our Windows systems.

    --
    stuff |
  8. maybe not so STUPID by Gary+W.+Longsine · · Score: 3, Insightful
    Any netadmin that allows VPN connected networks full access to their internal nets is an idiot who needs to get fired VERY soon.
    Your assertion seems obvious on the face of it, but it fails to consider the effects of bureaucracy and complexity, which are real and profound. Many systems administrators are restrained from improving the security posture of networks and systems in "obvious" ways because the business has "requirements" which prevent it. Many of these requirements are derived, in turn, from the tangled complexity of interlocking capabilities and limitations of various network, systems, and software. Suppose your VPN was established to allow 5000 employees scattered around the country access to hundreds of servers scattered around, too. You might say the architecture is flawed, and it might well be, but if you're the admin and you didn't get to make those decisions then you probably also don't get to just decide to shut down VPN access to Windows ports 139, 445 and so forth.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:maybe not so STUPID by lonecrow · · Score: 2, Insightful

      I am a freelancer and it is sometimes hard to get clients to pay for proper (secure) work. When I was starting out and a client asked me for a cheaper option I would lay out the options and the risks. I justified it by saying "Hey, I told them the risks and it's their system and their decision."

      I don't do that anymore. It's like telling kids they can play in traffic if they really want to and are aware of the risks.

      If they won't pay to have it built right they can hire someone else.