Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Bracing for Worm Attack

Posted by ryuzaki0 on from the red-alert dept.

10010010 writes "A network worm attack targeting a critical Microsoft Windows vulnerability appears inevitable. The flaw is easy to exploit, as evidenced by the quick release of an exploit module for HD Moore's Metasploit Framework. Within hours of the Patch Day release Tuesday, two pen testing companies (Immunity and Core) created and released 'reliable exploits' for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1."

33 of 256 comments (clear)

  1. So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Insightful
    This article mentions the 23 patches that Microsoft released. It then goes on to say:
    Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.
    And mentions that
    Aitel's company was able to reverse-engineer Microsoft's patch and create a working exploit in less than 24 hours.
    So are they saying that Microsoft is preparing for fall out from a new exploit that utilizes hastily written code from the latest series of patches? Is that what the pen companies reverse engineered? Or is Microsoft waiting for all the people who didn't patch their systems to be hit with what the DHS warned about and Microsoft fixed?

    I'm confused and I'd like to know if my building's Window's administrator needs to be put on suicide watch. He was up all night last night. From what it sounds like, he spent all that time trying to increase the security of our machines when he was really just altering the application so that the virus that came out 24 hours later would be able to attack the machines ... there is one non-Windows machine in my lab. I think I'll use that one today.
    1. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Funny

      you can get the patch for the patch here

    2. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Informative

      It wasn't 23 patches: it was 12 patches that covered 23 vulnerabilities.

      Yes, it's worms exploiting the MS06-040 vulnerability that they're worried about.

      As long as you're properly firewalled from the rest of the world it can't get in but you should still get everything patched in case the worm gets inside your firewall e.g. as a trojan.

    3. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Informative

      They looked at the patch to find what is being patched, so now they know how to exploit the bug that is fixed by the patch. If your admin updated every Windows computer, you should be fine. The millions of unpatched systems on the internet however will most likely be wide open and added to botnets in a couple of days. Consequently even the users of well-administered Windows computers and other operating systems will feel the fallout of this vulnerability.

    4. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Insightful

      The fix for MS06-040 is KB921883, which is part of the recent batch of critical updates from Microsoft.
      TFA is confusing because it makes it appear as though the latest MS updates *cause* this vulnerability, while in actual fact they *fix* it.

    5. Re:So, an Exploit For a Patch? by IAmTheDave · · Score: 5, Funny

      Look, whatever the article says, it probably makes sense to ban all liquid or gell substances from any building that has Windows PCs, make all people stand in rediculously long lines to have their pocket books and napsacks security-checked for 8.5" floppy disks carrying said exploit, and even perhaps start a secret list of people who are banned by name from actually accessing a PC at all. I recommend the first name be John Smith, that bastard.

      Further, we should probably ban anyone that has dirt on their shoes, because I hear worms like dirt.

      Saftey first people. It may be an inconvenience, but it's all about your saftey, and the saftey of democracy across the world. We will prevail over the security-exploiters.

      --
      Excuse my speling.
      Making The Bar Project
    6. Re:So, an Exploit For a Patch? by tomstdenis · · Score: 4, Interesting

      Sadly "properly firewalled" also means from your peers inside your network. When I was in College it was routine for viruses to spread almost instantly in the labs where we had our own system drives (e.g. not locked down). Similarly at any sufficiently large office there is bound to be at least one complete f'ing idiot who clicks on all email attachments and thinks "browsing the net commando style" is top shit.

      Tom

      --
      Someday, I'll have a real sig.
    7. Re:So, an Exploit For a Patch? by TheGhostOfDerrida · · Score: 5, Funny

      I tried to read the article, but it got a little confusing... is this a worm for a patch? A patch for a worm? A patch for a patch? A worm for a patch for a patch? a patch for a worm for a patch for a patch? A worm that patches? A patch that worms? Patches for worms? Does my dog (patches) have worms? I lost interest. And I think the TV is on...

      --
      Paul: If you're reading this, pick your shoes up out of the hallway. I keep tripping over them. Slob.
    8. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Funny

      That's your own fault. You were supposed to stay away from liquids.

    9. Re:So, an Exploit For a Patch? by jrockway · · Score: 4, Funny

      And you can get the patch for Ubuntu here.

      --
      My other car is first.
  2. Not really that serious by $RANDOMLUSER · · Score: 5, Insightful
    From TFA:
    In most enterprises, Pescatore said the use of firewalls and the automatic blocking of TCP ports 139 and 445 should help mitigate the risk. However, he cautioned against IT administrators letting their guards down.
    If you have 139 or 445 exposed to the Internet, you've already been infected with something.
    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Not really that serious by 140Mandak262Jamuna · · Score: 5, Insightful
      Well, In almost all companies and most homes the ports 137-139 and 445 are blocked at the firewall. But internally these ports are open otherwise file sharing/printer sharing inside the network is impossible. True, it wont be serious as long as the firewall holds. But all it takes is one home user bringing an infected laptop to work and plug it in and all hell breaks loose. I had an old NT4.0 machine just to support old releases of our product and for debugging. A salesman from Taiwan came in plugged his laptop in and I was hosed. Worse, the worm was probing rest of the corporate network so seriously that network traffic slowed to crawl in the company. All the top management knew was that I had an unpatched old computer in the network and compromised the company intranet and lost half their work day.

      How easy it is to bring an infected laptop and plug it in behind the firewall? Our salesmen travel all over the world, plug into untold number of hotel intranets and wi-fi cafes. They leave these two ports open when plugged into company intranet. Do they always remember to close these ports when they work in an untrustable network connection? Chances of infection are great. Chances of them bringing the infection behind the firewall into the corporate network is great. I would not hastily dismiss it nonchalantly.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Not really that serious by telchine · · Score: 5, Funny

      I'm a Windows user.

      Can somebody please tell me what the hell a port is? :)

    3. Re:Not really that serious by walt-sjc · · Score: 4, Funny

      IMHO, you should not be blocking those ports at the firewall, but rather redirect them to a responder that floods the return path with copies of the Ubuntu ISO. Run QOS on your outbound and set it at a lower(est) priority than your normal traffic so it doesn't impact you.

    4. Re:Not really that serious by g-san · · Score: 4, Interesting

      Nah.... tarpit. Put a listener on those ports (you windows users will have to reboot into linux for this. try it, you'll like it.) Open the connection, read from the channel, then just sit there until the remote end times out. If the worm is stupid enough it will connect back to your PC a few times. That slows them down, and doesn't cause any harm to the net. Or send back three bytes of data every 20 seconds or so... the remote end will buffer it expecting more to come and stretch the timeout even further.

  3. It's been a while by ronanbear · · Score: 5, Insightful
    Since there's been any worms attacking new exploits. I'd even begun hearing from some people that the days of Blaster style attacks are over.

    This should remind Windows users about complacency.

    --
    the more they over-think the plumbing the easier it is to stop up the pipe
  4. Pen Testing? by devnullkac · · Score: 4, Funny

    OK, maybe I'm just missing an acronym/typo somewhere, but "pen testing?" Will the worms come through my Mont Blanc?

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
    1. Re:Pen Testing? by 1_brown_mouse · · Score: 5, Funny

      Ha Ha! I use a PaperMate and they have never been cracked due to superior design and stylishness. Its the simple interface.

  5. Re:Penetration Testing? by Anonymous Coward · · Score: 5, Funny

    "Pen" is a commonly used short term for "penetration" so you could interchange "pen testing" with "penetration testing."

    Or, in your case, you would request full pen videos when you go to video rental store.

  6. The Cyber Gnome, Denouncer of Computer Myths by krell · · Score: 4, Funny

    "The Cyber Gnome here. Denouncer of computer myths. Who needs to download security patches? I don't, and I've never had any prob%$#@@@@#^_@_#@ NO CARRIER"

    --
    Where were you when the voynix came?
  7. Let's mobilize by ericlondaits · · Score: 5, Funny

    From TFA:

    <blockquote>A spokesperson for Microsoft said it is difficult to predict the motives and actions of attackers but insisted the company is "watching round-the-clock" and actively encouraging customers to download the update immediately.

    "We will mobilize if something does happen," the spokesperson said.
    </blockquote>
    They'll mobilize? Mobilize? As in "get the heck out of here"? Or are they calling the [GI]Joes?

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    1. Re:Let's mobilize by TheRaven64 · · Score: 5, Funny
      "launch all vista"

      I think you mean:

      Take off all Vista! For great profit!

      There should probably be a 'We get worm! Main firewall turn on!' in there somewhere too.

      --
      I am TheRaven on Soylent News
  8. Re:The power of Homeland Security compels you! by skoaldipper · · Score: 5, Funny

    I have a red shield and X in my systray so I'm safe. I think it's a warning symbol for anyone trying to hack my box, like a medieaval coat of arms or something saying my computer is stronger than them.

    --
    I hope, when they die, cartoon characters have to answer for their sins.
  9. Ummm... by Anonymous Coward · · Score: 5, Insightful

    Tell your "neighbor" that if he doesn't want to pay for an OS, that he shouldn't be using Windows.

    But if he's too fucking cheap to get an OEM copy or something and too fucking stupid to bypass the WGA, he should be prepared to have his ass handed to him when this shit hits.

    I'd recommend him going to ubuntu.com, though.

  10. Not quite by jackmama · · Score: 5, Informative

    which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1

    HD Moore posted a followup to the Daily Dave mailing list admitting defeat on those two platforms:

    Time to eat my words. The wcscpy() destination pointer trick doesn't seem
    doable on XP SP2 or 2003 SP1. I don't believe you can exploit this bug
    for more than a DoS on 2003 SP2/XP SP1. If you have information to the
    contrary, please share.

    All other Windows platforms remain easily exploitable, though.

    1. Re:Not quite by jackmama · · Score: 4, Funny

      Windows XP SP2 is the current version of Windows. Has been for almost two years. Aside from Windows XP SP1 all other versions of Windows are no longer supported by Microsoft.

      Well, that's a relief. I was worried that millions of PCs and servers might still be out there running Windows 2000 and NT, and might help propagate some sort of worm. As long as all computers are magically running the currently-supported versions of Windows, I guess we're OK.

  11. Re:How will this effect unpatched pirated versions by skoaldipper · · Score: 5, Funny

    Your pirate neighbor should be ok. I'm pretty sure the green parrot on his shoulder will eat any worms. If not, the patch over his right eye is probably the most current out there.

    --
    I hope, when they die, cartoon characters have to answer for their sins.
  12. New Microsoft Windows mascot suggestion. by krell · · Score: 5, Funny

    Here's my suggestion for a new Microsoft Windows mascot. She's old enough to be public domain, she's tanned, she's rested, she's ready, and she's all patched to hell. All the better that Redmond is located in the vicinity of America's "Emerald City". Please, pay no attention to the borg behind the curtain.

    --
    Where were you when the voynix came?
  13. Pirate loading windows. by krell · · Score: 5, Funny

    Your pirate neighbor (what, do you live on a WHARF???) should be able to get around this by launching his Windows in pirate mode. He has to boot to the command line, and then enter WIN.EXE -R -R -R. Also, has he considered the eyepatched system? It might be more useful to him than the "unpatched system" you mentioned.

    --
    Where were you when the voynix came?
  14. Looking for fame and fortune by brian23 · · Score: 5, Insightful

    So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos? Impressive as it may sound, I would be more interested to hear of a company discovering a vulnerability and releasing it to Microsoft so it can be patched. If I can't create a virus/worm to wreak havoc on Windows machines, what makes these companies able to reverse-engineer and release the "0-day" exploit? It almost seems unethical. Also, it seems like Immunity and others are trying to make a name for themselves rather than being interested in user security.

    1. Re:Looking for fame and fortune by OriginalArlen · · Score: 4, Insightful
      So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos?

      Nope, they do it to make money from selling the superb CANVAS product to penetration testers and other security professionals. They couldn't give a rat's ass what some random fucko on Slashdot thinks of it. Sorry to be the bearer of bad news... ;p

      --

      Everything I needed to know about life, I learnt from Blake's Seven
  15. Re:File Servers by Professor_UNIX · · Score: 4, Funny
    Our enterprise file servers run w2k3sp1... Those ports are open on these machines. Basically we have to hope that noone brings infection inside.
    That would be impossible unless you have users that have laptops that they take outside the office or users that browse the web or receive e-mail to their desktops or users that connect remotely from their homes via dialup or VPNs. All very unlikely scenarios in any modern business environment.
  16. Pen Testing explained by krell · · Score: 4, Funny

    The "pen test" is to see whether it much easier, faster, safer, and cheaper to create a document using a pen and paper compared to booting up the computer and doing it there.

    --
    Where were you when the voynix came?