July 17, 2003 1:24 PM PDT
Twin flaws have security pros worried
The two flaws--both made public on Wednesday--affect a large number of computers and devices connected to the Internet, and that could make the two weaknesses prime targets of attack, said Oliver Friedrichs, senior manager for incident response at security software firm Symantec.
"The ultimate concern is that we see something like Slammer or Code Red," he said. The Code Red worm and the Slammer worm were two of the worst Internet attacks in the past few years and disrupted corporate networks by infecting servers and inundating parts of the Internet with data.
The Microsoft flaw could lead to another such incident, warned Friedrichs. The software titan released an advisory on Wednesday warning that every computer running any version of Microsoft Windows, except for Windows ME, had a vulnerability that could allow an attacker to take control of the computer.
While the flaw is in a service that normally wouldn't be available over the Internet--if the system's owner followed strong security guidelines--many companies and home users may inadvertently have systems that are connected directly to the Internet and aren't protected by a firewall, said Marc Maiffret, chief hacking officer with security software firm eEye Digital Security.
"All it takes is for them to have one computer connected to the Internet," said Maiffret. "If one thing on the inside gets infected, then all hell is going to break loose."
In the past, such incidents haven't targeted the Internet infrastructure, but Maiffret worried that a combined attack could disrupt many networks.
"There is always the scare factor of two flaws coming out at the same time--that someone might create a worm that levels both," he said. "That sort of thing has happened before...but has never happened with two flaws this widespread."
Two years ago, a worm spread to thousands of servers, infecting Sun Microsystems computers and then leveling an attack against Microsoft Windows Web servers, defacing them. The worm, known as Sadmind, showed the potential for worms that used more than a single flaw to attack systems.
The flaw in Cisco's systems is a likely target for such an attack. The flaw, first reported by CNET News.com on Wednesday, could allow an attacker to stop traffic from flowing through vulnerable network hardware. After being advised of the flaw on Tuesday by Cisco, Internet service providers scrambled Wednesday and Thursday to plug the holes.
Telecommunications giant AT&T had many of its thousands of routers patched by early Thursday morning, AT&T spokesman David Johnson said.
"The ball is rolling," he said. "A good number of our routers have been checked off."
Telecommunications provider Sprint had jumped on the issue as well, working late Wednesday and finishing the updates by Thursday morning, spokesman Charles Fleckenstein said.
"We finished this morning, and everything seems to be chugging along as normal," he said.
With ISPs closing the security hole, the danger of any mass disruption is greatly lessened. Moreover, technical details of the flaws aren't yet readily available, eEye's Maiffret said.
"I don't think a lot of people will be able to figure out how to write exploits for these flaws, because there are so few details," he said, adding that, the more time that companies and ISPs have for patching flaws, the better.