
February 17, 2004 8:26 AM PST

Code attacks Windows vulnerability

A piece of code that exploits a critical vulnerability that Microsoft issued a patch for only last week has been posted online, raising fears of an imminent MSBlast-style attack.

On Feb. 10, Microsoft released a patch that fixes a networking flaw that affects all Windows XP, NT, 2000 and Server 2003 systems. The company warned people to patch their systems, because the vulnerability could be exploited by virus and worm writers.

Four days after the patch was released, a piece of code was published on a French Web site that would let anyone exploit the vulnerability, meaning that unpatched customers could be hit with a worm similar to last summer's MSBlast, also known as Blaster.

Richard Starnes, director of incident response at telecommunications giant Cable & Wireless, told ZDNet UK that the code appears to work.

"We ran (the compiled code) against an unpatched XP and Windows 2000 SP3 system, and it took both systems down. It does a buffer overflow and immediately sends the PC into a reboot phase that you can't get out of," he said.

According to Starnes, the published attack could easily be turned into another MSBlast or Code Red type of "blended attack," in which the worm has two distinct modules: one for spreading and the other containing a payload.

"We have started seeing two-phase or two-tier worms--worms that have two attack vectors--one is a propagation vector and one is for launching an attack. The vast majority of worms we have seen only have a propagation payload. But with this one, you can have a propagation payload, and you can have a proper payload--being a DDoS (distributed denial-of-service) platform."

Jay Heiser, chief analyst at IT risk management company TruSecure, told ZDNet that the code on its own is simply a DDoS attack and can cause limited damage, but because it exploits a buffer overflow, it could be used to cause havoc. "A denial-of-service attack is the equivalent to letting the air out of a tire in a car. It is annoying to the driver and might be fun once or twice for the attacker, but it is not the same thing as allowing you to go for a joyride. The fact that the DoS attack works against the buffer overflow suggests a greater likelihood that a more sophisticated attack is possible," Heiser said.

Munir Kotadia of ZDNet UK reported from London.
