November 16, 2006 1:54 PM PST
Experts raise Windows security alarm
The code takes advantage of a security hole in a key operating system component that routes file system and print requests called the "Workstation Service." On Windows 2000 systems, the flaw could be exploited via the Net by an anonymous attacker without any user interaction, raising the possibility of the arrival of a Zotob-like worm.
"Somebody could write a piece of code that targets Windows 2000, and that replicates itself, and then you would have a worm go around the Internet," said Monty IJzerman, senior manager in McAfee's Global Threat Group.
The public release of the exploit code comes only two days after Microsoft provided a fix for the flaw. That means that many vulnerable systems might still be unpatched. While Windows 2000 is an older operating system, it is still broadly used, primarily in businesses, said vulnerability management company Qualys.
"We scan about 10 million hosts every month, and at least 25 percent of those still run Windows 2000," said Amol Sarwate, a research manager at Qualys. Typically, it takes IT departments between five and eight days to apply a critical patch because of compatibility testing, he said.
Both McAfee and Qualys say a Zotob-like worm attack is probable. In August last year, Zotob slithered into Windows 2000 systems through a hole in the plug-and-play feature in the operating system. Zotob surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.
Microsoft is aware of the "detailed exploit code" for the Workstation Service vulnerability, which was addressed by security bulletin MS06-070, a company representative said. The software maker is studying the code and plans to publish a security advisory to inform customers, the representative said.
The Workstation Service is a key part of Windows that can't be turned off or easily protected by a firewall, Sarwate noted. "Really, the only solution is to apply the patch as soon as possible," he said. Microsoft does offer some workarounds for the flaw in its security bulletin.
Also on Thursday, security vendor Immunity said it has created exploit code for two other Windows flaws. However, these blueprints are private, meaning they are supplied to users of its penetration-testing tool and are not publicly available.
The two flaws are covered by Microsoft alert MS06-066, which deals with issues that could put Windows 2000 and Windows XP systems at risk from worms. The bugs affect Microsoft's Client Service for NetWare and the NetWare Driver, which let Windows systems access network services on servers running Novell NetWare.
Microsoft also provided fixes for these vulnerabilities on Tuesday, its monthly patch release day. It rated the issues as "important"--one step below its most severe "critical" rating--because the vulnerable components are not installed by default.