Exploit out for Zotob-like Windows flaw

Exploit code was published Friday for a Windows flaw similar to the vulnerability that led to the Zotob worm that wreaked havoc in August.

The code takes advantage of a bug related to plug-and-play technology in Windows 2000 and Windows XP. Microsoft provided a patch for the flaw on Oct. 11 in security bulletin MS05-047, along with fixes for 13 other Windows flaws. The software maker rated the issue "important."

The plug-and-play exploit code is not the first to surface for a flaw that was fixed in Microsoft's October patch cycle. Other exploits have been published on the Internet or reported privately. Release of such code typically is a prelude to an attack. However, while some experts have raised the worm alarm, attacks have yet to appear.

The exploit causes a vulnerable system to crash, but it's unlikely to be used for a worm, a Symantec representative said. "It does not gain local access to machines," the representative said.

A Microsoft representative said Friday that the company is aware of the latest exploit code, but noted that no attacks were reported. "Microsoft is actively monitoring this situation to keep customers informed," the representative said in an e-mailed statement.

The vulnerability lies in the same Windows component that Microsoft provided a patch for two months ago. That flaw led to the spread of the Zotob worm, which took down systems across the U.S., including at cable news station CNN, television network ABC and The New York Times.

Microsoft urges users to apply the MS05-047 patch. Users who updated their system with the MS05-039 fix delivered in August are somewhat protected against this flaw as well, the company said. However, if that patch is not installed, the latest flaw could be exploited remotely by an anonymous user on Windows 2000 systems, the company said.

[bytehead]

Already exploited?

I have either seen or heard of 4 machines, 1 Win2000, the rest WinXP that have suffered malicious attacks. The 2000 box was still able to boot, but the registry is so badly damaged that not much else can be done with it. The other three machines have registry errors so bad that they will not boot, regardless of what kind of boot, safe or normal, that is chosen.<br /><br />The 2000 machine has GoBack running on it, and I discovered that it was rebooting constantly every 10 minutes when no one was at home to see what was going on. That machine was hit around 10/14. The machine also had a rootkit installed on it, which may be a factor as well. I was indeed reminded of Zotob when I tried to deal with it.<br /><br />The XP machines have all shown the same problem. They were running just fine, then they managed to be reset, and then the registry was damaged. It just amazes me that I'm seeing this problem so often right now, I figured it had to be something new.<br /><br />The last time I dealt with a new virus that was brand spanking new was the F---ing Butterflies virus from the early 90's. The biggest offender? A network administrator that got it to spread like fire among 4 different file servers (when she was really only supposed to have full access to one!)

Exploited Long Ago........

This is NOT the dawn of a new entry point, the browser is still <br />the open door to all those underlying Windows OS calls that are <br />getting used.<br /><br />The fact that critical business data, and the millions of private <br />and corporate users info is at stake makes the Internet Explorer <br />and Windows OS interconnect all the more sinister and ripe for <br />the underworld to prey on.<br /><br />As far as this current explot news, or the next one, or the last <br />15, dont you think that Microsoft has exploited its customers <br />long ago when it used this same IE OS integration to get rid of <br />the Netscape browser.<br /><br />count your nickels, cause you will be needing them for the daily <br />parking meter fees you are gonna pay to maintain that PC

[rbannon]

So what should we do?

Windows, as we all know is pervasive, and is not going away. At <br />work, I have my Mac OS X box connected to a very large <br />Windows network, I run snort on occasion and I am shocked at <br />how much malicious activity occurs. When I try to tell IT they <br />just act like it's normal. My box is self-managed and I believe it's <br />secure, my IT decided to leave my box pretty much wide open (I <br />can log on from anywhere) and I wonder why sometimes. They <br />certainly wouldn't do that to one of their managed Windows <br />boxes, but my unmanaged (I'm a teacher) Mac OS X box is a <br />target waiting for a savvy attacker. In many ways I think my IT <br />staff is waiting (years now) for me to announce that my box has <br />been hacked.<br /><br />Oh, I almost forgot, my IT staff can not, and will not, answer any <br />Mac questions. Fortunately, I have none.<br /><br />Any thoughts?<br /><br />Free iPods are here: <a class="jive-link-external" href="http://ipods.freepay.com/?r=22990096" target="_newWindow">http://ipods.freepay.com/?r=22990096</a>

why patch your os?

Running a firewall eliminates the ability to exploit the majority of vulnerabilities for an operating system.