Exploit For Worst Bug Of August On The Loose
Microsoft posted a dozen patches
According to an advisory issued Wednesday by US-CERT, the arm of the Department of Homeland Security that disseminates information about developing computer threats, an active exploit of the buffer overflow bug in Windows' Server service has been confirmed.
"If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to execute arbitrary code with system privileges," US-CERT said in the warning.
In its MS06-040 security bulletin, Microsoft spelled out the problem with Server service, a component responsible for sharing of local resources such as drives and printers, with others on the network. Attackers could exploit the buffer overflow vulnerability, Microsoft said, without any user intervention.
Tuesday, security experts agreed that the MS06-040 bug was the worst of the 23 patched by Microsoft. That feeling only intensified Wednesday, as others, including Microsoft itself, weighed in.
"Potentially, there a lot of folks who could be vulnerable [to this vulnerability]," said Patrick Martin, senior product manager with Symantec's security response team. Add that to a hands-off exploitation of the bug and you have "a pretty potent combination," he added.
"Users may not even know [an attack] has happened."
For its part, Microsoft took the unusual step of highlighting the Server service flaw as the most critical of 16 critical bugs patched Tuesday. In an entry to the Microsoft Security Response Center's official blog, the team called out the vulnerability as first among equals.
"While we always recommend applying any updates rated "Critical" as soon as possible, we are recommending that customers give priority to MS06-040 for testing and deployment due to technical specifics around the vulnerability," the MSRC advised.
To emphasize the point, users who retrieved Tuesday's fixes via Windows or Microsoft Update were greeted with an additional "Addresses a critical security problem" notation below the listing for the MS06-040 update. The new line was color-coded in red.
Microsoft declined to elaborate further about the red-lettered warning or why it decided to debut the feature.
From comments made by other security analysts, the in-your-face alert was justified. "This is remotely exploitable," said Jonathan Bitle, product manager at security vendor Qualys. "We've seen this service exploited before with other worms, so it's definitely a concern."
Although large-scale worm attacks are almost a distant memory -- MSBlast, for instance, which exploited a similar Windows bug, broke three years ago this month -- Bitle said a worm attacking the newly-disclosed vulnerability was certainly possible. "There could be code out and available as we speak," he said. "It might be on the Web somewhere, though we haven't seen any yet."
The SANS Institute's Internet Storm Center made mention of impending threats, too. "[There has been] a lot of speculations about a possible worm," wrote Johannes Ullrich, the chief research officer for the ISC, on the organization's site. "But then again, worms are so 2004."
Maybe not.
"Criminals are in business to make money, and they'll try anything to get into your machine," said Symantec's Martin. "If they think this will work, they'll use it."
Microsoft offered alternatives for those who couldn't immediately deploy the patch, including blocking TCP ports 139 and 445 at the firewall.
"You should also watch the network traffic," advised Patrick. "If your security software is up to date, it should be able to spot the 'fingerprint' of the attack in the packet traffic."
Also on Tuesday, Microsoft posted a document to its support site that offers guidance on what update mechanisms can be used to deploy the August patches, including the one spelled out for MS06-040. The ISC urged enterprise users to turn to the document if they had trouble installing the fix.