SecurityFocus, 2005-10-14
Security researchers published three code snippets on Thursday that exploit vulnerabilities in Microsoft's Windows, but none of them was a blueprint for taking advantage of the flaw that some experts believe will lead to the next widespread worm.
On Tuesday, Microsoft announced nine patches for a variety of security vulnerabilities in its Windows operating system. Among the flaws highlighted by the software giant was an issue in the Microsoft Distributed Transaction Coordinator, or MSDTC. Similar to the flaw that allowed the Zotob worm to spread through networks, the MSDTC vulnerability mainly affects Windows 2000 and can be exploited remotely. Several security researchers flagged the issue as a potential transmission vector for an Internet worm.
"The vulnerability itself is almost identical to the (Zotob) vulnerability," said Marc Maiffret, chief hacking officer for eEye Digital Security, the security firm that originally notified Microsoft of the flaw. "There is enough code out there that people can easily figure out how to exploit it."
The MSDTC vulnerability is the latest flaw that has network administrators and security researchers worried about a coming worm. Five days after Microsoft released a patch for a hole in its Windows operating system's Plug-and-Play capability, the Zotob worm used the flaw to spread throughout the Internet. The Sasser worm started spreading at the end of April 2004, about three weeks after Microsoft released patches for the Local Security Authority Subsystem Service, or LSASS, flaw used by the worm to spread.
As of Friday afternoon, no exploit for the security issue in the Microsoft Distributed Transaction Coordinator had been made public.
"Currently we've been told the exploit code is only available through third-party fee-based security offerings," Stephen Toulouse, program manager for Microsoft's Security Response Center, said in a posting to the company's security blog. "We're not currently aware of active attacks that use this exploit code or of customer impact at this time."
Microsoft has urged Windows users to apply the patch for the flaw, MS05-051.
Yet not everyone believes that Internet users need to worry, at least not right now. A security researcher for a company that has privately created an exploit for the MSDTC flaw maintained that any exploit would likely work only part of the time. To exploit the flaw, the attacker has to guess a particular address in memory, which makes each attempt hit or miss, said David Aitel, chief technology officer and principal researcher for security software firm Immunity.
"It is easy to create something, but how easy is it to create a good, reliable exploit--that's the question," Aitel said. "Worms tend to use the most reliable, stupid exploits. With the (Zotob) bug, it was really easy to create a good exploit."
A worm writer will not want an exploit that repeatedly crashes potential victims, he said.
Yet, a worm created to exploit the MSDTC security hole would have another advantage, according to Johannes Ullrich, chief technology officer for the Internet Storm Center, a group of volunteers that monitor Internet threats for the SANS Institute.
"The problem with (any MSDTC worm) is that it hits a nonstandard port which is not typically firewalled by Internet service providers, where the Zotob worm hit port 135, which typically is," Ullrich said. "So this could be more serious for home users."
Internet service providers routinely block the traffic of certain applications at their network edge. Windows file sharing has been a major security issue in the past, for example, so most ISPs block that protocol's port number at the network firewall. The Zotob worm spread over a protocol that many ISPs block, but MSDTC traffic is not something many ISPs filter, Ullrich said.
Moreover, the latest worm programs are typically built from bot software that allows modular add-ons, such as the ability to use new vulnerabilities to spread. Bot herders may only need to spread a worm to a few thousand machines, so a vulnerability with a smaller footprint, such as the MSDTC flaw, might actually be desirable, said eEye's Maiffret.
"There are still millions of Windows 2000 computers out there," he said. "Depending on how fast a worm comes out, a significant number may not be able to patch in time."