Microsoft: Windows XP PCs Could Be Vulnerable To Zotob-Like Attack - InformationWeek

03:31 PM

Microsoft advises XP users to be sure to upgrade to SP2, or at least apply the appropriate patch.

The Plug and Play vulnerability that led to last week's Zotob blitz on Windows 2000 machines poses a major risk to some Windows XP systems, Microsoft confirmed early Wednesday.

PCs running Windows XP or Windows XP SP1 in certain non-default configurations are open to Zotob-style attack, the Redmond, Wash.-based developer said in a new security advisory posted on its Web site.

Originally, Microsoft said that all Windows XP machines, including those running the first service pack (SP1), were immune from remote attack and were only vulnerable if the attacker had valid log-on credentials. "The vulnerability could not be exploited remotely by anonymous users," Microsoft said in the bulletin issued on August 9.

Apparently not true.

"We are now aware of a very narrow and limited case on Windows XP SP1 whereby an unauthenticated attack might be possible," said Debby Fry Wilson, the director of Microsoft's Security Response Center, in a blog entry Wednesday.

"It's pretty specific (and to reiterate, if you are on Windows XP SP2 or have applied MS05-039, you are not impacted by this). But in the interests of making sure people have the right information to assess their risk we are providing an advisory as a precaution."

The potential attack vector lies in how some Windows XP and XP SP1 machines are configured, Wilson added. If users have enabled "Simple File and Print Sharing" at home or in a workgroup, the "Guest" account could be used by hackers to attack the machine.

"Domain users of Windows XP SP1 aren't impacted by this scenario at all," Wilson went on. "This is very specific to the 'Guest' account when 'Simple File and Print Sharing' has been enabled on Windows XP SP1 in a home or workgroup environment."

Because most enterprise machines are joined to an Active Directory domain -- and these machines are not vulnerable to such an attack -- it's unlikely corporate computers would be targeted.

Symantec's research arm said Wednesday in several customer alerts that it had discovered the Windows XP vulnerability, and had been able to "perform anonymous remote exploitation" against Windows XP and XP SP1 systems when Simple File and Print Sharing had been enabled on a PC not connected to an Active Directory domain.

It also noted that there was an exception to the no-problem rule for PCs linked to a domain, however. "Configuring a Windows XP host to share network resources prior to joining an Active Directory Domain will leave it in the vulnerable state even after the Domain is joined," the Symantec advisory stated.

PCs that have had the August 9 patch deployed are immune to the new threat, as are Windows XP SP2 and Windows Server 2003 boxes.

Several workarounds can be used if patching isn't possible, Microsoft and Symantec noted. They include blocking TCP ports 139 and 445 at the firewall and disabling the Guest account. Instructions are available in the "Suggested Actions" section of the Microsoft security advisory.
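The exposure conditions and workarounds spelled out above (OS and service pack, the August 9 patch, domain membership with Symantec's "shared before joining" exception, Simple File and Print Sharing, the Guest account, and the port-blocking and Guest-disabling workarounds) can be written down as a small triage function for a host inventory. The following is an added example, not Microsoft's or Symantec's tooling; the `HostConfig` fields are assumptions about what an inventory export would carry, and the sample hosts are constructed records, not real machines.

```python
"""Triage host records against the MS05-039 Plug and Play exposure conditions
described in the article. Added example; not vendor tooling. HostConfig fields
and SAMPLE_HOSTS are assumptions/constructed data."""
from dataclasses import dataclass


@dataclass
class HostConfig:
    name: str
    os: str                    # "Windows 2000", "Windows XP" or "Windows Server 2003"
    service_pack: int          # 0 = no service pack installed
    ms05_039_applied: bool     # the August 9 patch is deployed
    domain_joined: bool        # member of an Active Directory domain
    simple_file_sharing: bool  # XP "Simple File and Print Sharing" enabled
    guest_enabled: bool        # local Guest account enabled
    shared_before_domain_join: bool = False  # Symantec's exception case


def exposure(host: HostConfig):
    """Classify a host against the advisory's conditions.

    Returns (status, reasons); status is one of
      'patched'                MS05-039 installed
      'not-affected'           Windows XP SP2 or Windows Server 2003
      'remote-unauthenticated' reachable by an anonymous attacker (Zotob-style)
      'authenticated-only'     exploitable only with valid log-on credentials
    """
    if host.ms05_039_applied:
        return "patched", ["MS05-039 installed"]
    if host.os == "Windows Server 2003":
        return "not-affected", ["Windows Server 2003 is not affected"]
    if host.os == "Windows XP" and host.service_pack >= 2:
        return "not-affected", ["Windows XP SP2 is not affected"]
    if host.os == "Windows 2000":
        return "remote-unauthenticated", ["unpatched Windows 2000 (the Zotob target)"]
    if host.os == "Windows XP":
        # A domain member is exempt unless it was sharing resources before it
        # joined the domain; Symantec notes that leaves it in the vulnerable state.
        workgroup_like = (not host.domain_joined) or host.shared_before_domain_join
        if workgroup_like and host.simple_file_sharing and host.guest_enabled:
            reasons = ["Windows XP SP%d without MS05-039" % host.service_pack,
                       "Simple File and Print Sharing enabled",
                       "Guest account enabled",
                       "shared resources before joining the domain"
                       if host.domain_joined
                       else "not joined to an Active Directory domain"]
            return "remote-unauthenticated", reasons
        return "authenticated-only", [
            "Windows XP SP%d without MS05-039; the Guest/workgroup case does not apply"
            % host.service_pack]
    return "unknown", ["OS %r is not covered by the advisory" % host.os]


def mitigations(host: HostConfig):
    """Workarounds named in the advisory for hosts that are still exposed."""
    status, _ = exposure(host)
    if status in ("patched", "not-affected"):
        return []
    steps = ["apply MS05-039 (or, on Windows XP, upgrade to SP2)",
             "block TCP ports 139 and 445 at the firewall"]
    if host.os == "Windows XP" and host.guest_enabled:
        steps.append("disable the Guest account")
    return steps


# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = [
    HostConfig("home-xp", "Windows XP", 1, False, False, True, True),
    HostConfig("corp-xp", "Windows XP", 1, False, True, True, True),
    HostConfig("corp-xp-shared-first", "Windows XP", 1, False, True, True, True,
               shared_before_domain_join=True),
    HostConfig("xp-sp2", "Windows XP", 2, False, False, True, True),
    HostConfig("w2k-file-srv", "Windows 2000", 4, False, True, False, False),
    HostConfig("patched-xp", "Windows XP", 1, True, False, True, True),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        status, reasons = exposure(h)
        print("%-22s %-22s %s" % (h.name, status, "; ".join(reasons)))
        for step in mitigations(h):
            print("%-22s   -> %s" % ("", step))
```

The ordering of the checks matters: the patch and SP2 tests come first because they settle the question regardless of sharing or domain state, and the domain-join exemption is only consulted for unpatched XP RTM/SP1 hosts, where the "shared before joining" flag reverses it.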

Last week, a series of bot worms -- the first of which were named "Zotob" -- attacked and took down a significant number of Windows 2000 PCs around the world. The current crop of Zotob and Zotob-esque bots, however, would need to be tweaked or rewritten to take advantage of this latest security hole in Windows.

Still, that doesn't mean users can take this alert lightly, said Symantec.

"[We] strongly encourage system administrators to patch all systems that are vulnerable to the Microsoft Windows Plug and Play Buffer Overflow Vulnerability, including all Windows XP systems," the company advised. "Operating systems that require authentication in order for successful exploitation may still be at significant risk from this vulnerability through attacks carried out by trusted systems that can be exploited without authentication."
