
Security Experts Disagree Over New Threats

Code to exploit Windows flaws may crash systems rather than infect them.

New code to take advantage of security weaknesses in Microsoft's Windows operating system was spotted on the Internet earlier this week. But at least one security expert says it doesn't pose much of a threat.

Two security firms, iDefense Inc. and Counterpane Internet Security Inc., discovered the "exploit code," which would make it easier for hackers to exploit a security weakness in an application or operating system. The code they discovered is aimed at the vulnerabilities in the Windows Remote Procedure Call Distributed Component Object Model interface, which Microsoft disclosed Sept. 10. The vulnerability affects nearly all current versions of Windows, including Windows Server 2003, and is very similar to the flaws revealed in July that led to the Blaster worm attack. That attack infected more than 500,000 systems in August.

Security experts are predicting a new worm will surface any day to take advantage of those flaws.

But Dan Ingevaldson, an engineering manager at X-Force, the security research group within Internet Security Systems Inc., says the exploit isn't that effective. "It crashes more systems than it will successfully infect. Crashed systems are the enemy of any effective worm," he says. Ingevaldson says it's been difficult to get this particular exploit to work.

Microsoft declined to comment on whether the newfound exploit works.

Both Counterpane and iDefense contend that the exploit works effectively against Windows 2000 systems running Service Pack 3 and 4. Ken Dunham, a malicious-code intelligence manager at iDefense, says message postings and chatter in the hacker underground suggest that several hundred systems may have already been attacked by the exploit and infected with a Trojan.

Creating a new worm to take advantage of the software flaws isn't as easy as cutting and pasting the newfound exploit into the already existing and widely available code for the Blaster worm, says Bruce Schneier, Counterpane's founder and chief technology officer. But "it wouldn't be difficult for someone with a little programming experience," he says.

Still, Ingevaldson says this exploit isn't worm-ready. "It just wouldn't make an effective worm as the exploit currently exists," he says.

That could change quickly. Schneier says one of the biggest trends he's noticed in exploit and worm development this year is how malicious-code authors are increasingly working together to build their lethal apps. "One will post a rough version of an exploit, and someone else will grab it and improve it. Another will then make improvements on that," he says.

And to make matters worse, Dunham says his team has spotted a screen shot of what appears to be an exploit that will work against Windows XP systems.

The new rash of exploits seems to be originating from a Chinese hacker group called XFocus, which has been developing exploits for the past few years, Ingevaldson says.

If a worm does surface in coming days, security experts are hopeful it won't be as devastating as the original Blaster. Internet service providers "have the filters they used against Blaster either still in place or ready to go," Ingevaldson says. "All of the attention on the need to patch may help any future worm not be as effective."
