The advisory, titled "Exploit Code Published Affecting the Server Service," spells out Microsoft's stance on the Server service bug outlined in security bulletin MS06-040.

Gregg Keizer, Contributor

August 11, 2006

3 Min Read

Microsoft Corp. put the pressure on users to patch against Tuesday's most dangerous vulnerability by issuing a rare post-release advisory that acknowledged attacks and detailed its dissection of exploit code.

The advisory, titled "Exploit Code Published Affecting the Server Service," spelled out Microsoft's stance on the Server service bug outlined in security bulletin MS6-040.

"While Microsoft was aware of very limited, targeted attacks that exploited the vulnerability prior to the release of the update, we are not currently aware of active attacks that use this newly posted exploit code nor are we aware of additional customer impact at this time," the advisory read.

But in the same advisory, Microsoft noted that its security team had confirmed the danger of some of the exploit code in circulation. "Microsoft has verified the published exploit code to work on Windows 2000 and Windows XP Service Pack 1," it said.

According to the Redmond, Wash. developer, the exploit code doesn't affect Windows XP SP 2, Windows Server 2003, or Windows Server 2003 SP 1.

That, however, runs counter to other researchers who have confirmed that the exploit code available through the Metasploit Framework (which is what Microsoft is referring to in its advisory) can bring Windows XP SP2 and Windows Server 2003 to their knees with a denial-of-service (DoS) attack.

"[We have] independently validated that public exploit does exist within the Metasploit Project to perform execution of code on popular versions of Windows," said Ken Dunham, director of VeriSign iDefense's rapid response team, in an e-mail to TechWeb Friday afternoon.

"MS06-040 should be immediately prioritized at the top of the list for any organization vulnerable to exploits against this flaw," Dunham continued. "Of all the vulnerabilities disclosed by Microsoft Corp. this last Tuesday, MS06-040 stands out with the highest risk due to the likelihood of attack."

In addition, Metasploit's HD Moore, who authored the code, claimed that the exploit worked successfully against Windows NT 4.0, which has slipped off Microsoft's lifespan chart and is no longer supported with security updates. It's also uncertain if other unsupported OSes are at risk, including Windows 98, 98 Second Edition, and Millennium, which went into unsupported mode as of July 11.

In any case, security experts continued to sound the alarm late Friday afternoon.

"A worm on the scale of MSBlaster will hit in the next two weeks, and could hit in the next several hours," said Mike Murray, director of vulnerability research at nCircle. "This threat is eminently wormable," he added.

To protect systems, Microsoft and others have recommended these precautions:

---- Identify PCs vulnerable to attack by running the free scanning tool offered by eEye Digital Security. The tool, which comes in two versions -- one capable of scanning 16 machines simultaneously, the other up to 256 computers -- can be downloaded free of charge from the eEye site.

---- Patch all vulnerable systems using Microsoft-based mechanisms -- including Windows Update and Windows Server Update Services (WSUS) -- or third-party patch managers such as Shavlik's HFNetChkPro, Patchlink's PatchLink Update, and BigFix Enterprise Suite Patch Management. Those manually downloading the patch will find it here.

---- If administrators or users are unable to patch, Microsoft recommended that they block TCP ports 139 and 445 at the firewall.

---- Additionally, Microsoft told users that they could defend unpatched systems by barring any unsolicited inbound traffic, or blocking the affected ports by applying Internet Protocol security (IPsec).

"Hacker activity has been light for the MS06-040 exploitation to date," said iDefense's Dunham, "but will likely increase with the advent of this coming weekend. Networks should be diligent to patch all Internet facing computers for MS06-040 ASAP."

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights