Exploit For Worst Bug Of August On The Loose

Security experts said the MS06-040 bug was the worst of the 23 patched by Microsoft this week. Now they say it's being used in attacks.
To emphasize the point, users who retrieved Tuesday's fixes via Windows or Microsoft Update were greeted with an additional "Addresses a critical security problem" notation below the listing for the MS06-040 update. The new line was color-coded in red.

Microsoft declined to elaborate further about the red-lettered warning or why it decided to debut the feature.

From comments made by other security analysts, the in-your-face alert was justified. "This is remotely exploitable," said Jonathan Bitle, product manager at security vendor Qualys. "We've seen this service exploited before with other worms, so it's definitely a concern."

Although large-scale worm attacks are almost a distant memory -- MSBlast, for instance, which exploited a similar Windows bug, broke three years ago this month -- Bitle said a worm attacking the newly disclosed vulnerability was certainly possible. "There could be code out and available as we speak," he said. "It might be on the Web somewhere, though we haven't seen any yet."

The SANS Institute's Internet Storm Center made mention of impending threats, too. "[There has been] a lot of speculation about a possible worm," wrote Johannes Ullrich, the chief research officer for the ISC, on the organization's site. "But then again, worms are so 2004."

Maybe not.

"Criminals are in business to make money, and they'll try anything to get into your machine," said Symantec's Martin. "If they think this will work, they'll use it."

Microsoft offered alternatives for those who couldn't immediately deploy the patch, including blocking TCP ports 139 and 445 at the firewall.

"You should also watch the network traffic," advised Patrick. "If your security software is up to date, it should be able to spot the 'fingerprint' of the attack in the packet traffic."
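The two pieces of advice above (block TCP 139 and 445 at the firewall, and watch the traffic) can be checked against a firewall's own logs. The following is an added example, not code from the article or from Microsoft: it parses a few constructed log lines (the timestamps, addresses and the one-line format are assumed, with source addresses drawn from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and reports SMB/NetBIOS connections that reached internal hosts from outside the assumed internal networks, which is exactly the exposure the port-blocking workaround is meant to remove while a machine is still unpatched. It does not try to match the exploit itself, which the article does not describe; it only flags the traffic that should not be arriving at all.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not from the article). One event per line:
# <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2006-08-10T09:12:01 ALLOW TCP 203.0.113.7:41022 -> 192.168.1.20:445
2006-08-10T09:12:03 ALLOW TCP 192.168.1.30:3391 -> 192.168.1.20:445
2006-08-10T09:12:05 ALLOW TCP 198.51.100.9:51000 -> 192.168.1.20:139
2006-08-10T09:12:06 ALLOW TCP 203.0.113.7:41023 -> 192.168.1.21:445
2006-08-10T09:12:07 DROP TCP 203.0.113.7:41024 -> 192.168.1.22:445
2006-08-10T09:12:09 ALLOW TCP 203.0.113.50:40000 -> 192.168.1.20:80
"""

# Ports named in the MS06-040 workaround: NetBIOS session (139) and direct SMB (445).
SMB_PORTS = {139, 445}

# Assumed internal address space; adjust to the networks you actually own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls inside one of the assumed internal networks."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into a dict with typed addresses and ports."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src_ip": ipaddress.ip_address(src_ip), "src_port": int(src_port),
            "dst_ip": ipaddress.ip_address(dst_ip), "dst_port": int(dst_port)}


def find_external_smb(log_text):
    """Return (allowed, attempts).

    allowed:  events where an external source reached TCP 139/445 on an internal
              host and the firewall let it through (the workaround is not in place).
    attempts: Counter of external sources trying 139/445, dropped or not, which is
              the traffic worth watching for a scanner or worm.
    """
    allowed = []
    attempts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] != "TCP" or ev["dst_port"] not in SMB_PORTS:
            continue
        # SMB between internal hosts is normal; only outside sources are of interest.
        if is_internal(ev["src_ip"]) or not is_internal(ev["dst_ip"]):
            continue
        attempts[str(ev["src_ip"])] += 1
        if ev["action"] == "ALLOW":
            allowed.append(ev)
    return allowed, attempts


if __name__ == "__main__":
    allowed, attempts = find_external_smb(SAMPLE_LOG)
    for ev in allowed:
        print(f"{ev['ts']} external {ev['src_ip']} reached {ev['dst_ip']}:{ev['dst_port']}")
    for src, n in attempts.most_common():
        print(f"{src}: {n} attempt(s) on 139/445")
```

Any entry in the first list means the perimeter rule the article mentions is missing or has a hole for that host; a source that appears repeatedly in the second list, even when every attempt is dropped, is the kind of traffic to keep an eye on while patches roll out.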

Also on Tuesday, Microsoft posted a document to its support site that offers guidance on which update mechanisms can be used to deploy the August patches, including the MS06-040 fix. The ISC urged enterprise users to turn to the document if they had trouble installing the fix.
