"I don't think [Windows 2000] users have an awful lot of time to patch," said Gunter Ollmann, the director of Internet Security Systems' (ISS) X-force research group. "We'll most certainly see a worm using this exploit," he added.
There's also evidence that hackers are trying to develop code that would successfully attack less-vulnerable Windows XP SP1 machines, Ollmann said. In any case, the clock is ticking. "What's out there now puts this on the level of script kiddies," said Ollmann, using the term for less experienced, less technically-astute hackers.
The patch for the Plug and Play bug was issued Tuesday as bulletin MS05-039 by Microsoft. The bulletin outlined how an anonymous user could grab control of a Windows 2000 machine by sending a specially-crafted message. No user interaction would be required, making the bug a potential hole that hackers could use to create a fast-spreading, destructive worm like earlier network attacks by Slammer or MSBlast.
Multiple security vendors rushed to alert customers and others of the new danger.
ISS, for instance, said it was aware of a trio of publicly-available exploits; the Atlanta-based firm's take was of special importance, since one of its researchers, Neel Mehta, was credited with the vulnerability's discovery.
"The code we've seen has some variations," said ISS' Ollmann. "That indicates several teams or groups have been working quite hard since [Tuesday] to write their own exploit and be the first one to get it out there."
eEye Digital Security, meanwhile, said that it had also found more than one exploit example. "Upon discovering two instances of exploit code online, [we] conducted thorough testing to confirm that both present a legitimate threat to Windows 2000 systems (completely patched SP 4 with all hot fixes)," the Aliso Viejo, Calif.-based company wrote in its alert.
Symantec also issued a full-scale alert, and dubbed the vulnerability a 9.6 threat, out of a possible 10, with criteria such as severity, threat, and ease of exploit all pegged at "10." It also confirmed that the one exploit it's discovered can successfully attack a fully patched installation of Windows 2000 Advanced Server.
Since Tuesday, security gurus have been warning that the aging operating system would be the most likely target for an exploit. On the day Microsoft released the Plug and Play patch, Mehta, the team leader for ISS' X-Force, said "I think it's the most serious and the easiest to exploit. We're very concerned that this could be exploited as part of a worm. "Windows 2000 users are really at risk, and should patch immediately," added Mehta.
Microsoft even jumped into the fray by issuing one of its relatively rare security advisories to confirm that exploits were in the wild, to remind users that a patch was available, and to say it had verified that this week's patch makes systems invulnerable to attack.
eEye's alert not only reiterated the need to patch pronto, but laid out the order that enterprises should fix their PCs. First in line, of course, should be Windows 2000, followed by, in order, Windows NT, Windows XP, and Windows 2003 Server.
That patching could come none too soon, since ISS is certain that the exploit will be quickly turned into a network worm.
"Once hackers have working code for a default service like Plug and Play, a worm normally appears within a week or at most, two weeks. It could be sooner, a matter of hours, we just don't know," said Ollmann.
Also on Friday, eEye posted a free tool, called Retina UMPNP Scanner, that can be downloaded free of charge (registration, however, with eEye is required) to scan for PCs vulnerable to the Plug and Play bug.