Windows 2000 Bug Could Mean Repeat Of Zotob

One of the nine bulletins Microsoft released Tuesday morning patches a vulnerability that could end up producing a very destructive worm.
One of the nine bulletins Microsoft released Tuesday morning patches a vulnerability that could end up producing a worm equal to August's Zotob, or even the earlier, and far more destructive Sasser or MSBlast, said a researcher from the security firm that discovered the bug.

"This one should be considered critical, and remotely wormable," said Marc Maiffret, the chief hacking officer at eEye Digital Security, the security company credited with the discovery.

"It's very similar to the vulnerabilities that ended up exploited by the Sasser worm or the MSBlast worm, or the Plug and Play vulnerability that led to Zotob. It's the same type of thing," said Maiffret.

The vulnerability, one of four in Microsoft's MSo5-051 bulletin, can be exploited without any user interaction, is contained within a Windows 2000 service that's enabled by default, and according to Maiffret, is "not technically challenging" to exploit.

August 2005's Zotob worm, which brought down some enterprise networks, also used a vulnerability in an enabled-by-default service in Windows 2000 to wreak havoc.

The bug is in the Microsoft Distributed Transaction Coordinator (MSDTC), a distributed transaction facility for Microsoft Windows, used by developers for such processes as updating data that resides in two more applications.

Microsoft was concerned enough about the bug to rate it "Critical," the highest warning ranking in its four-step scale, and to recommend "that Windows 2000 customer apply the update immediately."

Maiffret said that eEye had submitted several other bugs to Microsoft which were patched Tuesday. Unlike most security researchers, however, eEye tracks the time that's passed since it notified Microsoft, and posts the number of days for each vulnerability it uncovers.

The longest-running Microsoft bug, which was submitted to the Redmond, Wash.-based giant 196 days ago, was not included in the fixes offered up Tuesday. The flaw found in Windows 2000's MSDTC was first filed and acknowledged by Microsoft 95 days ago, on July 8.

"We have a good working relationship with Microsoft," said Maiffret. "We may disagree on a lot of things, especially how long it takes them to come up with a patch, but we agree on the most important thing, which is keeping customers protected."

Editor's Choice
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Terry White, Associate Chief Analyst, Omdia
John Abel, Technical Director, Google Cloud
Richard Pallardy, Freelance Writer
Cynthia Harvey, Freelance Journalist, InformationWeek
Pam Baker, Contributing Writer