Apr 26, 2004 (12:04 PM EDT)
Windows Vulnerability Exploited; Worm May Be Next

Read the Original Article at InformationWeek

Security experts are monitoring widespread use of exploit code that takes advantage of a recently disclosed vulnerability in Windows, but a worm, although anticipated, hasn't yet been spotted.

The vulnerability, which has been known for months but only disclosed on April 13 as part of Microsoft's monthly security updates, stems from a flaw in Windows Protected Communications Technology 1.0, a packet protocol within Microsoft's SSL library. Secure Sockets Layer is an encryption technology typically used to secure communications with Web sites, such as those for processing credit-card orders, and for locking down E-mail.

The April bulletin from Microsoft rated the vulnerability as critical, the highest threat warning that the company uses, for Windows NT and Windows 2000. At the time, it warned that an attacker could create a buffer overflow condition on vulnerable Windows servers, then follow by inserting its own code into the system to take control. Windows XP and Windows Server 2003 systems also are vulnerable.

"We're not seeing a worm yet, but we're seeing a large, large number of exploit attempts," said Neel Mehta, a research engineer at Internet Security Systems' X-Force research team. Mehta and Mark Dowd, another member of the X-Force group, first discovered the vulnerability last September. "The exploit code is fully functional, very friendly to hackers, and can be used by script kiddies,' said Mehta, referring to the less-than-technically-astute hackers who pick up tools created by others to launch attacks.

The first form of the exploit code was discovered within days of the disclosure of the SSL vulnerability, added Ken Dunham, director of malicious code research at iDefense Inc. That code was updated last week to include a "phone home" feature that allowed hackers using it to be notified when they'd compromised a server.

The next step, if previous patterns prove true, is for a worm to appear.

"It makes more sense that that will happen," Dunham said. "That's what we've seen with every other vulnerability in the past, where exploit code leads to a bot and that leads to a worm."

Mehta has the same take. "An exploit appears, and individual attackers use that to compromise servers," he said. "Once it begins to be less useful to them, they'll turn it into a worm." Although Mehta couldn't begin to guess an exact data when such a worm might appear, he thought it could be soon. "This activity is the natural precursor to a worm," he said.

Security professionals urged companies to patch their servers--the exploit primarily targets Microsoft Internet Information Server, although Exchange and Active Directory servers also can be exploited--as soon as possible to protect against the current exploit code and any possible worm. If that's not possible, workarounds are available. Microsoft has posted a document on its Knowledge Base site that outlines the steps IT staffs can take to disable PCT 1.0 or SSL 2.0, both of which must be active for the exploit to work.

The Microsoft security bulletin outlining this vulnerability and pointing to the patch can be found here.

In the end, said Dunham, this is but another skirmish in the battle between hackers on one side, and security pros and enterprise IT on the other.

"This is just one more blip," Dunham said, in the monthly cycle of vulnerabilities and ensuing exploitation. "Next month may be the same, as cumulative patches get released that result in multiple exploits and create a flurry of activity in enterprises."

Although most companies manage to patch relatively quickly, Dunham added, "and the heat turns off for a bit, in just a few weeks everyone will have to process all this information from Microsoft and decide which [vulnerability] is most important. We just have to brace ourselves again for the same next month. It's the nature of where we're at right now."