Nine days after Microsoft warned of a widespread Windows flaw, a program to exploit it has been published online by a group based in China, representing one of the shortest times between warning and worm.
The exploit code, published by a group known as Xfocus, is not technically a worm itself, but it could be used to create a malicious program that would quickly spread on the widely used Windows platform, much like Code Red, Nimda or Slammer, according to security experts.
Despite no reports of attacks using the posted program, Gartner vice president of research Richard Stiennon told TechNewsWorld that exploitation of the flaw is likely to touch all Windows and Internet users, regardless of whether or not they have patched systems.
“The vulnerability’s too widespread,” he said. “There are tens of millions of servers and hundreds of millions of PCs – they’re not all going to be patched. We’re not going to be protected at all from this.”
Security experts said the discovery and distribution of code to exploit the Windows flaw — which involves a Remote Procedure Call (RPC) protocol that allows execution of code from a remote machine in the Windows OS — is consistent with the pattern of vulnerability followed by exploit followed by attack.
Using the exploit, attackers could gain remote access and system privileges with malformed messages using the Distributed Component Object Model (DCOM) services, an RPC interface that listens on TCP/IP port 135, according to the research group that informed Microsoft of the vulnerability.
In a July 16th security bulletin, Microsoft described the flaw as critical for all of its recent operating systems, including Windows NT, Windows 2000, Windows XP and Windows Server 2003.
Race Is On
Stiennon, who warned the flaw also could affect UDP ports, said a worm that takes advantage of the issue might already be written and waiting.
“Somebody’s going to let it go, and it could be shorter [notice] than we’ve ever seen before,” he said. “This will change the face of the Internet just like Code Red and Nimda and Slammer.”
With all of the systems that will have to be patched and the integral ports that have to be blocked, Stiennon said, the Windows flaw will dictate changes in architecture for many IT networks and systems.
With the exploit program posted less than two weeks after the flaw was announced, security experts see a shrinking window of time between vulnerability and attack.
“Not only is the window shrinking, we have more advanced tools and more what you would call hackers – more people just dying to make a name for themselves,” Forrester director of research Michael Rasmussen told TechNewsWorld. “It makes it more serious because the window for patching gets smaller and smaller.”
Stiennon, who said Microsoft does not perceive the flaw as being as serious as it truly is, predicted even companies and users that are patched will suffer because the exploit likely will cause serious network outages.
With 30, 60 or even 90 days of lead time in the past, systems administrators could plan for outages during the installation of software patches, which can create problems themselves.
However, the task is being made ever more difficult with the addition of the time crunch, according to Rasmussen.
“The issue here is whether the patch is stable,” he said. “People don’t want to be guinea pigs, but as the timetable shrinks, they are being forced to test it.”