Exploit code raises Windows worm alarm

Code has been written to exploit the latest Windows flaws, but it isn't publicly available. Experts predict a public exploit and worm are near.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

See full bio

Joris Evers

Oct. 14, 2005 6:05 a.m. PT

2 min read

Computer code has already been written to take advantage of Windows flaws that were disclosed Tuesday, a sign that a worm attack could be near.

Exploit code exists for four of the 14 vulnerabilities for which Microsoft provided fixes this week, experts said Thursday. One of the exploits was written for a flaw which Microsoft tagged as "critical." The bug lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.

"When we start to see exploits surfacing, we know there will shortly be malicious code," said Alfred Huger, a senior director at Symantec Security Response. "We expect at least the MSDTC vulnerability to be used in a worm in the short term."

After Microsoft released vulnerability information, the exploit code was written within 24 hours, noticeably quicker than the average time it takes for an exploit to appear, Huger said. "Over the last two years on average it has been between four and 5.8 days for an exploit to come out after a vulnerability was released," he said.

When Microsoft released its patches on Tuesday, experts had already warned that the MSDTC flaw could spawn an attack similar to the Zotob worm that wreaked havoc two months ago. Microsoft urged users of older operating systems, specifically Windows 2000 and Windows XP before Service Pack 2, to prioritize the update that fixes the flaw, which is addressed in security bulletin MS05-051.

The MSDTC exploit isn't publicly available, but experts predict a public exploit is not far off. The code was created by security vendor Immunity for users of its penetration testing product. Immunity also crafted exploits for a flaw that involves plug-and-play in Windows (MS05-047) and a bug in a component that supports Novell NetWare networks (MS05-046).

Furthermore, code that exploits a flaw in Microsoft's Windows FTP client (MS05-045) is available publicly on the Internet, said Michael Sutton, director at security intelligence company iDefense, a part of VeriSign.

"Patching is very urgent," Sutton said. "We expect public exploit code to become available, especially for the MSDTC issue."

Microsoft is aware of Immunity's exploit code, but has not seen any attacks that use the code, a company representative said. "Microsoft is actively monitoring this situation," the representative said in an e-mailed statement.

Symantec's Huger predicts a worm exploiting the MSDTC flaw will surface in the next several days. It is unknown how hard the worm will hit. "There are so many variables involved with that, it is tough to say," he said.