Why are criminals still exploiting an old patched vulnerability?
Nearly two years after Microsoft issued a patch, enough systems remain vulnerable that criminals are still including this exploit--and others--in their bag of tricks.
Within the last week, two large-scale releases of malicious code have included exploits for a vulnerability that Microsoft patched in April 2006. The weekend's defacement of more than 70,000 Web sites and the installation of an MBR rootkit both require exploitation of the number of older vulnerabilities, including MS06-014. Why bother?
The original security bulletin for MS06-014 was posted back in April 2006. It concerned a flaw within the Microsoft Data Access Components (MDAC), specifically within the RDS.Dataspace ActiveX control, that is part of the ActiveX Data Objects (ADO) distributed in MDAC. Shortly after the patch was available, an exploit was published to the Web.
Roger Thompson, chief research officer at Grisoft, said in an e-mail, "MS06-014 works really well, and it's really easy to use and modify. It's shocking that it's still producing enough to make it worth their while, but it must be so."
Shortly after MS06-014 was published, Microsoft released Windows XP SP2, which, among other things, includes all the previous Windows XP security patches.
Given the exploit's revival, there must be a large number of machines still running Windows with XP SP1 or before.
Thompson said the continued use of older exploits "underlines how hard it is to do a new exploit, as opposed to just using someone else's." Thompson, whose company makes the Linkscanner safe browsing application, said blocking these exploits is the best protection. Of course, keeping your Windows system up-to-date can't hurt either.