Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

isn logo Information Security News mailing list archives

Attack code surfaces for latest Windows vulnerability
From: InfoSec News <isn () c4i org>
Date: Tue, 18 Nov 2003 06:10:45 -0600 (CST)
http://www.nwfusion.com/news/2003/1117attaccode.html

By Paul Roberts
IDG News Service
11/17/03

Computer code that exploits a critical new software vulnerability in 
the Windows XP and Windows 2000 operating systems is circulating on 
the Internet, according to security experts. 

Two examples of "exploit" code for a buffer overrun in the Windows 
Workstation Service were posted to security-related Internet 
discussion groups on Friday and Saturday. Both exploits have been 
tested and work, according to Dan Ingevaldson, director of X-Force at 
Internet Security Systems Inc. (ISS). 

The Workstation Service vulnerability was disclosed by Microsoft in 
Security Bulletin MS03-049, which was released Nov. 11. The service is 
turned "on" by default in Windows 2000 and Windows XP systems and 
allows computers on a network to connect to file servers and network 
printers, Microsoft said. 

Both the CERT Coordination Center at Carnegie Mellon University and 
ISS issued advisories last week regarding the Workstation 
vulnerability, warning that it was easy to exploit and well suited to 
use by self-spreading Internet worms. 

One version of the exploit code is attributed to somebody using the 
online name "wirepair," and was first published in a private online 
forum at Russian security site forum.securitylab.ru, Ingevaldson said. 
A second exploit, dated Nov. 14, appeared on the French-language 
hacking Web site www.k-otik.net by someone using the online name 
"snooq." 

The two pieces of code are early attempts to exploit the MS03-049 
vulnerability and contain multiple bugs that make them difficult to 
run. Because of flaws in the way the code authors attempt to trigger 
the buffer overrun in the Workstation Service, attackers have only one 
chance to compromise vulnerable Windows systems, which crash when the 
exploit is not successful, Ingevaldson said. Those faults make the 
code ill-suited to use in an Internet worm, he said. 

"You need exploits that are robust and that work all the time to make 
an effective worm," Ingevaldson said.

However, virus writers and hackers worldwide will work diligently to 
refine the exploit code, finding ways to get the code to stop crashing 
systems and work on all versions of Windows XP and Windows 2000, he 
said. Such a pattern of refinement preceded the release of the Blaster 
and Nachi worms in August, Ingevaldson said. 

In addition, the two exploits that were publicly released might not be 
the only exploits for MS03-049 that have been created, he said. 
"(Exploits are) like cockroaches. If you see one or two, there are 
probably others as well," Ingevaldson said. 

ISS encourages Windows users to download and apply the software patch 
for the Workstation Service on Windows XP and 2000 machines as soon as 
possible, he said. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

  By Date           By Thread  

Current thread:
  • Attack code surfaces for latest Windows vulnerability InfoSec News (Nov 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]