By Joris Evers, News.com
Posted on ZDNet News: Oct 13, 2005 10:20:00 PM

Computer code has already been written to take advantage of Windows flaws that were disclosed Tuesday, a sign that a worm attack could be near.

Exploit code exists for four of the 14 vulnerabilities for which Microsoft provided fixes this week, experts said Thursday. One of the exploits was written for a flaw which Microsoft tagged as "critical." The bug lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.

"When we start to see exploits surfacing, we know there will shortly be malicious code," said Alfred Huger, a senior director at Symantec Security Response. "We expect at least the MSDTC vulnerability to be used in a worm in the short term."

After Microsoft released vulnerability information, the exploit code was written within 24 hours, noticeably quicker than the average time it takes for an exploit to appear, Huger said. "Over the last two years on average it has been between four and 5.8 days for an exploit to come out after a vulnerability was released," he said.

When Microsoft released its patches on Tuesday, experts had already warned that the MSDTC flaw could spawn an attack similar to the Zotob worm that wreaked havoc two months ago. Microsoft urged users of older operating systems, specifically Windows 2000 and Windows XP before Service Pack 2, to prioritize the update that fixes the flaw, which is addressed in security bulletin MS05-051.

The MSDTC exploit isn't publicly available, but experts predict a public exploit is not far off. The code was created by security vendor Immunity for users of its penetration testing product. Immunity also crafted exploits for a flaw that involves plug-and-play in Windows (MS05-047) and a bug in a component that supports Novell NetWare networks (MS05-046).

Furthermore, code that exploits a flaw in Microsoft's Windows FTP client (MS05-045) is available publicly on the Internet, said Michael Sutton, director at security intelligence company iDefense, a part of VeriSign.

"Patching is very urgent," Sutton said. "We expect public exploit code to become available, especially for the MSDTC issue."

Microsoft is aware of Immunity's exploit code, but has not seen any attacks that use the code, a company representative said. "Microsoft is actively monitoring this situation," the representative said in an e-mailed statement.

Symantec's Huger predicts a worm exploiting the MSDTC flaw will surface in the next several days. It is unknown how hard the worm will hit. "There are so many variables involved with that, it is tough to say," he said.
