Exploit code for Microsoft vulnerability circulating
- By William Jackson
- Feb 16, 2004
Security researchers say code designed to exploit a recently announced critical vulnerability in Microsoft operating systems now is widespread on the Internet.
The code crashes targeted computers by exploiting a flaw in Microsoft's Abstract Syntax Notation 1 (ASN.1) Library in Windows NT, 2000 and XP. The exploit code was discovered Saturday, four days after Microsoft announced the vulnerability and a patch to correct it.
'The exploit we discovered is fully functional and does cause targeted computers to crash,' said Ken Dunham, director of malicious code for iDefense Inc. of Reston, Va. 'The widespread distribution of this code has significantly increased the threat level for ASN.1.'
The code is available on several discussion groups and Web sites.
Dunham said there have been reports of denial-of-service attacks against specific targets using this exploit, but the attacks are not yet widespread.
'It may be a few days before we see anything beyond a DoS attack,' he said. 'Several attackers are actively working on an ASN.1 exploit to spread Trojans and 'bots. One attacker has expressed an interest in creating a worm that will "take down the Internet."'
Dunham said the malicious actors are capable of 'weaponizing' the exploit, but have so far had little success in their tests.
The code causes the Microsoft Local Security Authority Subsystem Service process, LSASS.exe, to crash. It can be delivered over the Server Message Block (SMB) or NetBIOS file-sharing protocols to computers listening on TCP ports 445 or 139. Blocking untrusted access to these ports and installing the Microsoft patch will protect against this exploit.
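The first half of that mitigation is only as good as your knowledge of which hosts actually accept connections on 139 and 445 from the network you are worried about. The script below is an added example (not code from the article, from iDefense or from Microsoft) that audits a list of hosts for reachable SMB/NetBIOS ports by completing a TCP handshake and nothing more, so it sends no SMB traffic and cannot trigger the crash itself. The host list is a hypothetical placeholder, and the `start_listener` helper exists only so the probe can be demonstrated offline against a local port.

```python
import socket

# TCP ports the exploit is delivered over, per the article: NetBIOS session
# service on 139 and direct-hosted SMB on 445.
SMB_PORTS = (139, 445)


def probe_port(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted, False if it
    is refused, filtered or times out.  Only the handshake is completed; no
    application data is sent, so this is safe to run against live hosts."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(host, ports=SMB_PORTS, timeout=1.0):
    """List the ports in `ports` on which `host` accepts connections."""
    return [p for p in ports if probe_port(host, p, timeout)]


def audit_hosts(hosts, ports=SMB_PORTS, timeout=1.0):
    """Map each host to its reachable SMB/NetBIOS ports.  A non-empty list
    means the host is reachable on an exploit delivery port from wherever
    this script runs and needs a firewall rule and/or the patch."""
    return {h: exposed_ports(h, ports, timeout) for h in hosts}


def start_listener(host="127.0.0.1"):
    """Demo helper: open a listening TCP socket on an ephemeral port.  The
    kernel completes handshakes into the backlog without accept() being
    called, which is all probe_port needs.  Returns (socket, port); closing
    the socket makes the port refuse connections again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Hypothetical inventory; replace with your own host list.  192.0.2.0/24
    # is TEST-NET and is never routed, so that entry will show as filtered.
    targets = ["127.0.0.1", "192.0.2.10"]
    for host, open_ports in audit_hosts(targets, timeout=0.5).items():
        status = "EXPOSED on %s" % open_ports if open_ports else "closed/filtered"
        print("%-15s %s" % (host, status))
```

Run it from the network segment you consider untrusted (a user VLAN, a DMZ host, a VPN pool), since a port that is closed from the scanner's vantage point may still be wide open from another; the firewall rule, not this script, is the control.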
'Most large companies have already started to roll out patches,' Dunham said. 'It will take at least five to seven days for most to completely patch computers, and that is not including a comprehensive audit.'
That window could leave many computers vulnerable.
In other malicious-code news, Symantec Corp. of Cupertino, Calif., has raised the security level for the new Welchia worm because of increasing numbers of infections.
Welchia, also known as Nachi, first appeared last August in the wake of the MSBlaster worm; it automatically patched infected machines against the vulnerability Blaster exploited. The new version, Welchia.b, appears to remove the MyDoom.a and MyDoom.b worms from infected machines. Once installed on a machine, it tries three exploits in succession against a random IP address.
(Posted 12:54 p.m. and updated 4:00 p.m.)
William Jackson is a Maryland-based freelance writer.