Exploits Surface For Critical Microsoft Bug
Both proof-of-concept exploit code and a public exploit have popped up for the bug fixed in MS06-070, a security update that patched Windows 2000's and Windows XP's Workstation Service, a routing service used by the operating system to determine if file or print requests originate locally or remotely. Microsoft pegged MS06-070 with its "critical" ranking, the highest threat warning it assigns updates.
"We've confirmed exploit code from two different sources," said Amol Sarwate, the manager of Qualys' vulnerability lab. "The window [of time] to exploit is definitely shrinking."
It's become common for exploits to crop up within days of Microsoft's monthly patch release. The trend has become routine enough to get its own moniker: "Exploit Wednesday."
Immunity's Canvas exploit framework -- a penetration testing tool somewhat like the Metasploit Framework -- has posted an exploit for the Workstation Service bug, Sarwate said. Although that exploit is available only to Immunity partners, a public exploit also has been published to the SecurityFocus Web site. According to security company Symantec, which on Thursday also warned customers of its DeepSight threat system that the code was out and about, the public exploit has been successfully tested only against the Chinese language version of Windows 2000.
"This was the number one vulnerability on Tuesday," Sarwate said, "because it was remotely exploitable." Hackers attacking Windows 2000 systems can do so remotely, and without needing to authenticate as a legitimate user, simply by sending a vulnerable PC malicious data packets. Windows XP users are considerably safer, as attacks cannot be carried out anonymously or remotely.
"On Patch Tuesday, Microsoft informed everyone that there was something wrong in the [Workstation] Service. As soon as the patches were available, hackers were looking for the magic bytes to exploit the bug," Sarwate said. "Companies definitely need to patch immediately. The concern is elevated because now we have proof-of-concept code."
Blocking ports 139 and 445, one of the workarounds Microsoft offered Tuesday in the MS06-070 bulletin, isn't really feasible, said Sarwarte. "There are maybe 15 different services that won't work if you close those ports," he said.
Symantec pegged another of the half-dozen updates -- the one spelled out in the MS06-066 bulletin -- as now sporting an exploit against the disclosed bug. By Wednesday, Symantec said, Immunity came up with a commercial exploit for Canvas. "The exploit is only available to Immunity Partners, however the rapid development of this issue suggests that public exploits may soon surface for the issue as well," Symantec warned DeepSight users in a Thursday alert. Sarwate of Qualys was unable to confirm Symantec's claim.
"Time is the crucial element now," said Sarwate.