Microsoft: Windows XP PCs Subject To Zotob-like Attack

PCs running Windows XP or Windows XP SP1 in certain non-default configurations are open to Zotob-style attack, the Redmond, Wash.-based developer said in a new security advisory posted on its Web site.

Originally, Microsoft said that all Windows XP machines, including those running the first service pack (SP1) were immune from remote attack, and were only vulnerable if the attacker had valid log-on credentials. "The vulnerability could not be exploited remotely by anonymous users," Microsoft said in the bulletin issued on August 9.

Apparently not true.

"We are now aware of a very narrow and limited case on Windows XP SP1 whereby an unauthenticated attack might be possible," said Debby Fry Wilson, the director of Microsoft's Security Response Center, in a blog entry Wednesday.

"It's pretty specific (and to reiterate, if you are on Windows XP SP2 or have applied MS05-039, you are not impacted by this). But in the interests of making sure people have the right information to assess their risk we are providing an advisory as a precaution."

The potential attack vector lies in how some Windows XP and XP SP1 machines are configured, Wilson added. If users have enabled "Simple File and Print Sharing" at home or in a workgroup, the "Guest" account could be used by hackers to attack the machine.

"Domain users of Windows XP SP1 aren't impacted by this scenario at all," Wilson went on. "This is very specific to the 'Guest' account when 'Simple File and Print Sharing' has been enabled on Windows XP SP1 in a home or workgroup environment."

Because most enterprise machines are joined to an Active Directory domain -- and these machines are not vulnerable to such an attack -- it's unlikely corporate computers would be targeted.

Symantec's research arm said Wednesday in several customer alerts that it had discovered the Windows XP vulnerability, and had been able to "perform anonymous remote exploitation" against Windows XP and XP SP1 systems when Simple File and Print Sharing had been enabled on a PC not connected to an Active Directory domain.

It also noted that there was an exception to the no-problem rule for PCs linked to a domain, however. "Configuring a Windows XP host to share network resources prior to joining an Active Directory Domain will leave it in the vulnerable state even after the Domain is joined," the Symantec advisory stated.

PCs that have had the August 9 patch deployed are immune to the new threat, as are Windows XP SP2 and Windows Server 2003 boxes.

Several workarounds can be used if patching isn't possible, Microsoft and Symantec noted. They include blocking TCP ports 139 and 445 at the firewall and disabling the Guest account. Instructions are available in the "Suggested Actions" section of the Microsoft security advisory.

Last week, a series of bot worms -- the first of which were named "Zotob" -- attacked and took down a significant number of Windows 2000 PCs around the world. The current crop of Zotob and Zotob-esque bots, however, would need to be tweaked or rewritten to take advantage of this latest security hole in Windows.

Still, that doesn't mean users can take this alert lightly, said Symantec.

"[We] strongly encourage system administrators to patch all systems that are vulnerable to the Microsoft Windows Plug and Plug Buffer Overflow Vulnerability, including all Windows XP systems," the company advised. "Operating systems that require authentication in order for successful exploitation may still be at significant risk from this vulnerability through attacks carried out by trusted systems that can be exploited without authentication."