Windows Worm Warnings No Joke

"This is no drill," said Mike Murray, director of research at vulnerability management vendor nCircle. "And no, this isn't an overreaction. We've always said that some day there would be another big, serious vulnerability.

"Well, this is the one."

The bug in question is one of 23 patched Tuesday by Microsoft, and one of 16 tagged by the Redmond, Wash. software developer as "critical." It affects all currently-supported versions of Windows, can be exploited without end users lifting a finger, and in some experts' eyes, rivals the bug that led to 2003's destructive MSBlast attack.

Recent developments have turned up the heat over the vulnerability spelled out in Microsoft's MS06-040 security bulletin. Wednesday, Department of Homeland Defense (DHS) called out a rare warning, and Microsoft acknowledged that the patch should be at the top of every computer user's or administrator's to-do list.

Wednesday, the DHS, which also operates the United States Computer Emergency Readiness Team (US-CERT), took the unusual step of issuing its own warning. "Windows users are encouraged to avoid delay in applying this security patch," said the DHS release. "This vulnerability could impact government systems, private industry, and critical infrastructure, as well as individual and home users."

Earlier that day, Microsoft said "we are recommending that customers give priority to MS06-040."

Thursday's deepening concern was fueled by several releases of new exploit code. HD Moore, co-creator of the Metasploit Framework, took his exploit for the MS06-040 vulnerability public early in the day. Later, after Symantec's research team confirmed that Moore's code, which targets Windows 2000, XP, and Server 2003, results in a denial-of-service (DoS) attack, repeated its previous warning to "patch as soon as possible."

Other analysts agreed, and more.

"Because it's been added to the Metasploit Framework, a lot of hackers will be look at [Moore's exploit code]," said Ken Dunham, the rapid response team director at security intelligence firm VeriSign iDefense. "With some tweaking, his code could potentially be turned into a worm."

The availability of exploit code, even rudimentary code that doesn't yet let an attacker hijack a PC, along with the scope of the vulnerability, means that it's guaranteed MS06-040 will get lots of attention. But whether it ends up as a worm ala 2003's MSBlast is still uncertain, Dunham said. "There will be a lot of [attacker] activity around this, but we'll have to watch how this matures in the next few days to know whether a worm's probable." nCircle's Murray was more sure.

"We'll see proof-of-concept code that takes over the system within 48 hours," Murray said.

"It's only a matter of time or luck before this turns into the scale of MSBlast. Essentially, every Windows system is vulnerable. This is one of those worst-case 'pull the plug on the Ethernet cable' events."

Exploits have also been released for commercial customers of Core Security's Core Impact testing tool and Immunity 's Canvas software, Dunham noted.

Early Thursday, Christopher Budd, security program manager at Microsoft's Security Response Center (MSRC), affirmed the company's patch-now stance on MS06-040. "We've got our Emergency Response process teams watching for any possible malicious activity," wrote Budd on the center's blog. More than 100 million copies of the MS06-040 patch were downloaded in the first 30 hours after its Tuesday release, he added.

The next two to four days should tell the tale of the bug.

"It's very important to patch right now," said Dunham, "because most exploits are developed in the first week after the vulnerability is disclosed. It not by then, then four or five days later, but by then most people are patched."

"This is the real thing," said Murray. "It's not a false alarm."

The Windows 2000, XP, and Server 2003 patches for the MS06-040 Server service flaw can be obtained via Microsoft and Windows Update services, or directly from this Microsoft site. Additionally, on Wednesday eEye Digital Security posted a free-of-charge tool that scans networks and its Windows systems to identify those at risk. The tool can be downloaded from here.