Microsoft Ups Exploit Code Warning
It looks like Redmond's hunch was correct when it issued an out-of-cycle security patch late last week. On Wednesday Microsoft identified publicly available exploit code related to that vulnerability.
Mike Reavey, operations manager of Microsoft's Security Response Center, wrote in a post to the MSRC blog that the "exploit code has been shown to result in remote code execution (RCE) execution on Windows Server 2003, Windows XP and Windows 2000," the same operating systems covered in the software giant's MS08-67 bulletin published on October 23.
The vulnerability relates to the Windows Server service program not properly handling "specially crafted" remote procedure call (RPC) requests. Because Windows Server service provides RPC support, file, and print support, and named-pipe sharing over the network, it is vulnerable to such attacks. If the exploit were to be executed properly, it could allow a masked or almost automatic remote interaction between CPUs in a shared processing environment.
The bug has been indentified as a Trojan virus but Microsoft said it is still investigating the matter and, therefore, has yet to specify where it found the exploits. Redmond simply said it was "aware of detailed, reliable public exploit code."
Third-party security vendors such as Symantec indentified the bug as "Trojan Gimmiv." Symantec stresses that Windows users who haven't already patched their systems need to do so as soon as possible.
"This flaw definitely has potential to be used as a propagation vector for a worm and in reality affects everything from Windows 2000 to Windows 7 pre-beta," said Ben Greenbaum, senior research manager for Symantec Security Response, in an e-mail message. "All it takes is one client-side exploit or Trojan that includes this exploit as a payload to get such a worm into a corporate network, where the affected ports are typically exposed to other internal computers."
Meanwhile, in his own post, Microsoft's Mike Reavey reiterated previous announcements by Redmond that attacks relate to this vulnerability are still sporadic and isolated.
"Attacks are still limited and targeted, even with the release of this new exploit code," he wrote. "The malware situation remains the same, as we've not seen any self-replicating worms, but instead malware that would be classified as Trojans, specifically the malware we discussed when we released the security update (last Thursday.)"
-- Jabulani Leffall