Security researchers have already come up with a working exploit for a Windows 2000 bug patched on Tuesday, raising the spectre of another worm outbreak along the lines of Zotob in August.
The hole relates to Microsoft's bulletin MS05-051, which details a "remote, unauthenticated attack vector" on Windows 2000 systems, the same as that exploited by Zotob. The vulnerabilities are in Microsoft Distributed Transaction Coordinator (MSDTC) and COM+, an iteration of the Microsoft Component Object Model, and could allow an attacker to execute malicious code on Windows 2000 systems.
Newer versions of Windows are also affected, but on those the flaw allows only relatively minor attacks. Microsoft is trying to wean enterprises off Windows 2000, but it is still very widely used by businesses.
In August, a plug-and-play vulnerability patched in bulletin MS05-039 was turned into an active exploit in a matter of days, and then formed the basis for the Zotob series of worms.
Experts fear a similar scenario is about to arise. On Wednesday, Immunity Security began distributing a working exploit for the flaw to customers of its Canvas compliance-testing service. While the exploit is still being carefully kept under wraps, its very existence appears ominous to some.
The release was enough for Symantec to publish an alert to customers of its DeepSight Threat Management System, warning that an exploit is likely to appear in the wild in short order.
"If (Immunity) can write it, others will, too," said Alfred Huger, head of Symantec's security response team, according to a report.