Microsoft has warned Windows users that detailed exploit code has been released for a recently patched "critical" bug in the operating system, potentially paving the way for an automated attack on some systems.
The company also rebuked the security researchers responsible for disclosing the exploit, the Metasploit Project. A Metasploit researcher responded that Microsoft is attempting to suppress the circulation of important security information.
"Detailed exploit code has been published on the Internet for the vulnerability that is addressed by Microsoft security bulletin MS06-025," Microsoft said in an advisory late on Friday. "Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time."
MS06-025, part of the company's latest monthly round of patches, was released two weeks ago. It addresses two related, critical flaws in the Remote Access Connection Manager (RASMAN) service. On Windows 2000 Service Pack 4 and Windows XP Service Pack 1, the bug could be exploited by anonymous users to take over a system.
Attacks on Windows XP SP2 and Windows Server 2003 are more difficult to carry out, as they require valid login credentials, Microsoft said. Users who have applied the patch aren't affected, the company added.
However, the patch may cover more than has been officially disclosed, according to Metasploit researcher HD Moore. In creating the exploit, which is used for research purposes, Metasploit discovered that additional vulnerabilities had been patched, Moore wrote in the Metasploit blog.
That means that, while the patch may be effective, intrusion detection system signatures based on the official patch were unable to detect the Metasploit exploit, Moore said.
"No intrusion detection systems were able to detect the Metasploit module at the time of this writing," he wrote. "Microsoft never mentioned this specific vulnerability in the advisory or to the Microsoft 0-Day Club (Microsoft Security Support Alliance)."
As usual, Microsoft criticised the release of the exploit code, which it said breaks established industry practice. "We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities," the company stated.
Moore responded that, in fact, what Microsoft calls a "commonly accepted industry practice" is a fiction. He cited the fact that companies such as Verisign, Digital Armaments and Immunity sell access to exploits, often before a patch has been released.
Vulnerability information is also disclosed in other ways, Moore said. "A vulnerability scanner can disclose vulnerability details through the act of checking for the flaw. IDS vendors that provide user-visible signatures disclose the exploit vector through the structure and content of their signatures," he wrote.
Moore said the period of nine days between the patch and the exploit release was a sufficient delay to protect users.