The latest Windows vulnerability still has the potential to be as devastating as January's SQL Slammer worm, in spite of Microsoft's patching, and has put security vendor ISS on AlertCon 3.
Gunter Ollmann of ISS X-Force Security Assessment Services EMEA said he found three pieces of freely available exploit code over the weekend. Public exploit code gives malware authors a template around which to build a worm.
Ollmann reckoned that most Windows machines, desktops and servers alike, would be vulnerable, though he was careful to note that Microsoft quickly developed and distributed patches, and that IT managers would have hardened servers at the edge of the network as a matter of priority. He added that firewalls should block most attempts to exploit the vulnerability, which could give an attacker complete administrator-level control of the machine. The attack arrives over TCP port 135 and exploits a buffer overflow in the Windows RPC interface, a service that is enabled by default.
However, internal machines are likely to remain vulnerable, since updating all of them in a large enterprise is not an overnight task. As one researcher pointed out, it can take weeks to remediate a whole Class B network, which comprises about 65,000 addresses, and then to verify that none has been missed.
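The coverage check described above, as an added example that is not part of the original article or ISS's own tooling: a small sweep that enumerates a /16 and records which hosts still accept a TCP connection on port 135 from the scanner's vantage point. An open port 135 does not by itself prove a host is unpatched (patching does not close the port), but it identifies the machines that are reachable over the exploit's vector and so must be verified patched or firewalled first. The network `10.7.0.0/16`, the host addresses and the `fake_connect` stand-in for a live network are all constructed for the demonstration; the `connect` parameter exists only so the logic can be exercised offline, and the `__main__` block uses a loopback listener in place of a real host.

```python
"""Sweep a network for hosts that expose TCP 135 (Windows RPC endpoint mapper).

Added example; constructed addresses, not a scan of any real network.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

RPC_PORT = 135  # port named in the article as the exploit's delivery vector


def class_b_addresses(network):
    """Return every address of a /16 ('Class B') network as a list of strings.

    ipaddress yields network and broadcast addresses too, so a /16 gives 65,536
    entries, the 'about 65,000' figure quoted for a Class B remediation sweep.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen != 16:
        raise ValueError("expected a /16 network, got /%d" % net.prefixlen)
    return [str(addr) for addr in net]


def _real_connect(host, port, timeout):
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        return True


def tcp_open(host, port=RPC_PORT, timeout=0.5, connect=None):
    """True if a TCP connect to host:port succeeds within `timeout`.

    `connect` is injectable (hypothetical test hook) so the sweep logic can run
    without touching the network; by default the real socket connect is used.
    Refusals, timeouts and unreachable networks all count as 'not exposed'.
    """
    connect = connect or _real_connect
    try:
        return bool(connect(host, port, timeout))
    except OSError:
        return False


def sweep(hosts, port=RPC_PORT, workers=256, timeout=0.5, connect=None):
    """Probe every host concurrently; return (exposed, not_exposed) lists.

    Order of the input is preserved, so the report can be diffed against an
    earlier sweep to show which hosts have since been firewalled or retired.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(
            lambda h: (h, tcp_open(h, port, timeout, connect)), hosts))
    exposed = [h for h, is_open in results if is_open]
    not_exposed = [h for h, is_open in results if not is_open]
    return exposed, not_exposed


def fake_connect(open_hosts):
    """Build a connect() stand-in for a constructed inventory (testing only):
    hosts in `open_hosts` accept on RPC_PORT, everything else refuses."""
    def connect(host, port, timeout):
        if host in open_hosts and port == RPC_PORT:
            return True
        raise ConnectionRefusedError(host)
    return connect


if __name__ == "__main__":
    # Demo with a real socket: a loopback listener stands in for one host that
    # still has the RPC port reachable. Swap in class_b_addresses("10.7.0.0/16")
    # and the default connector to sweep an actual /16 you are authorised to scan.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    demo_port = listener.getsockname()[1]
    exposed, not_exposed = sweep(["127.0.0.1"], port=demo_port, timeout=1.0)
    print("exposed on port %d: %s" % (demo_port, exposed))
    print("not exposed: %s" % not_exposed)
    listener.close()
```

Run the sweep from inside the network as well as from the edge: the article's point is that the perimeter firewall may block port 135 while internal segments leave it wide open, and only an internal vantage point shows that. Keep the per-host timeout short and the worker count high; 65,536 probes at half a second each would otherwise take hours serially.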
Ollmann said that it would take only one unprotected server to bring down an enterprise network, and that a worm able to propagate itself throughout an organisation could likely be developed in a week or less. "We're on AlertCon 3, which means large parts of the organisation could be affected and suffer direct consequences," he said. Researcher and hacker HD Moore of Metasploit agreed, and is reported as saying that the code could easily be turned into a worm.