Microsoft has fixed a critical Windows bug, saying that it is being exploited by online criminals and that it could eventually be used in a widespread "worm" attack.
As reported yesterday, Microsoft took the unusual step of issuing an emergency patch for the flaw, several weeks ahead of its regularly scheduled November security updates, saying that it is being exploited in "limited targeted attacks."
"It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights," Microsoft said in a bulletin released Thursday morning.
The flaw lies in the Windows Server service, used to connect different network resources such as file and print servers over a network. By sending malicious messages to a Windows machine that uses Windows Server, an attacker could take control of the computer, Microsoft said.
In a blog posting, Microsoft spokesman Christopher Budd said his team became aware of the attacks about two weeks ago, when it found a small number of "targeted" attacks against XP systems. Because the flaw was wormable, and since the patch could be worked up quickly, Microsoft decided to rush out its update ahead of the company's 11 November security release, Budd said.
Microsoft has not rushed out an emergency patch in this fashion since April 2007, but it has done this a handful of times since 2003, when the company moved to monthly security updates. Typically, these fixes are rushed out when attackers have already begun to exploit the vulnerability in widespread attacks.
Although firewalls would typically prevent this latest attack from spreading across the Internet, it could wreak havoc within corporate local area networks, much as the Zotob computer worm did back in 2005.
Users whose firewalls block TCP ports 139 and 445 (these ports are usually blocked by home firewalls) could not be hit via the Internet, Microsoft said in a note on the problem. "In this scenario, only the machines in your local LAN will have the ability to exploit this vulnerability."
Zotob affected Windows 2000 systems, but this bug is rated critical for three versions of Windows: Windows 2000, Windows XP and Windows Server 2003 systems. It is rated as a less-serious flaw for the Windows Vista and Server 2008 systems, which require additional authentication from computers on the network.
Although the attack code used to exploit this flaw has not been publicly released, Microsoft felt that the bug was serious enough that it needed to rush out a patch, said Andrew Storms, director of security operations at nCircle, who has been briefed on the issue with Microsoft's security team.
"The exploits that Microsoft found were found on systems running their Microsoft security software. This is how they became aware of it," he said. "It is a successful attack, but it is not spreading like a worm at this point."
However, security vendor Symantec thinks this is likely to happen.
"Given the nature of this vulnerability, the number of vulnerable systems, and the fact that it is already being exploited in the wild, the chances of a worm and/or bots leveraging this issue are extremely high," Symantec said in an alert on its website.
Although the attack code is used only in very targeted attacks, it could become a more widespread problem, said Marc Maiffret, director of professional services with The DigiTrust Group. "It will really depend on whether or not someone wants to cause a bit of chaos and make a ... name for themselves," he said via instant message. "The reality is that bad guys do not like worms because they cause more people to patch."