New Worm - ZOTOB

malkin86
http://www.pcmag.com/article2/0,1895,1848347,00.asp

Security Watch: New Worm Hits Windows Hole in Record Time

Windows Security Alerts and Updates

Of the three critical vulnerabilities revealed by Microsoft last week, the most attention has gone to MS05-039 (Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege).

Under Windows 2000 this hole allows an anonymous remote user to execute arbitrary code in the context of the SYSTEM user. Exploiting the vulnerability has been reported as "easy," and in fact more than one proof-of-concept exploit is available in the usual places on the Internet. On Friday we heard the first reports of actual exploits in the wild, so Windows 2000 users need to take this seriously.

What distinguishes this hole from the others announced is that this one lends itself to "worming." One could write a program, and such a program is undoubtedly being written now, to exploit systems on the network using this hole, and from there to spread further.

On Windows XP systems prior to service pack 2, only an authenticated (logged on) user could exploit the hole. On Windows XP Service Pack 2 and Windows Server 2003, we have seen varying reports: some say that only an Administrator could exploit it, others that an authenticated user who has rights to log on locally can exploit it. Since there's little point in an administrator mounting an attack to gain SYSTEM privileges, Microsoft's designation of its impact as "Important" might be an overstatement, and even if only "Log on locally" rights are required, this will likely be a difficult exploit.

But there are a lot of Windows 2000 systems out there and many of them are likely to be vulnerable. Don't spend too much time thinking about this problem before applying the patch.

As a workaround, you can block ports TCP 139 and 445 at your firewall. These are ports that any reasonable business firewall would block anyway, but an internally-compromised system could still launch attacks.
Thought you should know. Also, Rbot.cbq is an alternate name.
 
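The article's workaround is to block TCP 139 and 445 at the firewall, with the caveat that an internally compromised host can still reach other machines. The check a practitioner wants after applying that block is whether the SMB ports are still reachable from a given vantage point. The script below is an added example, written for this thread rather than taken from the PCMag article or the poster: it connects to each host on the listed ports and reports which ones accept a connection. It tests reachability only; it does not probe the Plug and Play service or attempt the vulnerability. The host list and the localhost listener in `demo()` are constructed for illustration, and `demo()` uses ephemeral local ports instead of 139/445 so it runs without privileges or a real SMB server.

```python
"""Reachability check for the MS05-039 workaround (added example, not from the
article). Reports which hosts still accept TCP connections on 139/445, so you
can confirm a firewall block or find internal machines that remain reachable.
This is a connect test only; nothing is sent to the service."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports named in the workaround: NetBIOS session service and direct-hosted SMB.
MS05_039_PORTS = (139, 445)


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout), unreachable, etc.
        return False


def check_hosts(hosts, ports=MS05_039_PORTS, timeout=1.0, workers=32):
    """Map each host to the sorted list of ports that accepted a connection.

    An empty list means the host did not answer on any of the ports from
    this vantage point (blocked, filtered, or not listening)."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: (t, tcp_open(t[0], t[1], timeout)), targets))
    exposed = {h: [] for h in hosts}
    for (h, p), is_open in results:
        if is_open:
            exposed[h].append(p)
    return {h: sorted(ps) for h, ps in exposed.items()}


def _local_listener():
    """Stand-in for a host that still answers on an SMB port: a throwaway
    listener on 127.0.0.1 with an OS-assigned port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:   # listener closed by demo(); stop the thread
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def demo():
    """Self-contained run against localhost: one listening port (should be
    reported) and one free port (should not). Returns True on the expected
    result. Ports are constructed per run, not 139/445."""
    srv, open_port = _local_listener()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()             # port released: connects to it are now refused
    try:
        found = check_hosts(["127.0.0.1"], ports=(open_port, closed_port), timeout=1.0)
        return found["127.0.0.1"] == [open_port]
    finally:
        srv.close()


if __name__ == "__main__":
    # Constructed host list for illustration; replace with your own inventory.
    for host, ports in check_hosts(["127.0.0.1"]).items():
        state = "reachable on %s" % ports if ports else "not reachable on 139/445"
        print("%s: %s" % (host, state))
    print("demo:", "ok" if demo() else "unexpected result")
```

Run it from outside the firewall to confirm the block, and again from an internal segment: the article's point is that the perimeter rule does nothing for a worm already running inside, so an internal host that still shows 139/445 reachable is one the patch, not the firewall, has to protect.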
