Microsoft this week announced 23 security vulnerabilities related to various Microsoft products in its monthly Patch Tuesday release. It’s the vulnerability in Windows Server Service, however, that has security analysts talking.
The U.S. Department of Homeland Security (DHS) warned Wednesday that the Microsoft Windows Server flaw could put the nation’s critical infrastructure at risk. The vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users, the government said.
The Big One?
The growing concern stems from multiple releases of new exploit code. HD Moore, co-creator of the Metasploit Framework, publicly released his exploit on Thursday. Symantec has confirmed that Moore’s code, which targets Windows 2000, XP, and Server 2003, results in a denial-of-service (DoS) attack.
Moore’s code could be turned into a worm that some security analysts are comparing to the bug that led to 2003’s destructive MSBlast attack that turned up on an estimated 120,000 computers worldwide in the first 24 hours since its release.
Since many home users and corporate IT departments failed to heed Microsoft’s warning to install the patch, thousands of computers were damaged.
Christopher Budd, security program manager at Microsoft’s Security Response Center, reiterated the need for Windows users to patch their computers immediately in his Thursday morning blog post. More than 100 million copes of the MS06-040 patch were downloaded in the first 30 hours after the Patch Tuesday announcement.
A Zero-Day Year
2006 may be remembered as the year of the zero-day attack. There have been over 35 different zero-day exploits or attacks in the last 90 days alone. Now, the world waits to see what will happen with the MS06-040 situation.
VeriSign iDefense Rapid Response Team Director Ken Dunham has been keeping a close eye on the developments of the past 24 hours. He told TechNewsWorld that today’s threat landscape is characterized by criminally motivated, stealth, targeted attacks, not widespread worms that were prevalent in 2003. That means this threat may not resemble the MSBlast attack at all.
“The reality is we don’t see a lot of hacker talk around this new exploit in the underground,” Dunham noted. “I think if we are going to see something automated, it will probably eventually make its way into bot code. It’s likely that we will see some Trojan activity, but the likelihood of a widespread worm attack still remains to be seen. We just don’t know.”
Criminal Motivation
Dunham looks at it this way: Would a hacker be more likely to spread a worm all over the world, bring attention to himself, and risk getting arrested? Or would the hacker rather attack computers silently and laugh all the way to the bank?
Since today’s hackers are not primarily motivated by notoriety, Dunham is betting on the latter scenario. That means networks are still at risk, though perhaps not from a denial-of-service attack.
“MS06-040 should be implemented right away,” Dunham stressed. “That active exploitation is out there and the likelihood of targeted attacks is much higher for MS06-040 than any other vulnerability in this last Patch Tuesday. By the time the weekend rolls around and the hackers have more time on their hands, the risk increases.”