Windows vulnerability patched out of cycle is already being exploited
The patch released by Microsoft on Thursday evening closes a vulnerability in the Server Service that could theoretically be exploited for worm attacks. The first attacks that exploit the vulnerability have already taken place.
Attackers can take over a vulnerable system by means of a specially crafted RPC request. However, an enabled firewall can fend off an attack, Microsoft writes in its Security Bulletin MS08-067, and systems with file sharing disabled are not susceptible.
For Microsoft Windows 2000, Windows XP and Windows Server 2003, the vendor nevertheless rates the vulnerability as "critical". For Windows Vista and Windows Server 2008, as well as for the pre-beta of Windows 7, the vulnerability is rated "important". A successful attack on these operating systems is less likely, because on these versions a user must be authenticated to reach the vulnerability.
Microsoft decided to release the patch after discovering that the vulnerability had been exploited on a small scale two weeks ago. The malware involved was the trojans Win32/Gimmiv.A and Win32/Gimmiv.A.dll. This malware removes itself after execution, without leaving any trace. According to Microsoft, no self-replicating malware existed when the patch was released.
Within two hours of the details about the vulnerability appearing, the first proof-of-concept for a new exploit popped up, written by the makers of the security tool Immunity. "It is very good to abuse", says Bas Alberts, Immunity security researcher. Symantec researcher Ben Greenbaum expects there is little chance that worms will appear that specifically target the vulnerability, because systems with a firewall enabled are not susceptible. He does think that worms will appear that combine exploitation of the vulnerability with other attacks. Symantec has seen an increase in scanning on TCP ports 139 and 445 since Thursday. Exploits of the vulnerability would use these ports.