Hackers Already Exploiting Microsoft VulnerabilitiesHackers Already Exploiting Microsoft Vulnerabilities

Hackers are beginning to successfully develop software that can be used to attack systems vulnerable to security holes Microsoft disclosed last week.

Less than 24 hours after Microsoft published its monthly roundup of security patches on Nov. 11, exploit code, a small app that can be used to attack a software vulnerability, began to surface on security mailing lists.

It began when exploit code that works against the "Windows Workstation Service" flaw revealed in Security Bulletin MS03-049 was posted to the Bugtraq mailing list. And during this past weekend more samples of exploit code were posted to various security mailing lists.

The flaw being targeted is the buffer-overflow vulnerability within the Windows Workstation Service; according to Microsoft's MS03-049 advisory, a remote attacker could gain complete control of an unpatched system.

On Nov. 11, the CERT Coordination Center, based out of the Software Engineering Institute at Carnegie Mellon University, issued an advisory that warns that worms aimed at this vulnerability are a possibility.

Dan Ingevaldson, director of X-Force, which conducts Internet security research at Internet Security Systems Inc., says the exploits that have surfaced so far are bug-ridden and not ready for someone to use as the platform for a worm.

That could change quickly. "One of the exploit writers put comments inside their code asking more help and how they could make the exploit more effective," he says.

It's common, security experts say, for software exploits to be tweaked and improved by hackers and security researchers over days and weeks until they're perfected. Ingevaldson is confident a new worm will surface soon. "While it's easy to predict that exploit code will appear in a matter of days and that it will be quickly improved, the actual release date of a worm is tough to predict," he says.

The release of the Blaster and Nachi worms followed the same pattern of vulnerability, quickly improved exploit code, and finally the actual worms, Ingevaldson says.

If a worm does hit, Windows 2000 users won't be hit as hard as users of Windows XP, he says, because Windows 2000 isn't exploitable by an anonymous or "null session" so any attacks, whether by a hacker or a worm, could come only from systems with the proper access rights.

Microsoft is urging customers to patch the vulnerabilities revealed in the Nov. 11 security bulletins. More information is available on its site.