Security Experts Disagree Over New ThreatsSecurity Experts Disagree Over New Threats

New code to take advantage of security weaknesses in Microsoft's Windows operating system was spotted on the Internet earlier this week. But at least one security expert says it doesn't pose much of a threat.

Two security firms, iDefense Inc. and Counterpane Internet Security Inc., discovered the "exploit code," which would make it easier for hackers to exploit a security weakness in an application or operating system. The code they discovered is aimed at the vulnerabilities in the Windows Remote Procedure Call Distributed Component Object Modeling interface, which Microsoft disclosed Sept. 10. The vulnerability affects nearly all current versions of Windows, including Windows Server 2003, and is very similar to the flaws revealed in July that led to the Blaster worm attack. That attack infected more than 500,000 systems in August.

Security experts are predicting a new worm will surface any day to take advantage of those flaws.

But Dan Ingevaldson, an engineering manager at X-Force, the security research group within Internet Security Systems Inc., says the exploit isn't that effective. "It crashes more systems than it will successfully infect. Crashed systems are the enemy of any effective worm," he says. Ingevaldson says it's been difficult to get this particular exploit to work.

Microsoft declined to comment on whether the newfound exploit works.

Both Counterpane and iDefense contend that the exploit works effectively against Windows 2000 systems running Service Pack 3 and 4. Ken Dunham, a malicious-code intelligence manager at iDefense, says message postings and chatter in the hacker underground suggest that several hundred systems may have already been attacked by the exploit and infected with a Trojan.

Creating a new worm to take advantage of the software flaws isn't as easy as cutting and pasting the newfound exploit into the already existing and widely available code for the Blaster worm, says Bruce Schneier, Counterpane's founder and chief technology officer. But "it wouldn't be difficult for someone with a little programming experience," he says.

Still, Ingevaldson says this exploit isn't worm-ready. "It just wouldn't make an effective worm as the exploit currently exists," he says.

That could change quickly. Schneier says one of the biggest trends he's noticed in exploit and worm development this year is how malicious-code authors are increasingly working together to build their lethal apps. "One will post a rough version of an exploit, and someone else will grab it and improve it. Another will then make improvements on that," he says.

And to make matters worse, Dunham says his team has spotted a screen shot of what appears to be an exploit that will work against Windows XP systems.

The new rash of exploits seem to be originating from a Chinese hacker group called XFocus, which has been developing exploits for the past few years, Ingevaldson says.

If a worm does surface in coming days, security experts are hopeful it won't be as devastating as the original Blaster. Internet service providers "have the filters they used against Blaster either still in place or ready to go," Ingevaldson says. "All of the attention on the need to patch may help any future worm not be as effective."