CERT: Windows Is Still Vulnerable
CERT's Coordination Center says hackers are actively scanning systems and compromising PCs, and a new, unpatched vulnerability exists.
Adding its voice to the chorus of concern about potential exploits of a major flaw in Windows, the CERT Coordination Center has issued its own warning, noting that attackers are not only actively scanning systems and successfully compromising PCs, but that a new, as-yet-unpatched vulnerability exists.
"We're continuing to receive reports of sites that have been exploited," Jeff Havrilla, Internet security analyst with CERT/CC, said Friday. "And the activity is across a broad spectrum of users. It's imperative that systems be patched."
The original Windows vulnerability, first made public on July 16, involves the Remote Procedure Call protocol within Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003. RPC is used within Windows to let an application running on one computer execute code on a remote machine. A patch for the vulnerability can be downloaded from Microsoft's TechNet Web site.
CERT/CC is also tracking reports that patched systems are still vulnerable to a denial-of-service attack. The denial-of-service vulnerability stems from the RPC interface, and code for this exploit has also been posted to various security mailing lists.
"This vulnerability only affects Windows 2000 machines," said Havrilla. "Microsoft says this vulnerability isn't related to the RPC vulnerability, so its patch doesn't address it." Havrilla said Microsoft was working on a new patch specifically for Windows 2000, "but until that's available, we recommend that users filter ports."
A Microsoft spokesperson confirmed the new vulnerability and said the company is investigating the issue and working on a patch, but could not provide an expected release date. Until Microsoft does issue a fix, CERT/CC recommends blocking ports 135, 139, and 445, both inbound and outbound, on all Windows 2000 machines.
On the original RPC vulnerability, CERT/CC noted that it had received reports of widespread scanning of Windows systems' ports, a possible prelude to an attack, and detailed three tools that hackers are using.
"These exploits have been public for almost two weeks, they have been proven to work, and they are being used," Havrilla said.
Earlier this week, security watchers noted that code for several possible exploits of the RPC vulnerability had been posted to Internet security mailing lists, such as Bugtraq and Full-Disclosure.
According to CERT/CC, one of the tools currently in use by attackers probes TCP port 135 and installs a privileged backdoor command shell on machines it compromises. The command shell can then be used by the hacker to wreak havoc by deleting files, creating new user accounts, or installing malware. A second tool scans for TCP port 4444, while a third scans for ports of the attacker's choice.
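As an added example (not code from the article, CERT/CC, or ISS), the following Python script applies the detection logic implied above to constructed firewall log lines: it flags sources that hit the advisory's ports (135, 139, 445) on several different hosts, and sources that reached a host on an RPC port and then connected to TCP 4444, the port the second tool looks for. The log format, addresses and threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports named in the CERT/CC advisory text: 135/139/445 (RPC/SMB, to be filtered)
# and 4444 (the port the second scanning tool looks for).
WATCHED_PORTS = {135, 139, 445, 4444}
SCAN_THRESHOLD = 3  # distinct destination hosts from one source before we call it a scan

# Constructed sample lines in an assumed "src dst proto dport action" format (not real logs).
SAMPLE_LOG = """\
2003-08-01T14:02:11 src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=135 action=deny
2003-08-01T14:02:11 src=10.0.0.7 dst=192.168.1.11 proto=tcp dport=135 action=deny
2003-08-01T14:02:12 src=10.0.0.7 dst=192.168.1.12 proto=tcp dport=135 action=deny
2003-08-01T14:02:12 src=10.0.0.7 dst=192.168.1.13 proto=tcp dport=135 action=allow
2003-08-01T14:02:40 src=10.0.0.7 dst=192.168.1.13 proto=tcp dport=4444 action=allow
2003-08-01T14:05:00 src=10.0.0.9 dst=192.168.1.20 proto=tcp dport=80 action=allow
2003-08-01T14:06:00 src=10.0.0.9 dst=192.168.1.10 proto=tcp dport=445 action=deny
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)"
)

def parse(log_text):
    """Yield (src, dst, proto, dport, action) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"]), m["action"]

def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Return {'scanners': sources touching >= threshold hosts on one watched port,
    'shell_followups': (src, dst) pairs with an allowed RPC-port hit followed by 4444}."""
    targets = defaultdict(set)      # (src, dport) -> set of destination hosts
    allowed_rpc = set()             # (src, dst) pairs that were allowed through to 135/139/445
    followups = []
    for src, dst, proto, dport, action in parse(log_text):
        if proto != "tcp" or dport not in WATCHED_PORTS:
            continue
        targets[(src, dport)].add(dst)
        if action == "allow" and dport in (135, 139, 445):
            allowed_rpc.add((src, dst))
        if dport == 4444 and (src, dst) in allowed_rpc:
            followups.append((src, dst))  # possible backdoor shell after RPC contact
    scanners = sorted({src for (src, _p), hosts in targets.items() if len(hosts) >= threshold})
    return {"scanners": scanners, "shell_followups": followups}
```

On the sample data, 10.0.0.7 is reported as a scanner (four hosts on port 135) and its later connection to 192.168.1.13 on 4444 is reported as a follow-up worth investigating.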
Dan Ingevaldson, the engineering manager of Internet Security Systems Inc.'s X-Force research and development team, confirmed that ports are being scanned.
"We're seeing widespread scanning on ports 134 and 445 for vulnerable systems," he said. "Attackers are scanning some machines and triggering some [intrusion detection] sensors."
The increased activity doesn't come as a surprise to Ingevaldson. "As expected, we're seeing the telltale signs of exploit experimentation by attackers." Hackers typically take exploit code that's been publicly posted, then refine it. One sign that an exploit is being refined is increased scanning of TCP ports as attackers try out tweaks to their code.
A worm that uses any of the exploit code hasn't yet been discovered.
"We don't have any direct evidence of any automated code--a worm, in other words," said Havrilla. "It seems that individual attackers are going in and targeting specific sites. But the attacks are still broad enough in scope that sufficient numbers of people are reporting that they're being hurt by the exploits."
ISS's Ingevaldson reported much the same. "We've confirmed reports that some Windows XP machines at a certain university are rebooting in a manner that we would expect if an exploit was successful," Ingevaldson said. He declined to name the university, but noted that the PCs were outside the school's firewall.
Systems rebooting can be a sign of an improperly coded exploit: one written to attack only Windows NT machines, for instance, but pointed at another platform, such as Windows XP.
The new denial-of-service vulnerability, increased port scanning, and evidence of successful attacks couldn't come at a worse time: on the brink of the weekend.
"The weekend is a good time to launch an attack, when no one's around, watching the screens," said Ingevaldson. "We hope that everyone addresses the issue before the weekend."