Exploit Looks For Unpatched Windows Servers

This is why Microsoft never gives out the details on vulnerabilities before Patch Tuesday.

Since issuing a patch for a serious vulnerability last Tuesday, a number of exploits have hit the Internet, hoping to take advantage of computers that have not yet been patched to close the vulnerability.

Bulletin MS06-040 is a buffer overflow exploit that allows for remote code execution vulnerability in the Server Service that could allow an attacker to take complete control of the affected system.

Microsoft  labeled the flaw as “critical,” which was something of an understatement. Exploitation of this flaw could allow for attacks as severe as the Blaster and Sasser worms.

The exploit was so severe that the U.S. Department of Homeland Security took the unusual step of issuing a press release urging everyone to install the patch.

Patch Tuesday for August was August 8, and by August 12 the first exploit appeared. As is the case, every antivirus vendor has given it a different name. It’s referred to by the names Win32/Graweg.B, IRC-Mocbot!MS06-040, W32.Wargbot and WORM_IRCBOT.JK.

This exploit is variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to an Internet Relay Chat server and starts listening for commands from a remote hacker, according to analysis from antivirus vendors.

The Microsoft Security Response Center (MSRC) describes the attack as “extremely targeted” and said it appears to be specifically targeted at Windows 2000 machines.

“Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed you are not affected,” wrote MSRC program manager Stephen Toulouse in a blog update.

Microsoft continues to urge customers to apply the August updates as soon as possible to get the MS06-040 patch installed.

“However, we are in no way underplaying the severity of the vulnerability addressed in MS06-040: we continue to urge customers to deploy and test the update with a heightened sense of urgency,” wrote Adrian Stone, a program manager at MSRC in a blog update.

Customers who believe that they are infected or are not sure whether they are infected are encouraged to visit Windows Live OneCare and choose “Protection Scan.”

News Around the Web