New Worm Counts On Lazy Admins

In a twist on their usual methods, virus writers have written an exploit for a vulnerability that Microsoft patched this week, hoping to take advantage of IT shops that are slow on the draw.

The usual trick has been the zero-day exploit, an attack on a hole for which no patch yet exists: they wait until Microsoft issues its monthly patches and then drop the viral bomb a day or two later, knowing full well Microsoft won't be issuing a fix for another month.

In this case, attackers examined the fix in MS06-070, worked out the underlying flaw and whipped up their own worm in the hope that the hole won't be plugged on many machines for several days.

“Typically, people are a little bit wary of applying patches because they want to see how it’s going to affect their environment,” said Jonathan Bitle, manager of the technical accounts team at Qualys, an on-demand security provider that learned of the exploit on Thursday.

“So most people have a pretty finely-tuned patch process that allows them to patch on pre-production computers, so they don’t risk the stability of their production networks,” he said.

It probably doesn’t help that Microsoft has had to issue patches for its own patches this year. Shipping a bad fix does nothing to build confidence in the firm.

The vulnerability is what Bitle called “wormable”: it can be exploited remotely without any user interaction, so malicious code can spread from machine to machine on its own. The payload could go either way: a self-propagating worm, or a bot that enlists the compromised machine in a botnet.

The flaw is in the Workstation service, which runs on every NT-based version of Windows (Windows 2000 onward) as a required service rather than an optional component. The combination of remote exploitation and a service that every machine runs makes it potentially very dangerous.

The good news? Unauthenticated remote exploitation is only possible on Windows 2000. On Windows XP and Windows Server 2003 an attacker needs authenticated access to the host, which rules out the anonymous, self-spreading attack a worm depends on, although an attacker who already holds valid credentials could still use it.
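The practical question for an administrator reading this is which machines to patch first. The script below is an added example, not code from the article, Microsoft or Qualys: it ranks hosts from a hypothetical inventory using the three facts above (an unpatched Windows 2000 box that exposes SMB is wormable; XP and 2003 need credentials; a patched box is fine). The inventory format, the column names and the sample hosts are all constructed for the example.

```python
"""Triage check for an MS06-070-style Workstation-service bug.

Added example, not from the article or from Microsoft/Qualys. It assumes a
hypothetical host inventory with columns host,os,patches,smb_exposed where
"patches" is a semicolon-separated list of applied bulletin IDs and
"smb_exposed" says whether TCP 139/445 is reachable from untrusted networks.
"""
import csv
import io

BULLETIN = "MS06-070"

# Constructed sample inventory (hostnames and patch lists are made up).
SAMPLE_INVENTORY = """host,os,patches,smb_exposed
w2k-fileserver,Windows 2000,MS06-066;MS06-067,yes
w2k-lab,Windows 2000,MS06-066;MS06-070,yes
xp-desk-01,Windows XP,MS06-066,yes
srv03-dc,Windows Server 2003,MS06-066,no
w2k-kiosk,Windows 2000,MS06-066,no
"""


def _normalize_os(os_name):
    """Map a free-text OS string to the platforms the bulletin talks about."""
    name = os_name.strip().lower()
    if "2000" in name:
        return "win2000"
    if "xp" in name:
        return "winxp"
    if "2003" in name:
        return "win2003"
    return "other"


def classify(os_name, patches, smb_exposed):
    """Return (priority, reason).

    Priority 3: unauthenticated, remotely reachable, i.e. wormable.
    Priority 2: unpatched Windows 2000 but SMB not reachable from outside.
    Priority 1: unpatched XP/2003, where the attacker needs credentials.
    Priority 0: patched or not a platform the bulletin covers.
    """
    if BULLETIN in patches:
        return 0, "patch applied"
    flavour = _normalize_os(os_name)
    if flavour == "other":
        return 0, "platform not covered by the bulletin"
    if flavour == "win2000":
        if smb_exposed:
            return 3, "Windows 2000, unpatched, SMB reachable: unauthenticated, wormable"
        return 2, "Windows 2000, unpatched, SMB not reachable from untrusted networks"
    # XP / 2003: a worm cannot spread on its own, but a credentialed attacker still can.
    return 1, "%s, unpatched, but exploitation requires authenticated access" % os_name.strip()


def triage(inventory_csv):
    """Parse the inventory and return [(priority, host, reason)], most urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        patches = {p.strip().upper() for p in row["patches"].split(";") if p.strip()}
        exposed = row["smb_exposed"].strip().lower() in ("yes", "true", "1")
        prio, reason = classify(row["os"], patches, exposed)
        results.append((prio, row["host"], reason))
    results.sort(key=lambda r: (-r[0], r[1]))
    return results


if __name__ == "__main__":
    for prio, host, reason in triage(SAMPLE_INVENTORY):
        print("P%d %-16s %s" % (prio, host, reason))
```

The ordering is the point: the Windows 2000 file server with SMB open to untrusted networks comes out on top, the XP and 2003 hosts drop to a lower tier because they need credentials, and the patched lab box falls off the list. Feeding it a real inventory export (with the same columns) is the only change needed to use it for a real patch cycle.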

Microsoft said it’s examining the exploits and will issue guidance soon, but for now, it encourages application of all security patches.
