Exploit code targeting at least one component of the Microsoft Windows ASN.1 flaw is circulating. Experts recommend...
applying the patch before it's too late.
"This exploit appears to work only against Windows 2000 Professional," said Marc Sachs, director of the SANS Internet Storm Center. "Windows XP is built from the same code base, and it may very well work against that as well."
Users should bear in mind that it wasn't long after the first exploit code for RPC-DCOM appeared that a universal shellcode for almost all Windows platforms came out, according to an advisory on the SANS Web site.
"This is the same [type of] prediction," Sachs said. "It's easy to build a worm around."
Microsoft last week released a patch for the pervasive flaw that can be used on all supported Windows operating systems.
The software giant was alerted to the vulnerability six months ago. Microsoft says it took quite a while to get the patch through its quality assurance process because the company had to make sure the fix wouldn't break other applications.
The denial-of-service exploit surfaced Saturday. It uses port 445, 139 and 135, which are open file shares. According to SANS, the exploit kills lsass.exe, fires an error message to the screen, and reboots the affected machine after about one minute. While this is just a DOS exploit, more serious exploits may follow.
"The widespread distribution of this new exploit code has significantly increased the threat level for ASN.1 possible attacks," said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc., in a statement. "This new exploit code serves as a template for attackers who want to gain remote access to vulnerable computers, infect them with Trojans, or create a bot or worm."
Sachs said that normal firewall practices should protect systems from attacks coming from the Internet that use this particular exploit. Experts recommend applying the patch immediately.
On the brighter side, Sachs said, the release of Microsoft source code late last week may divert some interest from the ASN.1 flaw.
"If ASN.1 was the only thing on the plate, it would get more focus," Sachs said. "This divides the Microsoft bug-hunting force."