Just a day after Microsoft released multiple security patches, rumors were already swirling about an exploit code for one of the flaws.
Microsoft said the security issue in MSDTC could allow remote control and privilege escalation by attackers on several operating systems, including Windows XP with SP1 and SP2 and several versions of Windows Server including Windows 2000 Server with SP 4 and Windows Server 2003. By Wednesday, the SANS Institute Web site, which is a popular site for users to swap information, had posted a warning about the rumored code.
"The impact of this vulnerability is similar to the plug-and-play vulnerability exploited by Zotob," said Neel Mehta, the lead researcher with Internet Security System Inc.'s X-force team in Atlanta.
Just days after Microsoft released several critical patches last August, several bot worms began attacking unpatched systems using an exploit code. Mehta said users are not anxious for a repeat. "Most of the users I'm talking to are taking this seriously," he said.
Despite the exploit rumors, administrators were not alarmed. Robert Hawkins, who installs security patches for Landata Systems Inc., in Houston, said he had already applied all of the patches, but said it can take up to seven days for the fix to be effective.
Hawkins was confident his patch for the MSDTC problem would be working by Friday and was not concerned about getting hit by a worm in the meantime. "We've never been bitten before," he said.
Gary Boy, IT manager for Installed Building Products, Columbus, Ohio, echoed Hawkins opinion about the dangers of exploit codes. Boy had not yet addressed the latest fixes and said it was not a high priority. "We get to patches when we get to them," Boy said.
Boy did acknowledge that Microsoft's patch release in August was given immediate attention. "We got a heads up that it was going to be pretty nasty," he said. "We pushed that one out immediately. "
Mehta said that hackers don't yet have their hands on the exploit code but he expected it would become public within a few days. He said currently only customers using Immunity Inc's Canvas software had access to the code.