To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39154364,00.htm

Windows exploit code raises threat alert
And there ain't no patch on it...

By Dawn Kawamoto

Published: Friday 18 November 2005

Exploit code has been published that could take advantage of flaws in Windows XP SP1 and Windows 2000 SP4, according to a warning issued on Thursday by Microsoft.

Although the exploit code could be used to launch a denial of service attack in machines running XP SP1 and Windows 2000 with all service pack versions, the threat is only moderately severe, said Stephen Manzuik, a product manager at security research company eEye Digital Security.

Manzuik said: "On a scale of 10, it would be about a four or five on severity. All it will do is crash some machines and not crash others."

The exploit code could allow an attacker to launch a remote denial-of-service attack on Windows 2000 machines using all service pack versions but would require a user authentication on Windows XP SP1 computers, he added.

The exploit poses only a moderate risk because it requires a user to log on for Windows XP, and in the case of Windows 2000, the attacker would have to get remote access to the Remote Procedure Code (RPC) port. That port is often behind a firewall, making it difficult to penetrate remotely, Manzuik noted.

Microsoft has yet to develop a security patch for this exploit but it recommended that users enable their firewalls and download security updates, according to its security advisory.

The exploit code was published by Winny Thomas of Nevis Labs in India, who reverse-engineered a patch Microsoft issued in October, according to a posting on FrSIRT's website. The patch, MS05-047, dealt with a plug-and-play feature in the Windows software.

Thomas noted in his posting: "While working on an exploit for MS05-047, I came across a condition where a specially crafted request to upnp-getdevicelist would cause services.exe to consume memory to a point where the target machine's virtual memory gets exhausted. This exploit is not similar to the MS05-047 exploit I published earlier."

The October patch did not lead to the vulnerability in Windows, a Microsoft representative said, adding that Microsoft encourages people to "apply the MS05-047 update and all recent security updates released by Microsoft".

Microsoft, however, reiterated its concerns over security researchers who publish details on how to exploit vulnerabilities before the software vendor has had time to create a patch.

The company said: "Microsoft is concerned that this new report of a vulnerability in Windows 2000 SP4 and Windows XP SP1 was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities."

Some security researchers, however, note that Microsoft has been known to take at least 200 days or more to issue a security patch, once the company has been notified of a problem.

Dawn Kawamoto writes for CNET News.com