Microsoft issues emergency patch for giant security hole


Discovery of a gaping security hole in all Windows XP, Windows 2000 and Windows Server 2003 computers prompted Microsoft on Thursday to issue a rare emergency security patch. The tech giant normally issues security fixes on the second Tuesday of the month. It did so on Oct. 14.
But this newly discovered vulnerability is a whopper. It harks back to the type of yawning Windows flaws that made computing so dicey in 2003 and 2004. Back then, bragging-rights hackers launched globe-spanning, headline-grabbing Internet worms such as MSBlast and Sasser.
In fact, the new flaw is in the same mundane Windows component -- Remote Procedure Call -- that was at the root of the infamous MSBlast worm. MSBlast, you may recall, corrupted at least 25 million PCs and probably exacerbated an Eastern seaboard blackout. MSBlast also contained an embedded message to "Billy Gates," chiding the world's most famous tech tycoon to "stop making money and fix your software."
Like the 2003 RPC flaw, the latest one doesn't require any user participation for a hacker to infect vulnerable machines, says Ben Greenbaum, senior research manager at Symantec security response. To be more precise, the machines at risk include any unpatched Windows PC -- XP vintage or earlier -- connected to the Internet with Port 139 and Port 449 left open. That's likely tens of millions of PCs.
"No action is required on the part of the victim," says Greenbaum. Home PC users can count on Windows Auto Update to get them the patch quickly; just make sure you have Auto Update enabled. But corporations are notorious for taking weeks or longer to patch -- especially PCs running critical business applications. Meanwhile, hackers are getting better and better at quietly gaining footholds inside corporate firewalls, as the recent hack of 18 computer servers at the World Bank attests.
Sunbelt Software has already reverse-engineered one of the early attacks in the wild. The intruders taking advantage of the latest RPC flaw are polished and professional, Sunbelt researcher Eric Sites told me. These bad boys install a new Dynamic Link Library, or DLL, so that the next time the victim restarts his or her PC, a malicious Trojan takes root and continually runs in the background. Every 10 minutes, it copies all registry information, all logons stored by the Web browser and a bunch of other information and sends it back to the attacker.
"Right now this looks like something very customized, targeting very specific people. They could be after business intelligence or military secrets. These are not your average attackers," says Sites.
The major worry: Someone will take the self-replicating mechanism honed by MSBlast's author and create a new RPC worm that automatically finds and corrupts unpatched PCs. "If other bad people find out how to use this, we're in big trouble," says Sites. "A Blaster-type worm could be created very easily, and wreak havoc."
By Byron Acohido

Photo: Bill Gates speaks during the Centennial Global Business Summit at Harvard Business School Monday Oct. 13, 2008 in Boston. (Lisa Poole/AP)