The Month: Threat of the month – Flaw in Windows Server service

September 4, 2006

What is it?

A vulnerability in the Windows Server service on Windows 2000, XP and 2003 allows remote attackers to take control of the system. It has already been exploited by malware authors, prompting the US Department of Homeland Security to issue a warning on its website.

How does it work?

A buffer overrun can be used to execute malicious code on a target machine. Botnet authors have been using it to install trojan backdoors on systems to expand their networks, but it could easily be used for a network worm.

Should I be worried?

This is a dangerous vulnerability that was already known before Microsoft issued the bulletin (MS06-040) and patch in August. Although no exploit code was publicly available before the patch, malware followed almost immediately. All versions of Windows are vulnerable and can be exploited over the commonly used ports 139 and 445 (used for SMB).

What can I do about it?

Microsoft has issued a patch you should install as soon as possible after expedited testing. On critical machines, or those that cannot be patched, blocking ports 139 and 445 will prevent remote exploit. Use a scanning tool like Microsoft's MBSA to identify vulnerable systems on your network.

www.microsoft.com/technet/security/bulletin/ms06-040.mspx.
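The patch-or-block advice above can be checked against an inventory. The following is an added example, not part of the original article: it flags hosts that lack the MS06-040 update and still accept traffic on ports 139 or 445 under a first-match firewall rule set. The host names, zone labels and rule format are constructed assumptions.

```python
from typing import NamedTuple

SMB_PORTS = (139, 445)  # the two ports the article says to block

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    source: str   # "any" or a zone label (labels here are assumptions)
    lo: int       # first destination TCP port covered
    hi: int       # last destination TCP port covered (inclusive)

class Host(NamedTuple):
    name: str
    patched: bool          # MS06-040 update installed?
    rules: tuple = ()      # evaluated top-down, first match wins
    default: str = "deny"  # action when no rule matches

def verdict(host, source, port):
    """Return the action of the first rule matching source and port."""
    for r in host.rules:
        if r.source in ("any", source) and r.lo <= port <= r.hi:
            return r.action
    return host.default

def triage(hosts, source):
    """Map host name -> (status, SMB ports reachable from `source`)."""
    report = {}
    for h in hosts:
        open_ports = [p for p in SMB_PORTS if verdict(h, source, p) == "allow"]
        if h.patched:
            status = "patched"
        elif open_ports:
            status = "exposed"
        else:
            status = "blocked, patch pending"
        report[h.name] = (status, open_ports)
    return report

# Constructed inventory (hypothetical hosts and rule sets).
INVENTORY = [
    Host("files01", False, (Rule("allow", "any", 1, 1024),)),
    Host("hmi01", False, (Rule("deny", "any", 139, 139), Rule("deny", "any", 445, 445),
                          Rule("allow", "any", 1, 65535))),
    # Deny rules placed after a broader allow never fire.
    Host("print01", False, (Rule("allow", "any", 100, 500), Rule("deny", "any", 139, 139))),
    Host("db01", False, (Rule("deny", "any", 445, 445), Rule("allow", "internal", 139, 139))),
    Host("ws042", True, (Rule("allow", "any", 445, 445),)),
]

if __name__ == "__main__":
    for zone in ("external", "internal"):
        for name, (status, ports) in triage(INVENTORY, zone).items():
            print(f"{zone:9} {name:8} {status:22} {ports}")
```

Note that print01 is reported as exposed even though it has a deny rule for port 139, because the broader allow above it matches first, and db01 is blocked from the external zone but still exposed on port 139 from the internal one.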
