The Windows Server service flaw, addressed on Thursday when Microsoft pushed out a rare, out-of-cycle fix, can be exploited by sending malicious Remote Procedure Calls (RPCs) to vulnerable systems. Microsoft said it was aware of limited attacks targeting the bug, which, if not patched quickly enough, could have resulted in a major worm attack.
"This is exactly the kind of bug that triggered the big RPC worms of old," said Bas Alberts, a senior researcher at Immunity, a Miami-based security consultancy, referring to attacks such as Blaster and Code Red.
Researchers at Immunity were the first known individuals to engineer attack code following the release of the patch; however, details were only available to customers of its CANVAS penetration testing tool.
Alberts described the exploit, created two hours after Microsoft released the fix on Thursday, as a "buffer underflow." It is fully functional on Windows 2000, and researchers were close to the same result on XP Service Pack 2, he said.
The attack resembled code that had been written for MS06-040, another Server service vulnerability patched in August 2006, Alberts said.
"We basically altered the input of the older exploit to work with the semantics of the new bug," he said.
He described what researchers did in an email (PDF) sent to SCMagazineUS.com on Friday.
Later on Thursday, researcher Stephen Lawler of Mandiant published the first known public proof-of-concept code. Exploit database Milw0rm posted it. Lawler described the exploit on his blog.
Alberts said he doubted the vulnerability would turn into a major worm because internet service providers (ISPs) have gotten better at filtering file-sharing ports that might have allowed the attack to spread in the past.
"The only way I see that happening is if they start combining attacks, like using a client-side bug to hop onto the internal network and then spread from there," he said. "But it's going to be fairly tricky to propagate like that automatically. You're talking about fairly complex scenarios."
But all bets are off if the worm gets on an internal network.
"It has the potential to wreak havoc," he said.
In a post on Microsoft's Software Development Lifecycle blog, the company said it has noticed a recent influx of server-side issues affecting less frequently targeted components of the operating system. Microsoft termed these "one-off bugs."
"There is a good side and a bad side to this," according to the blog. "First the good news. I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code. The bad news is we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives."