The availability of code capable of exploiting a critical vulnerability in Windows 2000—just one day after the flaw was disclosed as part of Microsoft Corp.'s monthly security updates last Tuesday—lent urgency to efforts by IT managers to patch their systems as quickly as possible.
For instance, the American Red Cross, which in August saw traffic on its networks become saturated by the Zotob worm, was already deploying Microsoft's latest patches last week, according to Ron Baklarz, chief information security officer at the Washington-based relief organization.
"We have dramatically improved our procedures to improve on our patch implementation time," Baklarz said without elaborating. He added that the Red Cross has also installed intrusion-prevention technology on "riskier segments" of its network perimeter to provide additional protection against attacks.
Satish Ajmani, CIO of Santa Clara County in California, said the county government was "aggressively" testing and deploying the patches from Microsoft.
"We are a very large and distributed organization, and we used to take several days to roll out patches," Ajmani said. But outbreaks such as the Zotob worm have "heightened awareness and understanding" of the need for more-effective patching strategies among county officials, he added.
Immunity Inc., a Miami-based security research firm, on Wednesday released a proof-of-concept exploit taking advantage of a flaw in the Microsoft Distributed Transaction Coordinator (MSDTC) service within Windows 2000. The flaw, which some analysts described as being relatively easy to exploit, could allow attackers to take complete administrative control of unprotected servers.
Justine Aitel, Immunity's CEO, said the firm was able to develop a workable exploit of the flaw in just a few hours. Immunity released the exploit code to members of its partner program, which includes vendors of security products such as intrusion-detection and -prevention systems, so they could use the information to update their tools to protect against the flaw.
In addition to the exploit code for the MSDTC vulnerability, Immunity has developed proof-of-concept exploits for two of the other flaws that were disclosed by Microsoft last week, Aitel said.
In an e-mail comment, a Microsoft spokeswoman said that the company knew about the exploit code's availability. But, she added, the software vendor "is not currently aware of active attacks that use this exploit code, or of customer impact at this time."
Nonetheless, similar exploits of the MSDTC flaw could quickly become widely available, said Neel Mehta, team leader of the X-Force research team at Internet Security Systems Inc. in Atlanta.
"It's almost certain that other hackers are working on the same thing right now," Mehta said. He noted that apart from the relative ease with which the flaw can be exploited, the vulnerability presents a tempting target for attackers because the MSDTC service runs by default on Windows 2000 servers and can be taken advantage of without users having to take any action.
Alfred Huger, senior director of engineering for Symantec Corp.'s security response team, said his company hadn't received any reports of systems being compromised via the MSDTC flaw as of Thursday. But he warned that the new vulnerability presents the same kind of opportunity for malicious hackers that led to the Zotob outbreak, which caused problems at several large companies.
Fenwick & West LLP managed to avoid getting hit by Zotob because its antivirus software was effective at filtering out the worm, said Matt Kesner, chief technology officer at the Mountain View, Calif.-based law firm.
Nonetheless, the firm has sped up its patching processes out of concerns about similar outbreaks. IT staffers now hold a meeting "immediately after Microsoft releases its patches" on the second Tuesday of each month, Kesner said. "Then we try to test and get the patches out by Friday." Last week, the firm finished deploying the new patches on Thursday night.