Two in-the-wild exploits for the Microsoft Workstation Service vulnerability appeared today, two days after the dangerous flaw was patched as part of the software giant's monthly fix cycle, researchers said.
IT security experts had predicted the memory corruption bug, which allows for attackers to assume control of an affected system and execute remote code just by gaining authentication, would soon be actively exploited after the fix. The flaw was not widely known until it was patched.
Many security firms agreed the bug was the most critical of the nine vulnerabilities patched because it affects Windows 2000 and XP platforms, leverages ports that are critical to organizations and could be used in a worm attack.
"It's not a client-side vulnerability," Jonathan Bitle, manager of technical accounts for Qualys' vulnerability research team, told SCMagazine.com today. "It's a true remotely exploitable vulnerability."
A Microsoft spokesperson said today in an email to SCMagazine.com that company researchers are aware of publicly published exploit code and they are attempting to confirm its validity before issuing an advisory.
The spokesperson added that the vulnerability is rated "critical" only on Windows 2000 and carries a "low" severity on Windows XP Service Pack 2 editions.
Enterprises are urged to patch their systems as soon as possible because an available work-around, blocking access to well-known ports 139 and 445, would block business functions such as data sharing, Bitle said.
One goal of attackers might be to add infected systems to their armies of botnets, he said.
Click here to email Dan Kaplan.