Companies will have even less time than usual to properly protect themselves against attackers attempting to take advantage of three critical flaws in Windows software that were revealed this week by Microsoft.
Because the flaws are nearly identical to the one that the Blaster worm exploited last month, users can expect to see copycat attacks in the very near future, according to several security experts. As a result, it's important for companies to patch their systems or otherwise protect themselves against the flaws as expeditiously as possible, they said.
That sentiment was echoed by the US Department of Homeland Security, which last week warned of the "potential for significant impact on internet operations" because of the vulnerabilities.
"DHS believes that exploits are being developed" for the new flaws, the agency said in a bulletin.
Some users took the warning seriously.
"I'm pretty certain that an attack will happen faster than it did with Blaster," said Mike Tindor, vice president of network operations at First USA, an internet service provider in St. Clairsville, Ohio. The company has already installed patches against the new threat and has also closed several ports that could be exploited in an attack.
"I think it's critical that people patch immediately when a new update comes out," said David Krauthamer, director of information systems at Advanced Fibre Communications in Petaluma, California. The telecommunications equipment manufacturer used Microsoft's automated Security Update Services to download and patch more than 200 servers against the new flaws last week.
The holes exist in the remote procedure call (RPC) protocol used by the Windows operating system. Two of them are buffer overrun vulnerabilities that could allow an attacker to take full administrative control of a victim's system. An attacker who exploited these flaws would be able to take a variety of actions, including installing malicious programs, deleting data or creating new accounts, according to Microsoft.
The third flaw is a denial-of-service vulnerability that could allow RPC services to hang and become unresponsive, according to Microsoft.
It's not difficult to develop exploits for the new holes, said Max Caceres, director of product management at Core Security Technologies, a Boston-based vendor of security software and services.
Core Security was able to write attack code capable of compromising systems in the manner described by Microsoft in a matter of hours after the bulletin was announced, he said.
"In this case, it was pretty fast because the vulnerabilities are very similar to the last one," Caceres said. "The attack vector is exactly the same. The only change is in where the vulnerabilities exist."
"We always assume that if we can do it, there are others out there who can do it," said Dan Ingevaldson, an engineering manager with the X-Force response team at Internet Security Systems (ISS) in Atlanta.
ISS was able to develop an exploit for the RPC vulnerability used by Blaster within 12 hours, using just the information gleaned from the patch Microsoft issued to deal with the flaw.
With the latest vulnerabilities, hackers have an existing code base to work with, security experts said. Consequently, the window of time that administrators usually have to test and patch systems before a malicious exploit is crafted is going to be smaller than usual, predicted Jerry Brady, chief technology officer at Guardent in Waltham, Massachusetts
"There's a lot of exploit code available for the last RPC vulnerability that would only require very small modifications" to be effective against the new flaws, Brady said.