Microsoft New Zealand is so concerned about the latest security vulnerability to threaten its operating systems that it's taking the unusual step of contacting channel partners to ensure they get in touch with as many end users as possible.
The MS03-026 flaw allows a would-be hacker to gain control of a Windows system through a security hole in the DCOM (distributed component object model) interface.
Microsoft released a relevant patch last month but at least three different versions of exploit code have been posted on the internet over the past few days, says Gunter Ollmann, manager of Atlanta-based X-Force security assessment services at Internet Security Systems (ISS). Some of the code is "quite elegant" and can be run by just about anyone with a compiler and some programming savvy, he says.
The greatest threat to networks comes from individuals who will use this code to create mass-mailer worms, the likes of which have created havoc on the internet several times in recent years, says Ollmann. ISS expects such a worm to appear before long.
Microsoft New Zealand enterprise and partner group director Terry Allen says the flaw is "critical enough that it required us taking this [channel] step", as well as notifying corporates via its security update subscription service.
"Microsoft has emailed all its managed partners in New Zealand. Many of those will be aware of it anyway through their own practice but we wanted to take that extra step."
Those partners are being encouraged to inform end users of the severity of the threat, which Allen likens to the Code Red virus that ran amok in 2001.
Allen says all users of Windows XP, 2000 and Windows NT 4.0 should patch their systems, along with the higher-end products NT 4 Terminal Services Edition and Windows Server 2003.
Allen says there is confusion between this flaw and another flaw that could lead to a denial of service attack, but the second is a separate issue and not as critical as this. "I am aware of another potential violation through the RPC [remote procedure call] core and this, but they are unrelated."
Questions have also been raised over incompatibilities between various Microsoft security patch checking processes that can lead some users to believe they are secure when they are not (see "Confusion over MS03-026 installation"), though Allen says he has not had any feedback on that problem.
The patch can be found here.