Code for MSBlast variant posted online

Users who haven't deployed the critical security patch released by Microsoft last week are in imminent danger, after exploit code was posted online

A piece of code that exploits the critical vulnerability for which Microsoft issued a patch only last week has been posted online, raising fears of an imminent MSBlast-style attack

On 10 February, Microsoft released a patch that fixes a networking flaw affecting all Windows XP, NT, 2000 and Windows Server 2003 systems. The company warned users to patch their systems because the vulnerability could be exploited by virus and worm writers. Four days after the patch was released, a piece of code was published on a French Web site that allows anyone to exploit the vulnerability, which means unpatched users can expect to be hit with another MSBlast-type worm.

Richard Starnes, director of incident response at Cable & Wireless, told ZDNet UK that the code appears to work: "We ran [the compiled code] against an unpatched XP and Windows 2000 SP3 system and it took both systems down. It does a buffer overflow and immediately sends the PC into a reboot phase that you can't get out of," he said.

According to Starnes, the published attack could easily be turned into another MSBlast or Code Red type "blended attack", which is where the worm has two distinct modules, one for spreading and the other containing a payload: "We have started seeing two-phase or two-tier worms -- worms that have two attack vectors -- one is a propagation vector and one is for launching an attack. The vast majority of worms we have seen only have a propagation payload, but with this one, you can have a propagation payload and you can have a proper payload -- being a DDoS platform."

Jay Heiser, chief analyst at IT risk management company TruSecure, told ZDNet that the code on its own is simply a DDoS attack and can cause limited damage, but because it exploits a buffer overflow, it could be used to cause havoc: "A denial-of-service attack is the equivalent to letting the air out of a tire in a car. It is annoying to the driver and might be fun once or twice for the attacker, but it is not the same thing as allowing you to go for a joyride. The fact that the DoS attack works against the buffer overflow suggests a greater likelihood that a more sophisticated attack is possible," said Heiser.

Heiser said that if users made sure the patch is applied immediately, they would not be in any danger.

However, Starnes said that if the code is used to create an attack, it is bound to cause damage because both companies and end users are notoriously bad at patching their systems until after an exploit is released: "Take a look at Code Red -- the patch for that had been released for six months before we got a worm and look what that did. The only people that are worse at patching their systems than companies are individuals," he said.