Computer Crime Research Center


A bunch of bugs in Microsoft's hand

Date: August 12, 2005
Source: Computer Crime Research Center
By: CCRC staff

Windows 2000 users have had a hard week.

While they're still waiting for Microsoft to repair and re-release the last official update to the aging operating system -- dubbed Update Rollup 1 -- they also found out this week that they're the most at risk from a pair of critical vulnerabilities disclosed by Microsoft.

Windows 2000 systems present the easiest target for the Plug and Play and print spooler vulnerabilities, Microsoft acknowledged in Tuesday's security bulletins. "Windows 2000 systems are primarily at risk from this vulnerability," the Redmond, Wash.-based developer said in the Plug and Play bulletin, and repeated the warning in the bulletin dedicated to the print spooler bug. (For the latter flaw, Windows XP SP1, which has been superseded by SP2, is just as vulnerable as Windows 2000.)

Both bugs could allow a hacker to attack Windows 2000 PCs without first obtaining a legitimate log-on username and password or having physical access to a company's network.

"The Plug and Play vulnerability will be really easy to exploit," said Mike Murray, the director of research at vulnerability management vendor nCircle. "And Windows 2000 makes the easiest worm target."

At the end of June, Microsoft shifted Windows 2000 from what it calls "mainstream" support to "extended" support; the latter means that while Microsoft still provides security fixes for the operating system -- as with the vulnerabilities publicized Tuesday -- it no longer provides fixes for non-security issues.

This week's vulnerabilities prove that Windows 2000, no matter where it is in Microsoft's support cycle, will continue to be a target for attackers. "It's not like Windows 2000 goes away just because Microsoft says it's old," noted Murray. "We'll see exploits against Windows 2000 for years to come."

Marc Maiffret, the chief hacking officer of eEye Digital Security, agreed, and said the fact that Windows 2000 is so vulnerable is the result of Microsoft's decision not to retroactively beef up the OS's security, as it did with Windows XP in 2004 when it released XP SP2. "Windows 2000 is still supported, but not proactively. It's like Microsoft's saying, 'we know you're vulnerable and we'll make fixes, but you should really buy the latest thing.'"

That may be difficult. According to a recent study by Assetmetrix, a Canadian provider of asset management software, Windows 2000 still accounts for nearly half of the corporate Windows market.

Maiffret is confident that if hackers want to, they can easily put together a worm to exploit the Plug and Play vulnerability on Windows 2000. "They could definitely write something as serious as Slammer or Blaster," he said. "It's so straightforward.

"But that doesn't mean they will. They've figured out that all a major worm does is cause more patching. The lack of worms [recently] isn't because of improved security, it's because hackers don't want the attention."

Stephen Toulouse, a program manager for Microsoft's Security Response Center, said the particular weakness disclosed Tuesday differed from the one exploited by the "Sasser" worm because newer operating systems were less vulnerable to it.

Security practices also have improved since the last major worm attacks were unleashed, Toulouse said.

"I think it's a pretty different environment right now," he said. "More and more customers are applying updates more quickly, more customers have better firewall protection."

The flaw's less-serious effect on Windows XP systems suggests the company may have tried to address the problem, but left users with older software mostly unprotected, Maiffret said.

"This bug has existed in code that's over four years old," he said. "It can't be the first time that somebody finally looked at it."

Improved security can be expected on newer software, but Toulouse said a wider hole in Windows 2000 doesn't signal any effort to avoid fixing problems with the older software.

"When something is reported to us and it's a vulnerability that needs to be addressed, we address it on all platforms," he said.

Maiffret said he expects hackers to quickly take advantage of the weakness, possibly jeopardizing security at large companies where software updates can take several days or weeks to install.

"The race is definitely going to be won by the exploit writers, because they're going to be able to publish an exploit in the next couple of days," Maiffret said. "It's such a glaring bug, I don't know how anybody else didn't discover it."

A major worm, however, is less likely because such an attack prompts users to seal any remaining holes in vulnerable computers, Maiffret said.
