Detailed exploit code has already become available for a critical flaw in a Microsoft Workstation Service function that was patched only two days ago as part of Microsoft's security updates for November.
The remotely exploitable buffer-overrun flaw was addressed in Microsoft Security Bulletin MS06-070 and allows attackers to take complete control of compromised systems: they could create new user accounts, install programs, and view, modify or delete data. Security analysts consider it the most serious of the seven 'critical' flaws disclosed by Microsoft this month.
"Microsoft is aware that detailed exploit code was published on the internet claiming to exploit the vulnerability in the Workstation Service addressed by MS06-070," the company said. Security engineers at the Microsoft Security Response Center are currently investigating the accuracy of this claim, and the company will issue a security advisory as soon as possible, Microsoft added.
The company also stressed that the vulnerability is critical only on Windows 2000 systems.
Amol Sarwate, manager of the vulnerability management lab at security vendor Qualys, said his company has so far seen at least two examples of exploit code targeted at the Workstation Service vulnerability. Qualys is in the process of testing one of the exploits to see how effective it really is, he said.
"What this highlights is just how quickly exploits are becoming available [for new vulnerabilities]," said Sarwate. "So far, there has not been any evidence of a virus or a mass worm taking advantage of the exploit, but it is only a matter of time."
It now takes only a few hours to reverse-engineer patches and create new exploits, Sarwate added.
One of the exploits that has become available for the Workstation Service flaw was developed by Immunity. The Miami Beach-based penetration-testing company was able to develop proof-of-concept code against the flaw one hour after Microsoft released a patch for it on Tuesday, and a fully working exploit in about three hours, said Kostya Kortchinsky, a senior researcher at Immunity. The code has been tested and found to be working "perfectly well" against several versions of Windows 2000, including Service Pack 3 and SP4, he said.
The only mitigating factor is that an attacker would need to have a domain controller set up and accessible somewhere around the machine that is being attacked for the exploit to work, he said.
Immunity has also developed working exploit code attacking vulnerabilities in Client Service for NetWare that were also disclosed by Microsoft this week. The flaw and the patch for it were described in Microsoft Security Bulletin MS06-066.