Microsoft IIS SSL (MS04-011) Worm in the Wild? Or Maybe Not.


Symantec late Tuesday afternoon captured a sample of malicious code that spreads by exploiting one of the many vulnerabilities in Windows disclosed this month by Microsoft.

The vulnerability stems from a flaw in Windows Protected Communications Technology (PCT) v. 1.0, a packet protocol within Microsoft’s SSL library. Symantec’s DeepSight Threat network — a global group of sensors that tracks up-and-coming exploits — snagged a copy of the code Tuesday afternoon, said Alfred Huger, the senior director of engineering with Symantec’s security response team.

“The sample is automated code, but whether it’s a bot or actually a worm, we don’t yet know,” said Huger. “Either way,” said Huger, “we’re urging everyone to expedite their patching of this vulnerability. If this isn’t a worm, I think we’ll see one in short order.”

Perhaps this worm, possibly based on THCIISLAME, was the cause of Microsoft calling its customers on Friday of last week. This does not shorten the patch testing process, but it may be cause for overtime on the part of developers (not just server teams everywhere) to test the patches. There is anecdotal evidence that the latest patches may cause a user policy issue as well, so be sure to test:
User Policies Are Not Applied When You Log On to a Computer That Is Running Windows 2000 SP4

Update: Windows Flaw Draws Attacks and False Alarm

Antivirus company Symantec has backtracked after claiming it captured an example of a new Internet worm that takes advantage of a recently-disclosed hole in Windows machines running Secure Sockets Layer (SSL). On Tuesday, the company trapped an example of the malicious code called backdoor.mipsiv, and warned customers that it was either a new worm or a small automated program called a “bot” that exploits a new Windows Private Communications Transport Protocol (PCT) vulnerability, part of the Windows implementation of SSL. However, on Wednesday, Symantec said further analysis of the code shows it is neither a worm nor a bot, and doesn’t use the PCT vulnerability.

It is always best to take these calls for “patch or be damned” with a grain of salt. Until the SANS Internet Storm Center sends out an imminent danger warning, we have our patch schedule (including testing) on track to be completed soon.
