Worms exploit Microsoft MS06-040 flaws
A new threat has emerged that exploits the vulnerability revealed during Microsoft’s mega patch Tuesday last week.
Security firm Sophos warns in a security alert that two worms – W32/Cuebot-L and W32/Cuebot-M – spread via AOL Instant Messenger, exploiting the vulnerability described in Microsoft’s MS06-040 security bulletin. Sophos rates the threats as ‘critical’.
According to Sophos, when either the Cuebot-L or the Cuebot-M worm infects a PC, it turns off the Windows firewall and opens a backdoor, allowing remote hackers to gain access to and control over the computer. The affected computer will also try to find other computers to infect.
Unusually, the US Department of Homeland Security added its voice to those urging users to patch their software. In a statement, the Department said, ‘Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users.’
The new alert highlights the ‘arms race’ that goes on between Microsoft, IT managers and the cyber criminals. On the one hand, Microsoft will announce the patch and attempt to update as many computers as possible in the following days; on the other, hackers will try to exploit the vulnerability and infect as many machines as they can before the hole is filled.
Although Microsoft rarely gives full details of the vulnerability – and never in advance of the patches being issued – enough is normally revealed to at least point potential hackers in the direction of where a flaw might lie.
‘Microsoft only issued a patch against the security hole used by these worms in the last few days, and yet already malware is being written that exploits this vulnerability to attack computer systems. This is a real headache for Microsoft as they try and reassure people that their operating system is becoming more secure,’ said Graham Cluley, senior technology consultant for Sophos.
Microsoft, for its part, has added detection to its OneCare Live security software and emphasises that ‘initial indicators are not showing an Internet-wide impact or some type of efficient automated attack’. It also emphasises that those who have installed the patch are not at risk.