Hot on the heels of the MS06-040 worm, we have more bad news for Microsoft users. An email came out on Bugtraq yesterday that addresses a MS06-035 exploit which seems to be crashing machines, even after the patch is applied:
quote:| After furiously patching since last week for catching up with MS06-040, we discovered that a old exploit for MS06-035 (again or still) works on a number fully patched systems including Windows 2003 Server, Windows XP and Windows 2000. |
This story is also being followed by the ISC as it unfolds - Unpatched exploit gets publicity - in which they add:
quote:| We are looking forward to a patch from Microsoft, but have no indication of a timeline at this point. |
It appears that Microsoft made a small mention of this previously on their MSRC blog. The specific mention of this issue actually dates back to July 28th, where they say:
quote:|
* While this appears to have been found after the release of MS06-035, this does not affect the same code path or functionality or vulnerability that was addressed by the update. * Unlike some of the current speculation that we have observed, the current PoC is limited to a denial of service that would cause the target host to blue screen. At this time we have not identified any possibilities with this issue that could allow remote code execution. * We have not observed or received any reports of the PoC being used to actively attack systems. |
This last point is key! This was when they had posted it... Now a Bugtraq posting has been read by how many readers and reposted on how many blogs and forums? That email and a follow up have provided links to Proof-of-Concept code that crashes patched computers. With no definite time frame for the release of a patch, MS is giving the script kiddies extra time to “play”.