Recent Microsoft Security Bulletins: Exploits Already on the Loose

Only 48 hours passed before a set of three exploits was released that take advantage of critical problems announced by Microsoft earlier this week. On August 8 the company released six bulletins that explained numerous problems in Internet Explorer, as well as Windows' Plug and Play, among several other problems, many of which are considered to be critical.

At least two exploits are now circulating on the Internet that take advantage of the unchecked buffer vulnerabilities in Plug and Play. Both spawn a remote command shell on vulnerable systems. One exploit spawns a shell on port 8721 by default and the other allows the intruder to specify the port on which to spawn a command shell.

Another exploit takes advantage of vulnerabilities in Internet Explorer related to the loading of COM objects. In particular, the exploit uses a combination of JavaScript and shellcode to spawn a remote command shell on an affected system. Based on the example code, the exploit tries to load an object found in the devenum.dll file. Microsoft's Cumulative Update for Internet Explorer sets the kill bit for a long list of Class Identifiers (CLSIDs), including CLSIDs found in the devenum.dll file, to help prevent exploits.
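To confirm that the update's kill bits actually landed on a machine, an administrator can export the ActiveX Compatibility registry key and audit it. The following is an added example, not code from the article or from Microsoft; it assumes the kill bit is the 0x00000400 bit of the "Compatibility Flags" value under that key, and the CLSIDs and sample export are constructed placeholders because the article does not list the affected CLSIDs.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating the control
KEY_RE = re.compile(
    r"^\[.*\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample in `reg export` text form; the CLSIDs are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000b}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00000420
"""

def parse_flags(reg_text):
    """Map each CLSID (upper-cased) under ActiveX Compatibility to its flags value."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            if current:
                flags.setdefault(current, 0)  # key present, flags value not yet seen
        elif current:
            m = FLAGS_RE.match(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags

def audit_kill_bits(reg_text, expected_clsids):
    """Return {clsid: 'killed' | 'not killed' | 'missing'} for each expected CLSID."""
    flags = parse_flags(reg_text)
    report = {}
    for clsid in expected_clsids:
        key = clsid.upper()
        if key not in flags:
            report[key] = "missing"
        else:
            report[key] = "killed" if flags[key] & KILL_BIT else "not killed"
    return report

if __name__ == "__main__":
    wanted = ["{00000000-0000-0000-0000-00000000000%s}" % c for c in "ABCD"]
    for clsid, status in audit_kill_bits(SAMPLE_EXPORT, wanted).items():
        print(clsid, status)
```

A real `reg export` file is UTF-16 encoded, so decode it before passing the text in, and supply the CLSID list from the bulletin itself.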

According to Microsoft's severity ratings, the Plug and Play problems are critical on Windows 2000 systems and moderate on Windows XP and Windows Server 2003. The COM object problems in Internet Explorer are critical in all versions of Internet Explorer 5.x and 6.x, except for those versions running on Windows Server 2003, which are rated as moderate.

Nevertheless, even a moderate risk rating warrants prompt action to reduce the risk of intrusion. Administrators would do well to install the patches as soon as possible.


