With a new version of the W32.Blaster worm on the loose and set to spawn a massive DoS (denial of service) attack on a Microsoft
Corp. Web site Saturday, the software maker released a set of security guidelines for users Friday in an effort to minimize
the damage.
Ironically, the call for preventative measures came while the software maker was investigating another DoS attack on its site
that occurred late Thursday. A spokeswoman for Microsoft said Friday that the current attack was not due to Blaster, however,
and that they were still investigating the cause.
Meanwhile, the possibility of an attack from Blaster still looms.
The current variation of the W32.Blaster worm could affect computers running the Windows 2000, Windows XP, Windows NT and
Windows Server 2003 software, Microsoft said.
The worm takes advantage of a known vulnerability in a Windows component called DCOM (Distributed Component Object Model).
The worm causes PCs to repeatedly crash and could potentially use infected machines to launch the DoS attack on the Windowsupdate.com
site.
The Redmond, Washington, software maker advised users of the vulnerable software to update their computers with the latest
patches and turn on "Autoupdate" to simplify the process for installing future updates. Users are instructed to install and
use anti-virus software and to use a firewall.
"Many resources have been deployed to help ensure that customers have the guidelines and tools they need to enhance their
computer security," Microsoft's Senior Director of Trustworthy Computing Jeff Jones said in a statement released Friday.
Also on Thursday, Microsoft released a new tool that customers can use to scan computer networks for machines that are vulnerable
to attack by the Blaster worm.
The tool works on a variety of Windows operating systems and enables Windows customers to confirm that a necessary software
patch has been applied, according to Jeff Sharpe, a Microsoft spokesman.
That patch, MS03-026, was released in July and prevents infection from Blaster. The company provided a link to the free tool
on a special Web page set up to respond to the Blaster worm outbreak, which has affected hundreds of thousands of Windows
machines worldwide. The tool can be found at http://www.microsoft.com/security/incident/blast.asp
However, David Litchfield, a security expert and cofounder of Next Generation Security Software Ltd. in Surrey, U.K., said
he was surprised Microsoft did not advise users to simply disable DCOM.
"DCOM is not needed by 99.9 percent of home users," Litchfield said, "but it is enabled by default." According to Litchfield,
DCOM allows users to access a program from another computer.
The new Blaster worm first appeared on the Internet Monday and quickly started to spread. According to antivirus firm Network
Associates Inc., the worm had infected between 250,000 and 1 million computers as of Thursday.
Now Microsoft fears that the infected computers will launch a DoS attack against its Windows update site, causing the site
to run slowly or be inaccessible to customers.
While confirming that a DoS attack brought down the company's main Web page, www.microsoft.com, late Thursday, spokesman Sean
Sundwall said windowsupdate.microsoft.com was unaffected by the attack and was not offline at any time.
The software maker said Friday that it is taking aggressive steps to keep the site up, but if it becomes inaccessible users
will be able to access and download the Blaster patches at http://www.microsoft.com/security. More detailed instructions on
how to take the preventative measures are also available at that address.