CERT warns about new Microsoft vulnerability

The CERT Coordination Center at Carnegie Mellon University issued an advisory Tuesday that calls attention to a recently disclosed security hole in Microsoft Corp.'s Windows 2000 and Windows XP operating systems.

The buffer overrun vulnerability in the Workstation Service, a Windows component, is well-suited to exploitation by an Internet worm and would allow malicious hackers to remotely attack and compromise vulnerable systems, CERT said.

Microsoft released a "critical" security bulletin, MS03-049, and a software patch for the Workstation Service vulnerability Tuesday and encouraged all customers to download and install the patch immediately.

The service is turned "on" by default in Windows 2000 and Windows XP systems and allows computers on a network to connect to file servers and network printers, Microsoft said.

The CERT Advisory, CA-2003-28, echoes Microsoft's recommendation that users apply the patch immediately and encourages organizations to block ports 138, 139, and 445, which provide outsiders access to a network using TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

Security companies issued warnings to their customers about the new vulnerability, as well.

Internet Security Systems Inc. released a security brief on Tuesday that called the Workstation Service vulnerable "relatively easy to exploit," and warned that "exploits written to take advantage of standard (buffer overruns) are generally very robust, and good candidates for use in the creation of Internet worms."

The CERT Advisory about the Workstation Service is similar to an advisory the Pittsburgh-based organization issued in October after Microsoft revealed that there was a security hole in the widely deployed Windows Messenger Service, which allowed users on a network to display text messages on pop-up windows on a Windows user's desktop.

Like Workstation Service, Windows Messenger Service is enabled by default on many versions of Windows and contains a buffer overrun vulnerability that make it an attractive target for malicious hackers and virus writers.

After releasing a patch for the Windows Messenger Service vulnerability, Microsoft said it would disable the feature by default in Service Pack 2 for Windows XP in an effort to protect computers from attacks.

Turning off Workstation Service will not be easy. The Service must be enabled in order for computers on a network to connect to shared file servers or printers. Disabling disrupts a user's ability to log on to and browse computer networks, Microsoft said.

Microsoft and CERT said that disabling Workstation Service is only feasible as an alternative to applying the software patch for stand-alone computers that are not on a network, such as those used by home users.