Microsoft Corp warned yesterday that there are three more remotely exploitable vulnerabilities in recent versions of Windows, two of them very similar to, and as dangerous as, the one that permitted Blaster to spread.

According to one security group, an exploit for the third hole, which permits a denial-of-service attack against vulnerable machines, has been available since code was posted to the web by Chinese hackers on July 25.

Microsoft sent out a series of alerts to users of Windows NT 4.0, 2000, XP and Server 2003, warning that two buffer overrun vulnerabilities in the operating system could allow attackers to run arbitrary code on affected machines.

Bad luck to users of older Windows versions – Microsoft no longer supports those operating systems and has not determined whether the vulnerabilities affect them (this time, as an exception, the company did issue a patch for unsupported NT 4.0).

The two vulnerabilities are in the components of Windows that deal with remote procedure calls (RPC) to distributed component object model (DCOM) services. A worm could be designed to exploit these holes automatically.

"This is RPC and Blaster all over again, with new patches required and a strong potential for new variants of the original Blaster worm emerging," said Marc Maiffret, co-founder of eEye Digital Security Inc, which is credited with discovering the problems.

Exploit code for these critical holes has yet to be found online, but it is only a matter of time before it is. It took less than a month for Blaster (aka MSBlast, LovSan) to emerge after the first RPC hole was disclosed in July.

Internet Security Systems Inc said in its alert that an exploit for the third bug disclosed yesterday – a less-serious RPC vulnerability that allows denial of service attacks – has been available for download since July 25.

The new critical security holes, coming so close to the last batch, will not do Microsoft's tarnished image any favors, particularly given the level of attention the constant security problems with Windows have been receiving in the mainstream media and government (see separate story).

In addition to the lurking threat of Blaster’s son, there’s also a possibility that the internet could soon be hit by a seventh version of SoBig, an email worm that travels as an executable attachment and infects Windows users.

The sixth version, SoBig.F, stopped trying to infect new machines yesterday, bringing temporary relief to network administrators who have had to deal with SoBig.F in addition to the usual volume of spam email.

In a post to a public mailing list yesterday, a Cambridge University mail administrator said that in the last three weeks SoBig.F was sent to the university 3.5 million times, accounting for 56% of all messages received (a third of a terabyte of mail in total) and consuming on average 2Mbps of bandwidth.

And virus experts warn that the next version could be released soon. In late August, Central Command Inc, an anti-virus software firm, said that precedent suggests SoBig.G could emerge shortly after September 10th.

VP of products and services Steven Sundermeier said: "The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself." The first version was released in January.

Despite the arrests of a Minnesota teenager and a Romanian graduate student in connection with two Blaster variants, law enforcement in the US and elsewhere has yet to release any information about its progress in tracing the original authors of Blaster.

Likewise, a suspect in the SoBig case has yet to be arrested, although the FBI is known to have obtained IP addresses from a small Usenet service provider that is believed to have been used by the SoBig.F author to infect the first victims.

Source: ComputerWire