Symantec Security Response to Microsoft Security Advisory
Last week, the Zotob and Esbot threats exploited a Microsoft Windows Plug and Play (PnP) Service vulnerability to create a backdoor on the computer system and allow remote attackers to have unauthorised access to the compromised computer.
During detailed analysis of the worms and the vulnerability, Symantec Security Response experts discovered that slight modifications to the exploit could impact some Windows XP and Windows XP SP1 systems with the possible result of unauthorized remote code execution. Windows XP SP2, however, is not susceptible to this exploitation method.
More Details on Windows PnP Service Vulnerability
The impacted configurations of Windows XP and Windows XP SP1 are not default configurations.
Attack scenarios are possible when the “guest” account is both enabled and removed from the “Deny access to this computer from the network” entry in the “User Rights Assignment” Security Policy. This can happen when Simple File and Print Sharing has been enabled, for example by sharing a folder or a printer with the local network.
It is important to note that Simple File and Print Sharing is only available on Windows XP machines that are not part of a Windows Active Directory Domain. However, configuring a Windows XP SP1 host to share network resources prior to joining an Active Directory Domain will leave it in the vulnerable state even after the Domain is joined.
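An added example, not from Symantec or Microsoft: a check for the two conditions described above, run against a security policy exported with `secedit /export /cfg policy.inf`. The sample templates are constructed, and the function names are hypothetical; the check matches the built-in Guest account by name or by its RID 501 in case it was renamed.

```python
import re

# Constructed samples of an exported security template; not from a real host.
# (Real exports are typically UTF-16 encoded; decode before parsing.)
SAMPLE_SHARED = """\
[System Access]
EnableGuestAccount = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = SUPPORT_388945a0
"""

SAMPLE_DEFAULT = """\
[System Access]
EnableGuestAccount = 0
[Privilege Rights]
SeDenyNetworkLogonRight = SUPPORT_388945a0,Guest
"""

# The built-in Guest account keeps RID 501 even if it has been renamed.
GUEST_SID = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-501$")

def parse_template(text):
    """Return {section: {key: value}} for an INF-style security template."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def guest_network_exposure(text, guest_name="Guest"):
    """Evaluate the two conditions: guest enabled, and guest not denied network access."""
    cfg = parse_template(text)
    enabled = cfg.get("System Access", {}).get("EnableGuestAccount") == "1"
    denied_raw = cfg.get("Privilege Rights", {}).get("SeDenyNetworkLogonRight", "")
    denied = [e.strip() for e in denied_raw.split(",") if e.strip()]
    guest_denied = any(
        e.lower() == guest_name.lower() or GUEST_SID.match(e) for e in denied
    )
    return {"guest_enabled": enabled, "guest_denied_network": guest_denied,
            "matches_described_config": enabled and not guest_denied}
```

A host that reports `matches_described_config` as true is in the non-default state the text describes and is a priority for the MS05-039 update.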
After discovery and validation in the lab environment, Symantec worked with Microsoft to confirm the results. Today, Microsoft issued new information regarding the patch for the vulnerability first described in Microsoft Security Bulletin MS05-039 (http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx), issued on August 9, 2005.
Additional information can be found at: http://www.microsoft.com/technet/security/advisory/906574.mspx
“Following responsible disclosure practices, Symantec notified Microsoft, validated the findings and quickly informed the public to protect against possible future threats,” said Oliver Friedrichs, senior manager, Symantec Security Response. “Symantec continues to urge users to update their systems when new patches are available to protect against possible exploits.”
Recommendations
As part of a defence in depth security solution, Symantec encourages the use of client security solutions which offer additional protection against possible exploitations of this vulnerability.
Enterprises should deploy a client security solution that includes intrusion prevention such as Symantec Client Security.
Consumers should install an Internet security solution such as Norton Internet Security 2005 AntiSpyware Edition to protect against today's known and tomorrow's unknown threats.
Both solutions have a signature that detects this vulnerability and blocks exploitation.
Symantec’s security experts will closely monitor its global intelligence network to scout for any unusual activities.
ENDS