Symantec Security Response to Microsoft Security Advisory
Last week, the Zobot and Esbot threats exploited a Microsoft Windows Plug and Play (PnP) Service vulnerability to create
a backdoor on the computer system and allow remote attackers to have unauthorised access to the compromised computer.
During detailed analysis of the worms and the vulnerability, Symantec Security Response experts discovered that slight
modifications to the exploit could impact some Windows XP and Windows XP SP1 systems with the possible result of
unauthorized remote code execution. Windows XP SP2, however, is not susceptible to this exploitation method.
More Details on Windows PnP Service Vulnerability
The impacted configurations of Windows XP and Windows XP SP1 are not default configurations.
Attack scenarios are possible when the “guest” account is both enabled and removed from the “Deny access to this
computer from the network” entry in the “User Rights Assignment” Security Policy. This can happen when Simple File and
Print Sharing has been enabled, for example by sharing a folder or a printer with the local network.
It is important to note that Simple File and Print Sharing is only available on Windows XP machines that are not part of
a Windows Active Directory Domain. However, configuring a Windows XP SP1 host to share network resources prior to
joining an Active Directory Domain will leave it in the vulnerable state even after the Domain is joined.
After discovery and validation in the lab environment, Symantec worked with Microsoft to confirm the results. Today,
Microsoft issued new information regarding the patch for the vulnerability first described in Microsoft Security
Bulletin MS05-039, http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx issued on August 9, 2005.
Additional information can be found at: http://www.microsoft.com/technet/security/advisory/906574.mspx
“Following responsible disclosure practices, Symantec notified Microsoft, validated the findings and quickly informed
the public to protect against possible future threats,” said Oliver Friedrichs, senior manager, Symantec Security
Response. “Symantec continues to urge users to update their systems when new patches are available to protect against
possible exploits.”
Recommendations
As part of a defence in depth security solution, Symantec encourages the use of client security solutions which offer
additional protection against possible exploitations of this vulnerability.
Enterprises should deploy a client security solution that includes intrusion prevention such as Symantec Client
Security.
Consumers should install an Internet security solution such as Norton Internet Security 2005 AntiSpyware Edition to
protect against today's known and tomorrow's unknown threats.
Both solutions have a signature that detects this vulnerability and blocks exploitation.
Symantec’s security experts will closely monitor its global intelligence network to scout for any unusual activities.
ENDS