Experts Warn of New Worm Threat

By Brian Krebs

Microsoft Corp. is warning consumers that it discovered new security holes in its Windows operating system that could be exploited by an Internet worm similar to the "Blaster" worm that infected more than a half-million computers last month.

Security experts cautioned that a new worm could emerge within several hours or days, and could be far more damaging than Blaster.

"We got really lucky that Blaster didn't try to delete files or render computers otherwise unusable," said Vimal Solanki, senior product marketing manager for Santa Clara, Calif., anti-virus software designer Network Associates. "It's really up to your imagination what hackers could do with this flaw."

Microsoft urged consumers to immediately download and install free software from its Web site to patch the vulnerabilities. The Department of Homeland Security also issued an advisory about the security holes.

The problems reside in services deeply woven into the fabric of the Windows operating system that allow users to communicate across Microsoft networks. Microsoft labeled both flaws "critical," meaning they could be easily exploited by an Internet worm, a program that spreads rapidly across the Internet without any action on the part of the user.

"We're urging all Microsoft users to patch their systems as soon as possible, because -- whether or not we do see a worm that takes advantage of this -- hackers could still use the vulnerability to execute whatever programs they wanted to on a user's machine," said Stephen Toulouse, a program manager at Microsoft's security response center.

Alfred Huger, senior director of engineering at Symantec Security Response, said his company has observed several exploits already in circulation within online hacker channels. Huger said Cupertino, Calif.-based Symantec's own security researchers figured out how to alter the Blaster exploit for use against the most recent security hole.

"It certainly would not be a great leap forward to modify Blaster to fit this current problem," Huger said. "With this new security hole, we're looking at the exact same situation [as with Blaster], except that far fewer people are currently patched against it."

"This is pretty much identical to the issue that spawned the Blaster worm," said Art Manion, an Internet security analyst with the CERT Coordination Center, a government-funded security watchdog group at Carnegie Mellon University in Pittsburgh.

Microsoft on July 16 advised users to patch their computers to prevent worms like Blaster. One week later, computer code to exploit the security hole was posted online. Less than two weeks after that, the first of several Blaster worms hit the Internet.

Dan Ingevaldson, engineering manager for Atlanta-based Internet Security Systems's X-Force research development group, said the window of opportunity for users to patch their systems would likely be far shorter this time because hackers already know how the vulnerable service interacts with the Windows operating system.

"It's not going to take a real genius to cobble together a new attack," Ingevaldson said.

Many large Internet service providers have installed filters to block Blaster-like Web traffic, which could lessen the damage caused by a new worm, said Manion of CERT.

© 2003 The Washington Post Company