Microsoft Security Advisory (899588)
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
Published: | Updated:
Zotob is a worm that targets Windows 2000–based computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm and its variants install malicious software, and then search for other computers to infect.
If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants. If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants. As part of our Software Security Incident Response Process, our investigation has determined that only a small number of customers have been affected, and Microsoft security professionals are working directly with them. We have seen no indication of widespread impact to the Internet. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside of the United States should contact the national law enforcement agency in their country.
For more information about these worms, to help determine if you have been infected by these worms, and for instructions on how to repair your system if you have been infected by these worms, see the Zotob Security Incident Web site or the Microsoft Virus Encyclopedia. For Microsoft Virus Encyclopedia references see the “Overview” section. You can also use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive.
Other versions of Windows, including Windows XP Service Pack 2 and Windows Server 2003 are not impacted by Worm:Win32/Zotob.A, its variations, and similar worms attempting to exploit the Windows Plug and Play vulnerability, unless they have already been compromised by other malicious software. Customers can protect against attacks attempting to utilize this vulnerability by installing the security updates provided by the Microsoft Security Bulletin MS05-039 immediately. The MS05-039 security bulletin is available at the following Web site.
Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users. We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities.
- Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users. However, because of a large application compatibility risk, we do not recommend customers enable this setting in production environments without first extensively testing the setting in their environment. For more information, search for RestrictAnonymous at the Microsoft Help and Support Web site.
- While not the current target of these attacks, it’s important to note that on Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. This is because of enhanced security built directly into the affected component. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 2 and Windows Server 2003 are not vulnerable remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.
- While not the current target of these attacks, it’s important to note that on Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts on Windows XP Service Pack 1. The existing attacks are not designed to provide the authentication required to exploit this issue on these operating systems. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 1 systems are not vulnerable remotely by anonymous users.
- This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.
- You can provide feedback by completing the form by visiting the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- August 11, 2005: Advisory published
- August 14, 2005: Advisory has been updated to advise customers that Microsoft is actively analyzing and providing guidance on a malicious worm identified as the “Worm:Win32/Zotob.A”.
- August 15, 2005: Advisory has been updated to document additional variants of Worm:Win32/Zotob.A. We have also updated the advisory to document information about the impact of the RestrictAnonymous registry key.
- August 16, 2005: Advisory has been updated to document additional information about variations of Worm:Win32/Zotob.A and additional information about the ongoing investigation.
- August 17, 2005: Advisory has been updated to document additional information about variations of Worm:Win32/Zotob.A. We are also announcing the availability of a revised version of the Microsoft Windows Malicious Software Removal Tool that helps to address these attacks.