Peter Ferrie, Frédéric Perriot
Virus Bulletin, Aug 2004, pp. 5-8
ISSN 0956-9979
August 2004
The LSASS vulnerability of Microsoft security bulletin MS04-011 affects Windows 2000 and XP, the two most widespread Microsoft operating systems today. It is a stack overflow, hence easily and reliably exploitable - and eEye was kind enough to provide the world with thorough documentation of the possible exploitation vectors.
Following in the path of previous high-profile vulnerabilities, the LSASS bug was quickly targeted by proof-of-concept exploits, themselves reused in worms including W32/Sasser.A. Despite the publicity that surrounded Sasser due to its immediate success following its appearance (30 April 2004), this was not the first worm to make use of the vulnerability: some LSASS-exploiting Gaobot variants had surfaced about a week earlier. However, it was the automated infection of new systems that was the decisive factor in making Sasser more widespread.