Friday, July 30, 2010

Friday Quick Links

This was the week for worrying about the Microsoft LNK 0-day exploit (I found at least one laptop with 54 instances of it), browser patches, and a nasty flaw in a banking app for the iPhone:

SophosLabs Released Free Tool to Validate Microsoft Shortcut
SophosLabs has just released a free tool that provides detection against the Windows shortcut exploit that we published last week here and here. Sophos has indicated it works with any antivirus software and it works with Windows XP/Vista/7 but not 2000. When Windows tries to display an icon with a shortcut, the tool will intercept the request in order to validate it and give back control to the user if not found to be malicious.

SophosLabs has made a video available on what the exploit is and how the tool works here, and the tool is available for download here.

Safari update fixes auto-fill flaw ahead of Black Hat talk - SC Magazine US
US-CERT Current Activity: Apple Releases Safari 5.0.1 and Safari 4.1.1
added July 28, 2010 at 01:35 pm
Apple has released Safari 5.0.1 and Safari 4.1.1 for Windows and Mac OS X to address multiple vulnerabilities in Safari and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

US-CERT encourages users and administrators to review Apple article HT4276 and apply any necessary updates to help mitigate the risks.

Apple patches Safari Auto-Fill security hole | ZDNet
By Ryan Naraine | July 28, 2010, 12:30pm PDT
LAS VEGAS — Apple has shipped a major Safari browser update to fix 15 documented security holes, including a known flaw in the browser’s AutoFill Web Forms feature that can be hacked to steal data from the computer’s address book.

The update comes ahead of a presentation at this year’s Black Hat security conference where Web application security researcher Jeremiah Grossman is scheduled to discuss the AutoFill hack.

US-CERT Current Activity: Google Releases Chrome 5.0.375.125
added July 27, 2010 at 12:01 pm
Google has released Chrome 5.0.375.125 for Linux, Mac, and Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or obtain sensitive information.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

Google patches Chrome, sidesteps Windows kernel bug
Google on Monday patched five vulnerabilities in Chrome by issuing a new "stable" build of the browser.

The update to Chrome 5.0.375.125 fixed three flaws rated "high," Google's second-most-serious threat rating, as well as one pegged "medium" and another labeled as "low" in Google's four-step scoring system. Danish vulnerability tracker Secunia judged the cumulative update as "highly critical" using its own ranking.

And earlier this week, already blogged here:
US-CERT Current Activity: Firefox Releases Firefox 3.6.8
added July 26, 2010 at 08:40 am
The Mozilla Foundation has released Firefox 3.6.8 to address a critical vulnerability. This vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Mozilla Foundation security advisory MFSA 2010-48 and update to Firefox 3.6.8 to help mitigate the risks.

Is your iPhone backup file secure? - F-Secure Weblog : News from the Lab
Tuesday's edition of the Wall Street Journal reported on a security flaw in Citi's mobile banking application for the iPhone.

Customers are advised to update.

From the WSJ:
"Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users' iPhones."

The files are not difficult to locate. ... And they can be easily viewed with free software such as SQLite Database Browser.

iTunes offers encryption [of the backed-up files - ASF], but most people probably don't use it.

If you have an iPhone or iPod, make sure your backups are encrypted even if you don't run any banking apps.
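An added example, not part of the original post or of the F-Secure article: one way to check whether the iTunes backups on a computer are flagged as encrypted. It assumes each device backup is a sub-folder containing a `Manifest.plist` with an `IsEncrypted` boolean; the function names and the sample folders are constructed for illustration.

```python
"""Report which iTunes device backups under a folder are flagged as encrypted."""
import plistlib
import tempfile
from pathlib import Path

# Assumption: every device backup is a sub-folder of the backup root and holds
# a Manifest.plist whose "IsEncrypted" boolean records whether iTunes
# encrypted it. On Mac OS X the root is typically
# ~/Library/Application Support/MobileSync/Backup.


def audit_backups(backup_root):
    """Return {folder_name: status} for each backup folder under backup_root."""
    results = {}
    for entry in sorted(Path(backup_root).iterdir()):
        if not entry.is_dir():
            continue
        manifest = entry / "Manifest.plist"
        if not manifest.is_file():
            results[entry.name] = "unknown (no Manifest.plist)"
            continue
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)  # accepts XML and binary plists
        except Exception:
            # Truncated or corrupt manifest: treat as unverified, not as safe.
            results[entry.name] = "unknown (unreadable Manifest.plist)"
            continue
        if not isinstance(data, dict) or "IsEncrypted" not in data:
            results[entry.name] = "unknown (no IsEncrypted key)"
        elif data["IsEncrypted"]:
            results[entry.name] = "encrypted"
        else:
            results[entry.name] = "NOT encrypted"
    return results


def unencrypted(results):
    """Folders that could not be confirmed as encrypted."""
    return [name for name, status in results.items() if status != "encrypted"]


def build_sample_root():
    """Create constructed sample backups in a temporary folder (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="backup-audit-"))

    enc = root / "device-a-constructed"
    enc.mkdir()
    with (enc / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": True}, fh, fmt=plistlib.FMT_BINARY)

    plain = root / "device-b-constructed"
    plain.mkdir()
    with (plain / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": False}, fh, fmt=plistlib.FMT_XML)

    corrupt = root / "device-c-constructed"
    corrupt.mkdir()
    (corrupt / "Manifest.plist").write_bytes(b"not a plist")

    (root / "device-d-constructed").mkdir()  # folder without a manifest
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    report = audit_backups(sample)
    for name, status in report.items():
        print(f"{name}: {status}")
    print("Needs attention:", ", ".join(unencrypted(report)))
```

Point `audit_backups` at the real backup folder instead of the constructed sample to audit a machine; anything it lists as other than "encrypted" should be re-created with the iTunes backup encryption option turned on.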

Wednesday, July 21, 2010

Microsoft issues FixIt for LNK vulnerability

Well, I predicted Microsoft would patch this problem, but first they want us to "FixIt" manually.  I ran this FixIt on my main workstation and the main effect is to change some of your "Quick Start" and desktop icons to generic ones:

This might look like a problem but it is really only a minor inconvenience.  When you hover your mouse over an icon, a tooltip pops up with its name.  And icons in the Start Menu still have their full names:

Security Advisory 2286198 Updated - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
We've just updated Microsoft Security Advisory 2286198 to let customers know that we now have an automated "Fix It" available to implement the workaround we first outlined in our original posting on Friday, July 16, 2010. More information is available in the KB article 2286198, but in summary running the "Fix It" can help prevent attacks attempting to exploit this vulnerability. This workaround will disable some icons from being displayed
Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution
Microsoft has released a Microsoft security advisory (2286198) about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:

To have us fix this problem for you, go to the "Fix it for me" section. If you would rather fix this problem yourself, go to the "Let me fix it myself" section.
Windows Shortcut Exploit: What You Need to Know
Microsoft released Security Advisory 2286198 late last week to address a newly-discovered zero-day flaw that can be exploited simply by clicking a shortcut icon. However, that original guidance is being questioned by security researchers, and exploit code is now available, making a bad situation even worse.

According to the Microsoft advisory, "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed." An attack can exploit the flaw and compromise the system or run malicious code without any additional user intervention--even circumventing UAC, and Windows 7 security controls.

More info on what is patched in Firefox 3.6.7

Good write-up at the Zero Day blog at ZDNet about what has been fixed in Firefox 3.6.7 and why you need to update, especially if you are running as a local administrator.

Firefox hit by drive-by download security holes | ZDNet
Mozilla has shipped a mega patch for Firefox to fix a total of 16 security flaws that expose Web surfers to drive-by download, data theft and local bar spoofing attacks.

The latest Firefox 3.6.7 update includes fixes for nine “critical” issues that could be exploited to launch remote code execution attacks. Two of the 16 bugs are rated “high risk” while five carry a “moderate” severity rating.

Tuesday, July 20, 2010

Skimmers Siphoning Credit Card Data at Gas Stations in Arizona, Colorado, Florida

If you buy gas using a DEBIT card, you're particularly at risk since when your debit-card account is compromised, the effects on you are much worse than when a credit-card account is stolen.  The scary thing about these "skimmers" is that they're INTERNAL -- inside the gas pumps -- and can't be seen from the outside.  The Krebs on Security blog has a lot more than the stuff I've excerpted here.

Skimmers Siphoning Card Data at the Pump — Krebs on Security
Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from one of a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.

Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left them with a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.
Similar attacks on gas station pumps recently have hit other parts of the country: Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting Gov. Janice Brewer this month to urge the Arizona Department of Weights and Measures to increase their inspection efforts in looking for skimmers at gas stations.

The gas pumps compromised in the Denver-area attacks, showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.

My source said the hacked pumps in Denver tended to be on the outside edges of the gas station, those hardest to see by clerks in the station. ...

Unlike most skimmers affixed to ATMs — which can often be spotted because they rely on fraud devices that are attached to the exterior of the cash machines — gas station skimmers are planted after the thieves have gained access to the interior of the pumps. As a result, there are rarely any signs that a gas pump has been compromised. However, consumers can and should keep a close eye on their monthly bank statements and report any unauthorized charges immediately.

The Truth In Lending Act limits consumer liability to fifty dollars $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, provided you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you could be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.

Governor Brewer calls for increased effort to combat a rise in credit card skimmers
PHOENIX - Governor Jan Brewer is taking new measures to combat a rise in the number of credit card "skimmers" found around the Valley.

"Skimmers" are illegal devices that can copy information from your credit or debit card. These devices can be attached to an ATM machine or gas pump and are difficult to detect. Criminals can use the information to steal your identity and create counterfeit credit and debit cards.

You can find additional information regarding safety tips on gas pump skimmers by visiting .

Firefox 3.6.7 fixes some security issues

Mozilla Firefox 3.6.7 Release Notes

What’s New in Firefox 3.6.7

Firefox 3.6.7 fixes the following issues found in previous versions of Firefox 3.6:

Please see the list of changes in this version. You may also be interested in the 3.6.6 release notes for a list of changes in the previous version.

iTunes buffer overflow vulnerability (Windows only); Apple Releases iTunes 9.2.1

Here's another patch that needs to be installed on any Windows computer running iTunes.
iTunes buffer overflow vulnerability
Apple is reporting a new version of iTunes (9.2.1), which addresses CVE-2010-1777: A buffer overflow exists in the handling of itpc: URLs, which might lead to application termination or arbitrary code execution.

More information at

This affects version 9 of iTunes, and only on the Windows platform.
US-CERT Current Activity: Apple Releases iTunes 9.2.1
added July 20, 2010 at 07:54 am

Apple has released iTunes 9.2.1 to address a vulnerability. This vulnerability is due to improper handling of itpc URLs. itpc is the protocol used by Apple iTunes for handling podcasts. By convincing a user to access a specially crafted itpc URL, an attacker may be able to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple article HT4263 and update to iTunes 9.2.1 to help mitigate the risks associated with this vulnerability.

Serious Microsoft Windows LNK Vulnerability

This one looks very serious to me, and I expect Microsoft will be forced to release an "out-of-band" patch to correct this problem. Unfortunately both the workarounds proposed by Microsoft in its Security Advisory have significant effects on the usability of Windows PCs -- disabling the use of icons for shortcuts means all your desktop shortcuts and all your "Quick Start" icons will be identical generic shapes, and disabling WebDAV affects many web-enabled programs like JungleDisk backup.  SANS has raised the Infocon level to Yellow, something it hasn't done since 2009. 

Below are links and synopses of many articles. The "Mitigating Factors" section of Microsoft's Security Advisory notes that "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." Anyone running as a local administrator, however, is extremely vulnerable to this issue until it is patched.

US-CERT Current Activity: Microsoft Windows LNK Vulnerability
US-CERT is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for LNK files. Microsoft uses LNK files, commonly referred to as "shortcuts," as references to files or applications.

By convincing a user to display a specially-crafted LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user.

Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include
  • disabling the display of icons for shortcuts
  • disabling the WebClient service
In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, US-CERT encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities:
  • Disable AutoRun as described in Microsoft Support article 967715.
  • Implement the principle of least privilege as defined in the Microsoft TechNet Library.
  • Maintain up-to-date antivirus software.
Additional information can be found in the US-CERT Vulnerability Note VU#940193.

US-CERT will provide additional information as it becomes available.
Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow
... we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far.

Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers that have access to some systems in the enterprise can use the vulnerability to infect other internal systems.

We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory that described the bug "Windows Shell Could Allow Remote Code Execution," which affects most versions of Windows operating systems. Microsoft's workarounds for the issue include:

  • Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, and is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of  Registry Client-Side Extensions, the regini.exe utility and the creation of a custom .adm file: see Distributing Registry Changes for details.
  • Disable the WebClient service. This will break WebDAV and any services that depend on it.
... Additional recommendations ... have [probably been] done this already back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these OS. As the result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will increase enterprises' ability to detect and respond to the attacks that may use the LNK vulnerability.

Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of this issue. The following mitigating factors may be helpful in your situation:
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Other articles and discussions:
This is an article about a third-party fix for this discussed in one of the SANS pages:

Wednesday, July 14, 2010

Quick links for Bastille Day, 2010

Two quickies about phone security issues and one surprising report about which company had the most vulnerabilities.

Slashdot News Story | Hack AT&T Voicemail With Android
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

BlackBerry offers users free security app
BlackBerry maker RIM has shown a new free application that owners can use to track their much-loved smartphones in the event they are lost, stolen, or simply misplaced around the house.

In beta until later this year, the simplest and perhaps most useful feature of BlackBerry Protect is the way it can be used to trace a mislaid BlackBerry. Users log in to Protect web portal and activate the 'loud ring' feature, which causes the BlackBerry to advertise its location for one minute, hopefully from a nearby location.

The feature works as long as the phone is switched on and will override the silent mode setting. Failing that, the ringer will default to maximum volume to allow users to phone the handset instead.

In the event that the phone is lost in a public place, the Protect app portal can be used to remotely set up a password and lock setting on the device as a way of protecting data from prying eyes. A 'lost and found' screen can also be set.

In order to locate the lost smartphone, the GPS function allows the portal to track the BlackBerry's exact map location. If the device has been stolen, a remote wipe feature can be used to delete all stored data from the device, including from any installed Micro-SD card.

A wireless backup function, which should have been set first, allows lost data to be restored to a new BlackBerry.

Members of the Beta Zone can get hold of the pre-release version of the app from this week via invite codes but all other BlackBerry users will have to wait until later this year to use Protect, the company said.

Report: Apple had the most vulnerabilities throughout 2005-2010 | ZDNet

Which vendor has the most reported security vulnerabilities?

According to Secunia’s recently released report, between 2005 and 2010 that’s Apple Inc. followed by Oracle and Microsoft. Moreover, based on the company’s data, ten vendors are responsible for 38% of the total number of vulnerabilities, and seven of the vendors on the top 10 list back in 2005, still occupy the top positions in 2010.

However, interpreting this data through the prism of the current threat landscape, results in some pretty interesting findings. For instance, although Apple visibly tops the graph, excluding social engineering driven malware attacks targeting Mac OS X users, there are no known widespread campaigns utilizing any of these vulnerabilities — targeted attacks and cyber espionage attacks excluded.

Moreover, although Adobe is on the 5th position, in 2009 malicious PDFs represented 80 percent of all exploits, followed by active exploitation of Flash taking into consideration the fact that millions of users continue browsing the Web using outdated versions of Adobe’s products.

Microsoft Patch Tuesday: one CRITICAL patch, and the end of support for Windows 2000 and XP SP2

Microsoft's Patch Tuesday for July, 2010, was a small but very important one.  SANS rates patch MS10-042 as "PATCH NOW", their highest rating. It affects Windows XP and Windows 2003 Server only, not Vista or Windows 7.  This patch fixes a vulnerability which is being actively exploited right now, so if you are still running XP, get patching!  Here are links to and some wording from articles about this month's patch set.

July 2010 Microsoft Black Tuesday Summary
Overview of the July 2010 Microsoft Patches and their status.

Important: with today's patches, support for XP SP2 officially comes to an end. There will be no more patches for XP SP2 after today.

US-CERT Current Activity: Microsoft Releases July Security Bulletin
Microsoft Releases July Security Bulletin
added July 13, 2010 at 01:25 pm

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for July 2010. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Here's the official Microsoft TechNet Blog entry about this, with links:

July 2010 Security Bulletin Release - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Hi everyone. As part of our usual monthly update cycle, today Microsoft is releasing four security bulletins to address five vulnerabilities in Windows and Microsoft Office.

Microsoft patches critical bugs in Windows, Office
Microsoft today patched five vulnerabilities in Windows and Office, including a bug hackers have been exploiting for almost a month.

As expected, today's patch slate was short: Just four security updates that included fixes for five separate flaws. Of the four updates, three were rated "critical," the highest threat ranking in Microsoft's four-step scoring system. All five of the specific vulnerabilities patched today were also rated critical.

Two of the bulletins affected Windows, while the remaining pair impacted Office. Four of the five vulnerabilities in the bulletin quartet were pegged by Microsoft with an exploitability index score of "1," meaning that the company expects attacks to materialize in the next 30 days.

But there were few surprises. Last week Microsoft revealed that the two Windows updates would address already-acknowledged bugs in Windows XP and Windows 7.

Microsoft Security Updates, and a Farewell to Windows XP Service Pack 2 — Krebs on Security
Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications. Today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.

Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines.

... Anyone still using Windows 2000 should take note of this important change: After today, Microsoft will no longer be shipping security updates or any other updates for Windows 2000 machines.

One interesting thing about MS10-042 is that the vulnerability that it fixes was disclosed to Microsoft only 33 days before it was fixed. There has been a LOT of chatter about whether or not this vulnerability should have been made public the way it was, but there is no question that having it public certainly made Microsoft patch it very quickly.

MS Patch Tuesday: Googler zero-day fixed in 33 days | ZDNet
Last month, when Google researcher Tavis Ormandy released details on a critical Help and Support Center vulnerability that exposed Windows XP and Windows Server 2003 users to malicious hacker attacks, Microsoft was publicly unhappy with the decision.

Ormandy claims he spent five days negotiating with Microsoft for a 60-day patch window and decided to go public only when the company could not provide him with confirmation that it would issue a prompt fix.

Now, just 33 days later, Microsoft has shipped MS10-042 as a “critical” bulletin to cover the hole which has already led to in-the-wild malware attacks.


The fact that Microsoft pushed out a fix in just 33 days — much shorter than the average time it takes to issue a fix for a Windows vulnerability — is a boost to full-disclosure advocates who argue that Ormandy’s actions actually helped to secure the ecosystem.

Monday, July 12, 2010

Quick Notes after a driving vacation

Since the last time I posted I have driven 7,000 miles, from Tucson, Arizona, to Mt. Desert Island and Acadia National Park in Maine, and back. Most of the driving west of the Mississippi and about half the driving east of it was on non-Interstate highways to avoid traffic. I need a vacation to recover from my vacation.

Of course, the Bad Guys don't take vacations, or if they do, they don't all take them at the same time. Updates galore happened while I was away:

Google Releases Chrome 5.0.375.99
added July 7, 2010 at 08:46 am

Google has released Chrome 5.0.375.99 for Linux, Mac, and Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

Mozilla Firefox 3.6.6 (updated Tue 13 Jul 2010 06:50)
What’s New in Firefox 3.6.6
Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated.

Please see the complete list of changes in this version. You may also be interested in the Firefox 3.6.4 release notes for a list of changes in the previous version.

Adobe Releases Update for Adobe Reader and Adobe Acrobat
added June 29, 2010 at 02:03 pm

Adobe has released an update for Reader and Acrobat to address multiple vulnerabilities. These vulnerabilities affect the following versions:

* Adobe Reader 9.3.2 and earlier versions for Windows, Macintosh, and UNIX
* Adobe Acrobat 9.3.2 and earlier versions for Windows and Macintosh

Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
ASF Note: version 8.2.3 was also released. Administrators can get .MSP installer files from and Official Adobe Security Bulletin page here: Adobe - Security Bulletins: APSB10-15 - Security updates available for Adobe Reader and Acrobat. Home users should use "Check for Updates" on the "Help" menu.

Sunbelt Blog: Patch Tuesday coming [next] week
Microsoft has issued advance notification for the July patch on Tuesday. Four bulletins are expected.

Security bulletins will be issued for Microsoft Windows (two critical bulletins fixing vulnerabilities that could allow remote execution of code) and two for Microsoft Office (one critical and one important – both fix vulnerabilities that could allow remote code execution.)

The patches will include a fix for the vulnerability in Windows Help and Support Center (XP and Server 2003 only) that can allow execution of code from malicious Web pages or malicious links in e-mail (CVE-2010-1885). There were reports of the vulnerability being exploited after Google researcher Tavis Ormandy made public proof of concept code earlier this month.

This month also marks the end date for support for Windows XP SP2 and Windows 2000.
Note: If you are still running any Windows 2000 systems, PATCH THEM THIS TUESDAY as Microsoft will no longer provide Windows Updates for Windows 2000 after Tuesday.
Last Patch Tuesday for Windows 2000 and Windows XP SP2
... As of July 13, 2010, there will be no new security updates, non-security hotfixes, or option to engage Microsoft product development resources, just like Windows XP SP2.

In addition, though, Windows 2000 will no longer have access to free or paid support options, and there will be no further updates to online support content. The solution for Windows 2000 is not as easy either.