New Security Gap Found In Windows Messenger Service: Page 2 of 3

"If I can exploit one single box on your network, I can exploit all of them," Huger added.

The exploit, which Symantec's security team has confirmed by modifying an existing proof-of-concept exploit, takes advantage of UDP (User Datagram Protocol), a protocol within the TCP/IP suite. UDP, often used for real-time audio and video traffic, doesn't require TCP's three-way handshake, and can broadcast data to all systems on a network's subnet at the same time.

"An application doesn't care about UDP," said Huger. "It takes the packet, period, with no authentication."

A worm just 2.7K in size would be enough to simultaneously infect up to 254 machines. Although that's larger than the minute 376 bytes used by SQLSlammer, "the difference is really trivial," Huger said.

Not only might such a worm spread faster than Slammer, its damage could significantly outweigh Slammer's damage, for it would have a much greater number of potential targets. The Windows Messenger Service vulnerability exists not just in enterprise machines -- as with Slammer -- but also countless home computers running Windows.