IIS Vulnerability Update: Symantec Has (Maybe) Snagged Offending Code
"SSL worm" has maybe already been found
Apr. 28, 2004 12:00 AM
On April 22 Microsoft became aware of code available on the Internet that seeks to exploit vulnerabilities already addressed as part of its April 13 security updates: code that attempts to use the IIS PCT/SSL vulnerability on servers running Internet Information Services with Secure Sockets Layer authentication enabled. The vulnerability was addressed by bulletin MS04-011 (www.windowsupdate.com), and Microsoft urged all customers to immediately install the MS04-011 update as well as the other critical updates provided on April 13. In addition, Microsoft published knowledge base article KB187498 at http://support.microsoft.com/default.aspx?scid=kb;en-us;187498, which provides additional details on SSL and how to disable PCT without applying MS04-011.

Now Symantec's "DeepSight Threat" network - a global group of sensors that tracks up-and-coming exploits - is reported to have obtained a copy of the code on April 27.

"The sample is automated code, but whether it's a bot or actually a worm, we don't yet know," said Alfred Huger, the senior director of engineering with Symantec's security response team. Only a worm can infect other systems indirectly, by sending itself via e-mail or tucking copies into shared folders, Huger explained. But either way, he urged everyone to expedite their patching of this vulnerability.

"If this isn't a worm, I think we'll see one in short order," he said.