Zotob

The Apple Blog normally gets things right, but if you’re looking for coverage on Windows, Apple sites aren’t the best places to go for information. In its report on the Zotob worm, it includes this:

It apparently does a buffer overflow exploit on Windows 2000 and XP machines running the LSASS service on TCP port 445, just as the Sasser worm did before it.
It’s a shame this service is still running on a default installation of Windows 2000 and XP. Machines with all the latest security patches should be doing OK.

This is incorrect. As Johannes Ullrich of the SANS Institute explains:

Windows XP and Windows Server 2003 systems could be vulnerable in certain rare circumstances, however. In order for this to happen, the system’s registry file would have to be altered to allow the computer to list system resources without requiring a login, a practice called “enabling Null sessions.” Null sessions are not enabled by default in Windows XP or Windows Server 2003, Ullrich said.
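The practical question an administrator is left with is whether a given XP or 2003 machine has actually been moved away from the default Ullrich describes. The following PowerShell check is an added example, not code from the post or from SANS, and the quoted report does not name the registry values involved; it reads the LSA and LanmanServer values that govern anonymous (null session) access and reports the ones that differ from the XP/2003 defaults. The value names are the standard Windows settings; which of them to treat as "worth flagging" is this example's own judgement, and the defaults assumed for absent values are noted in the comments.

```powershell
# Added example: report the registry settings that control anonymous
# ("null session") access on Windows XP / Server 2003 / 2000.
# Assumption: absent values are treated as the XP/2003 defaults noted inline.
function Get-NullSessionPosture {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srvPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    $lsa = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty -Path $srvPath -ErrorAction SilentlyContinue

    # Defaults assumed when a value is missing (XP/2003): RestrictAnonymous=0,
    # RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0, RestrictNullSessAccess=1.
    $restrictAnonymous    = if ($null -ne $lsa.RestrictAnonymous)         { [int]$lsa.RestrictAnonymous }         else { 0 }
    $restrictAnonymousSam = if ($null -ne $lsa.RestrictAnonymousSAM)      { [int]$lsa.RestrictAnonymousSAM }      else { 1 }
    $everyoneIncludesAnon = if ($null -ne $lsa.EveryoneIncludesAnonymous) { [int]$lsa.EveryoneIncludesAnonymous } else { 0 }
    $restrictNullSessAcc  = if ($null -ne $srv.RestrictNullSessAccess)    { [int]$srv.RestrictNullSessAccess }    else { 1 }
    # Pipes and shares that are reachable over a null session. XP/2003 ship with
    # a handful of default pipes here, so these are reported, not flagged.
    $nullSessionPipes  = @(@($srv.NullSessionPipes)  | Where-Object { $_ })
    $nullSessionShares = @(@($srv.NullSessionShares) | Where-Object { $_ })

    # Findings: settings that loosen anonymous access relative to the defaults.
    $findings = @()
    if ($everyoneIncludesAnon -eq 1) {
        $findings += 'EveryoneIncludesAnonymous=1: anonymous callers receive Everyone-group access'
    }
    if ($restrictAnonymousSam -eq 0) {
        $findings += 'RestrictAnonymousSAM=0: anonymous enumeration of SAM accounts is allowed'
    }
    if ($restrictNullSessAcc -eq 0) {
        $findings += 'RestrictNullSessAccess=0: null sessions are not limited to the listed pipes/shares'
    }

    [pscustomobject]@{
        RestrictAnonymous         = $restrictAnonymous   # 1 on XP/2003 is the hardened setting
        RestrictAnonymousSAM      = $restrictAnonymousSam
        EveryoneIncludesAnonymous = $everyoneIncludesAnon
        RestrictNullSessAccess    = $restrictNullSessAcc
        NullSessionPipes          = $nullSessionPipes
        NullSessionShares         = $nullSessionShares
        Findings                  = $findings
    }
}

# Usage: print the posture and a one-line verdict.
$posture = Get-NullSessionPosture
$posture | Format-List
if ($posture.Findings.Count -eq 0) {
    'Anonymous access settings are at or tighter than the XP/2003 defaults.'
} else {
    $posture.Findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on the host being checked; an empty Findings list means the machine is still in the default state the SANS quote describes, while any listed finding is a setting to review and, as a rule, revert, independent of whether the MS05 patches are installed.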

There’s plenty of misinformation about Zotob floating round the Macosphere. Hopefully, this won’t become one of those urban myths (like “Macs don’t have any software”).