Critical Out-of-Cycle Patch from Microsoft (MS08-067)
From first alert on Tuesday, to patch release on Thursday, Microsoft has rushed an out-of-cycle patch out to Windows users, acting on a privately reported problem affecting the core Windows kernel.
In some detail, the vulnerability is a problem with the way that Windows handles Remote Procedure Calls (RPC) and can result in a remote unauthenticated user (i.e. anyone on the Internet) being able to take complete control over your system.
Microsoft acknowledges that the issue is being actively targeted by malicious code, though code samples have yet to appear publicly. It has been reported that Gimmiv.A is a worm which is using this particular vulnerability to attack vulnerable systems, though Microsoft's initial guidance was that it was only being used in targeted attacks.
Already different groups have claimed to have reverse engineered the patch and there are fears that this vulnerability could lead to something like the Blaster worm from 2003, where a patch was available but attacks took down a significant number of systems anyway.
In some of the open analysis that has taken place, there is enough information to point to the NetPathCanonicalize call as being the weakness currently being exploited. The available information also shows a fairly straight forward buffer overflow.
Users who have enabled the builtin Windows firewall (default on systems after XP SP2) will be protected by default against this issue, though it is still urgent to apply the patch. However, if print or file sharing is enabled the system is vulnerable again. This means that many systems that would otherwise be secure are not going to be.
Windows Vista and 2008 systems are vulnerable if the file / print sharing has been enabled for networks of type 'Public'.
According to the Security Vulnerability Research & Defense team at Microsoft, ASLR and DEP should provide some added protection to Windows Vista and Windows 2008, though it is still considered possible that arbitrary code execution could take place. The UAC feature of Vista and 2008 will also limit anonymous attacks, however if "Password Protected Sharing" is disabled, anonymous attacks will be successful. If TCP ports 139 and 445 are blocked at the network perimeter it will mitigate against external attacks, however internal networked systems will remain vulnerable and some services might no longer work as expected, including:
- Applications that use SMB (CIFS)
- Applications that use mailslots or named pipes (RPC over SMB)
- Server (File and Print Sharing)
- Group Policy
- Net Logon
- Distributed File System (DFS)
- Terminal Server Licensing
- Print Spooler
- Computer Browser
- Remote Procedure Call Locator
- Fax Service
- Indexing Service
- Performance Logs and Alerts
- Systems Management Server
- License Logging Service
Despite Microsoft providing non-patch mitigation options, the criticality of this particular vulnerability, and the fact that it is being targeted in the wild means that users and administrators should apply the patch as soon as possible.
For Windows 2000, XP, and 2003, the vulnerability has been rated as Critical, with Windows Vista and 2008 attracting Important ratings. Microsoft have even acknowledged that the pre-beta versions of Windows 7 are also affected by this particular vulnerability. The ISC have rated their threat indicator to Yellow, as have Symantec.
You can get MS08-067 direct from Microsoft, here.
24 October 2008
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.