I’ve spent a lot of time over the past 27 hours notifying clients about the emergency Windows patch released yesterday afternoon, and also installing that patch on servers and workstations.  So I’m just now getting a chance to post the information here, to my blog.  (Isn’t that a great diagram to the right?  No, I didn’t make that.)


The gist

  • This is a major vulnerability affecting the “Server” service that is part of Windows 2000/XP/2003/Vista/2008.
  • The problem is not as critical on Windows Vista and Windows Server 2008, as those operating systems have better built-in protections in place.  These systems should still be patched though.
  • An attacker could leverage this vulnerability to execute any code of their choice.
  • An attacker can only exploit the vulnerability if they can reach the Windows file-sharing ports.  In general, these are blocked by software firewalls, hardware firewalls, wifi routers, etc.
  • The key threat is that a machine on your network gets compromised via some other exploit or user action and then uses this vulnerability to spread throughout your network.
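Detection logic for the spreading pattern in the last bullet, as an added example that is not part of the original post: it reads Windows Firewall (pfirewall.log) lines, assuming that log's W3C field layout, and flags any source that touches several distinct hosts on TCP 139/445 (the SMB ports behind "file sharing ports"). The sample log lines are constructed.

```python
"""Flag hosts fanning out to SMB ports in Windows Firewall (pfirewall.log) entries.
Added example (not from the original post); assumes the W3C field layout Windows
Firewall writes, and SAMPLE_LOG is constructed for illustration."""

from collections import defaultdict

# TCP 139 (NetBIOS session) and 445 (direct-hosted SMB): the file-sharing ports
# through which the Server service is reached.
SMB_PORTS = {139, 445}

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-10-24 09:01:02 OPEN TCP 192.168.1.20 192.168.1.5 49211 445 - - - - - - - - SEND
2008-10-24 09:01:02 OPEN TCP 192.168.1.20 192.168.1.6 49212 445 - - - - - - - - SEND
2008-10-24 09:01:03 DROP TCP 192.168.1.20 192.168.1.7 49213 445 48 S 3452781 0 65535 - - - RECEIVE
2008-10-24 09:01:03 DROP TCP 192.168.1.20 192.168.1.8 49214 139 48 S 3452790 0 65535 - - - RECEIVE
2008-10-24 09:02:10 OPEN TCP 192.168.1.30 192.168.1.5 51000 445 - - - - - - - - SEND
2008-10-24 09:02:11 OPEN TCP 192.168.1.40 192.168.1.5 51001 80 - - - - - - - - SEND
"""

def parse_firewall_log(text):
    """Yield (action, protocol, src, dst, dst_port) for each data line, skipping
    '#' header lines and entries without a destination port (e.g. ICMP)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 8 or parts[7] == "-":
            continue
        action, proto, src, dst, dport = parts[2], parts[3], parts[4], parts[5], parts[7]
        yield action, proto, src, dst, int(dport)

def smb_fanout(text, min_targets=3):
    """Return {src: {"targets": n, "allowed": m}} for every source that touched at
    least min_targets distinct hosts on TCP 139/445. Dropped probes count toward
    'targets': a host sweeping its neighbours' file-sharing ports is the spreading
    pattern the post warns about; 'allowed' is how many of those it actually reached."""
    targets, allowed = defaultdict(set), defaultdict(set)
    for action, proto, src, dst, dport in parse_firewall_log(text):
        if proto != "TCP" or dport not in SMB_PORTS:
            continue
        targets[src].add(dst)
        if action.startswith("OPEN"):  # OPEN / OPEN-INBOUND: connection was permitted
            allowed[src].add(dst)
    return {src: {"targets": len(hosts), "allowed": len(allowed[src])}
            for src, hosts in targets.items() if len(hosts) >= min_targets}
```

Running `smb_fanout(SAMPLE_LOG)` on the constructed log flags only 192.168.1.20 (four SMB targets, two reached); the single file-server connection from 192.168.1.30 and the web request from 192.168.1.40 are not reported.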


What you need to do

Go to Windows Update and install the patch — right now.

If you’re using Windows Vista, click the start button and type “update”, then click “Windows Update” in the list of programs.

If you’re running an earlier operating system, open Internet Explorer and go to: http://update.microsoft.com


Versions affected

  • Desktop
    • Windows 2000 SP4
    • Windows XP SP2 and SP3
    • Windows XP 64-bit SP2
    • Vista and Vista SP1
    • Vista 64-bit and Vista 64-bit SP1
  • Server
    • Windows Server 2003 SP1 and SP2
    • Windows Server 2008 32-bit/64-bit/Itanium


Resources and links

Full bulletin for MS08-067 is available at http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

File information details can be found in Microsoft Knowledge Base Article 958644.

Microsoft TechNet Security TechCenter as a source of security information: http://technet.microsoft.com/security

Security updates are available from Microsoft Update, Windows Update, and Office Update.

Security updates are also available from the Microsoft Download Center.

Microsoft Baseline Security Analyzer, for verifying which security updates a system is missing.


FAQ

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability over RPC without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
The vulnerability is caused by the Windows Server service not properly handling specially crafted RPC requests.

What is the Server service?
The Server service provides RPC support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

What is RPC?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by sending a specially crafted message to an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, any anonymous user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability. On Windows Vista and Windows Server 2008 systems, however, only an authenticated user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability.

What systems are primarily at risk from the vulnerability?
While all workstations and servers are at risk regarding this issue, systems running Microsoft Windows 2000, Windows XP, or Windows Server 2003 are primarily at risk due to the unique characteristics of the vulnerability and affected code path.

What does the update do?
The update addresses the vulnerability by correcting the manner in which the Server service handles RPC requests.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability. However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published.

Does applying this security update help protect customers from the code that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-4250.