Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild
The Patch:
Microsoft has released the patch to Windows Update.
Details:
"This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests." - Microsoft
Affected Software
| Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|
|  | Remote Code Execution | Critical |  |
|  | Remote Code Execution | Critical |  |
|  | Remote Code Execution | Critical | None |
|  | Remote Code Execution | Critical |  |
|  | Remote Code Execution | Critical | None |
|  | Remote Code Execution | Critical |  |
|  | Remote Code Execution | Critical | None |
|  | Remote Code Execution | Critical |  |
|  | Remote Code Execution | Critical | None |
|  | Remote Code Execution | Critical |  |
|  | Remote Code Execution | Critical | None |
|  | Remote Code Execution | Important | None |
| Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | Remote Code Execution | Important | None |
|  | Remote Code Execution | Important | None |
|  | Remote Code Execution | Important | None |
|  | Remote Code Execution | Important | None |
"Buffer underflow in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a Server Message Block (SMB) request that contains a filename with a crafted length, aka 'SMB Buffer Underflow Vulnerability.'" - NIST
UPDATE: Microsoft has just released more information on this.
"We discovered this vulnerability as part of our research into a limited series of targeted malware attacks against Windows XP systems that we discovered about two weeks ago through our ongoing monitoring. As we investigated these attacks we found they were utilizing a new vulnerability and initiated our Software Security Incident Response Process (SSIRP). As we analyzed the vulnerability in our SSIRP process, we found that this vulnerability was potentially wormable on Windows XP and older systems. Our analysis also showed that it would be possible to address this vulnerability in a way that would enable us to develop an update of appropriate quality for broad distribution quickly. Based on those two factors, we felt that it was in the best interest of customers for us to release this update before the regular November release cycle. We also have detection for the malware we found used in attacks exploiting this vulnerability (TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Gimmiv.A.dll) in the signatures the MMPC is releasing today and sharing that information with our partners." - MSRC
UPDATE 2: Microsoft is providing more details at the webcast below.
UPDATE 3: More detail about MS08-067, the out-of-band netapi32.dll security update
UPDATE 4: The exploit code has been published on milw0rm.
Additional Reading:
Microsoft Webcast: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032393978&EventCategory=4&culture=en-US&CountryCode=US
MSRC Details: http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
Microsoft Alert: http://blogs.technet.com/msrc/archive/2008/10/22/advance-notification-for-out-of-band-release.aspx
NIST Details: http://web.nvd.nist.gov/view/vuln/detail;jsessionid=a5fe3ed14945005c4adc2b12c6d2?execution=e1s1
Bulletin Details: http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
Malware protection center article says you'd be vulnerable if you enabled "File Sharing" service over the network...
Posted by: Anonymous | Oct 23, 2008 11:31:50 PM