Tuesday, October 28, 2008

Microsoft Out-Of-Band Security Patch

Microsoft released an out-of-band security bulletin on 24 Oct (23 Oct-US Time) while i was away for holiday. This Patch is to resolve a vulnerability in the Server service of Microsoft Windows. It affects the Windows systems across the board from Windows 2000 to Windows 2008 (including XP, 2003 and Vista).

Microsoft has detected limited, targeted attacks exploiting this vulnerability in the wild and also noted the possibility that this vulnerability could be used in the crafting of a wormable exploit on Windows XP and older operating systems.

An unauthenticated attacker can trigger this vulnerability remotely by sending a specially crafted RPC request to execute arbitrary code on Windows Server 2000, Windows XP and Windows 2003. By default, Windows Vista and Windows Server 2008 require authentication.

However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable as the firewall is enabled on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, the RPC could be exposed in one of the following two conditions:

1) Firewall is disabled
2) Firewall is enabled but file/printer sharing is also enabled.

When File/Printer Sharing is enabled on Windows Vista and Windows Server 2008, the firewall only expose the RPC interface to the network type shared. For example, if a printer is shared on a network type ‘Private’, the firewall will block incoming RPC connections if the computer switches over to a network type ‘Public’. If you then choose to share the printer on the network type ‘Public’, Vista and Windows Server 2008 will prompt to ask if you really want to enable “File and Printer Sharing” for ALL public networks.

Details and patches are available in Microsoft Security Bulletin MS08-067

For more technical information and advices on Microsoft Vulnerabilities, you can visit Microsoft Security Vulnerability Research & Defense Blog

No comments: