
October 23rd, 2008

MS ships emergency patch for Windows worm hole

Posted by Ryan Naraine @ 10:03 am


Microsoft has released an out-of-band patch to fix an extremely critical worm hole that exposes Windows users to remote code execution attacks.

The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory. The vulnerability is rated “critical” on Windows 2000, Windows XP and Windows Server 2003.

On Windows Vista and Windows Server 2008, the flaw carries an “important” rating.

From Microsoft’s critical MS08-067 bulletin:

  • A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft said it was aware of “limited, targeted attacks attempting to exploit the vulnerability” but the company did not provide any clues about the origin of the attacks or the target that was hit. There are no signs yet of public proof-of-concept code.

According to the bulletin, there is a chance that the vulnerability could lead to a “wormable exploit.”

  • The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
  • Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

The vulnerable Windows Server service provides RPC support, file and print support, and named pipe sharing over the network. It is also used to allow the sharing of your local resources (such as disks and printers) so that other users on the network can access them.

This is the first out-of-cycle patch from Microsoft since the fix for the animated cursor vulnerability in April 2007. It is the 67th bulletin from Redmond this year.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

