Microsoft Security Bulletin MS08-067 – Critical Updated

Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Published: October 23, 2008

Version: 1.0

General Information

Executive Summary

Thissecurity update resolves a privately reported vulnerability in theServer service. The vulnerability could allow remote code execution ifan affected system received a specially crafted RPC request. OnMicrosoft Windows 2000, Windows XP, and Windows Server 2003 systems, anattacker could exploit this vulnerability without authentication to runarbitrary code. It is possible that this vulnerability could be used inthe crafting of a wormable exploit. Firewall best practices andstandard default firewall configurations can help protect networkresources from attacks that originate outside the enterprise perimeter.

Thissecurity update is rated Critical for all supported editions ofMicrosoft Windows 2000, Windows XP, Windows Server 2003, and ratedImportant for all supported editions of Windows Vista and WindowsServer 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Thesecurity update addresses the vulnerability by correcting the way thatthe Server service handles RPC requests. For more information about thevulnerability, see the Frequently Asked Questions (FAQ) subsection forthe specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None

Affected and Non-Affected Software

Thefollowing software have been tested to determine which versions oreditions are affected. Other versions or editions are either past theirsupport life cycle or are not affected. To determine the support lifecycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating System Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update

Microsoft Windows 2000 Service Pack 4

Remote Code Execution

Critical

MS06-040

Windows XP Service Pack 2

Remote Code Execution

Critical

MS06-040

Windows XP Service Pack 3

Remote Code Execution

Critical

None

Windows XP Professional x64 Edition

Remote Code Execution

Critical

MS06-040

Windows XP Professional x64 Edition Service Pack 2

Remote Code Execution

Critical

None

Windows Server 2003 Service Pack 1

Remote Code Execution

Critical

MS06-040

Windows Server 2003 Service Pack 2

Remote Code Execution

Critical

None

Windows Server 2003 x64 Edition

Remote Code Execution

Critical

MS06-040

Windows Server 2003 x64 Edition Service Pack 2

Remote Code Execution

Critical

None

Windows Server 2003 with SP1 for Itanium-based Systems

Remote Code Execution

Critical

MS06-040

Windows Server 2003 with SP2 for Itanium-based Systems

Remote Code Execution

Critical

None

Windows Vista and Windows Vista Service Pack 1

Remote Code Execution

Important

None

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Remote Code Execution

Important

None

Windows Server 2008 for 32-bit Systems*

Remote Code Execution

Important

None

Windows Server 2008 for x64-based Systems*

Remote Code Execution

Important

None

Windows Server 2008 for Itanium-based Systems

Remote Code Execution

Important

None

*Windows Server 2008 server core installation affected.For supported editions of Windows Server 2008, this update applies,with the same severity rating, whether or not Windows Server 2008 wasinstalled using the Server Core installation option. For moreinformation on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Frequently Asked Questions (FAQ) Related to This Security Update

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

Server Service Vulnerability – CVE-2008-4250

Update Information

Detection and Deployment Tools and Guidance

Security Update Deployment

Other Information

Support

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

Internationalcustomers can receive support from their local Microsoft subsidiaries.There is no charge for support that is associated with securityupdates. For more information about how to contact Microsoft forsupport issues, visit the International Support Web site.

Disclaimer

Theinformation provided in the Microsoft Knowledge Base is provided “asis” without warranty of any kind. Microsoft disclaims all warranties,either express or implied, including the warranties of merchantabilityand fitness for a particular purpose. In no event shall MicrosoftCorporation or its suppliers be liable for any damages whatsoeverincluding direct, indirect, incidental, consequential, loss of businessprofits or special damages, even if Microsoft Corporation or itssuppliers have been advised of the possibility of such damages. Somestates do not allow the exclusion or limitation of liability forconsequential or incidental damages so the foregoing limitation may notapply.

Revisions

V1.0 (October 23, 2008): Bulletin published.

Here are some FAQ’s 

What is the scope of the vulnerability?

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability over RPC without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability? 

The vulnerability is caused by the Windows Server service not properly handling specially crafted RPC requests.

What is the Server service? 

The Server service provides RPC support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

What is RPC? 

Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

What might an attacker use the vulnerability to do? 

 An attacker who successfully exploited this vulnerability could take complete control of the affected system.

How could an attacker exploit the vulnerability? 

An attacker could try to exploit the vulnerability by sending a specially crafted message to an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, any anonymous user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability. On Windows Vista and Windows Server 2008 systems, however, only an authenticated user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability.

What systems are primarily at risk from the vulnerability?

While all workstations and servers are at risk regarding this issue, systems running Microsoft Windows 2000, Windows XP, or Windows Server 2003 are primarily at risk due to the unique characteristics of the vulnerability and affected code path.

 

What does the update do? 

The update addresses the vulnerability by correcting the manner in which the Server service handles RPC requests.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 

Yes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability. However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published.

Does applying this security update help protect customers from the code that attempts to exploit this vulnerability? 

Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number. CVE-2008-4250 

Here are some additional resources you should be aware of…….

Full bulletin for MS08-067 is available at

Full bulletin for MS08-067

File information details can be found in

Microsoft Knowledge Base Article 958644

 ******

Security Updates Are Available from…

Office Update

Microsoft Update

Windows Update
  

Microsoft TechNet Security TechCenter as a source of security information:

http://technet.microsoft.com/security

Security updates are also available from 

the Microsoft Download Center

Microsoft Baseline Security Analyzer 

Microsoft Baseline Security Analyzer

  

To go to the Official Microsoft Posting…
 
 

This one is important  ! ! ! ! !
 

Posted by Michael Corey, Founder & CEO

www.ntirety.com

 

 

Leave a Reply