As you are well aware if you read my previous blog entry, Microsoft has just released a new crtical patch Microsoft Security Bulletin MS08-067
Here are some FAQ’s
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability over RPC without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
The vulnerability is caused by the Windows Server service not properly handling specially crafted RPC requests.
What is the Server service?
The Server service provides RPC support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.
What is RPC?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by sending a specially crafted message to an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, any anonymous user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability. On Windows Vista and Windows Server 2008 systems, however, only an authenticated user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability.
What systems are primarily at risk from the vulnerability?
While all workstations and servers are at risk regarding this issue, systems running Microsoft Windows 2000, Windows XP, or Windows Server 2003 are primarily at risk due to the unique characteristics of the vulnerability and affected code path.
What does the update do?
The update addresses the vulnerability by correcting the manner in which the Server service handles RPC requests.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability. However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published.
Does applying this security update help protect customers from the code that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number. CVE-2008-4250
Here are some additional resources you should be aware of…….
Full bulletin for MS08-067 is available at
File information details can be found in
Security Updates Are Available from…
Microsoft TechNet Security TechCenter as a source of security information:
Security updates are also available from
Microsoft Baseline Security Analyzer
Note this was updated from original Post
Posted by Michael Corey, Founder & CEO