A week after the release of Microsoft's October 2007 security update, Windows administrators are experiencing some...
Several have reported system difficulties after installing the fixes released in security bulletins MS07-057 and MS07-058. Meanwhile, researchers warn that exploit code has been released for a new zero-day flaw in Windows.
Most of the patching trouble concerns MS07-058, which fixes a denial-of-service flaw in the remote procedure call (RPC) facility due to a glitch in how the program communicates with the NTLM security provider when performing authentication of RPC requests. The flaw affects all supported editions of Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.
Edward Ziots, a Rhode Island-based network engineer, said he encountered reboot problems after installing it.
"Systems are hanging and the RPC connection is lost after the application of MS07-058," he said in an email exchange. "Basically, the server goes into a state of limbo … [you] can't remotely administer it, can't even use remote commands to shut it down. The only way I could get a reboot on my systems was a hard power down."
Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., said one of her colleagues had to deal with four servers affected by the glitch. The problem is difficult for Microsoft to resolve, Bradley said.
"They can't get on the box to debug or reprogram it," she said. "We have been discussing rebooting problems for a while with Microsoft, but unless they can get on the box and see … there's not much they can do."
A Microsoft spokesman said there is no evidence of significant deployment problems with MS07-058.
"If customers believe they are experiencing an issue, they should contact Customer Support Services for no-charge support right away. This will help Microsoft to resolve the customer's issue more quickly and identify those instances where there is a broader issue," the spokesman said.
Separately, some Windows administrators have reported problems after installing MS07-057, which fixes four Internet Explorer flaws attackers could exploit to run malicious code if the victim uses the browser to view a specially crafted Web page.
One administrator reported via the patch management email forum hosted by Roseville, Minn.-based Shavlik Technologies that several university IT shops are having issues with MS07-057 and its compatibility with third-party security programs.
"We have confirmed other universities are seeing this issue, but have not been able to determine what third-party applications could be causing the problem," the administrator said. "Some machines are running SAV Corporate (10.1 and 10.2) and others are running McAfee Enterprise."
If their patch-deployment issues weren't enough of a challenge, Windows administrators also have a new Windows zero-day flaw to worry about, though it appears this one can only be exploited locally.
The French Security Incident Response Team (FrSIRT) released its FrSIRT/ADV-2007-3537 advisory Friday morning for a moderately critical Windows flaw attackers could exploit to obtain elevated privileges. "This issue is caused by a buffer overflow error in the Macrovision Security Driver (secdrv.sys) when processing user-supplied data, which could be exploited by local unprivileged attackers to gain Ring0 privileges and take complete control of an affected system," FrSIRT said, crediting researcher Ruben Santamarta with the discovery.
Though there is currently no patch, Santamarta said in a blog entry on the Reverse Mode Web site that he and his colleagues chose to disclose this information since an exploit has been caught in the wild.
"We see no reason to hide information that can be useful for administrators and researchers," he said.
Symantec researcher Elia Florio wrote about the problem in the Symantec Security Response Center blog, saying that the center has notified Microsoft of the issue.
"The mitigating factor is that the attacker has to be logged on to or have access to the compromised computer with a valid account, since the exploit only works locally," Florio wrote. "Home users are probably less exposed to this threat."