Microsoft releases Windows patch to stop worm attack

By Robert Westervelt, News Editor
23 Oct 2008 | SearchSecurity.com

Microsoft issued an emergency patch to repair a critical vulnerability in the Windows Server service that leaves Windows systems dangerously open to attack. The software maker also said it had to act quickly because it was aware of targeted attacks affecting Windows users.

This fix marks the fourth time that Microsoft has released a security patch outside of its monthly cycle. In its bulletin, Microsoft said the flaw could be exploited by an attacker without authentication to run arbitrary code. The attacker would have to send a malicious remote procedure call (RPC) request, which could result in taking complete control of a system. The flaw is rated critical on Windows 2000, XP, and Windows Server 2003 and is given an important rating on Windows Vista and Windows Server 2008.

"It is possible that this vulnerability could be used in the crafting of a wormable exploit," Microsoft said in its MS08-067 bulletin. "Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter."

The vulnerability was discovered as part of Microsoft's investigation into a series of targeted malware attacks against Windows XP systems. Targeted attacks have been ongoing for about two weeks, said Christopher Budd, security program manager in the Microsoft Security Response Center.

Security experts said the flaw is probably contained within the Server Message Block protocol, an area that handles file sharing, printer sharing and remote administration.

"It's a very basic networking component of all versions of Windows server," said Amichai Shulman, founder of database security vendor Imperva Inc.

Jason Miller, security data team manager at Shavlik Technologies LLC, called the flaw extremely dangerous and said a worm created to exploit the hole could do a lot of damage on corporate networks.

"This one is pretty nasty; this vulnerability can be exploited anonymously, meaning you can just target the system, send it something and you're in, you've got full access to that system," Miller said. "The scary part is if somebody knows how to [exploit] it, it's only a matter of time before that information gets leaked."

In an email message, Ben Greenbaum, senior research manager for Symantec Security Response, said the good news is that Vista and later operating systems are very difficult to exploit since most systems won't have affected ports exposed to the Internet.

"That being said, all it takes is one client-side exploit or Trojan that includes this exploit as a payload to get such a worm into a corporate network, where the affected ports are typically exposed to other internal computers," Greenbaum said.

Since it's technically a file sharing vulnerability, an attacker would need to build a worm capable of scanning ports for machines with file sharing enabled, said Wolfgang Kandek, chief technology officer of Qualys Inc.

"It's complicated from a technical perspective but somebody in the business would find it relatively easy to do," Kandek said. "There's really the potential for something quite nasty to happen if you think about partnering this vulnerability with another one."

Shavlik's Miller said a workaround involves disabling the Windows Server service, which could cause major problems for a lot of systems. Instead, rolling out a patch should be a lot easier, he said.

"Typically in a cycle for patches you would want to test the patch to see if it breaks any applications, but something like this you're going to have to deploy it," Miller said. "You've got to shoot from the hip and be a cowboy."

The last time Microsoft released a patch out of its normal cycle was in April 2007, when it patched the Windows ANI cursor handling flaw. At the time, Microsoft was tracking limited attacks against the flaw, which allowed an attacker to run malicious commands on a victim's machine.


