Severity: High
11 November, 2008
Summary:
§ These vulnerabilities affect: All current versions of Windows, and many versions of Office
§ How an attacker exploits them: Multiple vectors of attack, including enticing a victim to a malicious web site
§ Impact: Various; in the worst case, attacker can gain complete control of your Windows computer
§ What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released two security bulletins describing vulnerabilities that affect Windows and components that ship with it. Some of the vulnerabilities also affect Office and Office-related products. Each vulnerability affects different versions of Windows to a different extent. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities in order of severity, worst first.
MS08-069: Three XML Core Services Vulnerabilities
Microsoft’s XML Core Services (MSXML) provide a high degree of support for XML standards in Windows. Though the XML Core Services do not ship with all versions of Windows, they ship with a variety of popular Microsoft products and software updates, including some versions of Office and Internet Explorer. You’re likely to find the XML Core Services on most of your Windows workstations. (For further details on which products include the XML Core Services, scroll to the bottom of the Microsoft Knowledge Base article, “List of Microsoft XML Parser versions.”)
Microsoft’s bulletin describes three vulnerabilities that affect MSXML. The worst vulnerability involves memory corruption, arising from MSXML poorly handling specially crafted XML content. By enticing one of your users to a malicious web site, an attacker could leverage this vulnerability to execute code on that user’s computer, with that user’s privileges. If that user has local administrative rights, the attacker could gain complete control of the user’s machine. The two remaining MSXML flaws include a less severe Cross-Site Scripting vulnerability, and an Information Disclosure flaw.
Microsoft rating: Critical.
MS08-068: SMB Credential-Reflection Vulnerability
Server Message Block (SMB) is a protocol Windows uses for network file sharing. By default, Windows SMB suffers from something called a “credential-reflection vulnerability” when handling NT LAN Manager (NTLM) credentials. In credential-reflection attacks, an attacker somehow captures a victim’s login credentials, which are typically sent as hash values. In most cases, the attacker captures these credentials by sniffing network traffic or enticing a user to log into malicious servers which record the login. Once the attacker captures the hashed credentials, they replay those login credentials in order to log into some system with the victim’s privileges.
Microsoft SMB ships with some credential-reflection protection mechanisms. However, Windows does not enable them by default. By enticing one of your users to log in to a malicious SMB server, an attacker could leverage this lack of protection to capture that user’s NTLM login credentials, and gain access to that user’s computer. If the user has local administrative privileges, the attacker gains full control of the user’s machine. However, most administrators do not allow SMB traffic (ports 135 and 445) to pass beyond their perimeter, out to the Internet. Therefore, this flaw primarily poses an internal threat.
Microsoft rating: Important.
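An added example, not part of the original alert: since the attack starts with a user's machine reaching a malicious SMB server, outbound connections on the SMB ports named above are worth auditing in firewall logs, whether they were allowed or denied. The key=value log format, the addresses and the function names are constructed for illustration, and the script assumes the RFC 1918 ranges are your internal networks.

```python
import ipaddress
from collections import defaultdict

# Ports the alert names for SMB traffic at the perimeter.
SMB_PORTS = {135, 445}
# Assumption: these ranges are "inside"; replace them with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample log (hypothetical key=value format, not a real Firebox log).
SAMPLE_LOG = """\
2008-11-11T09:14:02 action=allow proto=tcp src=10.0.1.23 dst=203.0.113.45 dport=445
2008-11-11T09:14:05 action=allow proto=tcp src=10.0.1.23 dst=10.0.2.10 dport=445
2008-11-11T09:15:11 action=deny proto=tcp src=10.0.1.40 dst=198.51.100.7 dport=445
2008-11-11T09:15:30 action=allow proto=tcp src=10.0.1.40 dst=198.51.100.7 dport=80
2008-11-11T09:16:00 action=deny proto=tcp src=10.0.1.40 dst=198.51.100.7 dport=135
this line is truncated dst=
""".splitlines()

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return the key=value fields of one log line as a dict ({} if none)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and value:
            fields[key] = value
    return fields

def find_smb_egress(lines):
    """Map each internal source to the external SMB connections it attempted."""
    findings = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue  # malformed line or missing fields: skip it
        if dport in SMB_PORTS and is_internal(src) and not is_internal(dst):
            findings[str(src)].append((str(dst), dport, f.get("action", "unknown")))
    return dict(findings)

if __name__ == "__main__":
    for host, hits in sorted(find_smb_egress(SAMPLE_LOG).items()):
        print(host, hits)
```

An allowed hit means SMB is leaving your perimeter; a denied hit still identifies a workstation that tried to reach an outside SMB server and deserves a look.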
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
- 2000
- XP SP2
- XP SP3
- XP x64
- Server 2003
- Server 2003 Itanium Edition
- Server 2003 x64
- Vista
- Vista x64
- Server 2008
- Server 2008 Itanium Edition
- Server 2008 x64
- Office
Note: Due to the confusing array of possible combinations of MSXML, you may want to let Windows Update find the appropriate patch automatically.
- For Windows 2000
- For Windows XP
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 x64
- For Windows Server 2003 Itanium
- For Windows Vista
- For Windows Vista x64
- For Windows Server 2008
- For Windows Server 2008 x64
- For Windows Server 2008 Itanium
For All WatchGuard Users:
WatchGuard Fireboxes reduce the risks presented by one of these vulnerabilities. By default, your Firebox blocks the ports necessary to launch the SMB attack described above. However, attackers could also exploit the SMB attack locally, without passing traffic through your firewall. Furthermore, attackers could exploit the XML vulnerabilities using normal HTTP traffic, which you must allow for your users to browse the web. For those reasons, we urge you to apply Microsoft’s patches.
Status:
Microsoft has released patches correcting these issues.
References:
§ Microsoft Security Bulletin MS08-068
§ Microsoft Security Bulletin MS08-069