Severity: High
14 October, 2008
Summary:
§These vulnerabilities affect: All current versions of Windows
§How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic
§Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer
§What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released seven security bulletins describing vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to a different extent. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities, in order from highest to lowest severity.
MS08-060: Windows 2000 Active Directory (AD) Buffer Overflow Vulnerability
Active Directory (AD) is the authentication component Windows uses to verify the credentials of users logging into your systems. The AD component that ships with Windows 2000 suffers from a buffer overflow vulnerability. By sending a specially crafted LDAP or LDAP over SSL (LDAPS) request, an attacker could exploit this vulnerability to gain complete control of your Windows domain controller. Once an attacker gained control of such a high-value server, he’d have a significant hold over your network. However, most administrators do not allow LDAP (port 389) or LDAPS (port 636) requests through their firewall. In most cases, an attacker would have to launch this attack from inside your network in order for it to succeed.
Microsoft rating: Critical.
MS08-063: SMB Buffer Overflow Vulnerability
Server Message Block (SMB) is a protocol Windows uses for network file sharing. According to Microsoft, SMB suffers from a buffer overflow vulnerability involving its inability to handle specially crafted file names. By sending specially crafted SMB packets, an attacker could exploit this vulnerability to gain complete control of your Windows computers. However, only authenticated users with valid Windows credentials could exploit this vulnerability. That makes this flaw, too, primarily an insider threat.
Microsoft rating: Important.
MS08-065: Message Queuing Remote Code Execution Vulnerability
Microsoft Message Queuing (MSMQ) is a technology that allows applications running at different times to communicate with one another over the network in an asynchronous fashion. Unfortunately, the MSMQ service suffers from a security vulnerability having to do with the way it parses Remote Procedure Call (RPC) requests. By sending a specially crafted RPC request, an attacker could exploit this vulnerability to gain complete control of your Windows computer. However, Windows doesn’t enable MSMQ by default, which significantly lowers the severity of this flaw. Furthermore, this flaw only affects Windows 2000 computers.
Microsoft rating: Important.
MS08-062: Internet Printing Server Remote Code Execution Vulnerability
Internet Printing Protocol (IPP) is an ISAPI extension that is enabled by default on many Windows servers running Internet Information Services (IIS). This protocol suffers from an unspecified integer overflow vulnerability. By sending a specially crafted HTTP POST request, an attacker could trick a vulnerable IIS web server into connecting to a malicious computer masquerading as an IPP-compatible printer. The malicious computer could then send specially crafted IPP responses to the vulnerable IIS server, which would exploit the IPP integer overflow vulnerability. The attacker could leverage this integer overflow vulnerability to execute code on the IIS web server with the privileges of the logged-in user. If he or she has administrative privileges, the attacker would gain complete control of your IIS server. That said, only authenticated users with valid Windows credentials can exploit this vulnerability, making it primarily an insider threat. Furthermore, the latest Windows servers no longer enable IPP by default, and so are not inherently vulnerable to this flaw.
Microsoft rating: Important.
MS08-061: Three Kernel Elevation of Privilege Vulnerabilities
The kernel is the central component of any operating system (OS). According to Microsoft, the Windows kernel suffers from three elevation of privilege vulnerabilities. The three flaws differ technically, but have the same scope and impact. If an attacker can log into one of your Windows machines, and can run a specially crafted program, he could exploit any of these three flaws to gain complete control of that machine. Of course, in order to log into your machines, the attacker needs valid Windows credentials. This fact significantly lowers the severity of this vulnerability, making it primarily an insider threat.
Microsoft rating: Important.
MS08-066: Ancillary Function Driver Elevation of Privilege Vulnerability
The Ancillary Function Driver (AFD.sys) is one of the components Windows installs to support the Windows Socket API (winsock). Unfortunately, AFD suffers from an elevation of privilege vulnerability very similar in scope to the three described above. If an attacker can log into one of your Windows machines, and can run a specially crafted program, he could exploit this flaw to gain complete control of that machine. As before, the attacker needs valid Windows credentials in order to exploit this vulnerability, making it primarily an insider threat.
Microsoft rating: Important.
MS08-064: Virtual Address Descriptor Elevation of Privilege Vulnerability
According to Microsoft, a Virtual Address Descriptor (VAD) is a form of virtual memory that allows each application to have its own private address space. The memory manager component that handles VAD suffers from an integer overflow flaw. Like the two flaws described above, if an attacker can log into one of your Windows machines, and can run a specially crafted program, he could exploit this integer overflow vulnerability to elevate privileges, gaining complete control of that machine. Again, the attacker needs valid Windows credentials in order to exploit this vulnerability, making it primarily an insider threat.
Microsoft rating: Important.
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
Note: This vulnerability only affects Windows 2000 Servers.
§For Windows Server 2003 Itanium
§For Windows Server 2008 Itanium
Note: This vulnerability only affects Windows 2000 Servers.
§For Windows Server 2003 Itanium
§For Windows Server 2008 Itanium
§For Windows Server 2003 Itanium
§For Windows Server 2008 Itanium
§For Windows Server 2003 Itanium
Note: Doesn’t affect Windows 2000, Vista, or Server 2008.
§For Windows Server 2003 Itanium
§For Windows Server 2008 Itanium
Note: Doesn’t affect Windows 2000.
For All WatchGuard Users:
WatchGuard Fireboxes, by default, reduce the risks presented by many of these vulnerabilities. For instance, by default your Firebox blocks the ports necessary to launch the Active Directory, SMB, and Message Queuing attacks described above. However, attackers could exploit many of these attacks locally, without passing traffic through your firewall. For that reason, we urge you to apply the patches above.
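The two paragraphs above (the Active Directory bulletin and the Firebox note) make the same point: the firewall only mitigates these flaws for traffic that crosses it, so the question for a defender is whether the affected ports are reachable at all, and from where. The script below is an added example, not part of the original advisory and not WatchGuard's own tooling. It triages constructed firewall log lines and counts hits on the bulletins' ports by origin (inside or outside the network) and by firewall verdict, then lists any port that was reachable from outside. Assumptions: the key=value log format is hypothetical (real Firebox logs use different fields), "inside" means RFC 1918 space, and the SMB (139/445) and MSMQ (1801) port numbers are the protocols' standard ports rather than values given on the page; only TCP 389 and 636 are named in the advisory.

```python
"""Triage firewall log lines for traffic to the ports behind MS08-060/063/065."""
import ipaddress
import re
from collections import Counter

# Ports tied to the network-reachable bulletins in this advisory. TCP 389/636
# are named on the page for Active Directory (MS08-060); 139/445 for SMB
# (MS08-063) and 1801 for MSMQ (MS08-065) are the protocols' standard ports,
# assumed here because the advisory does not list them.
BULLETIN_PORTS = {
    389: "MS08-060 (LDAP)",
    636: "MS08-060 (LDAPS)",
    139: "MS08-063 (SMB over NetBIOS)",
    445: "MS08-063 (SMB)",
    1801: "MS08-065 (MSMQ)",
}

# Address ranges treated as "inside the network" (assumption: RFC 1918 space).
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical key=value log format; a real Firebox log line looks different.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+"
    r"proto=tcp\s+action=(?P<action>allow|deny)"
)

# Constructed sample log: external probes denied, internal traffic allowed,
# and one MSMQ connection allowed from an external address (a misconfiguration).
SAMPLE_LOG = [
    "src=203.0.113.9 dst=192.168.1.10 dport=389 proto=tcp action=deny",
    "src=203.0.113.9 dst=192.168.1.10 dport=445 proto=tcp action=deny",
    "src=10.0.0.25 dst=192.168.1.10 dport=636 proto=tcp action=allow",
    "src=10.0.0.25 dst=192.168.1.10 dport=445 proto=tcp action=allow",
    "src=10.0.0.26 dst=192.168.1.20 dport=1801 proto=tcp action=allow",
    "src=198.51.100.4 dst=192.168.1.20 dport=1801 proto=tcp action=allow",
    "src=10.0.0.25 dst=192.168.1.10 dport=80 proto=tcp action=allow",
]


def is_internal(ip_text):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line):
    """Return (bulletin, origin, action) for a line hitting a bulletin port, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    port = int(m["dport"])
    if port not in BULLETIN_PORTS:
        return None
    origin = "inside" if is_internal(m["src"]) else "outside"
    return (BULLETIN_PORTS[port], origin, m["action"])


def summarize(lines):
    """Count hits per (bulletin, origin, action) so exposure can be read at a glance."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[hit] += 1
    return counts


def allowed_from_outside(lines):
    """Lines where a bulletin port was reachable from a non-internal source.

    Any result here means the firewall is not providing the mitigation the
    advisory relies on for that bulletin, and patching is the only protection.
    """
    findings = []
    for line in lines:
        hit = classify(line)
        if hit is not None and hit[1] == "outside" and hit[2] == "allow":
            findings.append(line)
    return findings


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:<28} {key[1]:<8} {key[2]:<6} {n}")
    for line in allowed_from_outside(SAMPLE_LOG):
        print("EXPOSED:", line)
```

The summary makes the advisory's insider-threat framing concrete: denied traffic from outside is the firewall doing its job, allowed traffic from inside is exactly the path the patches are for, and allowed traffic from outside (the MSMQ line from 198.51.100.4 in the sample) is a rule gap to fix alongside the patch.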
Status:
Microsoft has released patches correcting these issues.
References:
§Microsoft Security Bulletin MS08-060
§Microsoft Security Bulletin MS08-061
§Microsoft Security Bulletin MS08-062
§Microsoft Security Bulletin MS08-063
§Microsoft Security Bulletin MS08-064
§Microsoft Security Bulletin MS08-065
§Microsoft Security Bulletin MS08-066