The official corporate security response blog

  • MSRC

    Update on MS08-067 and Microsoft Security Advisory 958963

    Hi, this is Christopher Budd. As we go into the weekend I wanted to take a moment and give you an update on the latest information around MS08-067 and Microsoft Security Advisory 958963.

    Essentially there is no new information to report. We’ve seen no significant changes in the threat landscape since our posting of Microsoft Security Advisory 958963 on Monday. We continue to see strong, rapid and wide deployments of the security update worldwide. We also still have no reports of issues with the security update.

    All that said, as Mike noted on Monday, we have seen exploit code resulting in code execution in public. If you’ve not yet tested and deployed the security update, we continue to urge you to do so as quickly as possible.

    Like we always do, we will keep watching the situation and will let you know if anything changes.

    Thanks!

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    Microsoft Security Advisory 958963

    Hey folks, Mike Reavey here,

    It’s been almost five days since we originally released MS08-067, and our tracking shows that security deployments remain strong. We’re also still unaware of any application compatibility issues with this update.

    Like we’ve said, we’re continuing to watch the threat environment. Yesterday, we said that our analysis of public exploit code that was available showed it would always result in a denial of service. Today, we’ve identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067. This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000 systems. Our investigation has shown that it does not affect customers who have installed the update. We’ve just published Microsoft Security Advisory 958963 to let customers know about this new development.

    At this time, attacks are still limited and targeted, even with the release of this new exploit code. The malware situation remains the same, as we’ve not seen any self-replicating worms, but instead malware that would be classified as Trojans -- specifically the malware we discussed when we released the security update on Thursday.

    While there are no new broad attacks from this public exploit code now, we do expect that over the next few days and weeks this public exploit code may likely be used to create new versions of malware that could be used for broader attacks, possibly including self-replicating worms. Therefore, we continue to strongly encourage customers to test and deploy the security update as quickly as possible.

    We will continue to monitor the situation via our ongoing Software Security Incident Response Process (SSIRP) and post updates to the Advisory and the MSRC Blog as we become aware of malware that significantly changes the threat environment.

    In the meantime, we continue to urge customers to continue to test and deploy the security update.

    -Mike Reavey

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    Out-Of-Band Security Bulletin Webcast Questions and Answers - MS08-067

    Hi,

    On Thursday, October 23, 2008, Microsoft released an Out-Of-Band Security Bulletin (MS08-067). To meet the customer demand for information relating to this release, Microsoft conducted three customer webcasts. Two of these webcasts were conducted on Thursday, October 23rd and the other on Friday, October 24th. The link below will direct you to a collection of all questions answered during the three webcasts.

    Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

    http://blogs.technet.com/msrc/archive/2008/10/27/microsoft-out-of-band-security-bulletin-ms08-067-webcast-q-a.aspx

    Also, here is the link to the Q&A index page in case you want to view previous months:

    http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

    As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

    Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

    International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

    Thanks!

    Al Brown

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Microsoft out-of-band Security Bulletin (MS08-067) Webcast Q&A

    Hosts: Christopher Budd, Security Response Communications Lead
           Adrian Stone, Lead Security Program Manager (MSRC)

    Website: TechNet/security

    Chat Topic: Microsoft out-of-band Security Bulletin (MS08-067) TechNet Webcast

    Date: Thursday, October 23, 2008 and Friday, October 24, 2008

    Note: The below questions were submitted by webcast attendees and are not necessarily in the order they were addressed during the webcast.

    Q: Does it bypass the network security (i.e. firewalled system) of the system, and how large a scale are we talking in terms of current use in the wild?

    A: We have seen limited, targeted attacks in the wild.  The mitigations and workarounds for this vulnerability are listed in the security bulletin, including blocking ports 139 and 445.  The Microsoft out-of-band security bulletin for October 2008 is here: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

    Q: It is possible to mount local drives on remote systems using RDP.  Does Windows use RPC for that, too?  May a worm that is active on a workstation use RDP to replicate a remote system?

    A: Remote desktop protocol does not use RPC to mount drives.

    Q: The default configuration of the Windows Firewall exception for File and Print sharing has a "subnet only" scope.  For a machine connected directly to the internet, wouldn't this scope limitation provide some protection against worm propagation (assuming the exception has been allowed on that machine)?
    A: Any exposure to the vulnerability leaves the system exposed to compromise.

    Q: Do you see this update being revised?  For example, we roll this out tonight, and the update is later revised.  Will MBSA show as false positive?

    A: No, MBSA 2.1 will use the latest information that is supplied via Microsoft Update.

    Q: So hibernation would not be a reboot, correct?

    A: Correct. Hibernation will not substitute a reboot.

    Q: What are issues with installing this patch on Windows 2003 cluster?

    A: There are no known issues reported with this update.

    Q: On Windows Vista, if User Access Control (UAC) has been disabled, should this be considered critical instead of important?

    A: If the UAC prompting is disabled, the integrity levels foundational work still works to require authentication.  The Security Vulnerability Research & Defense blog has a LOT more information about this.  It is still important though. Protections afforded by UAC enhancements are in place even if the UAC prompting has been disabled.

    Q: Can this attack happen through RPC/HTTPS?

    A: This attack cannot happen via RPC over HTTP.  The IIS server works as an RPC proxy but it doesn't forward on all RPC traffic.

    Q: Are Windows 2000 pre-SP4 and Windows 2003 pre-SP1 (RTM) affected by this vulnerability?

    A: All currently supported versions of Windows are impacted. Please refer to the security bulletin for all affected products: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

    Q: Will systems lacking the latest current service pack be applicable to receive the security update?

    A: All supported operating systems and service packs can and should install the update.  A complete list is found in the security bulletin as well as information on what to do if you are running older platforms.

    Q: Did I hear you say this update is not un-installable? Slide 9 says it is un-installable.

    A: The update is un-installable through Add and Remove programs in Control Panel.

    Q: What has been the vector of the previous attacks?

    A:  We believe the primary attack vector for any attacks will be a connection from an attacker to a vulnerable system over TCP ports 139 or 445, connecting to the server service to send malformed RPC requests.

    Q: What happens when a system becomes infected if the update has not been applied and it is applied afterwards?

    A: The system would have to first be cleaned of the infection and then security update would need to be applied in order to keep the system from being compromised again.

    Q: As stated, the server service isn't accessible through firewalls with default configuration but would it be possible to get infected another way such as by websites (asp or java) that call on the server service?

    A: The vulnerability is caused by the Windows Server service not properly handling specially crafted RPC requests.  We have no reports of this being exploitable through websites.

    Q: If the Server service is disabled, does that mitigate the known attack vectors?

    A: No. Unfortunately the BROWSER service runs in the same svchost so attackers could reach the vulnerable code through the Browser service.

    NOTE: we previously said that disabling the server service was a mitigation. You need to disable server service and browser service.

    Q: It’s an unauthenticated buffer overflow on Windows XP and earlier.  Did ASLR have anything to do with it being medium on Windows 2008 and Windows Vista?

    A: Yes. ASLR, DEP, UAC and other technologies played a role in reducing the impact of this vulnerability in Windows Vista and Windows Server 2008. More information about this can be found on Michael Howard's blog at http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx

    Q: Windows Vista & 2008 severity is important due to authentication being required to remote exploit.  What level of authorization is required?  Would a default domain-joined Vista install allow a domain user context to exploit remotely?

    A: The Security Vulnerability Research & Defense (SVRD) blog at http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx has a detailed matrix showing which scenarios are vulnerable.  Any authenticated user on Vista and 2008 could exploit this vulnerability if the endpoint is reachable (firewall determines if it is reachable).

    Q: Does this affect ISA, and if so, how?

    A: We are not aware of any issues with the ISA firewall at this time. We are continuing to investigate.

    Q: By what methods (network/email/web) can this vulnerability be exploited?  What non-update protection methods can be used?

    A: This vulnerability can be exploited through an RPC interface. There are non-update workarounds published at the SVRD blog http://blogs.technet.com/swi/

    Q: Is there a reason why I would not want to turn the server service off for workstations?

    A: If the Server service is disabled, you will not be able to share files or printers from your computer.

    Q: Would an attacker exploit External to Internal?  Is there an external FW port that can be blocked?

    A: An attacker could exploit external to internal if a perimeter firewall does not block the exploit.  You can block external attacks at your perimeter router by filtering TCP port 139 and 445.

    Q: Is there a potential impact installing on Exchange 2003 or OWA 2003? (We don't have a test server.)

    A: We have ensured that the update is of high quality and there should not be any impact of installing it on Exchange 2003 or any other application.

    Q: Also we use a behavior-based IP agent on our endpoints. Is there a behavior we can identify and wrap rules around it to prevent exploit?

    A: The exploits we have seen so far attempt to download a Trojan and run it.  Depending on what behavior is blocked, you might be safe from that specific exploit.  However, exploit writers are very tricky and rules can be bypassed.

    Q: I cannot find the bulletin on our SCCM 2007 server. Is it actually ready for download?  I'm sitting in Denmark.

    A: All updates should be propagating world-wide and should be available soon, if not now.

    Q: Are there Metasploit or Nessus plugins available yet?

    A: We're watching and haven't seen an exploit yet.  We have heard rumors that ImmunitySec CANVAS has made some progress towards a working exploit today.

    Q: So say by default Vista and Win2K8 require authentication, is it possible to configure Windows XP/2003 to do the same?  Say through local security settings in group policy?

    A: The authentication protection provided by Vista is afforded through enhancements in the User Access Control.  It is not configurable on XP/WS03. There is a way but it's not super clean.  The access control list is hard-coded in the source code so it cannot be changed easily through group policy.  We did publish some code attached to the aforementioned SVRD blog that could be built and run to prevent anonymous connections from being able to exploit the vulnerability.

    Q: Is a new CAB file being released today? Or when?

    A: Yes a New Cab was released at 10 AM PST.  It does take some time to replicate to all of the download servers throughout the world.

    Q: If we are blocking ports 139 and 445 inbound from the internet at our firewall, are we fully protected if we do not install the update right away?

    A: Blocking these ports at your perimeter will protect from external attacks.  However, attacks that originate from within your network will not be prevented.

    Q: Does this vulnerability also affect RPC/HTTP connected Exchange?

    A: No – vulnerability cannot be reached via RPC over HTTP.

    Q: I have "approved" the update via WSUS at 2pm.  I do not see it listed on the client computer (windows update shield). The WSUS server shows the update as installed 9%.  How should I interpret this?

    A: This is all dependent on how your computers have been configured to talk to your WSUS server.  Default configuration is to contact the WSUS server once every 22 hours.  Clients will not report Compliance/Needing this update until they contact the server.

    Q: Can we get a clarification if a worm has been detected in the wild?  I heard you say there wasn't, but my information Security manager said your CSIRT said there was a worm in wild.

    A: To be clear - we do NOT know of a worm currently in the wild exploiting this vulnerability.

    Q: Are there any known malicious code out in the wild taking advantage of this vulnerability at this point?  If yes, has it been given a name under which it might be detected by anti malicious products?

    A: The Microsoft Malware Protection Center’s (MMPC) name for this malware is Exploit:Win32/MS08067.gen!A 

    For more information, please visit the MMPC page: http://www.microsoft.com/security/portal/

    Their team blog, which has additional information is: http://blogs.technet.com/mmpc/

    Q: What are the symptoms after exploitation? Is anything logged in Event Viewer for example? i.e. as sys admin, is there anything we should be looking for to identify machines that may have been exploited before the security update has reached the machine?

    A: Yes, look for svchost.exe crashes in module netapi32.dll. However, this will only be the case for failed attacks. Successful attacks will not register.

    Q: Should we do this for the servers that are within our infrastructure behind Checkpoint firewalls? We are deploying this right away to our DMZ servers.

    A: Yes. The update should be applied to all your systems. Internal systems will not be attacked from the Internet but they will still be vulnerable to internal attacks. 

    Q: Is the malware a rootkit?  Are there IDS signatures?  Is there an IP address the malware is phoning home to?

    A: The latest info on the malware can be found on the Microsoft Malware Protection Center blog at http://blogs.technet.com/mmpc/ .  Information was provided to IDS vendors so they can create signatures.

    Q: When will WSUS pick up the Vista and W2K8 updates? So far WSUS has only picked up the critical updates for XP and W2K3...

    A: All of the updates should have been downloaded to your WSUS server at the same time.  If this is not the case, if you have WSUS 3.0 SP1, you can download the specific updates directly from the Microsoft Update Catalog using the "Import Updates" from the "Updates" page. 

    Q: Why does the server service get affected?  Why is this vulnerable?  Are you only vulnerable if you have file and print sharing enabled?  Can you just disable file and print services for mitigation until you can install the patch?

    A: The Server service is affected due to a stack-based buffer overflow inside a loop. You are vulnerable if you have file and printer sharing enabled or if your firewall is turned off. Detailed information about this can be found at the SVRD blog http://blogs.technet.com/swi/

    Q: Have the malware samples been shared with other AV vendors for emergency or extra dat / signatures?

    A: Yes - we have been working with all of our partners including AV vendors.  See the MMPC blog for the latest info at http://blogs.technet.com/mmpc/

    Also, Microsoft has a new program, the Microsoft Active Protections Program (MAPP), in which we share vulnerability information.  Please check the partners for their active protections - http://www.microsoft.com/security/msrc/mapp/partners.mspx 

    Q: This will replace MS06-040. Are you feeling that this is worse or similar to that situation?  Will Symantec have definitions to detect the malware that is out there?

    A: This is a very similar vulnerability as MS06-040.  However, we believe the ecosystem is in a better position to respond than in previous incidents.  We have worked hard to get detection logic to trusted vendors who can help block attacks.  Additionally, Symantec is a partner in our Microsoft Active Protections Program and the partners and some links to their active protections are here: http://www.microsoft.com/security/msrc/mapp/partners.mspx 

    Q: You keep mentioning self-replicating attacks. Are the attacks in the wild self-replicating?

    A:  No.

    Q: Are there known exploits that result in elevated privileges? 

    A: Limited, targeted exploits have been seen in the wild that result in remote code execution with system privileges.

    Q: We're using SMS 2003.  After downloading the updated catalog, there are only English versions of the updates.  Will other language versions be released?

    A: Yes. The update has released in all language versions.

    Q: MS06-070 (as well as XP SP3) also appears to supersede MS06-040.  Are these superseding updates related to MS08-067, or are these superseding updates all independent of each other?

    A: The bulletin supersedence is for the affected component.  The bulletin only calls out the specified platforms where supersedence occurs.

    Q: Are updates going to be pushed out to TippingPoint and similar vendors?

    A: Information has been provided to IDS vendors.  You should check with your vendor to determine when their updates will be provided.  TippingPoint is a MAPP partner.  Please refer to their website or our MAPP pages, which can be found here: http://www.microsoft.com/security/msrc/mapp/partners.mspx

    Q: MS08-067 is stating that the update is only for XP SP2/3 and Server 2003 SP1/SP2. Does that mean that XP SP1/RTM and Server 2003 RTM are NOT affected?

    A: No, it does not. Those platforms are not supported and our bulletins only discuss supported platforms.

    Q: Is this vulnerability related to a prior security update?  Is it possible that an update in October has caused the vulnerability?

    A: The update is not related to any issues from the October security release.  The component updated was previously updated by MS06-040.

    Q: Can the 'Server' Service be restarted after the patch has been applied, to avoid rebooting?

    A: You'll have to actually restart the svchost.exe where the Server service runs.  And there is a lot of stuff going on in that netsvc svchost.  We haven't tested trying to become safe without rebooting.  The update requires a reboot to flush the current binary out of memory, a service restart is not enough to protect your systems.

    Q: If the uuid that is being used in the exploit is blocked what will actually be stopped ?  Will it block file shares ?

    A: When blocking the UUID (universally unique Identifier), certain applications that rely on the Microsoft Server Message Block (SMB) Protocol may not function as intended. However, you will still be able to view and use file shares and printer resources on other systems.

    Q: Any details on current targeting of malware?

    A: For the most current information about the malware, you can reference the Microsoft Malware Protections Center blog at http://blogs.technet.com/mmpc/

    Q: It says in the description that a 'wormable exploit' is possible. I think that is horrifying. Could you give any kind of indication how likely this is actually going to occur?

    A: We know this vulnerability is able to be put into a self-propagating exploit.  We cannot estimate the likelihood of this actually occurring.  However, the threat of such an exploit was sufficient for us to release an out-of-band update as we have done today.

    Q: Our IDS vendor is claiming to have a signature to address this vulnerability and have had it since 2006.  Can you expand on that claim?

    A: While we cannot speak authoritatively to what other vendors say about their signatures, there was a very similar vulnerability in 2006 - MS06-040. It is possible that the IDS vendor built protections for that vulnerability that may also apply to this vulnerability.

    Q: Are there known self-propagating exploits against this circulating in the wild?

    A: At this time, we have not seen a self-propagating exploit in the wild.

    Q: Has any regression testing has been done if we want to uninstall the patch?

    A: Yes - this testing was completed and no issues were discovered.

    Q: Is it possible to explain what a "well configured firewall" means?

    A: In this case, block inbound TCP/139 and TCP/445.  For other threats, other ports should be blocked but those two ports are sufficient to prevent this vulnerability from being exploited.
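    The answer above, and the earlier one on blocking 139 and 445 inbound at the firewall, carry the same caveat: the filter protects only against attackers on the other side of it, and since RPC to the Server service rides over SMB on those two ports, they are the whole exposure to check. The script below is an added example, not code from the original page or from Microsoft. It probes a host list for reachable SMB transports so that a run from outside the perimeter confirms the rule actually holds, and a run from inside measures what remains exposed to lateral attack. The host addresses and the fixture of which ports answer are constructed for the example; the default probe performs real TCP connects, so point it only at hosts you are authorized to scan.

```python
"""Probe hosts for reachable SMB transports (TCP 139 and 445)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# The two ports the webcast answers name as the attack surface: NetBIOS session
# service (139) and direct-hosted SMB (445). RPC to the Server service travels
# over SMB named pipes on these ports, which is why 135 and the dynamic RPC
# range are not the concern here.
SMB_PORTS = (139, 445)


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake to host:port completes within timeout.

    A refused or filtered connection (RST, ICMP unreachable, or silence until
    the timeout) counts as closed. No SMB request is ever sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb_exposure(host, ports=SMB_PORTS, timeout=2.0, probe=tcp_port_open):
    """Map each SMB port to whether `probe` could connect to it on `host`."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed_hosts(hosts, ports=SMB_PORTS, timeout=2.0, probe=tcp_port_open, workers=32):
    """Return {host: [reachable SMB ports]} for every host with at least one open.

    `probe` is injectable so the logic can be exercised without a network; the
    default performs real TCP connects, so only point it at hosts you own.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, smb_exposure(h, ports, timeout, probe)), hosts))
    return {h: [p for p, ok in r.items() if ok] for h, r in results if any(r.values())}


# Constructed fixture (invented for this example, not a real scan result):
# two internal hosts still answer on 445, one of them on 139 as well.
_FAKE_OPEN = {("10.0.0.5", 445), ("10.0.0.9", 139), ("10.0.0.9", 445)}


def fake_probe(host, port, timeout):
    """Stand-in for tcp_port_open that consults the constructed fixture."""
    return (host, port) in _FAKE_OPEN


if __name__ == "__main__":
    internal = ["10.0.0.5", "10.0.0.6", "10.0.0.9"]
    print("exposed internally:", exposed_hosts(internal, probe=fake_probe))
    # Real check from an external vantage point (needs network and permission):
    # exposed_hosts(["203.0.113.10", "203.0.113.11"])  # expect {} if the perimeter rule holds
```

    An empty result from an external vantage point means the perimeter block holds for this vulnerability; a non-empty result from inside is the list of systems that still need the update or the Server/Browser service workaround.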

    Q: Is this a buffer-overflow issue? Does Cisco Security Agent (CSA) mitigate the vulnerability?

    A: It is a stack based buffer overflow.  Cisco is one of our Microsoft Active Protections Program partners and they have received guidance.  I'd expect them to provide protections soon.   We encourage you to reference the following page any time a Microsoft security update has been released: http://www.microsoft.com/security/msrc/mapp/partners.mspx

    Q: Is there an exploitability index rating for this vulnerability?

    A: The Exploitability Index assessment is available in the October summary, which is found here: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

    Q: What is the need for the reboot, is it a functionality requirement? What level of regression testing has been performed?

    A: A reboot is needed to protect your system and ensure the update has been properly installed.  The update has undergone regression testing.

    Q: Does this affect any Microsoft SQL Server software?

    A: No, this does not affect SQL Server software, only the underlying OS.

    Q: Can you please elaborate on the attack vectors and the potential impacts if the patch is applied to a server and not rebooted.

    A: An attacker could try to exploit the vulnerability by sending a specially crafted message to an affected system.  An attacker who successfully exploits this can execute code with system privileges.  A reboot is required after installation to be protected.

    Q: Are you expecting more security patches in addition to the one released today?  If so, when will we be notified of them?

    A: We are not expecting to release any additional out of band updates.

    Q: This is a major .dll (netapi32.dll) and could have a great impact.  We have started our testing and would like any information of known issues.

    A: There are no known issues reported with this update.

    Q: MS06-040 introduced a problem where applications that used large amounts of contiguous memory failed.  (see kb924054)  Has MS08-067 been tested for similar issues?

    A: Regression testing has been performed on this update and no known issues exist at this time.

    Q: I thought you said Forefront product customers should ensure updates but your answer seems to be only about FS Client. For Forefront for Exchange and SharePoint Server, should they get latest signatures for those too?

    A: All Forefront products should be able to update to the most recent signatures.

    Q: I don't understand. RPC uses 135 and negotiates a port from the 1024+ range. How are 139 and 445 in the picture?

    A: RPC includes the ability to use SMB as a transport.  When this happens, ports 139 and 445 are used.

    Q: Our test matrix is dependent upon what is being updated. What do you recommend testing?

    A: The affected binary updated is netapi32.dll.  The primary function affected is in file and printer sharing.

    Q: I've seen reports of (sporadic) problems with Wi-Fi connectivity after installing MS08-067.  Do you have any information about this?

    A: We investigate all reports about potential issues but have not verified any known issues at this time.

    Q: What are our chances to mitigate this threat if our agency is fully patched this weekend?

    A: Customers who have installed the MS08-067 security update are protected from this vulnerability.

    Q: Are there any specific test points that you recommend? What should I do to satisfy the powers that be, that I've thoroughly tested this update?

    A: The patch involves network file and printer sharing.  It is recommended that you perform tests of any network printing or file sharing required by your environment.

    Q:  Will Forefront for Exchange 2007 include protection for this vulnerability?

    A: Microsoft Forefront Client Security Antivirus: v1.45.1016.0 includes signatures related to this vulnerability. These will be available for Forefront for Exchange as well.

    Q: Is Small Business Server 2003 impacted?

    A: Yes.

    Q: What are the names of these Trojans?  How do we know if we've been infected?  Our Forefront installs have been finding lots of Trojans recently...

    A: The Microsoft Malware Protection Center’s (MMPC) name for this malware is Exploit:Win32/MS08067.gen!A

    For more information, please visit the MMPC page: http://www.microsoft.com/security/portal/

    Their team blog, which has additional information, is: http://blogs.technet.com/mmpc/

    Q: Is the AV protection information available to all VARs?

    A: Yes - we have been working with all of our partners including AV vendors.  See the MMPC blog for the latest info at http://blogs.technet.com/mmpc/.

    Also, Microsoft has a new program, the Microsoft Active Protections Program (MAPP, http://www.microsoft.com/security/msrc/mapp/overview.mspx), in which we share vulnerability information.  Please check the partners for their active protections - http://www.microsoft.com/security/msrc/mapp/partners.mspx

    Q: Why isn't the vulnerability exploitable over RPC over HTTP?  Isn't RPC over HTTP just using HTTP to proxy an otherwise typical RPC transaction?

    A: In order for RPC over http to work for an endpoint, the endpoint must specifically support it.  This endpoint does not.

    Q: Is it safe to just push out the executable en mass via SMS, or should I let the scanning tool determine if the update is actually needed?

    A: There are no known issues with the update.  You should determine which updating strategy works best for your environment.

    Q: Did you say that we could get attacked through port TCP 3389 (Remote Desktop Protocol)?

    A: The vulnerability relies on TCP ports 139 and 445.

    Q: Are all SP levels of Windows XP \ Server 2003 affected? Are previous service pack levels more vulnerable?

    A: Windows XP SP1 is currently out of support.  Customers using XP SP1 are encouraged to upgrade. Windows XP SP2, Windows XP SP3, and all service packs of Windows Server 2003 are equally vulnerable.

    Q: Does it make a difference if the user is running as admin or just a local user?

    A: This vulnerability is not dependent on the logged on user since it exploits a network service.

    Q: What is the Advance Notification Service (ANS)?

    A: Please refer to http://www.microsoft.com/technet/security/bulletin/advance.mspx for more details on ANS.

    Q: What if your system comes up with no critical updates available from Microsoft Update.  This seems like a false positive.  I know this particular server does not have the patch.

    A: There should not be any delays in delivery from Microsoft Update at this point. You can download the update directly. The download links are available in the bulletin.

    Q: Windows XP Service Pack 1 is not listed in the affected software, does it need the update?

    A: Windows XP SP1 is not a supported platform. All supported operating systems and service packs can and should install the update.  A complete list is found in the security bulletin, as well as information on what to do if you are running older platforms.

    Q: Why does Microsoft have AV protection for known malware and not other AV vendors?  When will other AV vendors have the information that they need to provide protections or do they have the same malware binaries available?

    A: We have been working with all of our partners including AV vendors.  See the MMPC blog for the latest info at http://blogs.technet.com/mmpc/.  Also, Microsoft has a new program, the Microsoft Active Protections Program (MAPP, http://www.microsoft.com/security/msrc/mapp/overview.mspx), in which we share vulnerability information.  Please check the partners for their active protections - http://www.microsoft.com/security/msrc/mapp/partners.mspx

    Q: Are clients running Windows XP SP3 without any server functionality still vulnerable?

    A: Yes. Windows XP SP3 clients are also vulnerable if they have file and printer sharing enabled or if they have Windows Firewall turned off.

    Q: Are there any performance impacts of this change, specifically on Exchange servers?

    A: We have identified no issues with this update; performance or otherwise.

    Q: How can I tell if any of my workstations have been compromised?  Is there any evidence of the system being violated?

    A: Successful attacks may be impossible to detect.  On the other hand, failed attacks will cause a crash in svchost.exe.  However, not all svchost.exe crashes indicate an attack of this vulnerability.
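    As an added example (not code from the MSRC post), the script below pulls the svchost.exe "Application Error" records (event ID 1000) out of the Application log and extracts the faulting module, so a responder can triage the crashes the answer mentions. It assumes the hypothetical function name Get-SvchostCrash and the event text layouts used on Windows XP/2003 and Vista/2008; as the answer says, a crash is only a lead, and an unrelated module name in the output is the quickest way to rule one out.

```powershell
# Added example, not code from the MSRC post.
# Lists Application Error events (ID 1000) for svchost.exe from the Application log so a
# responder can see when a service host crashed and which module faulted. A crash is a
# lead to triage, not proof of an exploit attempt; many svchost.exe crashes are benign.

function Get-SvchostCrash {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter name
        [int]$Newest = 500                           # how many recent Application Error events to inspect
    )

    Get-EventLog -LogName Application -Source 'Application Error' -ComputerName $ComputerName -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1000 -and $_.Message -match 'svchost\.exe' } |
        ForEach-Object {
            # XP/2003 text reads "... faulting module <name>, version ..."; Vista/2008 text
            # reads "Faulting module name: <name>, ...". Capture the module either way so a
            # fault in netapi32.dll (the component updated by MS08-067) stands out.
            $module = 'unknown'
            if ($_.Message -match 'faulting module(?: name)?:?\s+([^\s,]+)') { $module = $Matches[1] }
            New-Object PSObject -Property @{
                Computer      = $ComputerName
                TimeGenerated = $_.TimeGenerated
                Module        = $module
                FirstLine     = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Usage: newest crashes first, one line per event.
Get-SvchostCrash | Sort-Object TimeGenerated -Descending | Format-Table Computer, TimeGenerated, Module, FirstLine -AutoSize
```

    Run it against several hosts by looping over computer names; an unexpected cluster of svchost.exe crashes with the same faulting module across machines is worth correlating with firewall logs for TCP 139/445, while a single crash in an unrelated module usually is not.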

    Q: Does Microsoft Internet Security and Acceleration Server (ISA) 2006 help to mitigate this vulnerability?

    A: ISA can be used to block incoming connections to TCP/139 and TCP/445 and will mitigate an external attack.  However, attacks originating from internal resources could still succeed.

    Q: Can Microsoft address the question of the number of active exploits at this time? Do you know yet?

    A: We are only aware of limited targeted attacks against Windows XP and Windows 2003 machines.

    Q: Has an HTTP or other web distribution method of this exploit been identified or seen in the wild?

    A: At this time, we have not seen a web distribution method used or identified.

    Q: Any known issues thus far with 3rd party applications?

    A: There are no known issues with this update at this time.

    Q: Will this affect Virtual Machine (VM) servers?

    A: Yes. All currently supported versions of Windows are impacted. Please refer to the security bulletin for all affected products.

    Q: Can you elaborate on how we can use Data Execution Prevention (DEP) on our Windows XP machines to protect our computers?

    A: Take a look at http://technet.microsoft.com/en-us/library/cc700810.aspx for details on how to do this.

    Q: Due to the nature of deploying in a large environment, will you have alerts when a damaging version of the proof of concept that is currently in the wild is seen. Scheduling reboots can take several days to avoid business outages. Outages are acceptable when a worm is active.

    A: We will continue to update our customers as additional information becomes available through blogs, advisories, etc.

    Q: I found a blog article that said Microsoft Forefront Client Security malware version 1012+ will detect and prevent the attack.  http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx  Does that make this hotfix less critical?

    A: No. This update continues to be important for Vista and Windows Server 2008 and critical for Windows 2000, 2003 and XP.

    Q: If the firewall is on, yet you allow RDP (remote desktop), does that prevent the attack?

    A: Allowing RDP does not prevent the attack. An attacker could exploit external to internal if a perimeter firewall does not block the exploit.  You can block external attacks at your perimeter router by filtering TCP port 139 and 445. The Security Vulnerability Research & Defense (SVRD) blog at <http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx> has a detailed matrix showing which scenarios are vulnerable.

    Q: It's unclear from the "history" explanation... have worm-type self-replicating attacks/code been found in the wild?

    A: To be clear - we do NOT know of a worm currently in the wild exploiting this vulnerability.  We are aware of limited, targeted attacks exploiting this vulnerability.

    Q: Does blocking Internet access via TCP port 139 and 445 protect internal network from infection?

    A: Yes, blocking incoming connections to TCP/139 and TCP/445 will mitigate an external attack.

    Q: I thought I heard it said that malware has been found to have exploited this vulnerability, but to date there is no known successful worm, please explain the difference.

    A: The malware detected was not a worm.  You can read about the malware at the MMPC blog at http://blogs.technet.com/mmpc/

    Q: Is RPC over http or https, such as Outlook used to remotely connect to Exchange, vulnerable to this issue?

    A: No, RPC over http does not expose this vulnerability.

    Q: What is the vulnerability of the entire network if a user is using an air card remotely and connecting through a Virtual Private Network (VPN) even though you are blocking port 139 and 445 on your firewalls?

    A: As long as the VPN client blocks ingress traffic to the user (single homed), the mobile system is protected from direct attack. However, if the system does become infected while the VPN client is disabled, it will gain access to port 139 and 445 on the internal network once the VPN client is enabled. This could potentially (depending on the exact configuration and deployment) allow an attack to take place on the internal network. We recommend installing security updates on internal systems as well.

    Q: If one is using domain isolation (IPSec/GPO/certificates) are we protected from non-domain machines and domain-joined machines? Can there be an exploit that looks legit in this scenario and still works within domain isolation?

    A: IPSec can help protect between trusted partners; however, it does not protect against insider threat attacks. Although IPSec can offer some protection, the vulnerability is still reachable in scenarios such as dual-homed systems, or insider threat scenarios.

    Q: Can one download the individual patch without having to go through Windows Update?

    A: Yes - this update can be downloaded directly from the download center.

    Q: Is this just a vulnerability in the Windows Server or do I need to patch Windows client operating systems as well?

    A: The vulnerability is present on Windows Clients, too.

    Q: Our server/web application was not making calls over TCP 135, however post patch it began using port 135 which our firewall blocks.  Are you positive port 135 is not in play here?

    A: There are no known issues with this update.  The update is not designed to enable or disable port 135 and we have not seen this behavior.

    Q: How will this patch impact products used for remote control support such as VNC or remote desktop?

    A: The update itself has no known issues or application compatibility issues. However, if you manually enable blocks on TCP ports 139/445, this could impact various programs and applications.

    Q: What will break if I disable ports 139, 445?  Are these standard ports used for Microsoft communication?

    A: The bulletin lists some of the programs and services impacted by blocking ports 139/445 to include such things as applications that use SMB (CIFS), group policy, print spooler, computer browser, etc.

    Q: Can we go ahead and send the users the KB958644 file and have them apply the update manually, even if our Windows XP SP2 and Vista SP1 machines did not run updates for the past few months?

    A: This is a stand-alone update and does not require any prerequisites for installation.

    Q: In Vista/Server 2008, how can it be initiated? i.e., does a pop-up appear to the user, who then clicks OK?

    A: For all platforms, there will be no user interaction with a successful exploit.  The exploit goes through an RPC request packet and does not require user interaction.

    Q: For Internal systems behind a firewall ... can this vulnerability be spread via email or only by a malicious direct attack?

    A: If an internal system becomes compromised, it could attack other systems within the perimeter as it would likely be able to reach other internal systems on the affected ports. However, this system would need to be compromised through a different vector, as the firewall would filter inbound attacks. One such vector could include sending an executable exploit via e-mail, but the user would need to click and execute such an exploit himself. As such, we strongly recommend installing the update on internal systems as well to ensure complete coverage.

    Q: Can you describe the TCP-IP packet?

    A: Details of the known exploit can be found on the SVRD blog at http://blogs.technet.com/swi/default.aspx

    Q: Is there a way to detect vulnerable hosts in a network through an application based scanner?  After updating all the hosts in our environment, I would like to be able to scan and detect hosts that have not been patched. Additionally, once I install the patch, where do I look to confirm it has installed successfully.

    A: KB 958644 lists the version numbers on netapi32.dll that should be applied by the update.  Scanning for these version numbers should enable you to see if the patch has been properly applied.  The bulletin also lists registry keys created by the update.
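    As an added example (not code from the MSRC Q&A, KB958644 or the bulletin), the check below does on one host what the answer describes: it asks Get-HotFix whether KB958644 is listed, reads the file version of netapi32.dll and compares it with a minimum you supply, and looks for a pending file rename that would mean the replaced DLL is not yet in use, which also covers the reboot point raised in the next question. The function name Test-MS08067Applied is hypothetical, and the minimum version is a placeholder parameter: take the real per-platform value from KB958644, which this example deliberately does not reproduce.

```powershell
# Added example, not code from the MSRC post, KB958644 or the bulletin.
# Verifies MS08-067 (KB958644) on the local host three ways:
#   1. the package is listed by Get-HotFix (Win32_QuickFixEngineering)
#   2. netapi32.dll on disk is at or above the version KB958644 gives for this platform
#   3. no file rename is pending that would leave the old DLL loaded until reboot
# $MinimumVersion is a placeholder; set it from KB958644 for the platform you are checking.

function Test-MS08067Applied {
    param(
        [Version]$MinimumVersion   # per-platform value from KB958644 (placeholder here)
    )

    $netapi = Join-Path $env:SystemRoot 'system32\netapi32.dll'
    $installedVersion = $null
    $versionOk = $false

    if (Test-Path $netapi) {
        # Build the version from the numeric parts; the FileVersion string can carry extra text.
        $vi = (Get-Item $netapi).VersionInfo
        $installedVersion = [Version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $versionOk = ($installedVersion -ge $MinimumVersion)
    }

    # Get-HotFix reads the installed-updates inventory; no entry means the package never ran here.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue

    # A pending file rename means an installer replaced files that stay in use until the next reboot.
    $sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).PendingFileRenameOperations

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        HotfixListed  = [bool]$hotfix
        NetapiVersion = $installedVersion
        VersionOk     = $versionOk
        RebootPending = [bool]$pending
        Patched       = ([bool]$hotfix -and $versionOk -and -not [bool]$pending)
    }
}

# Usage on the local host; '0.0.0.0' is a placeholder, not a value from KB958644.
Test-MS08067Applied -MinimumVersion '0.0.0.0' | Format-List
```

    Patched is only true when all three checks agree; HotfixListed without VersionOk (or with RebootPending) is exactly the case the next answer warns about, an installed package whose protection is not yet effective. For a fleet, the same version comparison can be run against \\host\admin$\system32\netapi32.dll and Get-HotFix against -ComputerName, and MBSA or WSUS compliance reports give the same answer from the management side.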

    Q: At least one of our Windows 2003 Servers that had the patch applied did not request a restart. It sounds like we should reboot even if not requested by the update installation.  Is that correct?

    A: A reboot is needed to protect your system and ensure the update has been properly installed.

    Q: Is there any recommended testing in a Quality Assurance (QA) environment?

    A: You may wish to focus on components that use the Browser and the Server service, such as applications which use SMB and file sharing and the printer and fax service.

    Q: For non-Vista and Server 2008 operating systems, is there a configuration option in other operating systems that disable RPC?   And is this a practical remedy?

    A: The workarounds listed in the bulletin include disabling the Server and Computer Browser services. The bulletin also lists the impacts of applying these workarounds.

    Q: Is RDP/TS file transfer vulnerable?

    A: Remote desktop protocol does not use RPC to mount drives and has not been shown to be affected by the vulnerability.

    Q: Does the Windows XP firewall in default configuration protect from this RPC request?

    A: In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2. Unfortunately, either one of the following two conditions exposes the RPC endpoint:

    1) Firewall is disabled

    2) Firewall is enabled but file/printer sharing is also enabled.


    Q: What is the Forefront Client Security antivirus signature update number that addresses this vulnerability? At the Malware Protection Center I see an entry for Win32/MS08067.gen!A that indicates the update is v1.45.1051?  Has this been released to WSUS?

    A: Forefront has a signature that generically triggers on some attempts to exploit this vulnerability. These signatures are continuously being updated as threats evolve. Additional coverage is constantly being released through the ongoing updates for Forefront. The earliest detection signature was added with 1.45.1012.0, but we recommend continuously updating these signatures as updates are added. Forefront signatures are indeed being released to WSUS.

    Q: In the context of an enterprise, where every client has access to a public share on a server, this means every client is an authenticated user so he could run an attack rather accidentally or willfully?

    A: Assuming we are talking about connecting to a server share through file system APIs, then the answer is “No”, the workstation does not become vulnerable.

    Q: Is there exploit code for this vulnerability?

    A: We have seen this exploit used in the wild.  However, we have not seen working exploit code posted to public resources at this time.

    Q: Have you seen how effective antivirus programs are in detecting an attack?

    A: We cannot comment on the effectiveness of third party products. However, we are actively sharing information with our partners in the MAPP program and expect vendors will be releasing threat updates continuously to better protect their users.

    Q: Can the Windows 2003 SP2 security patch be downloaded as part of the regular Windows Update?

    A: That is correct; Automatic Updates will automatically push down the update to any supported OS (including Windows Server 2003 SP2).

    Q: Where was the link for the registry modification to make Windows XP systems require authentication?  Does this also cover Windows 2003?

    A: There is no method for forcing Windows XP/2003 to use authentication.  However, we are still investigating this and will update the SVRD blog at http://blogs.technet.com/swi/default.aspx if new information becomes available.

    Q: If User Account Control (UAC) is disabled, does it become critical?

    A: Disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. This limits the impact of this vulnerability on Vista and Windows Server 2008 (refer to the SVRD blog post at http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx).

    Q: My WSUS auto approved critical updates... therefore I am safe and don't need to do anything except for set a deadline for rapid deployment, right?  Approving KB 958644 gets the guts, right?

    A: This sounds right, but we cannot validate your environment. We would recommend that you test to make sure the update was deployed using MBSA 2.1. Using WSUS, administrators can deploy the latest critical updates and security updates for Microsoft Windows 2000 operating systems and later. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site <http://go.microsoft.com/fwlink/?LinkId=50120>.

    Q: Do you need to patch Vista - 64bit systems?

    A: Yes - all supported platforms are affected by this vulnerability.

    Q: Are there any known issues with MS08-067 synchronizing with WSUS 2 servers.   My WSUS server is not retrieving this new update?

    A: There are no known issues at this time. This is also dependent on how your computers have been configured to talk to your WSUS server <http://technet.microsoft.com/en-us/wsus/default.aspx>. The default configuration is to contact the WSUS server once every 22 hours. Clients will not report compliance/needing this update until they contact the server.

    Q: If a Windows 2003 Domain Controller is attacked and compromised, could a domain administrator account be created to then attack Windows Vista?

    A: If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.

    Q: We have business units requesting servers in both our Developer and Production networks to be exempted from receiving this patch for various reasons. Can anything be done at the network layer (firewall) to help protect hosts without this patch?

    A: We believe the primary attack vector for any attacks will be a connection from an attacker to a vulnerable system over TCP ports 139 or 445, connecting to the Server service to send malformed RPC requests. However, attacks that originate from within your network will not be prevented.

    Q: What type of applications would be most vulnerable to this vulnerability?

    A: File and printer sharing. TCP ports 139 and 445.

    Q: Will the update be made available through the SMS 2003 download synch process?

    A: This update will be sent through the normal update process.  You can see all detection and deployment information for all platforms in the bulletin.

    Q: How vulnerable are we if we have servers that are affected on Windows Server 2003 in our DMZ, that don't have any of the affected ports open?

    A: These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Disabling the affected services locally (as listed in our workarounds) would also prevent exploitation. Regardless, these are mere workarounds and should be followed by the deployment of the patch as soon as possible for the organization.

    Q: Can you please point me to the master list of the Microsoft Patch supersedence? I use a patch monitoring tool that is not capable of understanding patch supersedence automatically. This means that I must “de-select patches” that have been replaced by newer ones.

    A: This bulletin supersedes MS06-040 on selected platforms as shown in the bulletin affected software table.  You can search for additional bulletins at http://www.microsoft.com/technet/security/Current.aspx.


    Q: Is the patch supported on Windows Server 2003 x64 SP1?

    A: The affected platforms are listed in the bulletin and yes, Windows 2003 x64 SP1 is supported.

    Q: What type of protections does Internet Security and Acceleration Server provide against this vulnerability?

    A:

    1. The ISA and TMG RPC filter only recognizes RPC traffic that begins on the RPC End-Point Mapper (TCP:135). Since MS08-067 attacks are carried within CIFS (TCP:445) or NetBIOS (TCP:139) connections, they are not visible to the ISA or TMG RPC filter.
    2. By default, ISA Server and TMG do not allow RPC, NetBIOS or SMB traffic from the external network.
    3. By default, ISA 2000 allows all traffic unfiltered from the LAT (Internal network) to the local host. Any ISA 2000 deployment should be patched immediately.
    4. By default, ISA 2004, 2006 and TMG do not allow SMB, NetBIOS Session or RPC to the local machine except from remote management hosts, array members and Content Storage Servers (CSS). Since compromised CSS and remote management hosts may pose a threat to the ISA or TMG server, they should be updated immediately.
    5. If you have changed ISA or TMG policies to allow SMB or NetBIOS traffic to the local host (such as for a Branch Office scenario), you should patch your ISA or TMG server immediately.


  • MSRC

    Update on MS08-067

    Hello everyone,


    This is Christopher Budd once again. As I said in my last post, we aren’t done when we release an update. Our response teams are constantly watching the situation around the world to understand as much as possible what’s going on with things like the threat environment and the state of security update deployments.


    Based on some of our latest situation reports I wanted to provide you with an update as of this morning. You’ve told us it’s helpful for you to have this information on an ongoing basis.


    In terms of the security update itself, we’re seeing strong deployments worldwide. We also have no reports of known issues with the security update at this time.


    In terms of the overall threat environment, we’ve not seen any major changes so far. We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we’ve not seen evidence of public, reliable exploit code showing code execution.


    Additionally, we’re not aware of any broad attacks or new malware seeking to exploit this vulnerability since we’ve released the security update on Thursday. While there have been a couple of reports of a “new worm”, these reports are actually inaccurate: they’re talking about malware we found in our investigation of the original targeted and limited attacks that we talked about in our posting on Thursday. Specifically, these reports are talking about TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Arpoc.A (which is the specific attack associated with Exploit:Win32/MS08067.gen!A). Both of these are trojans, not self-replicating worms.


    While deployments of the updates are happening quickly and relatively smoothly, and the threat environment hasn’t changed significantly since Thursday, we don’t want customers to take that as a sign to decrease their pace of, or even delay, deployments for this update.  This is a Critical vulnerability that is being actively attacked, though so far in a limited, targeted fashion. Those were the reasons we released this out-of-band and it is because of this that we continue to urge customers to aggressively test and deploy this update as soon as possible.


    In addition, we are not relaxing our vigilance here. Our teams around the world continue to work around the clock, watching for any changes in the threat environment or issues that could impact customers’ ability to deploy these updates. As always, we will let you know through the MSRC weblog of any changes in this situation.


    Thanks,

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Additional Microsoft Security Bulletin Webcasts and Information Available for MS08-067

    Hi All,


    Mike Reavey, here.  Just wanted to let you know that based on customer feedback, we have set up two additional Security Bulletin Webcasts related to this out-of-band release.  Details are below:


    · For the Thursday, 10/23/08, 5:00 PM Webcast, customers can register at: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032394183&Culture=en-US

    · For the Friday, 10/24/08, 11:00 AM Webcast, customers can register at: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032394179&Culture=en-US


    We'll have an overview of this out-of-band release, and you'll have the opportunity to ask us questions around the release.


    Also you can find additional information on how the Microsoft Security Response Center has been working with members of the Microsoft Active Protections Program at http://blogs.technet.com/ecostrat/.


    In the meantime, we encourage you to test and deploy the security updates and security software signatures as soon as possible.


    Mike


    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    MS08-067 Released

    Hi,

    This is Christopher Budd. Following up on my post from last night, I wanted to let you know that we’ve released MS08-067 today.

    This security update resolves a vulnerability in the Server service that affects all currently supported versions of Windows. Windows XP and older versions are rated as “Critical” while Windows Vista and newer versions are rated as “Important”. Because the vulnerability is potentially wormable on those older versions of Windows, we’re encouraging customers to test and deploy the update as soon as possible. To help you better understand the details around the vulnerability, my colleagues over at the Security Vulnerability Research & Defense blog have provided some more information here. Also, Michael Howard has provided some background on the vulnerability from the Security Development Lifecycle perspective here.

    In addition to releasing a security update to address the vulnerability, we’ve also taken steps to help enable broader protections for customers. Specifically, our colleagues in the Microsoft Malware Protection Center have released updated signatures that can enable Microsoft Forefront and Microsoft OneCare to protect against current attempts to exploit the vulnerability (Exploit:Win32/MS08067.gen!A). You can read about what they’re doing to help protect here. We have also provided information to our security partners in our Microsoft Active Protections Program and our Microsoft Security Response Alliance Program. We encourage all customers to update the signatures for their security protection products to help provide protections while they’re testing and deploying these updates.

    We discovered this vulnerability as part of our research into a limited series of targeted malware attacks against Windows XP systems that we discovered about two weeks ago through our ongoing monitoring. As we investigated these attacks we found they were utilizing a new vulnerability and initiated our Software Security Incident Response Process (SSIRP). As we analyzed the vulnerability in our SSIRP process, we found that this vulnerability was potentially wormable on Windows XP and older systems. Our analysis also showed that it would be possible to address this vulnerability in a way that would enable us to develop an update of appropriate quality for broad distribution quickly. Based on those two factors, we felt that it was in the best interest of customers for us to release this update before the regular November release cycle. We also have detection for the malware we found used in attacks exploiting this vulnerability (TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Gimmiv.A.dll) in the signatures the MMPC is releasing today and are sharing that information with our partners.

    We aren’t done when we release an update.  Our Customer Service and Support teams are ready to support customers as they deploy the update. And our security teams, and our partners, are monitoring for active attacks against this vulnerability. As always, we’ll update you with any information that we have as it develops.

    In the meantime, we encourage you to test and deploy the security updates and security software signatures as soon as possible.

    Thanks,

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Advance Notification for Out-of-Band Release

    Hello this is Christopher Budd,

    I wanted to let you know that we’ve just posted an Advance Notification for an out-of-band bulletin release.  We plan to release one Windows security bulletin with a maximum severity of Critical; scheduled for a target time of 10:00 a.m. PT on Thursday Oct. 23, 2008. A restart will be required.

    We have scheduled a special webcast to cover this release. This will also be on Thursday at 1 p.m. PT. You can register for it here.

    Thanks

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Monthly Security Bulletin Webcast Q&A – October, 2008

    Register now for the November 2008 Security Bulletin Webcast

    Security Bulletin Webcast Q&A Index


    Hosts: Christopher Budd, Security Response Communications Lead
           Adrian Stone, Lead Security Program Manager (MSRC)

    Website: TechNet/security

    Chat Topic: October 2008 Security Bulletin
    Date: Wednesday, October 15, 2008


    Q: What is the difference between Microsoft Update and Windows Update as patch mechanisms?

    A: Windows Update only provides detection and deployment support for Microsoft Windows components. Microsoft Update provides more comprehensive product coverage, including many non-Windows software components such as the Office suites.


    Q: MS08-058 CVE-2008-2947 has a publicly known exploit. How reliable is that exploit... how does that exploit work?

    A: We do not comment on the reliability or mechanics of public exploit code. We strongly recommend customers apply this patch to their systems.


    Q: Most of the security bulletins replace earlier releases... are these areas being repeatedly exploited and does Microsoft need to patch every time?

    A: When a security update replaces an existing update, you will only need to install the latest update for that component to ensure that you are secure. Microsoft updates address vulnerabilities in such a way that our customers have protection from software vulnerabilities.


    Q: MS08-061 has in its “known issues” section that you may get offered this update twice on an XP Service Pack (SP) 3 machine. Is this only for some XP SP3 systems, and is there a list of known trigger events or conditions that cause the patch to be reoffered again before you are fully patched? See http://support.microsoft.com/kb/954211

    A: This should only occur on systems where the SP3 installation has failed, or SP3 was installed and subsequently removed. This leaves the win32k.sys component in an unsigned state. If an unsigned win32k.sys component is detected, this update will detect the file, correct the component, and then exit. After this occurs, the package is re-offered to the system.


    Q: For the Elevation of Privilege (EOP), does the user require credentials of his own to exploit the vulnerability?

    A: Yes, for both local EOP vulnerabilities an attacker must have legitimate credentials to log on to a system and then use the vulnerability to elevate their privileges to SYSTEM level rights.


    Q: Why doesn't MS08-059 apply to Microsoft Host Integration Server (HIS) 2000 Service Pack 1 (server), HIS 2000 SP1 (client), and HIS 2000 (client)?  Is it because they are not vulnerable or because they are no longer supported by Microsoft?

    A: It is because these are no longer supported releases. Please see the Microsoft Support Lifecycle pages at http://www.microsoft.com/lifecycle.


    Q: Does Microsoft Host Integration Server have an associated executable?

    A: The files associated with this fix are Hisservicelib.dll, RPCDetect.dll and SNArpcsv.exe.  This information is also available in KB956695.


    Q: We are seeing the Exploitability Index probably for the first time, would like to know the motive behind sharing this information and how one can make use of this data...

    A: Christopher Budd covered this during the slide presentation, however,  there are several online documents, one being a "how to" and the second being a "Frequently Asked Questions" that are available from the "Exploitability Index" link within this month's summary bulletin.


    Q: Are there any more surprises with the Office patches this month? We have had a number of issues with dealing with unpredictable actions from Office after deployment.

    A: We are not aware of any issues with this bulletin. If you’re experiencing behavior not discussed in the security bulletin, please contact our support teams using the information at http://support.microsoft.com/security .


    Q: I noticed the standalone viewer patch for the Access Snapshot Viewer (MS08-041) was also released with the October bulletin release. Will that be delivered by Windows Update?

    A: The standalone viewer is only on the download site.


    Q: What open shares on DCs need to be open?

    A: For the Server Message Block (SMB) bulletin MS08-063, any open shares on a DC that allow authenticated users to write to that share will expose that system to the SMB vulnerability.


    Q: Can you add the Security Advisory to the supersedence grid for future webcasts?

    A: Where that makes sense, yes, we can do that.


    Q: Is there a reason why the Kill Bits update (956391) was released as an advisory instead of a security bulletin, as MS08-032 was?

    A: Microsoft is releasing this Cumulative Security Update of ActiveX Kill Bits with an advisory because the new kill bits either do not affect Microsoft software, or had been previously set in a Microsoft Security Bulletin.


    Q: MS08-063 requires an authenticated account, if the guest account is enabled would this exploit work?

    A: Yes, if the guest accounts are enabled in an enterprise environment then this vulnerability is exposed to attackers with only guest privileges as well.


    Q: In the KB article, what changes are made when applying MS08-056 on a Windows Server 2003 SP1 and SP2 with Office XP SP3? The 3 registry keys mentioned in KB 956464 were not removed.

    A: The update was designed to remove the registry keys for these protocols. If you believe this is not happening we recommend you log a support call and we can investigate further.


    Q: The new Aggregate Severity and Exploitability Index Rating is a good idea, but would it be possible to have a master page that is kept up to date with all bulletins that have been rated, similar to the security bulletin search page? This would greatly assist in deployment of new systems so critical patches can be included in images/deployment scripts.

    A: Thank you very much for the suggestion. We will take it under consideration.

    Q: MS08-063 appears to be exploitable by authenticated users connecting to Domain Controllers and being able to take full control of them. Is this true? If so, why is the severity rating not higher?

    A: The SMB vulnerability has some mitigation: this is intranet only (enterprise customers); does require authentication; does require SMB. On Active Directory (AD) SMB is default, however the vulnerability also requires open shares on the AD servers that allow low privilege authentication with write access to the open share.
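    As an added check that is not part of the webcast answers or of Microsoft's guidance, the following PowerShell lists the non-administrative SMB shares on the local host whose share-level permissions grant Change or Full Control to broad principals, which is the exposure condition the MS08-063 answers above describe (authenticated or guest users with write access to an open share on a DC). It assumes the SmbShare module (Windows 8 / Windows Server 2012 and later, which post-dates this bulletin), and the principal list is a constructed starting point to adjust for your domain.

```powershell
# Added example, not Microsoft's code: report non-admin shares whose share-level
# ACL grants Change or Full Control to broad principals. Assumes the SmbShare
# module (Windows 8 / Server 2012+), which did not exist when MS08-063 shipped.
# Run in an elevated session on the DC (or file server) being reviewed.

# Constructed list of principals whose write access matters for this exposure.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users',
    'BUILTIN\Guests'
)

function Get-BroadlyWritableShare {
    # Administrative shares (C$, ADMIN$, IPC$ ...) need admin rights and are skipped.
    $shares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }
    foreach ($share in $shares) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -in @('Full', 'Change') -and
                ($BroadPrincipals -contains $_.AccountName -or
                 $_.AccountName -match '\\Domain Users$')   # DOMAIN\Domain Users
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    Principal   = $_.AccountName
                    AccessRight = $_.AccessRight
                }
            }
    }
}

# An empty result means no non-admin share grants a broad group write access at the
# share level; the NTFS ACL on each share's folder still needs a separate review.
Get-BroadlyWritableShare | Format-Table -AutoSize
```

    Effective access is the more restrictive of the share ACL and the folder's NTFS ACL, so a share listed here is writable only if NTFS also allows it.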

    Q: Did MS08-058 disable error reporting for Internet Explorer (IE) 7 crashes under Vista SP1? I have needed to terminate IE due to hangs 3-5 times since installing MS08-058 and I am not being prompted to send error reports to Microsoft.

    A: No, the IE updates do not disable Error Reporting. We would recommend contacting product support at 866-PCSafety if you believe you are having a problem with one of the bulletins.

  • MSRC

    Security Bulletin Webcast Questions and Answers - October 2008

    Hi,

    During this month’s webcast we were able to address 18 questions in the time allotted. The questions were spread fairly evenly across all bulletins, as well as the Exploitability Index that was released for the first time with this Bulletin Release Cycle.

    Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

    http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-October-2008.aspx

    Also, here is the link to the Q&A index page in case you want to view previous months:

    http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

    As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

    Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

    International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

    Thanks!

    Al Brown

    *This posting is provided "AS IS" with no warranties, and confers no rights.*