Since the release, we have received several great questions regarding MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), so we decided to compile the answers here. We still want to encourage everyone to apply the update.
Can the vulnerability be reached through RPC over HTTP?
No, the vulnerability cannot be reached through RPC over HTTP. RPC over HTTP is an end-to-end protocol that has three roles: client, proxy and server. To be clear, this is different from standard RPC, and the two protocols do not interoperate. Moreover, the only way to hit the vulnerable code is through named pipes, so the Interface security callback will drop the connection when connecting through TCP/IP.
Using Outlook to connect to an Exchange server to access e-mail is a common scenario that uses RPC over HTTP; because the RPC over HTTP proxy is used, the Exchange server is not exposed to external attacks.
Further information about RPC over HTTP:
Further information about using Exchange with RPC over HTTP:
What type of protections does ISA provide against this vulnerability?
Can an anonymous user reach the vulnerable code if the “restrict anonymous named pipes” group policy setting is used?
There are two different behaviors depending on the platform version.
Unfortunately, the Windows XP SP2 and Windows Server 2003 group policy setting “Network Access: Named pipes that can be accessed anonymously” (see http://technet.microsoft.com/en-us/library/cc785123.aspx for more information) will not block anonymous connections to the browser named pipe. The vulnerable code can still be reached because, by default, connections to this named pipe will be allowed regardless of the setting. In short, even if “browser” is removed from this list, the named pipe can still be reached anonymously.
In Windows Vista and Windows Server 2008, this behavior was changed: the setting takes effect when the browser named pipe is removed from the list and the system is restarted.
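A local audit of this setting, as an added example that is not part of the original post: it reads the anonymous named-pipe list and interprets it per platform as described above. It assumes the policy is stored in the NullSessionPipes multi-string value under the LanmanServer Parameters key; the function name Get-BrowserPipeStatus is hypothetical.

```powershell
# Added example: local audit of the anonymous named-pipe list discussed above.
# Assumption: the policy is stored in the NullSessionPipes multi-string value.
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-BrowserPipeStatus {
    param(
        [Version]  $OsVersion,   # 5.1 = XP, 5.2 = Server 2003, 6.0 = Vista / Server 2008
        [string[]] $Pipes        # entries of the anonymous named-pipe list
    )
    # Drop empty entries and stray whitespace before comparing.
    $names  = @($Pipes | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    $listed = $names -contains 'browser'      # -contains is case-insensitive

    if ($OsVersion.Major -lt 6) {
        # XP SP2 / Server 2003: the list does not block anonymous access to this pipe.
        $verdict = 'Setting is not a mitigation on this platform; apply the update.'
    } elseif ($listed) {
        # Vista / Server 2008 (assumption: later versions follow the same behaviour).
        $verdict = 'browser is listed as anonymously accessible.'
    } else {
        $verdict = 'browser not listed; effective once the system has been restarted.'
    }

    New-Object PSObject -Property @{
        OsVersion     = $OsVersion.ToString()
        BrowserListed = $listed
        Verdict       = $verdict
    }
}

# Read the live value; a missing key or value is treated as an empty list.
$value = (Get-ItemProperty -Path $ParamKey -ErrorAction SilentlyContinue).NullSessionPipes
Get-BrowserPipeStatus -OsVersion ([Environment]::OSVersion.Version) -Pipes $value
```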
Would sharing files and/or printers via Terminal Server or Remote Desktop Connection expose the vulnerability?
No, Terminal Server and Remote Desktop Connection do redirection using virtual channels embedded inside the RDP protocol. Moreover, Terminal Server does not open ports 139 or 445.
We would like to thank the engineers who helped provide definitive answers to these technical questions:
- Bruce Dang, Fermin J. Serna, Damian Hasse, Andrew Roths and Jonathan Ness from the SVRD team
- Tassaduq Basu, Kamen Moutafov from the Windows Networking Team
- Scott Field from the Windows Security Architecture Team
- Jim Harrison from the ISA Team
- Costin Hagiu from the RDP Team
- David Kruse from the Core File System Team