This month we released an update for SMB that addresses three vulnerabilities. This blog post provides additional information that might help prioritize the deployment of this update, and help explain the risk for code execution.
In the bulletin you will see that the cumulative severity rating is Critical for Windows 2000, XP and Server 2003 systems, while Vista and Server 2008 have cumulative severity ratings of Moderate.
Two of the three vulnerabilities pose a risk of remote code execution (CVE-2008-4834 and CVE-2008-4835), and hence these are rated Critical. However, Vista and Server 2008 systems are not vulnerable to the first of these, and the second does not affect systems running with default settings. As a result, we rated Vista and Server 2008 as Moderate for CVE-2008-4835. CVE-2008-4114 affects all Windows platforms and results in a system DoS without any risk of RCE, and hence is rated Moderate. The table below summarizes the exposure for each version of Windows.
For all affected versions of Windows, the two RCE vulnerabilities are unlikely to result in functioning exploit code, as stated in the Exploitability Index (http://technet.microsoft.com/en-us/security/cc998259.aspx). There are a few reasons for this:
In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately, since a system DoS on those machines would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be treated as lower priority if a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.
- Mark Wodrich, SVRD Blogger
Posting is provided "AS IS" with no warranties, and confers no rights.