Enterprise IT pros might be breathing a sigh of relief. Some Patch Tuesdays are loaded with critical and important fixes, but today's consists of only two patches (although Microsoft did issue an emergency out-of-band patch, MS08-067, on October 23). The odd thing about this set is that one of the two patches addresses a problem first reported seven years ago.
The critical MS08-069 update fixes flaws in Microsoft XML Core Services (MSXML), which Internet Explorer and other programs use to parse XML when rendering Web pages. Flaws that can be triggered simply by luring a user to a Web site tend to be rated critical: a Windows or Office user who views a specially crafted page, or opens a malicious document, can be compromised without any further interaction.
The second update, MS08-068, fixes a bug rated Important for Windows 2000, XP and Server 2003 and only Moderate for Vista and Server 2008. It addresses an issue in Server Message Block (SMB), the protocol Windows uses to share files and printers over a network.
"I find the 'Important' bulletin far more interesting this month," said Eric Schultze, CTO of Shavlik Technologies in St. Paul, in a written commentary sent to various reporters, including Microsoft Subnet. "From what I can tell, it appears that MS08-068 (Important) is addressing a vulnerability that was first made public 7+ years ago (in 2001). Sir Dystic, from Cult of the Dead Cow, found a vulnerability in Microsoft operating systems that enabled attackers complete access to users' computers. He wrote a utility called SMBRelay to demonstrate the flaw. Microsoft was aware of the issue but didn't issue any security bulletins or patches to correct the behavior. Well, it looks like they've finally seen the light and have addressed this issue via the MS08-068 patch."
The SMBRelay attack works when the victim is on the same corporate network as the attacker, has the firewall turned off, or has a firewall that lets file and printer sharing traffic through, Schultze explains. The attacker gets the victim to render HTML (in an e-mail or on a Web site) that references an image stored on a server the attacker controls. When the victim's machine tries to fetch the image over the NetBIOS ports, the attacker's server asks it to authenticate. The attacker then turns that challenge-response exchange back on the victim's own machine: it asks the victim's SMB server for a challenge, hands that same challenge to the victim's inbound connection, and replays the victim's answer to the victim's server. The attacker is thus authenticated to the victim's machine without ever learning a password, and once connected has the same rights and privileges as the victim.
The scariest part of this attack is not its age. It is that, because the attacker authenticates as the victim, there is no way to tell from the logs who has been accessing your computer: the connection looks like the user's own. Schultze's advice, beyond applying the patch: make sure your firewall actually blocks inbound and outbound NetBIOS traffic, and enable SMB signing on all NetBIOS communication. One caveat worth knowing: MS08-068 stops credentials from being reflected back to the machine they came from, but relaying them to a different server on the network is a separate problem, and that is what SMB signing is for.
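To make the exchange in the two paragraphs above concrete, here is a toy model of the reflection attack and of the two defenses, written for this post as an added example; it is not code from Network World, Shavlik, Cult of the Dead Cow or Microsoft. It replaces real NTLM with HMAC-SHA256 over the challenge, invents a single local account ("alice") and hash, and models the MS08-068 fix as a server-side refusal of any challenge the same host has just answered as a client. Microsoft's actual implementation is more involved, so treat the `patched` branch as an illustration of the reflection check rather than a description of the Windows code. SMB signing is likewise modelled as an HMAC over each request with a key derived from the secret the relay never sees.

```python
"""Toy model of SMBRelay credential reflection and its two fixes (added example,
not the article's own code). NTLM is stood in for by HMAC-SHA256(hash, challenge);
the session key and request signature are simplified stand-ins as well."""
import hashlib
import hmac
import os

ACCOUNT = "alice"                                      # constructed sample account
ALICE_HASH = hashlib.sha256(b"correct horse").digest()  # stand-in for the NT hash


def ntlm_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Simplified challenge-response (not the real NTLMv1/v2 computation)."""
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()


class Host:
    """One Windows box acting as both SMB client (the browser fetching an image
    over NetBIOS) and SMB server (file and printer sharing)."""

    def __init__(self, name, patched=False, require_signing=False):
        self.name = name
        self.patched = patched                  # MS08-068-style reflection check (model)
        self.require_signing = require_signing  # SMB signing enforced on the server side
        self.issued = {}        # server side: outstanding challenge -> account
        self.answered = set()   # client side: challenges this host has answered
        self.session_key = None
        self.log = []

    # ---- client side: what the victim does when the <img> points at \\attacker\share ----
    def client_respond(self, challenge: bytes) -> bytes:
        self.answered.add(challenge)
        return ntlm_response(ALICE_HASH, challenge)

    # ---- server side ----
    def server_challenge(self, account: str) -> bytes:
        challenge = os.urandom(8)
        self.issued[challenge] = account
        return challenge

    def server_verify(self, challenge: bytes, response: bytes) -> bool:
        account = self.issued.pop(challenge, None)
        if account is None:
            return False
        # Reflection check: a challenge this host has itself just answered as a
        # client must not be accepted on its server side.
        if self.patched and challenge in self.answered:
            self.log.append(f"reflection of {account}'s credentials refused")
            return False
        if not hmac.compare_digest(ntlm_response(ALICE_HASH, challenge), response):
            return False
        # Session key is derived from the hash, which a relaying attacker never sees.
        self.session_key = hmac.new(ALICE_HASH, response, hashlib.sha256).digest()
        self.log.append(f"{account} logged on")
        return True

    def server_execute(self, request: bytes, signature) -> bool:
        if self.session_key is None:
            return False
        if self.require_signing:
            expected = hmac.new(self.session_key, request, hashlib.sha256).digest()
            if signature is None or not hmac.compare_digest(expected, signature):
                self.log.append("unsigned or badly signed request refused")
                return False
        self.log.append(f"executed {request!r}")
        return True


def smbrelay_reflection(victim: Host) -> str:
    """The attacker's side of the exchange described in the article."""
    # 1. Victim's browser opens \\attacker\pic.gif; the attacker in turn connects to
    #    the victim's own SMB server and is handed a challenge for the victim's account.
    challenge = victim.server_challenge(ACCOUNT)
    # 2. Attacker's SMB server sends that very challenge back on the inbound
    #    connection, and the victim dutifully computes the response.
    response = victim.client_respond(challenge)
    # 3. Attacker replays the response on its connection to the victim's server.
    if not victim.server_verify(challenge, response):
        return "rejected"
    # 4. Authenticated as the victim. The attacker saw only the challenge and the
    #    response, never the hash, so it has no session key to sign with.
    request = b"read \\\\victim\\C$\\Windows\\System32\\config\\SAM"
    if victim.server_execute(request, signature=None):
        return "compromised"
    return "authenticated but request refused"


def legitimate_logon(client: Host, server: Host) -> bool:
    """A normal two-machine logon must still work with the reflection check on."""
    challenge = server.server_challenge(ACCOUNT)
    response = client.client_respond(challenge)
    if not server.server_verify(challenge, response):
        return False
    key = hmac.new(ALICE_HASH, response, hashlib.sha256).digest()  # client derives it too
    request = b"dir \\\\fileserver\\share"
    return server.server_execute(request, hmac.new(key, request, hashlib.sha256).digest())


def run_scenarios() -> dict:
    return {
        "unpatched": smbrelay_reflection(Host("victim")),
        "signing only": smbrelay_reflection(Host("victim", require_signing=True)),
        "MS08-068": smbrelay_reflection(Host("victim", patched=True)),
        "legit logon to patched server": legitimate_logon(
            Host("alice-pc", patched=True),
            Host("fileserver", patched=True, require_signing=True)),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:32} -> {outcome}")
```

Running it shows the three outcomes side by side: the unpatched host is fully compromised, a host that merely requires SMB signing still lets the attacker authenticate but refuses every unsigned request, and the modelled MS08-068 check refuses the reflected logon outright while a genuine logon from a second machine to the same patched server goes through.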