Enterprise IT pros might be breathing a sigh of relief. Some Patch Tuesdays are loaded with critical and important fixes, but today's consists of only two patches (although there was an emergency patch, MS08-067, issued mid-cycle on October 23). The strange news in this set of patches is that one of them seems to fix a problem first reported seven years ago.
The critical MS08-069 update fixes a flaw in the Microsoft XML Core Services used by Internet Explorer and other programs to render Web pages. Flaws that work via the browser by sending users to Web sites often tend to be rated as critical. Windows or Office users who visit a site and open a malicious document are hacked.
The second update, MS08-068, fixes a bug rated "important" for Windows XP, 2000 and Server 2003 users, and only "moderate" on Vista and Server 2008. It solves an issue with the Windows Server Message Block (SMB) software used by Windows to share files and print documents over a network.
"I find the 'Important' bulletin far more interesting this month," said Eric Schultze, CTO of Shavlik Technologies in St. Paul, in a written commentary sent to various reporters, including Microsoft Subnet. "From what I can tell, it appears that MS08-068 (Important) is addressing a vulnerability that was first made public 7+ years ago (in 2001). Sir Dystic, from Cult of the Dead Cow, found a vulnerability in Microsoft operating systems that enabled attackers complete access to user's computers. He wrote a utility called SMBRelay to demonstrate the flaw. Microsoft was aware of the issue but didn't issue any security bulletins or patches to correct the behavior. Well, it looks like they've finally seen the light and have addressed this issue via the MS08-068 patch."
The SMBRelay attack works when the victim is on the same corporate network, when the firewall is turned off, or when the victim's firewall allows file and printer sharing services, Schultze explains. The attacker gets the victim to run HTML code (either via an e-mail or by visiting a web site) that includes an HTML reference to a picture stored on a server controlled by the hacker. When the victim's machine tries to grab the picture on the hacker's machine over NetBIOS ports, the hacker's machine asks the victim's machine to authenticate to it. The hacker can then use the challenge-response authentication obtained in reply to connect to a victim's machine without a password. Once connected, the hacker has all the same rights and privileges as the victim.
The scariest part of this exploit is not its age. It is that there is no way to tell who has been accessing your computer without your password. In addition to applying the patch, ensuring that your firewall is indeed blocking inbound/outbound NetBIOS access and enabling SMB signing on all NetBIOS communication are also defenses, Schultze says.
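A simplified model of the challenge-response relay described above, and of why required signing stops it, added here as an illustration (it is not code from the article or from SMBRelay). HMAC-SHA256 stands in for the real NTLM and SMB signing algorithms, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _secret(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # stand-in for a password hash

class Client:
    """Holds the secret and answers any challenge it is handed."""
    def __init__(self, password: str):
        self._key = _secret(password)

    def respond(self, challenge: bytes) -> bytes:
        return _mac(self._key, challenge)

    def sign(self, challenge: bytes, message: bytes) -> bytes:
        # The signing key depends on the secret, not on the response sent over the wire.
        return _mac(_mac(self._key, b"session" + challenge), message)

class Server:
    def __init__(self, password: str, require_signing: bool):
        self._key = _secret(password)
        self.require_signing = require_signing
        self.challenge = b""
        self.authenticated = False

    def new_challenge(self) -> bytes:
        self.challenge, self.authenticated = os.urandom(16), False
        return self.challenge

    def authenticate(self, response: bytes) -> bool:
        expected = _mac(self._key, self.challenge)
        self.authenticated = hmac.compare_digest(response, expected)
        return self.authenticated

    def handle(self, message: bytes, signature: bytes = b"") -> bool:
        if not self.authenticated:
            return False
        if not self.require_signing:
            return True  # weak setting: any authenticated session is trusted
        key = _mac(self._key, b"session" + self.challenge)
        return hmac.compare_digest(signature, _mac(key, message))

def relayed_session(server: Server, victim: Client, message: bytes) -> tuple:
    """A middle host forwards the server's challenge to the victim and the reply back."""
    response = victim.respond(server.new_challenge())  # the password is never learned
    logged_in = server.authenticate(response)
    return logged_in, server.handle(message)  # no secret, so no valid signature
```

With `require_signing=False` the relayed session both authenticates and has its request accepted; with `require_signing=True` it still authenticates, but every unsigned request is rejected.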
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at firstname.lastname@example.org, 970-482-6454 or follow Julie on Twitter @Julie188.