
Two flaws, one critical, one seven years old, are fixed in November's Patch Tuesday

By Microsoft Subnet on Tue, 11/11/08 - 4:02pm.

Enterprise IT pros might be breathing a sigh of relief. Some Patch Tuesdays are loaded with critical and important fixes, but today's consists of only two patches (although an emergency patch, MS08-067, was issued mid-cycle on October 23). The strange news in this set of patches is that one of them seems to fix a problem first reported seven years ago.

The critical MS08-069 update fixes a flaw in the Microsoft XML Core Services used by Internet Explorer and other programs to render Web pages. Flaws that work via the browser by sending users to Web sites often tend to be rated as critical. Windows or Office users who visit a site and open a malicious document are hacked.

The second update, MS08-068, fixes a bug rated "important" for Windows XP, 2000 and Server 2003 users, and only "moderate" on Vista and Server 2008. It solves an issue with the Windows Server Message Block (SMB) software used by Windows to share files and print documents over a network.

"I find the 'Important' bulletin far more interesting this month," said Eric Schultze, CTO of Shavlik Technologies in St. Paul, in a written commentary sent to various reporters, including Microsoft Subnet. "From what I can tell, it appears that MS08-068 (Important) is addressing a vulnerability that was first made public 7+ years ago (in 2001). Sir Dystic, from Cult of the Dead Cow, found a vulnerability in Microsoft operating systems that enabled attackers complete access to users' computers. He wrote a utility called SMBRelay to demonstrate the flaw. Microsoft was aware of the issue but didn't issue any security bulletins or patches to correct the behavior. Well, it looks like they've finally seen the light and have addressed this issue via the MS08-068 patch."

The SMBRelay attack works when the victim is on the same corporate network, when the firewall is turned off, or when the victim's firewall allows file and printer sharing services, Schultze explains. The attacker gets the victim to run HTML code (either via an e-mail or by visiting a Web site) that includes an HTML reference to a picture stored on a server controlled by the hacker. When the victim's machine tries to grab the picture from the hacker's machine over NetBIOS ports, the hacker's machine asks the victim's machine to authenticate to it. The hacker can then use the challenge-response authentication obtained in reply to connect to the victim's machine without a password. Once connected, the hacker has all the same rights and privileges as the victim.

The scariest part of this exploit is not its age. It is that there is no way to tell who has been accessing your computer without your password. In addition to applying the patch, ensuring that your firewall is indeed blocking inbound/outbound NetBIOS access and enabling SMB signing on all NetBIOS communication are also defenses, Schultze says.
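The SMB signing defense can be checked from a packet capture. The following Python is an added example, not code from the article, Schultze or Microsoft: it reads the SecurityMode field of an SMB1 or SMB2 negotiate response and reports whether the server requires signing, the setting that keeps a relayed session from being usable. The function names and sample messages are constructed for illustration; field offsets follow the published SMB message layouts.

```python
import struct

# SecurityMode signing bits in a negotiate response
SMB1_ENABLED, SMB1_REQUIRED = 0x04, 0x08      # SMB1: 1-byte field
SMB2_ENABLED, SMB2_REQUIRED = 0x0001, 0x0002  # SMB2: 2-byte field


def signing_posture(msg: bytes) -> str:
    """Classify a negotiate response (NetBIOS session header already stripped)."""
    if msg[:4] == b"\xffSMB":
        # 32-byte SMB1 header, then WordCount(1), DialectIndex(2), SecurityMode(1)
        if len(msg) < 36 or msg[4] != 0x72 or msg[32] != 17:
            raise ValueError("not an SMB1 NT LM 0.12 negotiate response")
        mode = msg[35]
        enabled, required = mode & SMB1_ENABLED, mode & SMB1_REQUIRED
    elif msg[:4] == b"\xfeSMB":
        # 64-byte SMB2 header, then StructureSize(2) == 65, SecurityMode(2)
        if len(msg) < 68:
            raise ValueError("truncated SMB2 message")
        command, = struct.unpack_from("<H", msg, 12)
        size, mode = struct.unpack_from("<HH", msg, 64)
        if command != 0 or size != 65:
            raise ValueError("not an SMB2 negotiate response")
        enabled, required = mode & SMB2_ENABLED, mode & SMB2_REQUIRED
    else:
        raise ValueError("not an SMB message")
    if required:
        return "required"
    return "enabled-not-required" if enabled else "disabled"


def sample_smb1(mode: int) -> bytes:
    """Constructed sample: minimal SMB1 negotiate response with the given mode."""
    return b"\xffSMB\x72" + bytes(27) + bytes([17, 0, 0, mode])


def sample_smb2(mode: int) -> bytes:
    """Constructed sample: minimal SMB2 negotiate response with the given mode."""
    header = bytearray(64)
    header[:4] = b"\xfeSMB"
    struct.pack_into("<H", header, 4, 64)  # header StructureSize
    return bytes(header) + struct.pack("<HH", 65, mode)


if __name__ == "__main__":
    for label, msg in [("SMB1 mode 0x03", sample_smb1(0x03)),
                       ("SMB2 mode 0x0003", sample_smb2(0x0003))]:
        print(label, "->", signing_posture(msg))
```

Hosts that report anything other than "required" accept unsigned sessions and are the ones to prioritise for the patch and the signing policy change.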
