Microsoft reveals critical holes in Active Directory, mainframe gateway

Microsoft Tuesday issued four critical patches to close 10 vulnerabilities, some on critical IT systems such as Active Directory.

The platforms affected by the critical vulnerabilities include Active Directory, Internet Explorer, Host Integration Server and Excel. In all, Microsoft issued 11 patches (see complete list here). In addition to the four that were critical, six were listed as important and one as moderate.

The patches were listed as MS08-056 through MS08-066. (Compare Patch and Vulnerability Management products.)

"There is a nasty bunch of remotely exploited items," says Eric Schultze, CTO of Shavlik Technologies. He says the vulnerabilities this month are centered more on remote execution rather than "visit this evil Web site and get hacked."

"We are getting into more vulnerabilities that hit the infrastructure, the Windows kernel, Active Directory, protocol overflows,"he says. "If you have a Windows 2000 domain controller you are hosed."

In the Active Directory vulnerability, numbered as MS08-060, anyone on a corporate network can send a series of packets to the domain controller and take over the domain. The vulnerability only affects Windows 2000.

"Then they own the domain," Schultze says. "By owning it they then have domain admin privileges, which means they own every laptop and server and desktop in that domain. They can create user accounts, they can delete everybody's user accounts, they can lock everybody off the server, they can delete fields, they can add and delete services and they control everything in the domain."

Another potentially dangerous vulnerability lies in Host Integration Server RPC Service (MS08-059), which is another remote execution bug. The vulnerability covers 2000, 2004 and 2006 version of host integration server.

"Control of HIS can give an attacker control of data flowing into and out of some of the most closely guarded systems on the planet," Sheldon Malm, director of security R&D for nCircle, wrote in a research note. "It is absolutely vital for customers to find and remediate this vulnerability as quickly as possible. Host Integration Server is the de facto gateway linking Windows hosts to business critical mainframes and AS/400 systems, which in turn host databases and Customer Information Control System (CICS) applications that are believed to run in 90% of Fortune 500 corporations."

The other critical patches are a cumulative update for Internet Explorer (MS08-058) that resolves five privately reported vulnerabilities and one that was publicly disclosed.

The vulnerabilities, however, cut a wide swath across Internet Explorer.

"It is not as simple as patching IE for XP or Vista as it impacts 2000, XP, Vista as well as Microsoft Windows Server 2003 and 2008," says Don Leatham, senior director of solutions and strategy at Lumension.

The final critical patch (MS08-057) involved three privately reported vulnerabilities affecting Excel. The hole would allow a hacker to gain control of a system if the user opened a specially crafted Excel file.