Microsoft patch closes 7-year-old OS hole, expert says

Former Microsoft employee chides company for not acting sooner.

A former Microsoft employee who's now CTO for a patch management firm says an update issued by Microsoft on Tuesday closes a vulnerability that has been exploited for almost seven years and that he first identified while working for the company.

Eric Schultze, who served as a founding member of the Trustworthy Computing team at Microsoft and was a security director for the vendor, says the MS08-068 patch that Microsoft released as part of its monthly Patch Tuesday announcement closes a flaw he first tested at Microsoft in 2001.

“It is important to get this one patched right away because exploit tools are readily available,” says Schultze, even though the patch is rated “important” and not “critical.” (Compare patch management tools)

“Back in 2001 there was an exploit tool released called SMBRelay and a gentleman by the name of Sir Dystic wrote it,” says Schultze, CTO for Shavlik Technologies. “I was at Microsoft and I tested it and said ‘holy crap, this works.’ I addressed it with Microsoft but they buried their head in the sand. But it looks like they may have finally fixed it.”

Tuesday, Schultze again tested the flaw and confirmed that the “MS08-068 patch does address the SMBRelay attack” written by hacker Sir Dystic, from Cult of the Dead Cow, in March 2001.

He chided Microsoft for leaving the hole open for so long on so many versions of the operating system.

“This means that Microsoft has known of this problem since 2001 and was not able to (or chose not to) fix it until now,” Schultze wrote in an e-mail follow-up to an earlier interview. “This also means that working exploit code has been available for all operating systems including Windows NT 4, Windows 2000, XP, Windows Server 2003, Vista and Windows Server 2008.” He goes on to say, “though as Microsoft correctly states, exploitation is severely mitigated on Vista and Windows Server 2008.”

Schultze acknowledges that the Server Message Block (SMB) flaw addressed in MS08-068 has become less of a threat since companies began to fine-tune their firewalls. But the vulnerability, which could allow an attacker to take over a user’s hard drive, is still a threat within a company’s firewalls, he says.

One operating system that the vulnerability affects is Windows XP SP2, which is still widely used on corporate networks.

Key to exploiting the patch is that an attacker’s machine and the target machine are both running NetBios, which lets applications running on different computers communicate over a LAN and today is usually blocked at the corporate firewall. The machines also need to have Windows Server Services running, which is turned on by default in XP and other Windows versions, but is off by default in Vista and Windows Server 2008.

The attacker could send an HTML e-mail or direct the victim to a Web site, either of which would have a specially formed Web page that references in the source code a small image file. The source code would point to a malicious server rather than the image file using a file:// command, an operating system NetBios-like command that is part of the base operating system.

The malicious server would require the victim’s system to authenticate and when it did, the malicious server would grab the information and replay it on the network to gain access to the victim’s machine and hard drive. The attacker would have the same rights as the user after gaining access. If those were administrative rights, the attacker would have full access to the machine.

Schultze says networks that use SMB packet signing would immediately be able to identify the malicious activity as a man-in-the-middle attack.

“This could be pretty nasty on a corporate network,” says Schultze. “On an internal corporate network where you have NetBios wide open or Server Services wide open, you don’t typically firewall those machines, but across the Internet it would be blocked,” he says.

Back in 2001, however, people didn’t know to block NetBios at the firewall.

“XP’s firewall will prevent this hack, but many companies configure it to be off,” says Schultze.

MS08-068 goes hand-in-hand with patch MS08-067, which Microsoft released Oct. 23 and affected all versions of Windows since Windows 2000. The patch, rated critical, addresses the same SMBRelay vulnerability and was released off the normal second Tuesday of the month release cycle.

August Patch Tuesday: Internet Explorer, Office hit hard

September Patch Tuesday: Microsoft patches will put IT on hunt for affected systems

October Patch Tuesday: Microsoft reveals critical holes in Active Directory, mainframe gateway

As for why this hole was open for so long, Schultze says it was at such a low-level in the operating system that Microsoft decided to forget it and if users complained “they would tell them to turn on SMB packet signing.”

“For hackers these are the cool vulnerabilities. These are the one they look forward to,” he says.

In addition to MS08-068, which was one of only two patches on Tuesday, Microsoft also released a critical patch that closes an XML parsing flaw. The vulnerability, addressed with patch MS08-069, could allow a hacker to take over a machine.

“It looks like a malformed XML statement will allow memory corruption that lets a hacker execute arbitrary code on the target machine,” says Don Leatham, senior director of solutions and strategy at Lumension.

Copyright © 2008 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022