Reflections on the October 2008 Microsoft patch release

Lots of security patches were released today, and the mix is different from most months. In prior months, the majority of the security bulletins addressed ‘client-side’ vulnerabilities, i.e. those that require user interaction, such as visiting an evil website or opening a malformed document. This month, we have a good number of ‘server-side’ vulnerabilities.

Server-side vulnerabilities are a hacker’s best friend: they let an attacker go straight at the system they want to break into, without waiting for a user to take an action before the attack can be completed. (In a client-side attack, the attacker also has no control over who might open the email or visit the site.)

The most interesting bulletins this month are in the middle of the pack – MS08-060 through MS08-063. We’ll start with those and then touch on the rest.

MS08-060 ‘Vulnerability in Active Directory Could Allow Remote Code Execution (957280)’ is a Critical issue that impacts Windows 2000 domain controllers. This one is really nasty. Unauthenticated users can send a specially crafted LDAP packet to the Win2K AD server and then do with that server what they wish: complete Domain Admin access, if they do it correctly. Once you have domain admin access, you can add your own user account, delete user accounts, lock out accounts, access nearly any desktop, laptop or server that is a member of the domain, delete files, install or remove services, or monkey with group policy objects. I’d get this one patched as soon as possible if I had any Windows 2000 DCs on my network. Note that this attack is probably limited to internal networks, as the LDAP and LDAP-over-SSL ports (TCP 389 and TCP 636) are usually blocked at the corporate firewall.

MS08-063 ‘Vulnerability in SMB Could Allow Remote Code Execution (957095)’ is my next favorite one this month. Microsoft calls this one Important; I call it cool. SMB is the protocol you use to perform file and printer sharing activities on your network. Anything from logging in, to accessing shared files, to sending a document to a printer, is all SMB. If a disgruntled user connects to a file share on a remote system and renames a file in that share in a specific manner (including a specific name length), the renamed file will cause code to execute on that file server, thereby enabling the attacker to run code of their choice on that server. This impacts all operating systems from Windows 2000 through Windows Server 2008. This attack will primarily be an internal network attack, as the SMB ports (TCP 139 and TCP 445) are usually blocked at the firewall.

MS08-061 ‘Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)’ and MS08-062 ‘Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)’ are each rated Important, yet, when exploited together, they should be considered Critical.

MS08-062 is a flaw in the Internet Printing Service that is present in IIS installations. In this attack, the hacker sends commands to the Internet Printing Service on the target system. The target system responds by connecting to the SMB port (TCP 445) on the hacker’s computer to pick up and execute the evil code. The evil code will execute in kernel mode (effectively full administrative rights). The threat is mitigated somewhat, as the attacker must have some level of credentials on the system before they can submit the commands to the printing service. It’s also unlikely that the IIS server will have outbound SMB access to the hacker’s workstation, as outbound SMB traffic should be blocked at the firewall. Exploit code for this issue has been discovered on the Internet.

MS08-061 is a privilege escalation attack. By executing special code on a target server, the attacker can raise their permissions from those of a ‘user’ to a higher-level account (like administrator). Envision a shared web server environment, where you (as a user-level account) can upload code to a webserver hosted by your ISP. Upload the evil privilege escalation code to the webserver. Once it’s posted to your webserver, execute this file via your web browser. The IIS service now has admin-level permissions and can do various tasks like dumping out password hashes, reading files, and creating backdoors. This attack impacts all operating systems. Microsoft rates this as Important, as it requires that you already have access to upload code to the webserver. Microsoft says that exploit code for this is likely.

A quick review of the other items:
MS08-056: Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) is a browser protocol-handler vulnerability that can present itself if you’re running Office XP. If you have Office XP installed and you click on a hyperlink of the form CDO://SomeEvilURL, the attacker may be able to inject script into your browser that can be used to spy on other web sessions, grab cookies, or perform cross-site scripting. This is rated Moderate, and working exploit code is not likely.

MS08-057: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) is another ‘open a malicious document and get hacked’ vulnerability that applies to all versions of Excel. Nuff said. (Microsoft says this is Critical and working exploit code is likely.)

MS08-058: Cumulative Security Update for Internet Explorer (956390) is a ‘visit an evil website and get hacked’ vulnerability. Also known as ‘IE patch of the month’. (Microsoft rates this as Critical and says that exploit code is likely. The vulnerability impacting IE on Windows 2000 was previously made public.)

MS08-059: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695) is rated Critical and impacts Host Integration Servers (2000, 2004, 2006), otherwise known as SNA Servers. An unauthenticated attacker can issue SNA RPC commands to the target system and execute any commands they want on the server. If you have SNA Servers, get them patched right away. If you don’t know what SNA Servers are, ignore this one.

MS08-064: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) is an Important patch (as per Microsoft) that could enable ‘users’ to become ‘administrators’ on their systems. Similar to MS08-061, but only applies to XP and later systems.

MS08-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071) is rated Important by Microsoft, but should be rated Critical (by the standard Microsoft applied to MS08-059 for Host Integration Server). Windows 2000 systems with MSMQ installed can be hacked by anonymous (internal) users sending an RPC request to the MSMQ service. The attacker can then do as they please with the target system. Microsoft says code execution is difficult in this attack, and therefore doesn’t expect exploit code to be released for it.

MS08-066: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803) is an Important bulletin and impacts XP and WS03 systems. Like MS08-064 and MS08-061, this can enable attackers to move from user status to admin status on their systems. Microsoft says exploit code is likely to be released.

Finally, Microsoft released their exploitability index today. This provides Microsoft’s take on how difficult an exploit would be to craft, and whether we’re likely to see working exploit code for the issue (information gleaned from these ratings is included in the summaries above). While I like the concept of this guide, I couldn’t actually find the data. Microsoft didn’t include this in the security bulletins themselves, but rather in the monthly security bulletin summary (who reads that?). Microsoft would be well served to include this information in the bulletin itself in future Patch Tuesday releases.
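As an added example (not part of the original post, and not a Microsoft tool), here is a small triage script that encodes the bulletin facts from the summaries above (KB numbers, Microsoft’s ratings, affected platforms and roles, and the stated exploit-code expectations) together with the post’s own adjustments: MS08-065 treated as Critical, and MS08-061 plus MS08-062 treated as Critical when both are unpatched on the same host. It also applies the post’s firewall reasoning: an LDAP or SMB bug counts as ‘internal’ exposure when the perimeter blocks those ports and ‘perimeter’ exposure when it does not. Host names, roles, installed-KB lists and the perimeter policy are constructed sample data, and the script assumes an installed hotfix is reported under the bulletin’s KB number.

```python
"""Patch-gap triage for the October 2008 bulletins discussed in the post.

Added example, not the post's code. Bulletin facts are transcribed from the
post; the host inventory and perimeter policy at the bottom are constructed.
"""
from dataclasses import dataclass, field

RANK = {"Critical": 3, "Important": 2, "Moderate": 1}

# Per bulletin: KB number, Microsoft's rating, platform restriction (None = all),
# required host role (None = any host), listening ports an attacker must reach
# (None = local foothold needed), and the exploit-code expectation the post gives.
BULLETINS = {
    "MS08-060": dict(kb="957280", ms="Critical", os={"win2000"}, role={"dc"},
                     ports={389, 636}, exploit=None),
    "MS08-061": dict(kb="954211", ms="Important", os=None, role=None,
                     ports=None, exploit="likely"),
    # Needs credentials; the post's mitigation (blocking outbound SMB) is not modelled.
    "MS08-062": dict(kb="953155", ms="Important", os=None,
                     role={"iis_internet_printing"}, ports=None, exploit="public"),
    "MS08-063": dict(kb="957095", ms="Important", os=None, role={"file_server"},
                     ports={139, 445}, exploit=None),
    "MS08-056": dict(kb="957699", ms="Moderate", os=None, role={"office_xp"},
                     ports=None, exploit="not likely"),
    "MS08-057": dict(kb="956416", ms="Critical", os=None, role={"excel"},
                     ports=None, exploit="likely"),
    "MS08-058": dict(kb="956390", ms="Critical", os=None, role={"ie"},
                     ports=None, exploit="likely"),
    "MS08-059": dict(kb="956695", ms="Critical", os=None, role={"his"},
                     ports=None, exploit=None),          # RPC port not given in the post
    "MS08-064": dict(kb="956841", ms="Important",
                     os={"winxp", "ws2003", "vista", "ws2008"}, role=None,
                     ports=None, exploit=None),
    "MS08-065": dict(kb="951071", ms="Important", os={"win2000"}, role={"msmq"},
                     ports=None, exploit="not expected"),  # RPC port not given in the post
    "MS08-066": dict(kb="956803", ms="Important", os={"winxp", "ws2003"}, role=None,
                     ports=None, exploit="likely"),
}

# The post's adjustments: MS08-065 deserves Critical, and MS08-061 chained
# with MS08-062 should be treated as Critical.
POST_OVERRIDE = {"MS08-065": "Critical"}
CHAIN = ("MS08-061", "MS08-062")


@dataclass
class Host:
    name: str
    os: str
    roles: set = field(default_factory=set)
    installed_kbs: set = field(default_factory=set)


@dataclass
class Finding:
    host: str
    bulletin: str
    rating: str
    exposure: str   # "local", "internal" or "perimeter"
    exploit: str


def applies(b, host):
    """True when the bulletin's platform and role constraints match the host."""
    if b["os"] is not None and host.os not in b["os"]:
        return False
    if b["role"] is not None and not (host.roles & b["role"]):
        return False
    return True


def exposure(b, blocked_at_perimeter):
    """Local-only bugs need a foothold; network bugs are reachable from inside,
    and from outside too unless the perimeter blocks every port they use."""
    if b["ports"] is None:
        return "local"
    return "internal" if b["ports"] <= blocked_at_perimeter else "perimeter"


def triage(hosts, blocked_at_perimeter):
    """Return findings for unpatched, applicable bulletins, worst first."""
    findings = []
    for h in hosts:
        missing = [bid for bid, b in BULLETINS.items()
                   if applies(b, h) and b["kb"] not in h.installed_kbs]
        for bid in missing:
            b = BULLETINS[bid]
            rating = POST_OVERRIDE.get(bid, b["ms"])
            if bid in CHAIN and all(c in missing for c in CHAIN):
                rating = "Critical"   # both halves of the 061+062 chain are unpatched
            findings.append(Finding(h.name, bid, rating,
                                    exposure(b, blocked_at_perimeter),
                                    b["exploit"] or "not stated"))
    order = {"perimeter": 2, "internal": 1, "local": 0}
    findings.sort(key=lambda f: (RANK[f.rating], order[f.exposure]), reverse=True)
    return findings


# Constructed sample inventory (hypothetical host names).
SAMPLE_HOSTS = [
    Host("dc01", "win2000", {"dc"}, set()),
    Host("web01", "ws2003", {"iis_internet_printing"}, {"953155"}),
    Host("files01", "ws2008", {"file_server"}, set()),
    Host("pc07", "winxp", {"ie", "excel"}, {"956390", "956416", "956841"}),
]
# Constructed perimeter policy: the post's assumption that LDAP and SMB are blocked.
PERIMETER_BLOCKED = {139, 389, 445, 636}

if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS, PERIMETER_BLOCKED):
        print(f"{f.host:8} {f.bulletin} {f.rating:9} {f.exposure:9} exploit: {f.exploit}")
```

With the sample data, the unpatched Windows 2000 DC (MS08-060) sorts to the top, the file server’s SMB bug (MS08-063) comes next because it is network-reachable, and the purely local privilege-escalation bulletins follow. Feeding in a perimeter policy that does not block TCP 445 flips MS08-063 to ‘perimeter’ exposure, which is the point of the firewall caveats in the post.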
