Guest

2008-10-23 17:59:01
last modified: 2008-10-23 18:00:40

Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.


http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Guest

2008-10-23 20:54:42
last modified: 2008-10-23 21:03:58

Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)


As announced, Microsoft has released an out-of-band security update for a critical hole. The hole is a bug in the RPC service which, according to the bug report, can be exploited to smuggle code into a system over the network and execute it. Specially crafted RPC requests are all it takes, and to have them processed an attacker on Windows 2000, XP and Server 2003 does not even have to authenticate to the target system.

Microsoft explicitly points out that the hole has worm potential. The MSBlaster worm, alias Lovsan, spread in mid-2003 through a similar hole in the RPC service and caused considerable damage. However, that happened at a time when the firewall in Windows XP was not yet enabled by default, so many PCs were sitting unprotected both on the internet and in local networks.

In Security Bulletin MS08-067, the Redmond company also writes that there have already been initial targeted attacks in which attackers attempted to break into systems through the hole. No public exploit has been sighted so far, however. PCs with the firewall enabled are said to be safe from such attacks. Under Vista and Server 2008, prior authentication is also said to be required to exploit the bug.

Given that Windows from 2000 through Server 2008 is affected, the question arises how the faulty code could remain undetected for so long in such a sensitive server service of all places. Even the beta version of Windows 7 contains the bug. Microsoft repeatedly stresses that, as part of the Software Development Lifecycle (SDL), independent teams audit the program code both manually and with tools.

Microsoft recommends that all users install the update as soon as possible. Except for Windows 2000, all Microsoft operating systems receive the update automatically.

Source: heise online, News, 2008, week 43: "Microsoft patches critical hole in RPC service"
PovAddict
BAM!ID: 115
Joined: 2006-05-10
Posts: 1013
Credits: 5,785,239
World-rank: 79,398

2008-10-25 00:53:22

F-Secure: Out-of-band patch from Microsoft
Not running BOINC anymore for several reasons...
PovAddict

2008-10-27 21:23:25

F-Secure: Here's what has been going on with MS08-067 since Friday

As most of you likely know, Microsoft released an out-of-band update on October 23, 2008. This usually indicates a worm-capable vulnerability when there are already in-the-wild exploits. MS08-067 is very similar to MS06-040, the netapi vulnerability from a few years back.

We did some timeline analysis on Trojan-Spy:W32/Gimmiv, which exploits the vulnerability. As far as we can see, the first versions of Gimmiv were compiled around the 19th of September, which is well over a month ago. We also did a code comparison between the variants, and mostly the changes in the variants are because the attackers were changing parameters instead of introducing new features.

[read more]
Guest

2008-10-28 17:41:32

A public exploit has been circulated for the recent RPC hole in Windows. When the vulnerability was publicised last Wednesday, Microsoft still said in its security bulletin that although there were targeted attacks, the actual attack code wasn't publicly available – but the company did warn that the hole was a potential target for worms. It now seems that this prediction has come true, as a program called "Gimmiv.A" has reportedly been sighted in the wild. Gimmiv.A infiltrates vulnerable computers and sends information back to base. Some virus scanners and intrusion detection systems already offer signatures to recognise these attacks.

Security specialists Threatexperts have published a more in-depth analysis of Gimmiv in their blog. They report that the worm collects data on infected computers and sends them to a remote server in encrypted form. The exact content of the data has so far not been established. Microsoft points out that although Gimmiv.A installs malware on infected systems it does not spread by itself, which explains the relatively low number of incidents. This means that, technically speaking, Gimmiv.A is not a worm, as there is no automated distribution through the net.

Users are advised to immediately install the security update that closes the hole. Although the XP firewall – included and enabled by default since SP2 – prevents the worm from accessing the RPC service, XP will open the necessary ports within local networks when file and printer sharing services are activated. If that connection is also the internet connection and there isn't a proper firewall in place on the router, or if a user mistakenly links the file and printer sharing services to a dedicated internet link, then the service is potentially also available through the internet.

According to Microsoft, the Data Execution Protection feature under Windows XP and Server 2003 offers no protection against such attacks as the vulnerability is said to be located in a Windows code segment that is not protected by "/GS security" cookies. When functions compiled using the /GS option are called, they deposit a cookie on the stack. This cookie is overwritten and thus rendered void in the event of a typical buffer overflow, prompting Windows to suspend the system.

For Vista and Server 2008, the story appears to be different. Here, the Address Space Layout Randomization feature is said to make the hole more difficult to exploit. If possible, Windows will choose random addresses both for the code and for DLLs as well as data objects like stacks and heaps when loading a process. The functions within the exploit can then no longer identify the exact location to jump to.

According to Microsoft's own report, the vendor only found out about the hole about two weeks ago when investigating attacks on Windows XP systems. The hole is said to be located in the same code area as an RPC parsing and routing flaw (MS06-040) already fixed in 2006. Although the Vanebot and Mocbot worms exploited the hole, there was no widespread distribution at the time. Gimmiv.A is speculated to be a variety of Mocbot.

Article on heise-online.co.uk - Windows RPC hole being exploited already
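The /GS cookie mechanism the article above describes, shown in an added C example that is not part of this thread and is not Microsoft's code: an explicit struct stands in for a stack frame, so the oversized copy is a plain in-bounds byte write into that struct rather than real stack smashing, and the cookie value, the "saved return" value and the inputs are constructed for illustration. It shows why a frame without a cookie lets an unchecked copy silently overwrite whatever follows the buffer, while a cookie check catches the corruption before the clobbered value is used, which is the protection the article says the affected code path lacked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values: a real /GS cookie is randomized per process, and the
 * saved return address is whatever the caller's next instruction is. */
#define COOKIE_VALUE 0xC0DECAFEu
#define FAKE_RETURN  0x00401000u

/* Model of a stack frame: the local buffer, the /GS cookie placed right
 * after it, and the saved return address the cookie is meant to guard.
 * 16 + 4 + 4 bytes, no padding on common ABIs. */
struct frame {
    char     buf[16];
    uint32_t cookie;
    uint32_t saved_return;
};

/* A copy with no length check against the buffer size, the class of defect
 * the bulletin describes. Bytes are clamped to the struct so the example
 * itself never writes memory it does not own. */
static void unchecked_copy(struct frame *f, const char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)f;  /* buf is at offset 0 */
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(dst, src, len);
}

/* Frame compiled without /GS: nothing notices that the copy ran past buf,
 * and the corrupted saved return value is what the function would use. */
uint32_t without_cookie(const char *src, size_t len)
{
    struct frame f = { {0}, COOKIE_VALUE, FAKE_RETURN };
    unchecked_copy(&f, src, len);
    return f.saved_return;
}

/* Frame compiled with /GS: the cookie is checked before the return value is
 * trusted. Returns 1 if the cookie was clobbered (a real /GS check aborts
 * the process here), 0 if the frame is intact. */
int with_cookie(const char *src, size_t len)
{
    struct frame f = { {0}, COOKIE_VALUE, FAKE_RETURN };
    unchecked_copy(&f, src, len);
    return f.cookie != COOKIE_VALUE;
}

/* Constructed oversized input: 24 bytes of 'A', enough to cover the whole
 * frame, so both cookie and saved return become 0x41414141. */
static void fill_oversized(char *out, size_t n) { memset(out, 'A', n); }

int oversized_caught(void)
{
    char bad[sizeof(struct frame)];
    fill_oversized(bad, sizeof bad);
    return with_cookie(bad, sizeof bad);
}

uint32_t oversized_saved_return(void)
{
    char bad[sizeof(struct frame)];
    fill_oversized(bad, sizeof bad);
    return without_cookie(bad, sizeof bad);
}

int main(void)
{
    const char ok[] = "hello";
    printf("short input:     cookie clobbered=%d, saved return=0x%08x\n",
           with_cookie(ok, sizeof ok - 1), without_cookie(ok, sizeof ok - 1));
    printf("oversized input: cookie clobbered=%d, saved return=0x%08x\n",
           oversized_caught(), oversized_saved_return());
    return 0;
}
```

The cookie only helps on frames that carry one: a function compiled without /GS, or a frame whose overflow lands somewhere other than the region the cookie guards, gets no warning, which is the point the article makes about why DEP and /GS did not save the affected code path.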
PovAddict

2008-11-03 21:23:29

Code building on the proof of concept binaries that were mentioned last week has moved into the wild.

[http://www.f-secure.com/weblog/archives/00001526.html]