Out-of-Band Microsoft Security Bulletin Advance Notification for October 23, 2008


4 replies in this topic

#1 Monarch (Board Veteran, 1,071 posts)

Posted 23 October 2008 - 08:46

There seems to be an out-of-band security bulletin:

********************************************************************
Microsoft Security Bulletin Advance Notification for October 2008
Issued: October 22, 2008
********************************************************************

This is an advance notification of an out-of-band security bulletin
that Microsoft is intending to release on October 23, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for October 2008 can be found at
Microsoft Security Bulletin Advance Notification for October 2008.

This bulletin advance notification will be replaced with the
revised October bulletin summary on October 23, 2008. The revised
bulletin summary will include the out-of-band security bulletin as
well as the security bulletins already released on October 14, 2008.

For more information about the bulletin advance notification service,
see
Microsoft Security Bulletin Advance Notification.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
Microsoft Technical Security Notifications.

Microsoft will host a webcast to address customer questions on
this out-of-band security bulletin on October 23, 2008, at 1:00 PM
Pacific Time (US & Canada). Register for this out-of-band Security
Bulletin Webcast at
Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:


Critical Security Bulletin
============================

Windows Bulletin

- Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and
Windows XP Service Pack 3
- Windows XP Professional x64 Edition and
Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1 and
Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition and
Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP1 for Itanium-based Systems and
Windows Server 2003 with SP2 for Itanium based Systems
- Windows Vista and
Windows Vista Service Pack 1
- Windows Vista x64 Edition and
Windows Vista x64 Edition Service Pack 1
- Windows Server 2008 for 32-bit Systems
(Windows Server 2008 Server Core installation affected)
- Windows Server 2008 for x64-based Systems
(Windows Server 2008 Server Core installation affected)
- Windows Server 2008 for Itanium-based Systems

- Impact: Remote Code Execution
- Version Number: 1.0
Status: MCP; MCDST XP; MCSA 2003; MCTS: Windows Vista Configuration; MCITP: Enterprise Support Technician
Passed: 70-290, 70-270, 70-271, 70-272, 70-291, 71-621
Planned: ICND1, possibly 70-284, 70-299,

#2 Monarch (Board Veteran, 1,071 posts)

Posted 23 October 2008 - 13:02

Microsoft will release a critical security update this evening at around 19:00 (10 am PST) that affects all supported versions of Windows. The mere fact that the release is happening out-of-band shows how critical this patch is.

Code Red, Nimda, Slammer & Co. showed in the past how a hole of this kind invites attack. Although the patches for the holes that existed back then had been available for quite some time and Microsoft had pointed out the urgency of installing them, many administrators had not recognized the danger and failed to protect their systems accordingly against the attacks.

Administrators should prepare to roll out this patch as quickly as possible, since on all currently supported Windows versions except Windows Vista and Windows Server 2008 the hole can be exploited by unauthenticated attackers without user interaction.

The patch is rated critical for Microsoft Windows 2000 SP 4, Windows XP SP 2 & 3 and Windows Server 2003 SP 1 & 2 (including x64 Edition and Itanium-based systems), and important for Windows Vista Gold & SP 1 (including x64 Edition) and Windows Server 2008 (for 32-bit, 64-bit and Itanium-based systems).

In doing so we follow a rating system published years ago. The individual ratings mean:

Critical
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.

Moderate
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.


Source: Daniel Melanchthon: Out-of-band release: Kritisches Windows-Sicherheitsupdate

#3 Monarch (Board Veteran, 1,071 posts)

Posted 23 October 2008 - 20:34

More detail about MS08-067, the out-of-band netapi32.dll security update

Today Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix "out of band" (not on the regular Patch Tuesday). Due to the serious nature of the vulnerability and the threat landscape requiring an out-of-band release, you probably have questions about your own organization's risk level, what actions you can take to protect yourself, and why newer platforms are at reduced risk. We hope to answer those questions in this blog post.

Which platforms are at higher risk?

An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows Server 2000, Windows XP and Windows 2003. By default, Windows Vista and Windows Server 2008 require authentication. However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either one of the following two conditions exposes the RPC endpoint:

1) Firewall is disabled
2) Firewall is enabled but file/printer sharing is also enabled.

When File/Printer Sharing is enabled on Windows Vista and Windows Server 2008, the firewall only exposes the RPC interface to the network type shared. For example, if a printer is shared on a network type ‘Private’, the firewall will block incoming RPC connections if the computer switches over to a network type ‘Public’. If you then choose to share the printer on the network type ‘Public’, Vista and Windows Server 2008 will prompt to ask if you really want to enable “File and Printer Sharing” for ALL public networks.

For more information about file/printer sharing, visit the following URLs:

- for Vista: File and Printer Sharing in Windows Vista
- for XP: Making File and Printer Sharing Safer in Windows XP Service Pack 2

The following picture illustrates the risk for each platform in more detail.

http://blogs.technet...6/original.aspx


continued below...

#4 Monarch (Board Veteran, 1,071 posts)

Posted 23 October 2008 - 20:35

More about mitigations (DEP, ASLR, /GS)

On Vista and Windows Server 2008, the combination of Address Space Layout Randomization (ASLR, Michael Howard's Web Log : Address Space Layout Randomization in Windows Vista) and Data Execution Protection (DEP, A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003 ) will make the exploitation of this vulnerability more difficult. ASLR will randomize the base address of modules, heaps, stacks, PEB, TEBs, etc. making difficult the return into known locations. Known DEP bypass techniques will not be applicable on these platforms because of the presence of ASLR.

Regarding /GS protection, the stack frame of the function that contained the overflowed buffer was protected with a stack frame boundary cookie. However, due to the nature of this particular vulnerability, the exploit code is able to take advantage of another stack frame that was not meant to be protected by the /GS security cookie. The /GS security cookie is only emitted for functions meeting certain criteria.

UAC mitigates even when the prompting is disabled

As mentioned above, Windows Vista and Windows Server 2008 by default require authentication. But the security callback on the RPC interface has not been changed on the more recent platforms. Instead, the UAC and integrity level hardening work introduced with Vista is forcing the authentication requirement. The anonymous user connects with integrity level "Untrusted" while the named pipe requires at least a "Low" integrity level. Since "Untrusted" is lower than "Low" integrity level, the access check fails. Note that disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. The integrity level check will fail on Vista and Windows Server 2008 if the user connects anonymously. See Windows Integrity Mechanism Design for more information.

There is a non-default scenario where a non-domain-joined Windows Vista and Windows Server 2008 can be exploited anonymously. If the feature “Password Protected Sharing” is disabled, anonymous connections come in at “Medium” integrity level. Because "Medium" integrity level is a higher integrity level than "Low", the integrity level check will succeed. This would allow Windows Vista and Windows Server 2008 to be exploited anonymously. This feature could be disabled through Vista’s Network Sharing Center in the “Sharing and Discovery” section.

Most perimeter firewalls will block exploit attempts from outside your organization

If you are behind a perimeter firewall that filters inbound connections to TCP ports 139 and 445, you will not be reachable from the Internet. This is a common home user scenario. In this scenario, only the machines in your local LAN will have the ability to exploit this vulnerability.

continued below...

#5 Monarch (Board Veteran, 1,071 posts)

Posted 23 October 2008 - 20:36

How you can protect yourself

You should apply the security update as soon as you can. This is the best way you can protect yourself. While you are testing the update and preparing your deployment process, you may choose to use one or more of the workarounds listed in the security bulletin. (link to security bulletin) We have researched several options that range from turning off the affected component to limiting the exposure to authenticated users.

There is one other workaround option that we didn't include in the bulletin because it is not a supported scenario. The Server service exposes the vulnerable code over an RPC named pipe. The access control list for the named pipe is specified in the netapi32.dll code. It can be changed for any current Windows session. When Windows is rebooted, the ACL will get reset to the default value. However, if you were to change the ACL on every boot after the service is started, the window of attack for anonymous users would be very small. We have developed a simple tool that can remove the ANONYMOUS access control entry in the named pipe's access control list. (Please remember that this is not a supported scenario.) Here's what it looks like when run:

C:\>chacl.exe \\.\pipe\srvsvc
opening up \\.\pipe\srvsvc
Got back 3 ACE entries
Found an entry for ANONYMOUS LOGON. Deleting it...
deleted that ACE

Setting new DACL changes...
Done

C:\>chacl.exe \\.\pipe\browser
opening up \\.\pipe\browser
Got back 3 ACE entries
Found an entry for ANONYMOUS LOGON. Deleting it...
deleted that ACE

Setting new DACL changes...
Done

Posting is provided "AS IS" with no warranties, and confers no rights.


Source: Security Vulnerability Research & Defense : More detail about MS08-067, the out-of-band netapi32.dll security update
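An added example (my own Python, not code from the thread, from Microsoft, or from the chacl.exe tool shown above) that models the two checks described in posts #4 and #5: the integrity-level (mandatory label) check that Vista and Server 2008 apply to the srvsvc named pipe, and the DACL check whose ANONYMOUS LOGON entry chacl.exe removes. The well-known SIDs are real; the DACL entries, the token group lists and the platform names are constructed for illustration, not taken from the real pipe.

```python
# Added example: a model of the srvsvc named-pipe access check as described in
# the SRD blog post quoted above. Well-known SIDs are real Windows values; the
# DACL contents and token groups are CONSTRUCTED and not the real pipe's ACL.

ANONYMOUS = "S-1-5-7"        # ANONYMOUS LOGON
AUTH_USERS = "S-1-5-11"      # Authenticated Users
ADMINS = "S-1-5-32-544"      # BUILTIN\Administrators

# Mandatory integrity level SIDs (S-1-16-<rid>); a larger RID is a higher level.
UNTRUSTED, LOW, MEDIUM = "S-1-16-0", "S-1-16-4096", "S-1-16-8192"
PIPE_LABEL = LOW             # the pipe requires at least "Low", per the post

# Constructed DACL with three (sid, access_allowed) entries, as in the chacl output.
DEFAULT_DACL = [(ANONYMOUS, True), (AUTH_USERS, True), (ADMINS, True)]


def rid(sid):
    """Last sub-authority of a SID; for S-1-16-* SIDs this is the level."""
    return int(sid.rsplit("-", 1)[1])


def remove_anonymous_ace(dacl):
    """What the post's chacl.exe does: drop the ANONYMOUS LOGON entry."""
    return [ace for ace in dacl if ace[0] != ANONYMOUS]


def anonymous_token(platform, password_protected_sharing=True):
    """Return (group SIDs, integrity level) of an anonymous RPC client."""
    if platform in ("win2000", "xp", "win2003"):
        return [ANONYMOUS], None          # no integrity levels before Vista
    # Vista / Server 2008: Untrusted by default; Medium only when the
    # non-default "Password Protected Sharing = off" setting is in effect.
    level = UNTRUSTED if password_protected_sharing else MEDIUM
    return [ANONYMOUS], level


def access_check(token_sids, token_level, dacl):
    """Mandatory label check first, then the discretionary ACL."""
    if token_level is not None and rid(token_level) < rid(PIPE_LABEL):
        return False                      # e.g. Untrusted (0) < Low (4096)
    return any(allow and sid in token_sids for sid, allow in dacl)


def anonymous_reaches_srvsvc(platform, dacl=DEFAULT_DACL,
                             password_protected_sharing=True, uac_prompt=True):
    # uac_prompt is deliberately unused: per the post, disabling the UAC
    # prompt does not disable the integrity level check.
    sids, level = anonymous_token(platform, password_protected_sharing)
    return access_check(sids, level, dacl)
```

Running anonymous_reaches_srvsvc("xp"), ("vista") and ("vista", password_protected_sharing=False) reproduces the three cases the post walks through; passing remove_anonymous_ace(DEFAULT_DACL) as dacl shows why the unsupported chacl workaround closes the anonymous path on every platform.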