All about ms08 068

On November 11, 2008, Microsoft Corporation (NASDAQ:MSFT) released two security bulletins where it provided necessary information and patches for four program bugs. One bulletin, talking about the vulnerability known as MS08-068 has been rated “important” and the other vulnerability, MS08-069, has been rated “critical.”

The MS08-068 is a vulnerability related to Microsoft’s Server Message Block (SMB) system. According to the official website of Microsoft, the vulnerability allows remote code execution on affected systems. It says:

An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The MS08-068 security update has been rated important for all the editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and moderate, for all the editions of Windows Vista and Windows Server 2008. Interestingly, this vulnerability was made public in 2001. Eric Schultze, CTO, Shavlik Technologies, LLC, said:

“Sir Dystic, from Cult of the Dead Cow, found a vulnerability in Microsoft operating systems that enabled attackers complete access to user’s computers. He wrote a utility called SMBRelay to demonstrate the flaw. Microsoft was aware of the issue but didn’t issue any security bulletins or patches to correct the behavior. Well, it looks like they’ve finally seen the light and have addressed this issue via the MS08-068 patch.”

Schultze used to demonstrate the after effect of the attack in various classroom training sessions and it surprised the students very much. Christopher Budd, who used to work at the Microsoft Security Response Center (MSRC) in 2001 said:

When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.

Tyler Reguly, security research engineer, nCircle, said that Microsoft has chosen to release the patch now because of the availability of the SMB relay module in the Metaspoilt framework for several months.

The MS08-069 is a vulnerability of Microsoft MSXML parser. It comes with the MS office products. If the user opens up a malicious document or website that has been maliciously crafted, he/she will be hacked. Computer World says:

The most serious of the two updates, MS08-069, fixed three separate flaws in XML Core Services, the component that not only provides interoperability between several scripting languages — including JScript and Visual Studio — and XML applications, but more importantly allows Internet Explorer to render XML-based content.

Your ads will be inserted here by

Easy AdSense.

Please go to the plugin admin page to paste your ad code.

“The name says it all,” said Andrew Storms, director of security operations at nCircle Network Security Inc. “This is a core service for all versions of Microsoft Windows, and it will certainly be a source of research for attackers.”

Ben Greenbaum, Senior research manager, Symantec Corporation (NASDAQ:SYMC)  said that the XML Core Services vulnerability is more of a concern because it would have more of an opportunity to be exploited. Of the three bugs, there is one “critical” patch which was labeled as Common Vulnerabilities and Exposures (CVE) in early 2007. Microsoft said that the patch was published more than 22 months ago.

Useful links:

Computer World

CIO

blogs.technet.com

Information Week