[STEAM-ADVISORY] MS08-067, Critical Windows remote code execution vulnerability

Security Team threat advisory notification list. steam-advisory at lists.purdue.edu
Thu Oct 23 13:59:08 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MS08-067, Critical Windows remote code execution vulnerability.

STEAM-ADVISORY NO. 2008102301
PURDUE UNIVERSITY SECURITY TEAM CIRT
23 October 13:45:00 EDT 2008

**** NOTICE ****
Also listed as CVE-2008-4250

Microsoft reports a "limited, targeted attack attempting to exploit this
vulnerability".
****************


==OVERVIEW==

Today, Microsoft released an out-of-cycle patch to address a critical,
unauthenticated, remote code execution vulnerability in its Windows
operating systems. This vulnerability exists in the Server service and
can be exploited via a specially crafted RPC request. Successful
exploitation gives an attacker complete control over a system.

==SYSTEMS AFFECTED==

 * Microsoft Windows 2000 Service Pack 4
 * Windows XP Service Pack 2
 * Windows XP Service Pack 3
 * Windows XP Professional x64 Edition
 * Windows XP Professional x64 Edition Service Pack 2
 * Windows Server 2003 Service Pack 1
 * Windows Server 2003 Service Pack 2
 * Windows Server 2003 x64 Edition
 * Windows Server 2003 x64 Edition Service Pack 2
 * Windows Server 2003 with SP1 for Itanium-based Systems
 * Windows Server 2003 with SP2 for Itanium-based Systems
 * Windows Vista and Windows Vista Service Pack 1
 * Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1
 * Windows Server 2008 for 32-bit Systems
 * Windows Server 2008 for x64-based Systems
 * Windows Server 2008 for Itanium-based Systems

==DETAILS==

A remote code execution vulnerability in the Windows operating
system has been reported to Microsoft, prompting the release of a
critical out-of-band patch today. Vulnerable systems can be exploited
via a specially crafted RPC request which leverages a flaw in the Server
service of Windows. Exploitation does not require the attacker to be
authenticated and can be performed remotely. A successful attack results
in the compromise of the operating system and allows the attacker to
have complete control of a system.


==SOLUTIONS==

Microsoft recommends that administrators apply this update immediately.
This patch requires a reboot.

Other best practices can also mitigate this threat, such as disabling
unused services and using firewalls at the operating system and network
levels to block TCP ports 139 and 445. Specifically, Microsoft
recommends disabling the Server and Computer Browser services as a
potential workaround if the system cannot be patched immediately.
Alternatively, on Vista and Server 2008, the affected RPC identifier can
be filtered (see MS08-067 for detailed instructions).

==FURTHER INFORMATION AND RESOURCES==

MS08-067
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

CVE-2008-4250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Secunia Advisory SA32326
http://secunia.com/Advisories/32326/

SANS ISC
http://isc.sans.org/diary.html?storyid=5227

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
  itap-securityhelp at purdue.edu.

Report computer-related abuse to steam-cirt:
  http://www.purdue.edu/securePurdue/incidentReportForm.cfm

http://www.purdue.edu/securepurdue/steam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkAu2wACgkQPROieKcG94yfgwCgji0dTlk7dfQzn8INgVEESxqc
tg8AoJOh4LQTC3FX9Gxd2BD4fbs9Z39p
=UvZl
-----END PGP SIGNATURE-----
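
The interim workarounds from the SOLUTIONS section, as an added PowerShell example (not part of the original advisory or of Microsoft's bulletin): it reports the state of the Server and Computer Browser services and any listeners on TCP 139/445, and with -Apply disables the services and blocks the ports on the host firewall. The service short names LanmanServer and Browser, the firewall rule name, and the choice of netsh and netstat are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example: audit and optionally apply the advisory's interim workarounds.
# Without -Apply the script only reports; nothing is changed.
param([switch]$Apply)

# Assumed short names of the "Server" and "Computer Browser" services.
$services = 'LanmanServer', 'Browser'

foreach ($name in $services) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Output "$name : service not present"
        continue
    }
    Write-Output ("{0} ({1}): state={2}, start mode={3}" -f `
        $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode)

    if ($Apply) {
        # -Force also stops dependent services (Computer Browser depends on Server).
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $name -StartupType Disabled
        Write-Output "$name : stopped and set to Disabled"
    }
}

if ($Apply) {
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        # Vista / Server 2008: explicit inbound block rule (rule name is constructed).
        netsh advfirewall firewall add rule name=MS08-067-block-smb `
            dir=in action=block protocol=TCP 'localport=139,445'
    } else {
        # XP / Server 2003: Windows Firewall denies inbound traffic unless an
        # exception allows it, so turn off the File and Printer Sharing exception.
        # Windows 2000 has no Windows Firewall; filter at the network level there.
        netsh firewall set service type=fileandprint mode=disable
    }
}

# Report anything still listening on the ports the advisory says to block.
$listeners = netstat -an | Select-String -Pattern ':(139|445)\s+\S+\s+LISTENING'
if ($listeners) {
    Write-Output 'Still listening on TCP 139/445:'
    $listeners | ForEach-Object { Write-Output ("  " + $_.Line.Trim()) }
} else {
    Write-Output 'No listeners on TCP 139 or 445.'
}
```

Disabling the Server service stops file and printer sharing from the host, so treat this as a stopgap until the patch is installed and the system rebooted.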