Register now for the December 2008 Security Bulletin Webcast
Hosts: Christopher Budd, Security Response Communications Lead
Adrian Stone, Lead Security Program Manager (MSRC)
Chat Topic: November 2008 Security Bulletin
Date: Wednesday, November 11, 2008
Q: Along with the expected updates, my Windows Server Update Services (WSUS) servers picked up KB948110, an update for SQL Server 2000 Service Pack 4, during the same sync on Wednesday morning. What gives?
A: There was a minor revision to the SQL Server update to prevent it from being incorrectly offered to x64 machines. When there are revisions to updates, WSUS servers will sync down this update to insure that your infrastructure has the latest information.
A: If you disapprove the update on your WSUS server your update will be removed from your network.
A: The Server Message Block (SMB) update (MS08-068) is enterprise specific, the attacker can only get code to run in the context of the logged on user. They cannot elevate privileges as part of this vulnerability and exploitation of this vulnerability requires user interaction as well (requires authentication).
Q: Do you have any information regarding “cdudf_xp”? After researching Microsoft site, there have been some suggestions that this could be spyware that is hiding itself as this file.
A: You can obtain free security-related support from Microsoft Customer Support Services (CSS) by calling +1 (866) PC-SAFETY (+1 (866) 727-2338) in the U.S. and Canada, or at your local international subsidiary at <http://support.microsoft.com/common/international.aspx>
Q: Please explain with an example how MS08-068 can be exploited. If you could include the attack vector an attacker would use and how s/he would exploit the vulnerability, it would help in assessing the risk.
A: A SMB reflection attack requires an attacker to convince a user to visit a malicious server under the attackers’ control. If the attacker can convince a user to connect to their server, then the attacker gets the users credentials and can take those credentials and reflect them back to the user.
Q: Is this vulnerability (MS08-068) being exploited in the wild on Windows XP? What about the other Operating systems?
A: Microsoft is not aware of any customers reporting that they have been exploited using this vulnerability; however there is publicly available POC and tools that can leverage this vulnerability.
Q: In MS08-069, in case of a corporate environment, are we referring to firewall best practices at the perimeter or at the workstations?
A: I think this question is in reference to MS08-068 (SMB). Perimeter firewall is what is referenced in the bulletin. Workstations can also block SMB connections by restricting ports (139 and 445) however blocking SMB at the workstation can severely impact the workstations ability to communicate normally with intranet resources as well as block active directory communication.
Q: Depending on the threat level of malware, can Microsoft release the MSRT (Malicious Software Removal Tool) OOB (Out-Of-Band)?
A: We schedule normal MSRT releases to coincide with bulletin releases. As always, we continue to monitor the threat landscape and make adjustments where needed to respond. This includes releasing updates out of band.
Q: What determines whether a reboot is needed or not?
A: Each update has specific instructions on the requirement of a reboot built into to package. General guidelines for an update requiring a reboot is if the system has vulnerable bits loaded into memory that will be replace on next system startup.
Q: Regarding the first update (MS08-068), would an attacker be able to capture credentials “off the wire” and then replay? Also, you mentioned that the attack would be back to the users’ system. Could the credentials be fired at any system where the credentials were valid?
A: The credentials cannot be grabbed off the wire; an attacker needs to have the client connect to their server. The credential token can be used to forward to other systems where the credentials are valid.
Q: I understand from <blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.html > that the update for MS08-068 (typo in the URL) is narrow, and that more attack vectors are easily possible, especially with this blog post.
A: This particular bulletin closed the credential reflection attack; however it does not address other credential attacks which may still be possible.
Q: Has Microsoft received reports of file locking problems caused by MS08-067 conflicting with McAfee VirusScan 8.7i?
A: No – we have not received reports of this. Currently, the MS08-067 update has no known issues