Most common questions that we’ve been asked regarding MS08-067

Since the release we have received several great questions regarding MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), so we decided to compile answers to them. We still want to encourage everyone to apply the update. Can the vulnerability be reached through RPC over HTTP? No, the vulnerability cannot be reached through RPC over HTTP. RPC over HTTP is an…

More detail about MS08-067, the out-of-band netapi32.dll security update

Today Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix “out of band” (not on the regular…

Bulletin severity for October bulletins

Bulletin severity is an interesting topic to many blog readers.  We often hear that you think a bulletin should be rated higher or lower.  Sometimes we even hear one person suggesting a higher rating and another suggesting a lower rating for the same issue.  :)  This post is not to advocate for or against the…

MS08-066 : Catching and fixing a ProbeForRead / ProbeForWrite bypass

The driver afd.sys is responsible for handling socket connections.  MS08-066 addresses several vulnerabilities in afd.sys that could allow an attacker to execute arbitrary code in kernel mode. These vulnerabilities can only be exploited locally and there is no remote vector from our investigations. One of these vulnerabilities involves a ProbeForRead / ProbeForWrite bypass when using…

MS08-065 : Exploitable for remote code execution?

Today, we released MS08-065 to fix an issue in MSMQ.  You’ll notice that the bulletin was rated “Important” and indicates that remote code execution is possible.  However, we would like to show you that in practice the severity of the fixed issue is limited only to information disclosure. If the MSMQ service were installed by…

MS08-061 : The case of the kernel mode double-fetch

MS08-061 addresses several vulnerabilities in win32k.sys that allow arbitrary code execution in kernel mode. These bugs can only be exploited locally; our investigation of the vulnerability found no remote vector. One of these vulnerabilities involves multiple kernel-mode accesses of user-mode data, leading to an interesting race condition.  When…
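The double-fetch pattern the excerpt describes, as an added example that is not code from the SRD post or from win32k.sys: a kernel handler reads a length from a caller-owned buffer once to validate it and again to use it, and a second user thread changes the value in between. The request layout, the handler names and the use of a function call to stand in for the thread switch are all assumptions made for the demonstration; everything runs in one user-mode process so the race can be forced deterministically, and the vulnerable copy is capped so the demo itself stays memory-safe while still reporting the length it would have used.

```c
/* Added example: simulated kernel double-fetch (TOCTOU) on user-mode data.
 * Not from the SRD post or win32k.sys; names and layout are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64

/* Hypothetical request layout shared with user mode. In a real driver this
 * memory is owned by the caller and can change at any time while the kernel
 * is still handling the request. */
struct user_req {
    uint32_t len;
    uint8_t  data[256];
};

/* Value the "attacker thread" writes into req->len between the kernel's two
 * reads. A plain function call models the thread switch. */
static uint32_t g_len_after_race;

static void attacker_thread(struct user_req *req)
{
    req->len = g_len_after_race;   /* TOCTOU: change len after the check */
}

/* Vulnerable pattern: len is fetched once to validate and again to use. */
static size_t handle_vulnerable(struct user_req *req)
{
    uint8_t kbuf[KBUF_SIZE];

    if (req->len > KBUF_SIZE)          /* fetch 1: the check */
        return 0;                      /* rejected */

    attacker_thread(req);              /* another thread wins the race */

    size_t n = req->len;               /* fetch 2: the use; may now exceed KBUF_SIZE */
    /* A real driver would memcpy(kbuf, req->data, n) here and overflow kbuf.
     * The copy is capped so this demo stays memory-safe; n is still returned
     * so the caller can see what would have been copied. */
    memcpy(kbuf, req->data, n < KBUF_SIZE ? n : KBUF_SIZE);
    return n;
}

/* Fixed pattern: capture len into kernel-owned storage once, then check and
 * use that copy. The user thread can still change req->len, but nothing
 * below reads it again. */
static size_t handle_fixed(struct user_req *req)
{
    uint8_t kbuf[KBUF_SIZE];
    uint32_t len = req->len;           /* single fetch */

    if (len > KBUF_SIZE)
        return 0;                      /* rejected */

    attacker_thread(req);              /* the race still happens... */

    memcpy(kbuf, req->data, len);      /* ...but the captured len is used */
    return len;
}

/* Runs one request through the chosen handler with the attacker racing in
 * between. Returns the byte count the handler used, or 0 if it rejected
 * the request. Buffer contents are constructed filler (0x41). */
size_t simulate(int hardened, uint32_t len_at_check, uint32_t len_after_race)
{
    struct user_req req;
    memset(&req, 0x41, sizeof req);
    req.len = len_at_check;
    g_len_after_race = len_after_race;
    return hardened ? handle_fixed(&req) : handle_vulnerable(&req);
}

int main(void)
{
    printf("vulnerable: checked 16, used %zu bytes\n", simulate(0, 16, 200));
    printf("fixed:      checked 16, used %zu bytes\n", simulate(1, 16, 200));
    return 0;
}
```

The fix is not "check harder" but "fetch once": every value that crosses the user/kernel boundary is copied into kernel-owned storage before it is validated, and only that copy is used afterwards. The same rule applies to pointers and structure fields read through a probed user buffer, not just lengths.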

MS08-059 : Running Microsoft Host Integration Server 2006 as non-admin

Microsoft Host Integration Server 2006 is an interesting product.  It allows developers to manage business processes on IBM mainframe and AS/400 (big iron) servers as XML web services.  You can find a free trial version available for download at http://www.microsoft.com/hiserver/downloads/default.mspx. Unfortunately, access to the management interface was not properly locked-down.  MS08-059 is an update for…

Service isolation explanation

The past few days, we have had service isolation on our minds here in Redmond after the POC code posting last week from Cesar Cerrudo.  Nazim Lala from the IIS team posted a great blog entry about the fix and why it is taking so long to release it.  I expect it to be close…
