Register now for the November 2008 Security Bulletin Webcast
Security Bulletin Webcast Q&A Index
Hosts: Christopher Budd, Security Response Communications Lead
Adrian Stone, Lead Security Program Manager (MSRC)
Website: TechNet/security
Chat Topic: Microsoft out-of-band Security Bulletin (MS08-067) TechNet Webcast
Date: Thursday, October 23, 2008 and Friday, October 24, 2008
Note: The below questions were submitted from webcast attendees and are not necessarily in the order they were addressed during webcast.
Q: Does it bypass the network security (i.e. firewalled system) of the system, and how large a scale are we talking in terms of current use in the wild?
A: We have seen limited, targeted attacks in the wild. The mitigations and workarounds for this vulnerability are listed in the security bulletin, including blocking ports 139 and 445. The Microsoft out-of-band security bulletin for October 2008 is here: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Q: It is possible to mount local drives on remote systems using RDP. Does Windows use RPC for that, too? May a worm that is active on a workstation use RDP to replicate a remote system?
A: Remote desktop protocol does not use RPC to mount drives.
Q: The default configuration of the Windows Firewall exception for File and Print sharing has a “subnet only” scope. For a machine connected directly to the internet, wouldn’t this scope limitation provide some protection against worm propagation (assuming the exception has been allowed on that machine)?
A: Any exposure to the vulnerability leaves the system exposed to compromise.
Q: Do you see this update being revised? For example, we roll this out tonight, and the update is later revised. Will MSBA show as false positive?
A: No, MBSA 2.1 will use the latest information that is supplied via Microsoft Update.
Q: So hibernation would not be a reboot, correct?
A: Correct. Hibernation will not substitute a reboot.
Q: What are issues with installing this patch on Windows 2003 cluster?
A: There are no known issues reported with this update.
Q: On Windows Vista, if User Access Control (UAC) has been disabled, should this be considered critical instead of important?
A: If the UAC prompting is disabled, the integrity levels foundational work still works to require authentication. The Security Vulnerability Research & Defense blog has a LOT more information about this. It is still important though…Protections afforded by UAC enhancements are in place even if the UAC prompting has been disabled.
Q: Can this attack happen through RPC/HTTPS?
A: This attack cannot happen via RPC over HTTP. The IIS server works as an RPC proxy but it doesn’t forward on all RPC traffic.
Q: Are Windows 2000 pre-SP4 and Windows 2003 pre-SP1 (RTM) affected by this vulnerability?
A: All currently supported versions of Windows are impacted. Please refer to the security bulletin for all affected products: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Q: Will systems lacking the latest current service pack be applicable to receive the security update?
A: All supported operating systems/and service packs can and should install the update. A complete list is found in the security bulletin as well as information on what to do if you are running older platforms.
Q: Did I hear you say this update is not un-installable? Slide 9 says it is un-installable.
A: The update is un-installable through Add and Remove programs in Control Panel.
Q: What has been the vector of the previous attacks?
A: We believe the primary attack vector for any attacks will be a connection from an attacker to a vulnerable system over TCP ports 139 or 445, connecting to the server service to send malformed RPC requests.
Q: What happens when a system becomes infected if the update has not been applied and it is applied afterwards?
A: The system would have to first be cleaned of the infection and then security update would need to be applied in order to keep the system from being compromised again.
Q: As stated, the server service isn’t accessible through firewalls with default configuration but would it be possible to get infected another way such as by websites (asp or java) that call on the server service?
A: The vulnerability is caused by the Windows Server service not properly handling specially crafted RPC requests. We have no reports of this being exploitable through websites.
Q: If the Server service is disabled, does that mitigate the known attack vectors?
A: No. Unfortunately the BROWSER service runs in the same svchost so attackers could reach the vulnerable code through the Browser service.
NOTE: we previously said that disabling the server service was a mitigation. You need to disable server service and browser service.
Q: It’s an unauthenticated buffer overflow on Windows XP and earlier. Did ASLR have anything to do with it being medium on Windows 2008 and Windows vista?
A: Yes. ASLR, DEP, UAC and other technologies played a role in reducing the impact of this vulnerability in Windows Vista and Windows Server 2008. More information about this can be found on Michael Howard’s blog at http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
Q: Windows Vista & 2008 severity is important due to authentication being required to remote exploit. What level of authorization is required? Would a default domain-joined Vista install allow a domain user context to exploit remotely?
A: The Security Vulnerability Research & Defense (SVRD) blog at http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx has a detailed matrix showing which scenarios are vulnerable. Any authenticated user on Vista and 2008 could exploit this vulnerability if the endpoint is reachable (firewall determines if it is reachable).
Q: Does this and how affect the ISA?
A: We are not aware of any issues with the ISA firewall at this time. We are continuing to investigate.
Q: What methods (network/email/web) can this vulnerability be exploited? What non-updated protection methods can be used?
A: This vulnerability can be exploited through an RPC interface. There are non-update workarounds published at the SVRD blog http://blogs.technet.com/swi/
Q: Is there a reason why I would not want to turn the server service off for workstations?
A: If the Server service is disabled, you will not be able to share files or printers from your computer.
Q: Would an attacker exploit External to Internal? Is there an external FW port that can be blocked?
A: An attacker could exploit external to internal if a perimeter firewall does not block the exploit. You can block external attacks at your perimeter router by filtering TCP port 139 and 445.
Q: Is there a potential impact installing on Exchange 2003 or OWA2003? (We dont have a test server)
A: We have ensured that the update is of high quality and there should not be any impact of installing it on Exchange 2003 or any other application.
Q: Also we use a behavior-based IP agent on our endpoints. Is there a behavior we can identify and wrap rules around it to prevent exploit?
A: The exploits we have seen so far attempt to download a Trojan and run it. Depending on what behavior is blocked, you might be safe from that specific exploit. However, exploit writers are very tricky and rules can be bypassed.
Q: I cannot find the bulletin on our SCCM 2007 server. Is it actually ready for download? I’m sitting in Denmark.
A: All updates should be propagating world-wide and should be available soon, if not now.
Q: Are there Metasploit or Nessus plugins available yet?
A: We’re watching and haven’t seen an exploit yet. We have heard rumors that ImmunitySec CANVAS has made some progress towards a working exploit today.
Q: So say by default Vista and Win2K8 requires authentication, is it possible to configure Windows XP/2003 to do the same? Say through local security settings in group policy?
A: The authentication protection provided by Vista is afforded through enhancements in the User Access Control. It is not configurable on XP/WS03.There is a way but it’s not super clean. The access control list is hard-coded in the source code so it cannot be changed easily through group policy. We did publish some code attached to the aforementioned SVRD blog that could be built and run to prevent anonymous connections from being able to exploit the vulnerability.
Q: Is a new CAB file being released today? Or when?
A: Yes a New Cab was released at 10 AM PST. It does take some time to replicate to all of the download servers throughout the world.
Q: If we are blocking ports 139 and 445 inbound from the internet at our firewall, are we fully protected if we do not install the update right away?
A: Block these ports at your perimeter will protect from external attacks. However, attacks that originate from within your network will not be prevented.
Q: Does this vulnerability also affect RPC/HTTP connected Exchange?
A: No – vulnerability cannot be reached via RPC over HTTP.
Q:I have “approved” the update via WSUS at 2pm. I do not see it listed on the client computer (windows update shield). The WSUS server shows the update as installed 9%. How should I interpret this ??
A: This is all dependent on how your Computers have been configured to talk to your WSUS server. Default configuration is to contact the WSUS server once every 22 hours. Clients will not report Compliance/Needing this update until they contact the server.
Q: Can we get a clarification if a worm has been detected in the wild? I heard you say there wasn’t, but my information Security manager said your CSIRT said there was a worm in wild.
A: To be clear - we do NOT know of a worm currently in the wild exploiting this vulnerability.
Q: Are there any known malicious code out in the wild taking advantage of this vulnerability at this point? If yes, has it been given a name under which it might be detected by anti malicious products?
A: The Microsoft Malware Protection Center’s (MMPC) name for this malware is Exploit:Win32/MS08067.gen!A
For more information, please visit the MMPC page: http://www.microsoft.com/security/portal/
Their team blog, which has additional information is: http://blogs.technet.com/mmpc/
Q: What are the symptoms after exploitation? Is anything logged in Event Viewer for example? i.e. as sys admin, is there anything we should be looking for to identify machines that may have been exploited before the security update has reached the machine?
A: Yes, look for svchost.exe crashes in module netapi32.dll. However, this will only be the case for failed attacks. Successful attacks will not register.
Q: Should we do this for the servers that are within our infrastructure behind Checkpoint firewalls? We are deploying this right away to our DMZ servers.
A: Yes. The update should be applied to all your systems. Internal systems will not be attacked from the Internet but they will still be vulnerable to internal attacks.
Q: Is the Malware a rootkit? Are there IDS Signatures? Is there an IP address the malware is phoning home too?
A: The latest info on the malware can be found on the Microsoft Malware Protection Center blog at http://blogs.technet.com/mmpc/ . Information was provided to IDS vendors so they can create signatures.
Q: When will WSUS pick up the Vista and W2K8 updates? So far WSUS has only picked up the critical updates for XP and W2K3…
A: All of the updates should have been downloaded to your WSUS server at the same time. If this is not the case, if you have WSUS 3.0 SP1, you can download the specific updates directly from the Microsoft Update Catalog using the “Import Updates” from the “Updates” page.
Q: Why does the server service get affected? Why is this vulnerable? Are you only vulnerable if you have file and print sharing enabled? Can you just disable file and print services for mitigation until you can install the patch?
A: The server services is affected due to a stack-based buffer overflow inside a loop. You are vulnerable if you have file and printer sharing enabled or if your firewall is turned off. Detailed information about this can be found at the SVRD blog http://blogs.technet.com/swi/
Q: Has the malware samples been shared with other AV vendors for emergency or extra dat / signatures?
A: Yes - we have been working with all of our partners including AV vendors. See the MMPC blog for the latest info at http://blogs.technet.com/mmpc/.
Also, Microsoft has a new program, the Microsoft Active Protections Program (MAPP), in which we share vulnerability information. Please check the partners for their active protections - http://www.microsoft.com/security/msrc/mapp/partners.mspx
Q: This will replace the MS06-040….are you feeling that this is worse or similar to that situation? Will Symantec have definitions to detect the malware that is out there?
A: This is a very similar vulnerability as MS06-040. However, we believe the ecosystem is in a better position to respond than in previous incidents. We have worked hard to get detection logic to trusted vendors who can help block attacks. Additionally, Symantec is a partner in our Microsoft Active Protections Program and the partners and some links to their active protections are here: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Q: You keep mentioning self-replicating attacks. Are the attacks in the wild self-replicating?
A: No.
Q: Are there known exploits that result in elevated privileges?
A: Limited, targeted exploits have been seen in the wild that result in remote code execution with system privileges.
Q: We’re using SMS 2003. After downloading the updated catalog, there are only English version of the updates. Will there be other language versions released?
A: Yes. The update has released in all language versions.
Q: MS06-070 (as well as XP SP3) also appears to supersede MS06-040. Are these superseding updates related to MS08-067, or are these superseding updates all independent of each other?
A: The bulletin supersedence is for the affected component. The bulletin only calls out the specified platforms where supersedence occurs.
Q:Are updates going to be pushed out to Tipping Point and similar vendors?
A: Information has been provided to IDS vendors. You should check with your vendor to determine when their updates will be provided. Tipping point is a MAPP partner. Please refer to their website or our MAPP pages, which can be found here: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Q: MS08-067 is stating that the update is only for XP SP2/3 and Server2003 SP1/SP2. Does that mean that XP SP1/RTM and Server2003 RTM is NOT affected??
A: No it does not. Those platforms are not supported and our bulletins only discuss supported platforms.
Q:Is this Vulnerability related to a prior security update? Is it possible that an update in October has caused the Vulnerability?
A: The update is not related to any issues from the October security release. The component updated was previously updated by MS06-040.
Q: Can the ‘Server’ Service be restarted after the patch has been applied, to avoid rebooting?
A: You’ll have to actually restart the svchost.exe where the Server service runs. And there is a lot of stuff going on in that netsvc svchost. We haven’t tested trying to become safe without rebooting. The update requires a reboot to flush the current binary out of memory, a service restart is not enough to protect your systems.
Q: If the uuid that is being used in the exploit is blocked what will actually be stopped ? Will it block file shares ?
A: When blocking the UUID (universally unique Identifier), certain applications that rely on the Microsoft Server Message Block (SMB) Protocol may not function as intended. However, you will still be able to view and use file shares and printer resources on other systems.
Q: Any details on current targeting of malware?
A: For the most current information about the malware, you can reference the Microsoft Malware Protections Center blog at http://blogs.technet.com/mmpc/
Q: It says in the description that a ‘wormable exploit’ is possible. I think that is horrifying. Could you give any kind of indication how likely this is actually going to occur?
A: We know this vulnerability is able to be put into a self-propagating exploit. We cannot estimate the likelihood of this actually occurring. However, the threat of such an exploit was sufficient enough for us to release an update out-of-band update as we have done today.
Q: Our IDS vendor is claiming to have a signature to address this vulnerability and have had it since 2006. Can you expand on that claim?
A: While we cannot speak authoritatively to what other vendors say about their signatures, there was a very similar vulnerability in 2006 - MS06-040. It is possible that the IDS vendor built protections for that vulnerability that may also applies to this vulnerability.
Q: Are there known self-propagating exploits against this circulating in the wild?
A: At this time, we have not seen a self-propagating exploit in the wild.
Q: Has any regression testing has been done if we want to uninstall the patch?
A: Yes - this testing was completed and no issues were discovered.
Q: Is it possible to explain what a “well configured firewall” means?
A: In this case, block inbound TCP/139 and TCP/445. For other threats, other ports should be blocked but those two ports are sufficient to prevent this vulnerability from being exploited.
Q:I s this a buffer-overflow issue? Does Cisco Security Agent (CSA) mitigate the vulnerability?
A: It is a stack based buffer overflow. Cisco is one of our Microsoft Active Protections Program partners and they have received guidance. I’d expect them to provide protections soon. We encourage you to reference the following page any time a Microsoft security update has been released: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Q: Is there an exploitability index rating for this vulnerability?
A: The Exploitability Index assessment is available in the October summary, which is found here: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Q: What is the need for the reboot, is it a functionality requirement? What level of regression testing has been performed?
A: A reboot is needed to protect your system and ensure the update has been properly installed. The updated has undergone regression testing.
Q: Does this affect any Microsoft SQL Server software?
A: No, this does not affect SQL Server software, only the underlying OS.
Q: Can you please elaborate on the attack vectors and the potential impacts if the patch is applied to a server and not rebooted.
A: An attacker could try to exploit the vulnerability by sending a specially crafted message to an affected system. An attacker who successfully exploits this can execute code with system privileges. A reboot is required after installation to be protected.
Q: Are you expecting more security patches in addition to the one released today? If so, when will we be notified of them?
A: We are not expecting to release any additional out of band updates.
Q: This is a major .dll (netapi32.dll) and could have a great impact. We have started our testing and would like any information of known issues.
A: There are no known issues reported with this update
Q:MS06-040 introduced a problem where applications that used large amounts of contiguous memory failed. (see kb924054) Has MS08-067 been tested for similar issues?
A: Regression testing has been performed on this update and no known issues exist at this time.
Q: I thought you said Forefront product customers should ensure updates but your answer seems to be only about FS Client. For Forefront for Exchange and SharePoint Server, should they get latest signatures for those too?
A: All Forefront products should be able to update to the most recent signatures.
Q: I don’t understand. RPC uses 135 and negotiates a port from 1024+ range. how is 139 and 445 in the picture?
A: RPC includes the ability to use SMB as a transport. When this happens, ports 139 and 445 are used.
Q: Our test matrix is dependent upon what is being updated. What do you recommend testing?
A: The affected binary updated is netapi32.dll. The primary function affected is in file and printer sharing.
Q: I’ve seen reports of (sporadic) problems with Wi-Fi connectivity after installing MS08-067. Do you have any information about this?
A: We investigate all reports about potential issues but have not verified any known issues at this time.
Q: What are our chances to mitigate this threat if our agency is fully patched this weekend?
A: Customers who have installed the MS08-067 security update are protected from this vulnerability.
Q: Are there any specific test points that you recommend? What should I do to satisfy the powers that be, that I’ve thoroughly tested this update?
A: The patch involves network file and printer sharing. It is recommended that you perform tests of any network printing or file sharing required by your environment.
Q: Will Forefront for Exchange 2007 include protection for this vulnerability?
A: Microsoft Forefront Client Security Antivirus: v1.45.1016.0 includes signatures related to this vulnerability. These will be available for Forefront for Exchange as well.
Q: Is Small Business Server 2003 impacted?
A: Yes.
Q: What are the names of these Trojans? How do we know if we’ve been infected? Our Forefront installs have been finding lots of Trojans recently…
A: The Microsoft Malware Protection Center’s (MMPC) name for this malware is Exploit: Win32/MS08067.gen!A
For more information, please visit the MMPC page: <http://www.microsoft.com/security/portal/>
Their team blog, which has additional information, is: <http://blogs.technet.com/mmpc/>
Q: Is the AV protection information available to all VARs?
A: Yes - we have been working with all of our partners including AV vendors. See the MMPC blog for the latest info at <http://blogs.technet.com/mmpc/>.
Also, Microsoft has a new program, the Microsoft Active Protections Program (MAPP <http://www.microsoft.com/security/msrc/mapp/overview.mspx>), in which we share vulnerability information. Please check the partners for their active protections - <http://www.microsoft.com/security/msrc/mapp/partners.mspx>
Q: Why isn’t the vulnerability exploitable over RPC over HTTP? Isn’t RPC over HTTP just using HTTP to proxy an otherwise typical RPC transaction?
A: In order for RPC over http to work for an endpoint, the endpoint must specifically support it. This endpoint does not.
Q: Is it safe to just push out the executable en mass via SMS, or should I let the scanning tool determine if the update is actually needed?
A: There are no known issues with the update. You should determine which updating strategy works best for your environment.
Q: Did you say that we could get attacked through port TCP 3389 (Remote Desktop Protocol)?
A: The vulnerability relies on TCP ports 139 and 445.
Q: Are all SP levels of Windows XP \ Server 2003 affected? Are previous service pack levels more vulnerable?
A: Windows XP SP1 is currently out of support. Customers using XP SP1 are encouraged to upgrade. Windows XP SP2, Windows XP SP3, and all service packs of Windows Server 2003 are equally vulnerable.
Q: Does it make a difference if the user is running as admin or just a local user……
A: This vulnerability is not dependant on the logged on user since it exploits a network service.
Q: What is the Advance Notification Service (ANS)?
A: Please refer to http://www.microsoft.com/technet/security/bulletin/advance.mspx for more details on ANS.
Q: What if your system comes up with no critical updates available from Microsoft Update. This seems like a false positive. I know this particular server does not have the patch.
A: There should not be any delays in delivery from Microsoft Update at this point. You can download the update directly. The download links are available in the bulletin.**
Q: Windows XP Service Pack 1 is not listed in the affected software, does it need the update?
A: Windows XP SP1 is not a supported platform. All supported operating systems/and service packs can and should install the update. A complete list is found in the security bulletin, as well as information on what to do if you are running older platforms.
Q: Why does Microsoft have AV protection for known malware and not other AV vendors? When will other AV vendors have the information that they need to provide protections or do they have the same malware binaries available?
A: We have been working with all of our partners including AV vendors. See the MMPC blog for the latest info at <http://blogs.technet.com/mmpc/>. Also, Microsoft has a new program, the Microsoft Active Protections Program (MAPP http://www.microsoft.com/security/msrc/mapp/overview.mspx>), in which we share vulnerability information. Please check the partners for their active protections - <http://www.microsoft.com/security/msrc/mapp/partners.mspx>
Q: Are clients running Windows XP SP3 without any server functionality still vulnerable?
A: Yes. Windows XP SP3 clients are also vulnerable if they have file and printer sharing enabled or if they have Windows Firewall turned off.
Q: Are there any performance impacts of this change, specifically on Exchange servers?
A: We have identified no issues with this update; performance or otherwise.
Q: How can I tell if any of my workstations have been compromised? Is there any evidence of the system being violated?
A: Successful attacks may be impossible to detect. On the other hand, failed attacks will cause a crash in svchost.exe. However, not all svchost.exe crashes indicate an attack of this vulnerability.
Q: Does Microsoft Internet Security and Acceleration Server (ISA) 2006 help to mitigate this vulnerability?
A: ISA can be used to block incoming connections to TCP/139 and TCP/445 and will mitigate an external attack. However, attacks originating from internal resources could still succeed.
Q: Can Microsoft address the question of the number of active exploits at this time? Do you know yet?
A: We are only aware of limited targeted attacks against Windows XP and Windows 2003 machines.
Q: Has an HTTP or other web distribution method of this exploit been identified or seen in the wild?
A: At this time, we have not seen a web distribution method used or identified.
Q: Any known issues thus far with 3rd party applications?
A: There are no known issues with this update at this time.
Q: Will this affect Virtual Machine (VM) servers?
A: Yes. All currently supported versions of Windows are impacted. Please refer to the security bulletin for all affected products
Q: Can you elaborate on how we can use Data Execution Prevention (DEP) on our Windows XP machines to protect our computers?
A: Take a look at http://technet.microsoft.com/en-us/library/cc700810.aspx for details on how to do this.
Q: Due to the nature of deploying in a large environment, will you have alerts when a damaging version of the proof of concept that is currently in the wild is seen. Scheduling reboots can take several days to avoid business outages. Outages are acceptable when a worm is active.
A: We will continue to update our customers as additional information becomes available through blogs, advisories, etc.
Q: I found a blog article that said Microsoft Forefront Client Security malware version 1012+ will detect and prevent the attack. http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx Does that make this hotfix less critical?
A: No. This update continues to be important for Vista and Windows Server 2008 and critical for Windows 2000, 2003 and XP.
Q: If the firewall is on, yet you allow RDP (remote desktop), does that prevent the attack?
A: Allowing RDP does not prevent the attack. An attacker could exploit external to internal if a perimeter firewall does not block the exploit. You can block external attacks at your perimeter router by filtering TCP port 139 and 445. The Security Vulnerability Research & Defense (SVRD) blog at <http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx> has a detailed matrix showing which scenarios are vulnerable.
Q: It’s unclear from the “history” explanation….has worm-type self-replicating attacks/code been found in the wild?
A: To be clear - we do NOT know of a worm currently in the wild exploiting this vulnerability. We are aware of limited, targeted attacks exploiting this vulnerability.
Q: Does blocking Internet access via TCP port 139 and 445 protect internal network from infection?
A: Yes, blocking incoming connections to TCP/139 and TCP/445 will mitigate an external attack
Q: I thought I heard it said that malware has been found to have exploited this vulnerability, but to date there is no known successful worm, please explain the difference.
A: The malware detected was not a worm. You can read about the malware at the MMPC blog at http://blogs.technet.com/mmpc/
Q: Is RCP over http or https, such as Outlook used to remotely connect to Exchange vulnerable to this issue?
A: No, RPC over http does not expose this vulnerability.
Q: What is the vulnerability of the entire network if a user is using an air card remotely and connecting through a Virtual Private Network (VPN) even though you are blocking port 139 and 445 on your firewalls?
A: As long as the VPN client blocks ingress traffic to the user (single homed), the mobile system is protected from direct attack. However, if the system does become infected while the VPN client is disabled, it will gain access to port 139 and 445 on the internal network once the VPN client is enabled. This could potentially (depending on the exact configuration and deployment) allow an attack to take place on the internal network. We recommend installing security updates on internal systems as well.
Q: If one is using domain isolation (IPSec/GPO/certificates) are we protected from non-domain machines and domain-joined machines? Can there be an exploit that looks legit in this scenario and still works within domain isolation?
A: IPSec can help protect between trusted partners, however does not protect against insider threat attacks. Although IPSec can offer some protection, the vulnerability is still reachable in scenarios such as dual homed systems, or insider threat scenarios.
Q: Can one download the individual patch without having to go through windows update.
A: Yes - this update can be downloaded directly from the download center
Q: Is this just a vulnerability in the Windows Server or do I need to patch Windows client operating systems as well?
A: The vulnerability is present on Windows Clients, too.
Q: Our server/web application was not making calls over TCP 135, however post patch it began using port 135 which our firewall blocks. Are you positive port 135 is not in play here?
A: There are no known issues with this update. The update is not designed to enable or disable port 135 and we have not seen this behavior.
Q: How will this patch impact products used for remote control support such as VNC or remote desktop?
A: The update itself has no known issues or application compatibility issues. However, if you manually enable blocks on TCP ports 139/445, this could impact various program and applications.
Q: What will break if I disable ports 139, 445? Are these standard ports used for Microsoft communication?
A: The bulletin lists some of the programs and services impacted by blocking ports 139/445 to include such things as applications that use SMB (CIFS), group policy, print spooler, computer browser, etc.
Q: Can we go ahead and send the users the KB958644 file and have them apply the update manually; even If our Windows XP SP2 and Vista SP1 machines did not run updates for the past few months.
A: This is a stand-alone update and does not require any prerequisites for installation.
Q: In Vista/Server 2008, how can it be initiated? i.e. a pop-up appear to the user and clicks OK.
A: For all platforms, there will be no user interaction with a successful exploit. The exploit goes through an RPC request packet and does not require user interaction.
Q: For Internal systems behind a firewall … can this vulnerability be spread via email or only by a malicious direct attack?
A: If an internal system becomes compromised, it could attack other systems within the perimeter as it would likely be able to reach other internal systems on the affected ports. However, this system would need to be compromised through a different vector, as the firewall would filter inbound attacks. One such vector could include sending an executable exploit via e-mail, but the user would need to click and execute such an exploit himself. As such, we strongly recommend installing the systems on internal systems as well to ensure complete coverage
Q: Can you describe the TCP-IP packet
A: Details of the know exploit can be found on the SVRD blog at http://blogs.technet.com/swi/default.aspx
Q: Is there a way to detect vulnerable hosts in a network through an application based scanner? After updating all the hosts in our environment, I would like to be able to scan and detect hosts that have not been patched. Additionally, once I install the patch, where do I look to confirm it has installed successfully.
A:KB 958644 lists the version numbers on netapi32.dll that should be applied by the update. Scanning for these version numbers should enable you to see if the patch has been properly applied. The bulletin also lists registry keys created by the update.
Q: At least one of our Windows 2003 Servers that had the patch applied did not request a restart. It sounds like we should reboot even if not requested by the update installation. Is that correct?
A: A reboot is needed to protect your system and ensure the update has been properly installed.
Q: Is there any recommended testing in a Quality Assurance (QA) environment?
A: You may wish to focus on components that use the Browser and the Server service, such as applications which use SMB and file sharing and the printer and fax service.
Q: For non-Vista and Server 2008 operating systems, is there a configuration option in other operating systems that disable RPC? And is this a practical remedy?
A: The workarounds listed in the bulletin lists disabling server and browser services. The bulletin also lists the impacts of applying these workarounds.
Q: Is RDP/TS file transfer vulnerable?
A: Remote desktop protocol does not use RPC to mount drives and has not been shown to be affected by the vulnerability.
Q: Does the Windows XP firewall in default configuration protect from this RPC request?
A: In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2. Unfortunately, either one of the following two conditions exposes the RPC endpoint:
-
Firewall is disabled
-
Firewall is enabled but file/printer sharing is also enabled.
Q: What is the Forefront Client Security antivirus signature update number that addresses this vulnerability? At the Malware Protection Center I see an entry for Win32/MS08067.gen!A that indicates the update is v1.45.1051? Has this been released to WSUS?
A: Forefront has a signature that generically triggers on some attempts to exploit this vulnerability. These signatures are continuously being updated as threats evolve. Additional coverage is constantly being released through the ongoing updates for Forefront. The earliest detection signature was added with 1.45.1012.0, but we recommend to continuously update these signatures as updates are added. Forefront signatures are indeed being released to WSUS.
Q: In the context of an enterprise, where every client has access to a public share on a server, this means every client is an authenticated user so he could run an attack rather accidentally or willfully?
A: Assuming we are talking about connecting to a server share through file system APIs, then the answer is “No”, the workstation does not become vulnerable.
Q: Is there exploit code for this vulnerability?
A: We have seen this exploit used in the wild. However, we have not seen working exploit code posted to public resources at this time.
Q: Have you seen how effective antivirus programs are in detecting an attack?
A: We cannot comment on the effectiveness of third party products. However, we are actively sharing information with our partners in the MAPP program and expect vendors will be releasing threat updates continuously to better protect their users.
Q: Can the Windows 2003 SP2 security patch be downloaded as part of the regular windows update?
A: That is correct; Automatic Updates will automatically push down the update to any supported OS (including Windows Server 2003 SP2)
Q: Where was the link for the registry modification to make Windows XP systems require authentication? Does this also cover Windows 2003?
A: There is no method for forcing Windows XP/2003 to use authentication. However, we are still investigating this and will update the SVRD blog at http://blogs.technet.com/swi/default.aspx if new information becomes available.
Q: If User Account Control (UAC) is disabled, does it become critical?
A: Disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. This limits the impact of this vulnerability on Vista and Windows Server 2008 (refer to the SVRD blog post blog http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx).
Q: My WSUS auto approved critical updates… therefore I am safe and don’t need to do anything except for set a deadline for rapid deployment, right? Approving KB 958644 gets the guts, right?
A: This sounds right but we cannot validate your environment. We would recommend that you test to make sure the update was deployed using MBSA 2.1. Using WSUS, administrators can deploy the latest critical updates and security updates for Microsoft Windows 2000 operating systems and later. For more information about how to deploy this security updates using Windows Server Update Services, visit the Windows Server Update Services Web site <http://go.microsoft.com/fwlink/?LinkId=50120>.
Q: Do you need to patch Vista - 64bit systems?
A: Yes - all supported platforms are affected by this vulnerability.
Q: Are there any known issues with MS08-067 synchronizing with WSUS 2 servers. My WSUS server is not retrieving this new update?
A: There are no known issues at this time. This is also dependent on how your Computers have been configured to talk to your WSUS server <http://technet.microsoft.com/en-us/wsus/default.aspx>. Default configuration is to contact the WSUS server once every 22 hours. Clients will not report Compliance/Needing this update until they contact the server.
Q: If a Windows 2003 Domain Controller is attacked and compromised, could a domain administrator account be created to then attack Windows Vista?
A: If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.
Q: We have business units requesting servers in both our Developer and Production networks to be exempted from receiving this patch for various reasons. Can anything be done at the network layer (firewall) to help protect hosts without this patch?
A: We believe the primary attack vector for any attacks will be a connection from an attacker to a vulnerable system over TCP ports 139 or 445, connecting to the server service to send malformed RPC requests. However, attacks that originate from within your network will not be prevented
Q: What type of applications would be most vulnerable to this vulnerability?
A: File and printer sharing. TCP ports 139 and 445.
Q: Will the update be made available through the SMS 2003 download synch process?
A: This update will be sent through the normal update process. You can see all detection and deployment information for all platforms in the bulletin.
Q: How vulnerable are we if we have servers that are affected on Windows Server 2003 in our DMZ, that don’t have any of the affected ports open?
A: These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. If these ports are disabled locally through disabling the affected services (as listed in our workarounds) would also prevent exploitation. Regardless, these are mere workarounds and should be followed by the deployment of the patch as soon as possible for the organization.
Q: Can you please point me to the master list of the Microsoft Patch supersedence? I use a patch monitoring tool that is not capable of understanding patch supersedence automatically. This means that I must “de-select patches” that have been replaced by newer ones.
A: This bulletin supersedes MS06-040 on selected platforms as shown in the bulletin affected software table. You can search for additional bulletins at http://www.microsoft.com/technet/security/Current.aspx.
Q: Is the patch supported on Windows Server 2003 x64 SP1?
A: The affected platforms are listed in the bulletin and yes, Window 2003 x64 SP1 is supported.
Q: What type of protections does Internet Security and Acceleration Server provide against this vulnerability?
A:
1. The ISA and TMG RPC filter only recognizes RPC traffic that begins on the RPC End-Point Mapper (TCP:135). Since MS08-067 attacks are carried within CIFS (TCP:445) or NetBIOS (TCP:139) connections, they are not visible to the ISA or TMG RPC filter.
- By default, ISA Server and TMG do not allow RPC, NetBIOS or SMB traffic from the external network.
- By default, ISA 2000 allows all traffic unfiltered from the LAT (Internal network) to the local host. Any ISA 2000 deployment should be patched immediately.
- By default, ISA 2004, 2006 and TMG do not allow SMB, NetBIOS Session or RPC to the local machine except from remote management hosts, array members and Content Storage Servers (CSS). Since compromised CSS and remote management hosts may pose a threat to the ISA or TMG server, they should be updated immediately.
- If you have changed ISA or TMG policies to allow SMB or NetBIOS traffic to the local host (such as for a Branch Office scenario), you should patch your ISA or TMG server immediately.