Since the release we have received several great questions regarding MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), thus we decided to compile answers for them. We still want to encourage everyone to apply the update.
Can the vulnerability be reached through RPC over HTTP?
No, the vulnerability cannot be reached through RPC over HTTP. RPC over HTTP is an end-to-end protocol that has three roles: client, proxy and server. To be clear, this is different from standard RPC, and the two protocols do not interoperate. Moreover, the only way to hit the vulnerable code is through named pipes, so the Interface security callback will drop the connection when connecting through TCP/IP.
Using Outlook to connect to an Exchange server to access e-mail is a common scenario that uses RPC over HTTP; since the RPC over HTTP proxy is used the Exchange server is not exposed to external attacks.
Further information about RPC over HTTP:
http://msdn.microsoft.com/en-us/library/aa375384.aspx
Further information about using Exchange with RPC over HTTP:
http://technet.microsoft.com/en-us/library/aa996072(EXCHG.65).aspx
What type of protections does ISA provide against this vulnerability?
-
- The ISA and TMG RPC filter only recognizes RPC traffic that begins on the RPC End-Point Mapper (TCP:135). Since MS08-067 attacks are carried within CIFS (TCP:445) or NetBIOS (TCP:139) connections, they are not visible to the ISA or TMG RPC filter.
- By default, ISA Server and TMG do not allow RPC, NetBIOS or SMB traffic from the external network.
- By default, ISA 2000 allows all traffic unfiltered from the LAT (internal network) to the local host. The update should be applied to any ISA 2000 deployment immediately.
- By default, ISA 2004, 2006 and TMG do not allow SMB, NetBIOS Session or RPC to the local machine except from remote management hosts, array members and Content Storage Servers (CSS). Since compromised CSS and remote management hosts may pose a threat to the ISA or TMG server, they should have the update applied immediately.
- If you have changed ISA or TMG policies to allow SMB or NetBIOS traffic to the local host (such as for a Branch Office scenario), you should apply the update to your ISA or TMG server immediately.
Can an anonymous user reach the vulnerable code if the “restrict anonymous named pipes” group policy setting is used?
There are two different behaviors depending on the platform version.
Unfortunately the Windows XP SP2 and Windows Server 2003 group policy setting “Network Access: Named pipes that can be accessed anonymously” (see http://technet.microsoft.com/en-us/library/cc785123.aspx for more information) will not block anonymous connections to the browser named pipe. The vulnerable code can still be reached since by default, connections to this named pipe will be allowed regardless of the setting. In short, even if “browser” is removed from this list, the named pipe can still be reached anonymously.
In Windows Vista and Windows Server 2008 this behavior was changed and the setting takes effect when the browser named pipe is removed and the system is restarted.
Would sharing files and/or printers via Terminal Server or Remote Desktop Connection expose the vulnerability?
No, Terminal Server and Remote Desktop Connection do redirection using virtual channels embedded inside the RDP protocol. Moreover, Terminal Server does not open ports 139 or 445.
We would like to thank the engineers who helped provide definitive answers to these technical questions:
- Bruce Dang, Fermin J. Serna, Damian Hasse, Andrew Roths and Jonathan Ness from the SVRD team
- Tassaduq Basu, Kamen Moutafov from the Windows Networking Team
- Scott Field from the Windows Security Architecture Team
- Jim Harrison from the ISA Team
- Costin Hagiu from the RDP Team
- David Kruse from the Core File System Team
Posting is provided “AS IS” with no warranties, and confers no rights.