Monday, October 27, 2008

MS08-067 Windows Server Remote Exploit Information

We received a flood of requests from our customers to see if Sentinel IPS is protecting against attacks on this new vulnerability. Once we assured them we have several signatures are in place, (thanks Emerging Threats!) I figured a follow up with some information on this vulnerability would be helpful.

First the vulnerability is a remote buffer overflow in the RPC (remote procedure call) code in Windows OS. This vulnerability allows full code execution/system compromise over the wire.

Second, MS went public with information on this vulnerability around October 22nd after it found info of active exploitation in the wild.

Is public exploit code available? "You betcha", http://www.milw0rm.com/exploits/6841

Which versions of Windows are vulnerable? Microsoft Windows 2000, Windows XP, Windows Vista, Windows 2003 Server and Windows Server 2008

Is there a patch, update available? Yes, MS pushed an emergency update (out of band patch) on Friday, Oct 24th. That gives you an idea how serious this is.

Doesn't my firewall protect this? Yes, sort of... If you are denying ports 139 and 445 to the host, but you are likely vulnerable to your LAN, and if your grandma plugs directly into her DSL modem and turned off that pesky Windows firewall (uh oh).

What happens when I am compromised? There is a worm/botnet currently spreading using this vulnerability and after successful compromise, it then scans the local network for vulnerable machines. This means dirty laptops are extremely high risk to spread this worm.

What is the malware which the worm spreads? It is your standard auto-propigating trojan/malware/botnet client which is currently going by the name Gimmiv (Win32.Gimmiv.a/b worm).

What can I do? Keep an eye on your machines, run the latest AV software and make sure your firewalls and IPS are protecting ports 139/445 wherever possible. Last but not least, patch patch patch!

Godspeed.

1 comment:

coastman14 said...

does this affect the
script src=nb88.cn js virus that is injected in all of my servers?