Tips 4 Techies                        "This stuff can give you a headache!" - Mr. Bill

Microsoft unexpectedly released a critical Out of Band Windows update that affects Windows 2000, Windows XP and Windows 2003 systems. Exploits have been reported in the wild. Windows Vista can be exploited as well but requires authentication.

Posted by NIST.org on Thursday 23 October 2008



This vulnerability is rated Extremely Critical for Windows 2000, Windows XP, and Windows 2003 Server.

If you are blocking inbound TCP ports 139 and 445 at your firewall, you will not be reachable from the Internet. Only PCs on your local network will be vulnerable. Current exploits are targeting select users via an email Trojan. Once opened, the Trojan unleashes a worm on the local network. You should, of course, apply this latest patch immediately.
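As an added example (not part of the original post), the script below audits connection logs for the two conditions described above: traffic to TCP 139/445 that the firewall allowed in from outside the local network, and a single internal host reaching many local machines on those ports, as a worm would. The log format, sample lines, local subnet and fan-out threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}  # the TCP ports named in the advisory text

# Constructed sample: "time src dst dst_port action" (hypothetical log format)
SAMPLE_LOG = """\
2008-10-23T09:00:01 203.0.113.7 192.168.1.10 445 DENY
2008-10-23T09:00:05 198.51.100.9 192.168.1.20 139 ALLOW
2008-10-23T09:01:00 192.168.1.50 192.168.1.10 445 ALLOW
2008-10-23T09:01:01 192.168.1.50 192.168.1.11 445 ALLOW
2008-10-23T09:01:02 192.168.1.50 192.168.1.12 445 ALLOW
2008-10-23T09:01:03 192.168.1.50 192.168.1.13 139 ALLOW
2008-10-23T09:02:00 192.168.1.30 192.168.1.5 445 ALLOW
2008-10-23T09:02:10 192.168.1.30 192.168.1.5 80 ALLOW
malformed line
"""

def audit(log_text, local_net="192.168.1.0/24", fanout_threshold=4):
    """Return (exposed, fanout) for allowed connections to TCP 139/445."""
    net = ipaddress.ip_network(local_net)  # assumed local subnet
    exposed = []                 # allowed in from outside the local network
    peers = defaultdict(set)     # internal source -> distinct internal targets
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue             # skip lines that do not match the format
        _, src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue             # skip unparsable addresses or ports
        if port not in SMB_PORTS or action != "ALLOW" or dst_ip not in net:
            continue
        if src_ip in net:
            peers[src].add(dst)  # local host talking to a local host
        else:
            exposed.append((src, dst, port))  # firewall block is not effective
    # One local host touching many local hosts on these ports is worm-like
    fanout = {s: sorted(t) for s, t in peers.items() if len(t) >= fanout_threshold}
    return exposed, fanout

if __name__ == "__main__":
    exposed, fanout = audit(SAMPLE_LOG)
    print("Allowed from outside:", exposed)
    print("Internal fan-out:", fanout)
```

Any entry in the first result means the perimeter block on 139/445 is not in effect for that host; entries in the second identify local machines to isolate and check first.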


Microsoft Security Bulletin MS08-067 – Critical - Microsoft.com. "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit."

More detail about MS08-067, the out-of-band netapi32.dll security update - MS Security Vulnerability Research & Defense Blog. "This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix "out of band" (not on the regular Patch Tuesday). Due to the serious nature of the vulnerability and the threat landscape requiring an out-of-band release"

Microsoft out-of-band patch - Severity Critical - SANS.ORG. "As most of you remember, worms such as Blaster and its kin were able to propagate through RPC/DCOM vulnerabilities and is in a very similar area of code. Microsoft has detected limited, targeted attacks exploiting this flaw in the wild. It is expected that with the release of the update, much more of the hacker community will become aware of how to exploit this and create a major worm outbreak or botnet activity." SANS Internet Storm Center has raised the threat condition to "Yellow".

Microsoft issues priority patch for wormable flaw - SecurityFocus.com. "The vulnerability, caused by the flawed processing of remote procedure call (RPC) requests by the Windows Server service, is already being used by online attackers to compromise vulnerable systems, Microsoft said in its advisory. Windows XP, Windows 2000 and Windows 2003 systems could be compromised remotely, if the systems do not have a personal firewall installed and working or if file and printer sharing is activated."

Microsoft Windows Server Service Vulnerability SA32326 - Secunia.com. The vulnerability is caused due to an error in the Server Service component when processing RPC requests and can be exploited via specially crafted RPC requests. NOTE: According to Microsoft, the vulnerability is currently being actively exploited.

Microsoft Windows Server Service Vulnerability (MS08-067) - FrSirt.com. Rated as Critical. "Note: This vulnerability is being exploited in targeted attacks."

 

Vol#1-Issue#1
