
CERT-In Advisory CIAD-2008-63
Exploitation of critical Microsoft Windows Vulnerabilities

Original issue date: December 04, 2008

Severity Rating: High

Systems Affected

  • Microsoft Windows Operating Systems

Overview

It has been observed that systems which remain unpatched against recent critical Windows vulnerabilities are being widely exploited, which could give an attacker complete control of the affected system. It is to be noted that the vendor has already released patches for each of the vulnerabilities described below.

Description

It has been observed that the exploits that take advantage of some critical Windows vulnerabilities are circulating in the wild. An attacker who successfully exploited any of the following vulnerabilities could take complete control of an affected system:

1. MS08-067 : This vulnerability exists in the Server Service and is caused by an overflow when handling malformed RPC requests. It enables an attacker to execute arbitrary code and take complete control of an affected system. The vulnerability potentially enables automated exploitation, and various malicious codes such as Exploit:Win32/MS08067.gen!A, TrojanSpy:Win32/Gimmiv.A, TrojanSpy:Win32/Gimmiv.A.dll, Conficker.A and IRCbot.BH are now exploiting the flaw to spread. There is a significant increase in scanning traffic on TCP ports 139 and 445, which is attributed to the activity of the said malicious codes.

2. MS08-068 : This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim's own credentials. Thus, an attacker could gain control of an affected system in the context of the logged-on user. Tools to exploit this vulnerability are available on the Internet.

3. MS08-069 : Microsoft XML Core Services 3.0, as shipped in various Microsoft installations, is vulnerable to remote code execution. When XML content is parsed, MSXML may corrupt the system state in such a way that an attacker could run arbitrary code in the context of the logged-on user. Exploit code for this vulnerability is available on the Internet.
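The increase in scanning traffic on TCP ports 139 and 445 noted under MS08-067 is something a network team can look for in its own firewall logs. The following is an added example, not part of the advisory: it flags sources that connect to many distinct hosts on SMB ports within a short window, which is the fan-out pattern of a spreading worm rather than normal file-server use. The log line format and all addresses are constructed for this example.

```python
"""Flag hosts that fan out SMB connections (TCP 139/445) to many distinct peers.

Log format is CONSTRUCTED for this example (not a real firewall's format):
    <ISO-8601 time> <src> <dst> <proto> <dport> <action>
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, proto, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport), action


def find_smb_scanners(lines, window=timedelta(minutes=5), min_targets=20):
    """Return {src: peak_distinct_targets} for every source that reached at
    least `min_targets` distinct hosts on SMB ports inside any `window`.
    A workstation talking repeatedly to one file server stays below the
    threshold because repeated hits on the same destination count once."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, dport, _ = parse_line(line)
        if proto == "TCP" and dport in SMB_PORTS:
            events[src].append((ts, dst))

    scanners = {}
    for src, hits in events.items():
        hits.sort()  # sliding window needs time order
        start, peak = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


# Constructed sample: 10.0.0.7 sweeps 25 hosts on 445 in 25 seconds (scanner);
# 10.0.0.5 talks to a single file server; 10.0.0.9 is unrelated web traffic.
SAMPLE_LOG = (
    [f"2008-12-04T10:00:{i:02d} 10.0.0.7 10.0.1.{i + 1} TCP 445 DENY" for i in range(25)]
    + ["2008-12-04T10:00:05 10.0.0.5 10.0.2.10 TCP 445 ALLOW"] * 3
    + ["2008-12-04T10:00:09 10.0.0.9 10.0.3.1 TCP 80 ALLOW"]
)

if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))  # {'10.0.0.7': 25}
```

The threshold and window are tuning knobs; a default of 20 distinct SMB peers in five minutes is far above what a typical workstation does but is exceeded within seconds by a host sweeping a /24.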

Workarounds

  • Block TCP Ports 139 and 445 on perimeter firewall
  • Disable File and Print sharing, if not required
  • Block inbound SMB connections using the Windows Firewall
  • Enable IPSec and require it on inbound SMB connections
  • Enable SMB message signing on critical servers or on all machines
  • Disable Active Scripting in the Internet and Local intranet security zone, if not required
  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting

Solutions

References

http://www.cert-in.org.in/advisory/ciad-2008-59.htm
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.cert-in.org.in/vulnerability/civn-2008-177.htm
http://www.cert-in.org.in/vulnerability/civn-2008-178.htm
http://www.cert-in.org.in/currentacts/currentact.htm#TGAM
http://www.cert-in.org.in/virus/win32_conficker.htm
http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx
http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx
http://asert.arbornetworks.com/2008/10/ms08-067-server-service-vulnerabilities-redux-and-wormability/
http://isc.sans.org/diary.html?storyid=5275&rss
http://www.securityfocus.com/brief/862
http://securitylabs.websense.com/content/Blogs/3237.aspx
http://securitylabs.websense.com/content/Alerts/3218.aspx

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003