"Both vulnerabilities rated as critical by Microsoft are server-side remote code-execution vulnerabilities in the Server Message Block (SMB) protocol," said Alfred Huger, vice president of Symantec Security Response. "Remote attackers, even without a username and password, can take advantage of this issue and execute any commands they wish on the vulnerable server."
How Big is the Threat?
Wolfgang Kandek, CTO of Qualys, agreed that none of the three SMB vulnerabilities requires credentials or user action for successful exploitation. In addition, he noted, SMB is installed on all Windows operating systems by default, making it a critical component.
"IT administrators should treat the bulletin with attention, as the vulnerabilities can result in a denial-of-service attack or remote code execution," Kandek said. "The Exploitability Index for this month rates all CVEs at level three, 'functioning exploit code unlikely,' which is surprising to us as there have been discussions on CVE-2008-4114 regarding ways to exploit the vulnerability. Although we have not seen an active exploit in the wild, we were able to reproduce the denial-of-service condition in a lab environment. It is interesting that Microsoft would rate it a three, as there has been knowledge shared on how to exploit it."
Even though the SMB vulnerabilities are listed as critical, Andrew Storms, director of Security at nCircle, said nearly all users will find themselves automatically protected by default operating system and firewall configurations. "Despite these existing configuration protections, users are still urged to install this patch ASAP," he said. "Everyone should try to start the new year out right by taking this slow MS month to ensure they have updated their systems with the many patches released in 2008."
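The protection Storms describes depends on inbound SMB actually being blocked on each host. The following PowerShell function is an added example, not code from the article or from any of the vendors quoted in it; it reports whether the Windows Firewall is enabled per profile, whether any enabled inbound rule allows TCP 445 or 139, and whether anything is currently listening on those ports. It assumes the NetSecurity and NetTCPIP modules that ship with Windows 8 / Server 2012 and later; the cmdlets are real, the function name `Get-SmbExposure` is ours.

```powershell
# Added example: summarise inbound SMB exposure on the local Windows host.
# Assumes the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 or later).
function Get-SmbExposure {
    [CmdletBinding()]
    param(
        # SMB over TCP (445) and NetBIOS session service (139)
        [int[]]$Ports = @(445, 139)
    )

    # Firewall profiles where the host firewall is switched off entirely
    $disabledProfiles = Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled } |
        Select-Object -ExpandProperty Name

    # Enabled inbound allow rules whose TCP port filter covers one of the SMB ports
    # (or every port). Port ranges such as "1-65535" are not expanded here, so a
    # range rule that includes 445 would be missed; treat a clean result as a hint,
    # not proof.
    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and (
                ($filter.LocalPort -contains 'Any') -or
                (@($Ports | Where-Object { $filter.LocalPort -contains "$_" }).Count -gt 0)
            )
        } |
        Select-Object -ExpandProperty DisplayName

    # Sockets currently listening on the SMB ports (the service is exposed only if
    # the firewall also lets the traffic through)
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique

    [PSCustomObject]@{
        FirewallDisabledProfiles = @($disabledProfiles)
        InboundAllowRules        = @($allowRules)
        ListeningPorts           = @($listening)
        # Exposed if SMB is listening and either a profile has no firewall or a rule lets it in
        LikelyExposed            = (@($listening).Count -gt 0) -and
                                   ((@($disabledProfiles).Count -gt 0) -or (@($allowRules).Count -gt 0))
    }
}

# Usage: run from an elevated prompt and review the result before relying on
# "default configurations" as a mitigation.
Get-SmbExposure | Format-List
```

A host that reports `LikelyExposed : True` on a network profile it should not be sharing on (Public, for instance) is one where the patch, not the firewall, is the only thing standing between it and an unauthenticated remote attacker.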
What's Missing?
Tyler Reguly, senior security engineer at nCircle, said Microsoft is correct in stating that domain controllers are at greater risk than workstations and servers.
"Domain controllers are at the head of any Windows shop. Therefore, similar to the statement 'Cut off the head and the rest will die,' if an intruder can own the domain controller, they can own everything. I'm sure we'll see this actively exploited before too long; it's very important that organizations patch as soon as possible," Reguly said. "The continuing economic pressure increases the odds of an insider threat, and these vulnerabilities are exactly the kind of thing insiders exploit."
Noticeably absent from the January bulletin is a fix for MS-SQL server (961040), which Kandek expected to be part of this month's release. Most likely last month's large security update, followed by the Internet Explorer out-of-band patch (MS08-078), has left little time for releasing an additional MS-SQL patch, he said.
"For the last four months, Microsoft's patching rhythm has been disrupted with October's out-of-band patch as well as another in December, keeping the holiday period busy," Kandek said. "We will have to see if 2009 follows suit. We are keeping a close eye on Vista and its deployment numbers in the enterprise as well as gaining our first impressions of Windows 7."