Ken,

Basically it's a juicy door for exploits, unauthenticated remote code
execution, non-authenticated access is just that, unauthenticated, no
trust, no authentication before authorization and legitimate access. It's
basically a violation of AAA security principles. Honestly, I personally
loathe any type of weak or non-existent access to systems, and we've seen
it in this one that it keeps opening up the door for attacks.

Anyway, it's pretty easy to get authenticated credentials harvested from one
exploited system and use these to whack the rest of them. A quick
exploit, dump the hashes, run 'em through ophcrack or jack the ripper,
and then impersonate those credentials (hey, generic dumb user) and then
run your exploit. It's about a trivial exercise. So as for Vista and W2k8
being a little less vulnerable, sorry, they are just as vulnerable as
the Win2k, XP, and Win2k3 boxes, when you look at them being on the same
network as the others mentioned.

Again, it's a total pain in the proverbial keister, been up far too many
hours getting my network straight with this patch, calling for a lot of
downtime, and disrupting operations.

Thanks M$ you guys take the cake on this one:)

/END Thread
Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2008 8:49 PM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch ?

Um, not sure what you are saying here...

Are you saying that because there are unauthenticated ways of calling
the Server service, then Microsoft needs to review all the pieces of
code that the server service calls, even if they aren't part of the
server service itself?

(FWIW Windows Server 2008 and Vista require authentication by default to
the server service, so there's one fix).

I know they are doing code reviews, but as per the SDL blog, this
particular issue in netapi32.dll is a particularly different one to fix.

Cheers
Ken

> -----Original Message-----
> From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> Sent: Monday, 27 October 2008 11:44 AM
> To: NT System Admin Issues
> Subject: RE: Out of Cycle Critical Windows Patch ?
>
> Yeah, pretty aware that netapi32.dll is called by a lot of items, which
> sends the attack vector up quite a bit, but the server service was the
> route into both if memory serves me right, so question is why did
> another unauthenticated RPC error attack with that service as the route
> happen again when they made a fix for a similar vulnerability 2+ yrs
> ago..
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 26, 2008 6:50 PM
> To: NT System Admin Issues
> Subject: RE: Out of Cycle Critical Windows Patch ?
>
> Hmm - I checked MS06-040 again, and I don't think they are the same
> "type" of issue.
>
> The current bug is in the NetCanonicalize API - not in the Server
> service. It's just that the server service is a route to get to that
> bug - because it calls that API. But it's entirely possible for /other/
> applications to also call that API. Just use Process Explorer, and see
> how many applications are using Netapi32.dll - I think you'll find it's
> a lot. Any of these /might/ also call that API, and become a vector for
> compromise.
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 27 October 2008 9:28 AM
> > To: NT System Admin Issues
> > Subject: RE: Out of Cycle Critical Windows Patch ?
> >
> > According to the SDL blog, this is why this particular issue is not
> > easy to discover, especially using automated analysis:
> > http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
> >
> > Cheers
> > Ken
> >
> > > -----Original Message-----
> > > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, 27 October 2008 12:45 AM
> > > To: NT System Admin Issues
> > > Subject: RE: Out of Cycle Critical Windows Patch ?
> > >
> > > Yeah someone lit a fire under MSFT arse and they got with the
> > > program on this one, but only after they detected systems getting
> > > exploited in the wild. Why they didn't determine this flaw back when
> > > they patched 06-040 for the same type of issue we probably will
> > > never know...
> > >
> > > Z
> > >
> > > Edward E. Ziots
> > > Network Engineer
> > > Lifespan Organization
> > > MCSE,MCSA,MCP,Security+,Network+,CCA
> > > Phone: 401-639-3505
> > >
> > > -----Original Message-----
> > > From: Kurt Buff [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, October 24, 2008 8:08 PM
> > > To: NT System Admin Issues
> > > Subject: Re: Out of Cycle Critical Windows Patch ?
> > >
> > > Taking this in a slightly different direction...
> > >
> > > I told the IT Director and COO yesterday that I was patching all
> > > servers, and sending an email to all of the laptop users to do the
> > > same.
> > >
> > > They were a bit skeptical, but not only did the emails that I
> > > forwarded them from various lists buttress my opinion, this morning
> > > I got forwarded a voicemail by the IT Director, from a rep at MSFT.
> > > Gist of the message - MSFT is taking this extremely seriously, and
> > > you should patch now.
> > >
> > > Director's comment was "nice job, good of you to jump on this."
> > >
> > > Anyone else get a call like this from MSFT? It's the first time
> > > I've heard of them doing this, and I take it as a really good sign -
> > > MSFT is finally getting the real clue about this stuff.
> > >
> > > Kurt
> > >
> > > On Fri, Oct 24, 2008 at 3:52 AM, Oliver Marshall
> > > <[EMAIL PROTECTED]> wrote:
> > > > Chaps,
> > > >
> > > > The update that was sent out last night, has that caused any
> > > > issues elsewhere? We've had a spate of calls from users about
> > > > problems today, several servers which were set to auto-update for
> > > > various reasons have had varying levels of failure. It's mentally
> > > > busy here for a Friday, and the one thing they have in common is
> > > > that all the machines rebooted for an update last night.
> > > >
> > > > Is it just us ?
> >
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~