FYI......Todd

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of joe
Sent: Tuesday, January 13, 2009 1:19 PM
To: [email protected]
Subject: [ActiveDir] MS09-001 - Get to patching folks!

http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx

Vulnerabilities in SMB Could Allow Remote Code Execution (958687)

This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

"While this is a remote code execution vulnerability, functioning exploit code is unlikely."

http://blogs.technet.com/swi/archive/2009/01/09/ms09-001-prioritizing-the-deployment-of-the-smb-bulletin.aspx

For all affected versions of Windows, the two RCE vulnerabilities are unlikely to result in functioning exploit code as stated in the exploitability index (http://technet.microsoft.com/en-us/security/cc998259.aspx). There are a few reasons for this:

* The vulnerabilities cause a fixed value (zero) to be written to kernel memory - not data that the attacker controls.
* Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.
In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
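The deployment guidance quoted above (SMB servers and Domain Controllers first, hosts with SMB blocked at the host firewall later, non-critical workstations lowest) turned into a triage script over a host inventory. This is an added example, not code from joe's mail or from Microsoft; the inventory is constructed sample data, the role labels (`dc`, `file_server`, `workstation`) and the field names are hypothetical, and it assumes the installed-hotfix list was gathered beforehand (for instance from `Get-HotFix` output). The KB number 958687 is the one the bulletin names.

```python
"""Patch-priority triage for MS09-001 (KB958687) over a host inventory.

Encodes the deployment guidance from the SWI blog post quoted in the mail:
SMB servers and domain controllers first (a DoS there has high impact),
hosts that block SMB at the host firewall can wait, and non-critical
workstations are lowest. Everything below the docstring is sample data
and hypothetical field names, not taken from any real network.
"""
from dataclasses import dataclass
import socket

KB_ID = "KB958687"  # KB number of the MS09-001 update, as given in the bulletin


@dataclass
class Host:
    name: str
    role: str                   # hypothetical labels: "dc", "file_server", "workstation"
    critical: bool              # does the business depend on this machine?
    smb_blocked_at_host: bool   # host firewall drops inbound TCP 445/139
    hotfixes: tuple             # installed KB ids, e.g. collected with Get-HotFix


# Constructed inventory (sample data only).
INVENTORY = [
    Host("dc01", "dc", True, False, ()),
    Host("files01", "file_server", True, False, ()),
    Host("ws-admin", "workstation", True, False, ()),
    Host("ws-01", "workstation", False, False, ()),
    Host("laptop-07", "workstation", False, True, ()),
    Host("ws-02", "workstation", False, False, (KB_ID,)),   # already patched
]


def needs_patch(host):
    """True when the MS09-001 update is not in the host's installed hotfixes."""
    return KB_ID not in host.hotfixes


def priority(host):
    """Return (rank, reason); lower rank is patched first, rank 4 means done."""
    if not needs_patch(host):
        return 4, "already has " + KB_ID
    # Role decides first: DCs and SMB servers need SMB open, so the host
    # firewall flag cannot lower their priority.
    if host.role in ("dc", "file_server"):
        return 0, "SMB server or domain controller: a DoS would have high impact"
    if host.smb_blocked_at_host:
        return 3, "SMB blocked at host firewall: can be updated more slowly"
    if host.critical:
        return 1, "critical system exposing SMB: assess by role, patch early"
    return 2, "non-critical workstation: lower priority if a DoS is acceptable"


def patch_order(hosts):
    """Hosts still needing the update, ordered by rank then name."""
    ranked = sorted(hosts, key=lambda h: (priority(h)[0], h.name))
    return [(h.name, priority(h)[1]) for h in ranked if needs_patch(h)]


def smb_reachable(hostname, port=445, timeout=1.0):
    """Optional live check: is TCP 445 reachable from where this script runs?

    Useful for verifying the smb_blocked_at_host flag against reality. Note
    that a failed connect may also be caused by a network firewall between
    the two machines, not only by the host firewall.
    """
    try:
        with socket.create_connection((hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, reason in patch_order(INVENTORY):
        print(f"{name:<12} {reason}")
```

Run it as a script to print the ordered list; feed it a real inventory by replacing `INVENTORY` with hosts built from your own asset data and hotfix collection.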
