I rather disagree with M$'s idea that exploit code is unlikely. This one can turn into the same type of worm as RPC DCOM and MS08-067.

Here is an excerpt from MS08-067:

"How could an attacker exploit the vulnerability? An attacker could try to exploit the vulnerability by sending a specially crafted message to an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, any anonymous user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability."

When you hear remote code execution, anonymous user and specifically crafted packets, you have reasons to worry. We have already seen folks turn around attack code and then worms pretty quickly, even though Microsoft doesn't think an exploit will be likely, which has proven a farce more times than I can count or even remember.

Patch your systems, and do it quick, or suffer the consequences...

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: [email protected]
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

________________________________
From: Todd Lemmiksoo [mailto:[email protected]]
Sent: Tuesday, January 13, 2009 2:31 PM
To: NT System Admin Issues
Subject: FW: [ActiveDir] MS09-001 - Get to patching folks!

FYI......Todd

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of joe
Sent: Tuesday, January 13, 2009 1:19 PM
To: [email protected]
Subject: [ActiveDir] MS09-001 - Get to patching folks!

http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx

Vulnerabilities in SMB Could Allow Remote Code Execution (958687)

This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

"While this is a remote code execution vulnerability, functioning exploit code is unlikely."

http://blogs.technet.com/swi/archive/2009/01/09/ms09-001-prioritizing-the-deployment-of-the-smb-bulletin.aspx

For all affected versions of Windows, the two RCE vulnerabilities are unlikely to result in functioning exploit code as stated in the exploitability index (http://technet.microsoft.com/en-us/security/cc998259.aspx). There are a few reasons for this:

* The vulnerabilities cause a fixed value (zero) to be written to kernel memory - not data that the attacker controls.
* Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.

In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
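The prioritization guidance quoted above (domain controllers and SMB servers first, other roles assessed, hosts with SMB blocked at the host firewall deferred) can be turned into a per-host triage check. The script below is an added example, not part of the thread or of Microsoft's guidance. It assumes a PowerShell version with the NetSecurity cmdlets (Windows 8 / Server 2012 or later; the 2009-era systems discussed in the thread would need netsh instead), takes the KB number 958687 from the bulletin title, and the priority labels and the role-to-priority mapping are this example's own wording of the quoted advice.

```powershell
# Added example (not from the thread). Classifies the local host for the
# MS09-001 rollout in the order the quoted SWI guidance gives. Assumes the
# NetSecurity module (Windows 8 / Server 2012+). Labels are this example's own.

function Get-Ms09001Priority {
    # KB958687 is the article number shown in the bulletin title.
    $kb = 'KB958687'

    # 1. Already patched? Get-HotFix reads the installed-updates list.
    $patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

    # 2. Role. Win32_ComputerSystem.DomainRole: 0/1 workstation,
    #    2/3 standalone/member server, 4/5 backup/primary domain controller.
    $role     = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc     = $role -ge 4
    $isServer = $role -in 2, 3

    # 3. Is SMB actually exposed? The server must be listening on 445/139 AND
    #    be reachable through the host firewall (firewall off, or an enabled
    #    inbound allow rule covering those ports).
    $listening = [bool](Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                        Where-Object { $_.LocalPort -in 445, 139 })

    $firewallOn = [bool](Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })

    $allowRule = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
                 Get-NetFirewallPortFilter |
                 Where-Object {
                     $_.Protocol -eq 'TCP' -and
                     ($_.LocalPort -contains '445' -or $_.LocalPort -contains '139' -or $_.LocalPort -contains 'Any')
                 }

    $smbExposed = $listening -and ((-not $firewallOn) -or [bool]$allowRule)

    # 4. Map to the rollout order from the guidance.
    $priority =
        if ($patched)                       { 'Installed' }
        elseif ($isDc)                      { 'Immediate - domain controller' }
        elseif ($isServer -and $smbExposed) { 'Immediate - SMB server reachable' }
        elseif ($smbExposed)                { 'Assess - workstation with SMB reachable' }
        else                                { 'Deferred - SMB blocked at host firewall or not listening' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Patched      = $patched
        DomainRole   = $role
        SmbExposed   = $smbExposed
        Priority     = $priority
    }
}

Get-Ms09001Priority
```

Run it under an elevated session so the firewall and listener queries succeed; across a fleet it can be wrapped in Invoke-Command and the resulting objects sorted by Priority to produce the patch order. Note that "Deferred" only means the host firewall is currently blocking SMB, which is the same caveat the guidance attaches to it: the host still needs the update, just not in the first wave.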
