
General discussion

Microsoft out-of-band patch - Severity Critical

Oct 23, 2008 2:29AM PDT

Published: 2008-10-23
Last Updated: 2008-10-23 12:16:16 UTC
by Mark Hofman (Version: 1)

Microsoft has just released an advance notification of an out-of-band update to be released on the 23rd of October. They will hold a special webcast on the 23rd at 1:00 pm PT to discuss the release. The patch will be released at 10.00 am.

The information in the bulletin mentions a remote code exploit, but no further details are provided; however, a restart will be required.

Microsoft rates the issue as critical for 2000/XP/2003 and important for Vista/2008.

If we get more information we'll update this diary.

More: http://isc.sans.org/

(NT) This IS available now on MU/WU :)
Oct 23, 2008 4:08AM PDT
More details below
Oct 23, 2008 4:09AM PDT
Updated #2
Oct 23, 2008 6:01AM PDT

As reported earlier today, Microsoft released a critical update today for the Windows operating system. The update addresses a vulnerability with RPC calls which can be referenced from SMB connections. As most of you remember, worms such as Blaster and its kin were able to propagate through RPC/DCOM vulnerabilities, and this is in a very similar area of code. Microsoft has detected limited, targeted attacks exploiting this flaw in the wild. It is expected that with the release of the update, much more of the hacker community will become aware of how to exploit this and create a major worm outbreak or botnet activity.

On our initial review of the information available from Microsoft, we believe that client computers need to be updated with all due haste. Windows 2000, XP, and Server 2003 are listed as critical. Windows Vista and Server 2008 are only listed as important due to the additional security features with these newer operating systems.

http://isc.sans.org/

Updated #3:
Oct 23, 2008 6:34AM PDT
Websense - MS Windows Wormable Vulnerability
Oct 23, 2008 9:54AM PDT

Date: 10.23.2008

Threat Type: Malicious Web Site / Malicious Code

Websense

Installation Of The Update Proceeding Well Here..
Oct 23, 2008 11:38AM PDT

For those users who don't have Automatic Updates turned on, please visit the Windows Update site ASAP and install the update. Or, if you choose, you can download and run the manual installer of the update, which can be downloaded from the link below:

http://www.microsoft.com/technet/sec.../MS08-067.mspx

So far today, I've tested and updated about 30 of our office machines with both Windows XP SP3 and Windows 2000 SP4.. All installations went smoothly and required a reboot after the installation.. During the tests, I updated using either the manual installers from the link above or the Windows Update site.. Either method worked fine.

Hope this helps.

Grif

Just some comments on MS08-067
Oct 23, 2008 12:01PM PDT

- We have samples in-house of the trojans in-the-wild that are being used in targeted attacks, taking advantage of this exploit. These are currently only targeted attacks, not being used broadly by malware authors.

- It is not a light thing. The urgency is quite real - unpatched, you've got the spectre of another SQL Slammer, Code Red type of scenario if the malware writers create a worm. The other issue with this patch is that it affects a broad number of systems (XP, Windows 2000 and 2003 -- the Vista/2008 platform isn't at the same level of risk).

- It is an extraordinary event that pushes Microsoft to do an out-of-band update. This is a big deal for them - each update is tested on a vast number of machines. It underscores the potential seriousness of this vulnerability.

Patch like hell and let's hope everything will be ok in the morning.

http://sunbeltblog.blogspot.com/index.html

A Few Problems With 958644 Patch Are Showing Up
Oct 27, 2008 4:51AM PDT

Just a note about problems after the rollout of the KB 958644 updates.. A few issues are starting to appear on networks after the installation of the 958644 Patch.. The Network seems to disappear and as such, various "ping" options and "My Network Places" aren't working correctly. We've seen a few minor issues so far in our agency network.

Other examples at the links below:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23848958.html

http://tim.mackey.ie/IIS6ServiceUnavailableAfterInstallingKB958644.aspx

It's not happening on all networks and the problem hasn't been clarified yet, but as mentioned in the previous posts here, it's still best to patch those computers. The impact of the Blaster and Sasser worms was severe and this vulnerability is much the same.

Hope this helps.

Grif

Update on MS08-067
Oct 27, 2008 5:04AM PDT

Sunday, October 26, 2008

Hello everyone,

This is Christopher Budd once again. As I said in my last post, we aren't done when we release an update. Our response teams are constantly watching the situation around the world to understand as much as possible what's going on with things like the threat environment and the state of security update deployments.

Based on some of our latest situation reports I wanted to provide you with an update as of this morning. You've told us it's helpful for you to have this information on an ongoing basis.

In terms of the security update itself, we're seeing strong deployments worldwide. We also have no reports of known issues with the security update at this time.

In terms of the overall threat environment, we've not seen any major changes so far. We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we've not seen evidence of public, reliable exploit code showing code execution.

More: http://blogs.technet.com/msrc/archive/2008/10/26/update-on-ms08-067.aspx