Risk
11/11/2008
03:33 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft's November Patch Tuesday Unusually Light

The lone critical vulnerability affects Microsoft XML Core Services and, left unchecked, could allow remote code execution if the user visits a maliciously crafted Web page.

Microsoft on Tuesday released two Security Bulletins addressing four vulnerabilities.

The unusually light "Patch Tuesday" includes one bulletin rated "critical" and one bulletin rated "important."

The critical vulnerability, MS08-069, affects Microsoft XML Core Services. It could allow remote code execution if the user visits a maliciously crafted Web page.

The important vulnerability, MS08-068, addresses a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. It could allow remote code execution on an affected system, but it becomes a less serious issue if the user does not have administrative rights.

Eric Schultze, CTO of Shavlik Technologies, in an e-mailed statement, said that the MS08-068 is the more interesting of the two bulletins.

"It appears that MS08-068 (Important) is addressing a vulnerability that was first made public 7+ years ago (in 2001)," said Schultze. "Sir Dystic, from Cult of the Dead Cow, found a vulnerability in Microsoft operating systems that enabled attackers complete access to user's computers. He wrote a utility called SMBRelay to demonstrate the flaw. Microsoft was aware of the issue but didn't issue any security bulletins or patches to correct the behavior. Well, it looks like they've finally seen the light and have addressed this issue via the MS08-068 patch."

Schultze said he used to demonstrate this attack at classroom training sessions around the country and that participants had been surprised that Microsoft knew about the attack but hadn't fixed it.

Tyler Reguly, security research engineer at nCircle, in an e-mailed statement, also questioned Microsoft's assertion that MS08-069 deserves to be rated as the more significant of the two bulletins.

He cited the high risk of insider threats and said that SMB redirection represents "the ultimate insider attack in today's enterprise environment, where IE is often the corporate standard and can be made to pass credentials when a user simply visits a Web page."

One reason that Microsoft may have chosen to deal with this vulnerability is that SMB redirection has been available in the Metasploit framework for several months.

"Metasploit's SMB_Relay module greatly reduces the effort required to take advantage of this attack, allowing users to set up a fake Web page pointing to a host running Metasploit and exploiting each machine," said Reguly. "This ease of attack and the fact that the attack is already easily accessible to the public may mean we see increased exploitation compared to what we would usually see."

Last month, Microsoft released an out-of-band security update to address a critical flaw that could let a remote attacker take over Windows computers without any user interaction. Microsoft said it had done so because there was active exploitation of the vulnerability.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.