07:07 PM

Microsoft's Patch Tuesday Vital For Windows Server 2000 Users

While it's the Active Directory vulnerability that is rated "critical," fixes for Windows Server 2008 and Windows Vista show the newer operating systems are not immune from attacks.

Microsoft on Tuesday made available its regularly scheduled monthly security software patches, including 11 downloads to repair vulnerabilities in Windows Vista, Windows Server 2008, Windows Server 2000, Microsoft Office, and other products.

The so-called Patch Tuesday included four bulletins rated "critical" that affect Active Directory, Excel Host Integration Server, and Internet Explorer. Six bulletins are rated "important." The last one is rated "moderate." The "important" vulnerabilities have to do with privilege elevation and remote code execution. The "moderate" vulnerability has to do with information disclosure.

The Excel vulnerability affects various versions of Microsoft Office, including Microsoft Office for Mac 2004 and 2008. The IE patch could allow information disclosure or remote code execution if a user views a specially crafted Web page.

Of the "critical" patches, Vulnerability in Active Directory Could Allow Remote Code Execution (MS08-060) is garnering the most attention. Failure to apply the software could allow remote code execution if an attacker gains access to an affected network.

"This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers," Microsoft said in its bulletin. "If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability."

Eric Schultze, CTO of security firm Shavlik and formerly with Microsoft security, told InformationWeek he considers MS08-060 the most important in the batch.

"It's especially critical for an IT shop that has Windows [Server] 2000 domains and domain controllers," Schultze said. "You might not have them for long as any disgruntled employee can rename the files and take control of those assets without this patch."

Schultze said that Microsoft Security Bulletin MS08-063 and MS08-065, while labeled "important," is more than likely critical for a company's security. Both vulnerabilities allow for remote code execution, a favored target of hackers. MS08-063 in particular is dangerous because it impacts the Microsoft Server Message Block (SMB) protocol.

"That's the file- and printer-sharing protocol," Schultze said. "It's the protocol you use to log in and send something to the printer. So, if I go to my S drive and rename those files and give it a specifically long file name, then the moment that I do that, I can own that file server without human interaction. ... It's the first time in a long time we have seen these server-side vulnerabilities."

MS08-065 is a hole in Microsoft's Message Queuing Service (MSMQ) on Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.

Schultze also noted that five of the 11 bulletins posted by Microsoft are addressing vulnerabilities found in Windows Vista and Windows Server 2008. "This really shows us that these operating systems are impacted by legacy code that goes back to Windows 1998 or earlier," he said.

As it has done for the last few quarters, Microsoft is hosting a Webcast on Oct. 15 to address customer questions on these bulletins.

Customers are also being warned about an e-mail sent out by hackers who are posing as a Microsoft security executive.

An e-mail to many of Microsoft's customers claiming to be from Steve Lipner, Microsoft's security assurance director, is in fact a Mal/EncPk-CZ Trojan virus that allows hackers to gain remote control over an infected PC.

The note reads: "Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. Since public distribution of this update through the official website http://www.microsoft.com would have resulted in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users."

Microsoft said that it never sends out security updates by mail and warns customers not to open any attachments within the e-mail.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.