Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/14/2008
07:07 PM
50%
50%

Microsoft's Patch Tuesday Vital For Windows Server 2000 Users

While it's the Active Directory vulnerability that is rated "critical," fixes for Windows Server 2008 and Windows Vista show the newer operating systems are not immune from attacks.

Microsoft on Tuesday made available its regularly scheduled monthly security software patches, including 11 downloads to repair vulnerabilities in Windows Vista, Windows Server 2008, Windows Server 2000, Microsoft Office, and other products.

The so-called Patch Tuesday included four bulletins rated "critical" that affect Active Directory, Excel Host Integration Server, and Internet Explorer. Six bulletins are rated "important." The last one is rated "moderate." The "important" vulnerabilities have to do with privilege elevation and remote code execution. The "moderate" vulnerability has to do with information disclosure.

The Excel vulnerability affects various versions of Microsoft Office, including Microsoft Office for Mac 2004 and 2008. The IE patch could allow information disclosure or remote code execution if a user views a specially crafted Web page.

Of the "critical" patches, Vulnerability in Active Directory Could Allow Remote Code Execution (MS08-060) is garnering the most attention. Failure to apply the software could allow remote code execution if an attacker gains access to an affected network.

"This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers," Microsoft said in its bulletin. "If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability."

Eric Schultze, CTO of security firm Shavlik and formerly with Microsoft security, told InformationWeek he considers MS08-060 the most important in the batch.

"It's especially critical for an IT shop that has Windows [Server] 2000 domains and domain controllers," Schultze said. "You might not have them for long as any disgruntled employee can rename the files and take control of those assets without this patch."

Schultze said that Microsoft Security Bulletin MS08-063 and MS08-065, while labeled "important," is more than likely critical for a company's security. Both vulnerabilities allow for remote code execution, a favored target of hackers. MS08-063 in particular is dangerous because it impacts the Microsoft Server Message Block (SMB) protocol.

"That's the file- and printer-sharing protocol," Schultze said. "It's the protocol you use to log in and send something to the printer. So, if I go to my S drive and rename those files and give it a specifically long file name, then the moment that I do that, I can own that file server without human interaction. ... It's the first time in a long time we have seen these server-side vulnerabilities."

MS08-065 is a hole in Microsoft's Message Queuing Service (MSMQ) on Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.

Schultze also noted that five of the 11 bulletins posted by Microsoft are addressing vulnerabilities found in Windows Vista and Windows Server 2008. "This really shows us that these operating systems are impacted by legacy code that goes back to Windows 1998 or earlier," he said.

As it has done for the last few quarters, Microsoft is hosting a Webcast on Oct. 15 to address customer questions on these bulletins.

Customers are also being warned about an e-mail sent out by hackers who are posing as a Microsoft security executive.

An e-mail to many of Microsoft's customers claiming to be from Steve Lipner, Microsoft's security assurance director, is in fact a Mal/EncPk-CZ Trojan virus that allows hackers to gain remote control over an infected PC.

The note reads: "Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. Since public distribution of this update through the official website http://www.microsoft.com would have resulted in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users."

Microsoft said that it never sends out security updates by mail and warns customers not to open any attachments within the e-mail.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32089
PUBLISHED: 2021-05-11
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on Zebra (formerly Motorola Solutions) Fixed RFID Reader FX9500 devices. An unauthenticated attacker can upload arbitrary files to the filesystem that can then be accessed through the web interface. This can lead to information disclosure and c...
CVE-2020-24586
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted us...
CVE-2020-24587
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and...
CVE-2020-24588
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802....
CVE-2020-26139
PUBLISHED: 2021-05-11
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and...