Support Overview

Help Desk

Online Service Request

Emergency IT Support

Security Alerts

Computer Usage Tips

Security Alerts

Security Warning: Microsoft Released an "Out-of-Band" Security Bulletin on Oct. 23, 2008

Microsoft released what they called an "Out-of-Band Microsoft Security Bulletin" on October 23, 2008 for a critical vulnerability in Remote Procedure Call (RPC) in the Server service for all currently supported versions of Windows. Microsoft considers it critical for Windows 2000, Windows XP, and Windows Server 2003. (On Windows Vista and Windows Server 2008, the vulnerable code path is only accessible to authenticated users and, thus, is not as critical.) Microsoft recommends that customers apply the update immediately. The update is uninstallable.

Vanja Svajcer of SophosLabs, UK wrote, "When Microsoft decides to release an out of band security update only a week after the regular monthly update you can be sure that we are dealing with a serious issue."

As most of you remember, worms such as Blaster, Nachi, Welchia, and the likes were able to propagate through RPC/DCOM vulnerabilities and this vulnerability is in a very similar area of code. That might give you an idea why Microsoft and other security experts are so concerned about this Server Service vulnerability. We recommend that you install the patch with all due haste.

This is an unauthenticated remote execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. This vulnerable could be used for a self-propagating attack (worm). What makes this vulnerability so critical is that an attacker could exploit this vulnerability without authentication to run arbitrary code and that it is possible for this vulnerability to be used in a wormable exploit. The more and quicker the update is deployed, the less of a target there will be for a worm and the less likely more exploits will be.

The vulnerability is currently being exploited as a limited and targeted malware attack. This exploit has been named Win32/MS08067.gen!A. Virus protection vendors should have updated definitions for the specific malware available by the end of Wednesday. As usual, reverse engineering the MS08-067 patch will show malware writers how to exploit the RPC request flaw and other exploits of this vulnerability are possible.

Microsoft indicated that the exploit was present in Trojan horse attacks. They stated, "We have also have detection for the malware we found used in attacks exploiting this vulnerability (TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Gimmiv.A.dll) ..." Websense© Security Labs™ has received reports of exploits circulating in the wild that take advantage of this vulnerability to install a Trojan (Gimmiv) upon successful exploitation.

Windows NT is affected by this vulnerability. Microsoft has created patches for NT4 Workstation, NT4 Server, and NT4 Terminal Server; however, these patches are only available to those who have purchased an NT4 Custom Support Agreement from Microsoft.

Firewall best practices (blocking inbound connections to TCP ports 139 and 445) can help protect network resources from attacks that originate outside your network perimeter. The current exploit is bypassing network perimeter firewalls.

More Information

Microsoft Security Response Center (MSRC) Blog

Microsoft Security Vulnerability Research & Defense


SophosLabs Blog with Vanja Svajcer

SANS Handler Diary (see especially update #2)

Websense Security Labs alert

Managed Services

Based on the criticality, IT Professional Services performed an emergency deployment of this update on Wednesday afternoon to all systems under managed care.

Professional Services

If you need assistance installing the vendor-supplied security update, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Privacy Policy

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030