ThreatFire Research Blog Home

Microsoft Releasing Out-of-Band Security Patch

Microsoft is releasing an out-of-band patch today. This Critical-severity release is unusual: the last time such a patch was released was 18 months ago, when Windows users were getting slammed with exploits targeting one of the .ani vulnerabilities.
It is most likely a very serious issue, and Microsoft is remaining tight-lipped on the details. The fact that the April 2007 .ani vulnerability was targeted by one of the last serious Windows worm incidents (although it wasn’t well publicized), when a variant of the Fubalca/Fujacks family was released, provides a clue as to just how bad this one is. At the time, in 2007, hundreds of attacking web sites were also targeting the vulnerability in client-side browser attacks.

At any rate, Windows users need to be sure to update their systems today.

Update: MS08-067 is released. The vulnerability uses the Server Service as a delivery vector and resides in multiple versions of Netapi32.dll and Wnetapi32.dll: “The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request”.
Even their newest project, Windows 7.0 pre-beta, is affected. It’s interesting to note that authentication can affect exploit delivery, while the same vulnerable code remains in the base networking code: “On Windows 7 Pre-Beta systems, the vulnerable code path is only accessible to authenticated users. This vulnerability is not liable to be triggered if the attacker is not authenticated, and therefore would be rated Important.” Is “guest” considered an authenticated user on Windows 7.0?
Workarounds can be found at the link for those who cannot patch immediately.

And look at that, it’s so fresh that the CVE identifier is empty even a couple of hours following its release. Here’s a snapshot of the National Vulnerability Database at 2:00 p.m. MST:

Install now. You should be looking at something like this screenshot, instead of spending time on this blog:

Unfortunately, keep in mind that the update requires a reboot.
For all you hardcore hax0rs, Skywing has put together a detailed post on using the AT service and hiew to inject the updated code into svchost.exe and manually hot-patch the running vulnerable service, avoiding a reboot. Fun reading, but not recommended.
In it he claims that he wasn’t able to use BinDiff to identify the patched code, but for those REs with a lack of funding, there is a limited trial version of v2.0 that worked great on netapi32 and helped identify this problem as a stack overflow within a couple of minutes of Microsoft’s patch release. You can see for yourself what a great tool BinDiff really is: google is your friend.
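For readers who have not used a patch-diffing tool, here is an added toy illustration of what such a tool does at the function level. It is not code from this blog and not BinDiff itself: it fingerprints each function by its mnemonic sequence, matches functions that are unchanged between the old and patched binary, and then flags, in the functions that did change, any newly added compare-and-branch pair of the kind a bounds-check fix introduces. The "binaries" are constructed inline as name-to-instruction dicts, and the function names (CopyRequestPath, Helper, OldOnly, NewOnly) and their instructions are hypothetical sample data, not disassembly of netapi32.

```python
"""Toy function-level patch diff, in the spirit of BinDiff (constructed example).

Each "binary" is a dict mapping function name -> list of (mnemonic, operands)
tuples, which in practice you would export from a disassembler. Function
names are assumed to be stable across the two builds for the sake of the
demo; real tools also match unnamed functions by structure.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

Instr = Tuple[str, str]
Binary = Dict[str, List[Instr]]


def fingerprint(code: List[Instr]) -> str:
    """Hash the mnemonic sequence only, so that relocated addresses and
    register renaming between builds do not show up as a code change."""
    mnemonics = " ".join(m for m, _ in code)
    return hashlib.sha256(mnemonics.encode()).hexdigest()


@dataclass
class DiffResult:
    unchanged: List[str]
    changed: List[str]
    added: List[str]
    removed: List[str]


def diff_binaries(old: Binary, new: Binary) -> DiffResult:
    """Classify every function as unchanged, changed, added or removed."""
    old_fp = {name: fingerprint(c) for name, c in old.items()}
    new_fp = {name: fingerprint(c) for name, c in new.items()}
    common = set(old_fp) & set(new_fp)
    unchanged = sorted(n for n in common if old_fp[n] == new_fp[n])
    changed = sorted(n for n in common if old_fp[n] != new_fp[n])
    added = sorted(set(new_fp) - set(old_fp))
    removed = sorted(set(old_fp) - set(new_fp))
    return DiffResult(unchanged, changed, added, removed)


def new_guards(old_code: List[Instr], new_code: List[Instr]) -> List[str]:
    """Return compare+conditional-jump pairs that exist only in the patched
    function. A new length check before a copy is the classic shape of a
    stack-overflow fix, so these are the first places an analyst looks."""
    old_set = set(old_code)
    guards = []
    for i, ins in enumerate(new_code):
        if ins in old_set or ins[0] != "cmp" or i + 1 >= len(new_code):
            continue
        nxt = new_code[i + 1]
        if nxt[0].startswith("j"):  # jae, jb, jne, ...
            guards.append(f"{ins[0]} {ins[1]} ; {nxt[0]} {nxt[1]}")
    return guards


# Constructed sample data: an unpatched build and a patched build.
# In the patched CopyRequestPath a length check was inserted and the
# unbounded copy was replaced by a bounded one.
OLD: Binary = {
    "CopyRequestPath": [("push", "ebp"), ("mov", "ebp, esp"), ("sub", "esp, 0x208"),
                        ("lea", "eax, [ebp-0x208]"), ("push", "eax"),
                        ("call", "wcscpy"), ("leave", ""), ("ret", "")],
    "Helper": [("mov", "eax, 1"), ("ret", "")],
    "OldOnly": [("nop", ""), ("ret", "")],
}
NEW: Binary = {
    "CopyRequestPath": [("push", "ebp"), ("mov", "ebp, esp"), ("sub", "esp, 0x208"),
                        ("cmp", "ecx, 0x104"), ("jae", "fail"),
                        ("lea", "eax, [ebp-0x208]"), ("push", "eax"),
                        ("call", "wcsncpy"), ("leave", ""), ("ret", "")],
    "Helper": [("mov", "eax, 1"), ("ret", "")],
    "NewOnly": [("xor", "eax, eax"), ("ret", "")],
}


def analyze(old: Binary, new: Binary) -> Dict[str, List[str]]:
    """Run the diff and report the new guards found in each changed function."""
    result = diff_binaries(old, new)
    return {name: new_guards(old[name], new[name]) for name in result.changed}


if __name__ == "__main__":
    r = diff_binaries(OLD, NEW)
    print("unchanged:", r.unchanged)
    print("changed:  ", r.changed)
    print("added:    ", r.added, "removed:", r.removed)
    for name, guards in analyze(OLD, NEW).items():
        print(f"{name}: new checks -> {guards}")
```

Matching on mnemonics rather than raw bytes is the point of the exercise: a rebuilt DLL differs in almost every byte because of relocations and layout, yet only a handful of functions differ in control flow, and the changed ones are where the fix (and therefore the bug class) is.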

Finally, our colleague Sergei also posted a fine writeup on some ITW malware targeting the vulnerability. There have been some accusations of misinformation from a couple of other vendors’ blogs, but it’s a solid writeup. Imho, the trojan/bot could be described as a multi-component worm, much like Sasser of four years ago.

This entry was posted on Thursday, October 23rd, 2008 at 8:40 am and is filed under Vulnerability. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.