MS08-067 – Out-of-cycle Windows Patch

Microsoft rarely releases these out-of-cycle patches, but when they do, lots of people get excited. It should come as no surprise that we aren’t.

If you want to get an idea of what could happen as a result of this vulnerability, think MS06-040/Graweg/Mocbot/SDBot/August-September 2006. MS06-040 was a similar vulnerability which allowed criminals to gain control of systems they could reach via Server Message Block (SMB). Of course, if you can get to someone’s machine via SMB, there’s a lot of harm that could possibly be done.

Of course, we would like to believe that corporations are doing an adequate job of preventing SMB from entering their networks from untrusted sources. Obviously, this has the potential to storm around inside an organization if an infected host is brought in after some foolish exposure. In particular, think about partners you deal with who aren’t as well funded as you, or the remote support technician who wants to use his or her privileged access to the black box currently handling your payment processing in order to gain access to your sales database.

Yes, exploitation is potentially “wormy,” but we had two other vulnerabilities patched on the 14th that were also “wormy.” We’re not going to ignore the potential of an inside infection (e.g. within your LAN), but a lot would have to happen before that takes place (as in CNN reporting a worm spreading rapidly).

In short, only you know the state of your roving/remote users. Can you, or should you, consider blocking SMB from them? Do think about it, at least until they’ve been patched. Focus on high-risk users (e.g. executives) and any users permitted to run less secure configurations. You should also move to protect critical infrastructure assets.
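As an added illustration of the exposure check this paragraph calls for (not code from the original post), the script below audits constructed firewall records for SMB reaching hosts from the remote-user VPN pool or from outside the trusted LAN, and for SMB reaching a critical asset from anything other than an assumed admin host. The address ranges, host lists and the log format are all assumptions.

```python
import ipaddress

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB
# Assumed (hypothetical) layout: corporate LAN, the VPN pool handed to roving/remote
# users, the critical asset (the payment-processing box) and the only admin hosts
# expected to speak SMB to it.
TRUSTED_LAN = [ipaddress.ip_network("10.0.0.0/8")]
REMOTE_VPN_POOL = ipaddress.ip_network("172.16.50.0/24")
CRITICAL_ASSETS = {"10.1.5.20"}
ADMIN_HOSTS = {"10.1.1.10"}


def parse_record(line):
    """Parse one constructed 'key=value' firewall allow record."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["src"], f["dst"], f["proto"], int(f["dport"])


def audit(lines):
    """Return (src, dst, dport, reason) for SMB flows the post says to block or watch."""
    findings = []
    for line in lines:
        src, dst, proto, dport = parse_record(line)
        if proto != "tcp" or dport not in SMB_PORTS:
            continue  # not SMB, ignore
        src_ip = ipaddress.ip_address(src)
        if src_ip in REMOTE_VPN_POOL:  # possibly unpatched roving user reaching in
            findings.append((src, dst, dport, "smb-from-remote-user"))
        elif not any(src_ip in net for net in TRUSTED_LAN):
            findings.append((src, dst, dport, "smb-from-untrusted-source"))
        if dst in CRITICAL_ASSETS and src not in ADMIN_HOSTS:
            findings.append((src, dst, dport, "smb-to-critical-asset"))
    return findings


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "src=10.1.1.10 dst=10.1.5.20 proto=tcp dport=445 action=allow",    # admin -> payment box: expected
    "src=172.16.50.7 dst=10.1.9.33 proto=tcp dport=445 action=allow",  # VPN user -> LAN host
    "src=203.0.113.9 dst=10.1.9.33 proto=tcp dport=139 action=allow",  # Internet -> LAN host
    "src=10.1.9.33 dst=10.1.5.20 proto=tcp dport=445 action=allow",    # LAN host -> payment box
    "src=203.0.113.9 dst=10.1.9.33 proto=tcp dport=80 action=allow",   # not SMB
    "src=172.16.50.7 dst=10.1.5.20 proto=tcp dport=445 action=allow",  # VPN user -> payment box
]

if __name__ == "__main__":
    for src, dst, dport, reason in audit(SAMPLE_LOG):
        print(f"{reason:26} {src} -> {dst}:{dport}")
```

A VPN user reaching the payment box produces two findings, one for the source and one for the destination, which is the combination the post singles out.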

Although Microsoft say they have seen attacks, they qualify them as “limited, targeted.” That’s in line with current criminal activity.
