Applying Microsoft's out-of-band patch may prove fatal

By Koushik Saha on 26.10.08


Microsoft's out-of-band patch fixes open ports on Windows that could be exploited by dishonest employees, or by outsiders if a system faces the Internet. The MS08-67 patch is critical for Windows XP and older versions, and important for Windows Vista. Reports have an n2.exe file being downloaded on Windows computers vulnerable to a worm.

It doesn't happen often, but when it does it gets the attention of the security world. Microsoft on Thursday issued an out-of-band patch designated as critical for Windows XP and older versions, and important for Windows Vista.

MS08-67 resolves a vulnerability in the Server service that affects all currently supported versions of Windows. Because the vulnerability is potentially wormable on older versions of Windows, Microsoft is encouraging customers to test and deploy the update as soon as possible.

Microsoft discovered the vulnerability as part of its research into a limited series of targeted malware attacks against Windows XP systems. Researchers found attackers were using a new vulnerability that was potentially wormable. The company planned a Webcast on Friday to discuss the release.

Holding Out Hope

This advisory has all the makings of a worm, according to Tyler Reguly, a security engineer for nCircle. "The difference between this and slammer or code red, or at least I hope it's a difference, is that hopefully there aren't too many Internet-facing machines listening on ports 139 and 445," he said. "If it is facing the Internet, that means that not even a simple home router is used, and that thought scares me."

Reguly could see this used by an employee inside a company. For example, if a company's internal security isn't adequate, a disgruntled employee with the proper skill set could take advantage of the vulnerability.

Security researchers are warning IT administrators to keep in mind that a patch is released out-of-band for a reason. Like Microsoft, security researchers suggest patching this immediately. According to Microsoft and Symantec, the problem is being seen in limited, targeted attacks. However, that could escalate if systems are left unpatched.

The Threat of Identity Theft

"While the first thing that comes to mind with a patch is protection, malicious individuals are thinking, 'Yes, we can see where the vulnerability is.' This means it's easier for hackers to develop exploit code to take advantage of this vulnerability," Reguly said.

Security researchers are also considering what this could mean to smaller retailers focused on PCI compliance. Reguly worked for a small business in the past that had SBS 2000 directly connected to the Internet, and traffic was being routed through that server.

"Setups like this do exist and they are vulnerable," he cautioned. "Unpatched retailers without adequate security practices could leave their clients open to identity theft."
