Direct patch download links for MS10-002 KB978207

Microsoft has released an out-of-band patch to resolve Internet Explorer vulnerabilities; see KB978207 and MS10-002 for additional details.

The patches for IE6, IE7, and IE8 are available on Windows Update and Microsoft Update. Unfortunately for me, our business proxy blocks access to these sites. We also have to go through a corporate vulnerability rating process, and if the vulnerability rates severe enough, a deployment plan will be developed, and tested, and scheduled... long story short, without intervention on my part, it will be a long time until my machine sees any critical updates.

The ISC has rated this vulnerability at its highest risk level: PATCH NOW!

I manually downloaded the patch from the Microsoft download site.  You can find the patch for all OSs and versions of IE here.

New Internet Explorer 7 0-day exploit

SANS has reported a Microsoft IE7 0-day exploit that is now in the wild. This vulnerability is not addressed by the December 2008 Patch Tuesday releases, nor by the MS08-073 patch that was released on 12-09-2008.

Analysis shows the current exploit checks for the following conditions:

The user has to be running Internet Explorer
The version of Internet Explorer has to be 7
The operating system has to be Windows XP or Windows 2003

SANS has not yet confirmed whether other configurations are affected (Internet Explorer 6, or Internet Explorer 7 on Microsoft Windows Vista).

ThreatExpert has a very nice overview of the modifications the exploit makes to compromised computers.

Additional Resources:

ZDNet Security Blog
Secunia Advisory

MS08-067 vulnerability, exploit, and reverse engineering in detail

Since Microsoft released the out-of-band patch detailed in MS08-067 yesterday, an exploit and a worm have already been developed and seen in the wild. Dave Aitel announced the exploit yesterday on his DailyDave mailing list. SecurityFocus has the exploit available for download here. Alexander has also published his decompiled version of the vulnerable function. Stephenl has a nice description of how he reverse engineered the patch to determine the specific vulnerability.

The ThreatExpert Blog has a very nice description of how the worm, named Gimmiv.A operates. Gimmiv.A creates three files in the %system%\WBEM\ directory: winbase.dll, basesvc.dll, and syicon.dll.

ThreatExpert reports

“After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host. The details are posted in an encrypted form, by using AES (Rijndael) encryption. 

Details collected by Gimmiv.A are then posted to a personal profile of the user “perlbody”, hosted with hosting provider. At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims’ details, indirectly indicating how many victims have been compromised by this worm so far.

The most interesting part of this worm is implemented in the DLL basesvc.dll. This DLL is responsible for the network propagation of the worm.”

If you cannot immediately patch your systems, the best defense is to restrict access to TCP ports 139 (NetBIOS session) and 445 (SMB), both at the perimeter and on host firewalls, so that only hosts that genuinely need file and print sharing can reach them.
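The script below is an added example (it is not from the original post or from any of the linked writeups) for confirming that the port restriction is actually in effect from an attacker's vantage point: it attempts a TCP connect to 139 and 445 on each host in a list and reports which hosts still accept connections. The host list is constructed from RFC 5737 documentation addresses and should be replaced with your own subnet; run it from a segment that is supposed to be blocked, so a timeout or refusal means the filtering works and a successful connect means the host is still exposed.

```python
import socket
from contextlib import closing

# NetBIOS session (139) and SMB (445): the two ports an MS08-067 exploit
# needs to reach. Assumption: TCP only, which is what the RPC path uses.
SMB_PORTS = (139, 445)


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connect() to host:port succeeds within timeout.

    A silently dropped SYN shows up as a timeout; a host firewall that
    rejects shows up as ConnectionRefusedError. Both count as 'not open'.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, ConnectionRefusedError, OSError):
            return False


def smb_exposure(hosts, ports=SMB_PORTS, timeout=1.0):
    """Map each host to the subset of `ports` that still accept connections.

    An empty list for a host means the restriction holds from where you ran this.
    """
    return {h: [p for p in ports if tcp_port_open(h, p, timeout)] for h in hosts}


def open_listener():
    """Helper for self-testing: bind a TCP listener on an ephemeral loopback port
    so tcp_port_open() can be exercised without touching the network."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # Constructed host list (documentation addresses); replace with your subnet.
    hosts = ["192.0.2.10", "192.0.2.11", "198.51.100.20"]
    for host, exposed in smb_exposure(hosts).items():
        status = "EXPOSED on %s" % exposed if exposed else "blocked"
        print("%-16s %s" % (host, status))
```

A host that answers on 445 from a segment that should be filtered is the one to chase first; a timeout only proves the filter works from this vantage point, so repeat the check from each network zone that matters.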

For additional detail, see this Microsoft Security Vulnerability Research & Defense blog posting.

The Microsoft Malware Protection Center has a page dedicated to Gimmiv.A, which they are calling a trojan rather than a worm.

McAfee has a nice description of the exploit code as well.

You can verify your anti-virus vendor detects Gimmiv.A at

Out of the Box, the ASUS Eee PC is Incredibly Insecure

HDM pointed out on the Metasploit blog that the guys from RISE Security rooted an ASUS Eee PC quite easily. They used Metasploit to exploit a Samba vulnerability that was published in July 2007 – almost seven months ago.

Why is ASUS shipping new products with vulnerabilities that are serious enough to allow attackers to gain root access through commonly used security tools such as the Metasploit Framework?

Carl at CandyFOSS doesn’t think this could realistically be exploited, but I’m not so sure.

I’ve searched all over ASUS’s support website, and have not found a downloadable patch for this problem. One of my school districts just ordered 60 Eee PCs, and you can rest assured there’s no way I’m letting these devices out of the box until I can find a fix.

Anyone out there who has one of these machines, can you confirm if there is a patch that is automatically installed through the update process to address this vulnerability?

The ISC has a brief write-up of additional information the Eee PC reveals in its default configuration.

MS08-001 details and exploit video

Here is an interesting, albeit highly technical video analyzing a buffer overflow vulnerability described in MS08-001. I knew assembly language back in college, but it was still tough for me to understand how the code analysis was performed. For those who are not familiar with this security bulletin:

According to ISS, who discovered this issue, “Microsoft Windows TCP/IP is the network communication protocol that is used by all Microsoft operating systems. The two components affected by remote code execution vulnerabilities, IGMPv3 (XFID 39452) and MLDv2 (XFID 39453), are enabled by default. Although MLDv2 is available only on Windows Vista for IPv6 support, IGMPv3 is available on all affected platforms. An attacker does not need to invoke any kind of user interaction to exploit this vulnerability. The lack of user interaction, widespread availability of the protocols, and the possibility of complete compromise of targeted systems means that administrators should treat this vulnerability as highly critical.”

According to Steve Gibson in his Security Now podcast episode #126, it’s just a matter of time until someone writes a nasty worm to exploit the vulnerability in the Windows TCP/IP stack described in Microsoft Security Bulletin MS08-001. Microsoft states that an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Interestingly enough, the severity of this vulnerability is different depending on which version of Windows you are running. It’s considered a moderate risk for Windows 2000 SP4, important for Windows Server 2003 SP1 and SP2, and critical for Windows XP SP2, Windows Small Business Server 2003 SP2, and Windows Vista.

Keep an eye on KB 941644 for any new information on this vulnerability. You can also read a three part post on the Microsoft Security Vulnerability Research & Defense Technet blog with lots of technical details. Now, in part three, Microsoft makes it sound difficult, if not highly improbable, to exploit this flaw.

But Dave Aitel says on DailyDave:

“You’ll be able to trigger it every time, especially on a local LAN”

and in an article he states:

“It reliably crashes Windows machines. In fact, it blue-screened our print server by accident — this is a broadcast attack, after all.”

and Holly on the blog notes:

“This leads to one of the things that make this set of vulnerabilities so unique. These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them. Even if you have IPS in your host product, the standard APIs that protection vendors hook into on XP and Windows 2000 do not provide protection at this low level in TCP/IP” … “So, the problem with most host-based protection against this TCP/IP kernel vulnerability is that many products will never see an attack. Standard AV won’t work and neither would behavior blocking, including generic buffer overflow protection, because they don’t monitor at that low of a level and the exploit would never make it past the TCP/IP stack. For most, the only true way to protect against this attack is to apply the patch or disable multicast functionality in its entirety, which disables a lot of good things like some streaming media applications, some file distribution systems, etc.”
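Because the quote above points out that host-based products never see this traffic, the practical place to look for it is on the wire. The parser below is an added example, not code from the original post, from Microsoft, or from any vendor mentioned here: it decodes an IGMPv3 Membership Query (RFC 3376), verifies the RFC 1071 checksum, and flags queries whose declared Number of Sources does not agree with the bytes actually present. The page does not describe the MS08-001 bug itself, so this is presented only as the generic consistency check a network IDS would apply to IGMPv3 queries, not as a signature for the vulnerability; the packets it is tested against are constructed by the `build_v3_query` helper.

```python
import socket
import struct

IGMPV3_QUERY = 0x11      # IGMPv3 Membership Query type (RFC 3376)
QUERY_FIXED_LEN = 12     # header bytes before the variable-length source list


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum. Over a packet whose checksum
    field is already correct this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_v3_query(group, sources, declared=None):
    """Constructed test helper: assemble an IGMPv3 Membership Query for `group`
    listing `sources` (dotted IPv4 strings). `declared` overrides the Number of
    Sources field so it can disagree with the real list, as a malformed packet would."""
    nsrc = len(sources) if declared is None else declared
    # type, max resp code, checksum placeholder, group, S/QRV, QQIC, number of sources
    body = struct.pack("!BBH4sBBH", IGMPV3_QUERY, 100, 0,
                       socket.inet_aton(group), 0x02, 125, nsrc)
    body += b"".join(socket.inet_aton(s) for s in sources)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_v3_query(pkt):
    """Decode an IGMPv3 Membership Query and return a dict; 'problems' is empty
    for a well-formed query and lists each inconsistency otherwise."""
    problems = []
    if len(pkt) < QUERY_FIXED_LEN:
        return {"problems": ["truncated header"]}
    typ, _mrc, _csum, group, _flags, _qqic, nsrc = struct.unpack(
        "!BBH4sBBH", pkt[:QUERY_FIXED_LEN])
    if typ != IGMPV3_QUERY:
        problems.append("not a membership query (type 0x%02x)" % typ)
    if inet_checksum(pkt) != 0:
        problems.append("bad checksum")
    present = (len(pkt) - QUERY_FIXED_LEN) // 4      # source entries actually on the wire
    expected_len = QUERY_FIXED_LEN + 4 * nsrc
    if len(pkt) < expected_len:
        problems.append("declares %d sources but only %d present" % (nsrc, present))
    elif len(pkt) > expected_len:
        problems.append("%d trailing bytes after source list" % (len(pkt) - expected_len))
    sources = [socket.inet_ntoa(pkt[QUERY_FIXED_LEN + 4 * i:QUERY_FIXED_LEN + 4 * i + 4])
               for i in range(min(nsrc, present))]
    return {"group": socket.inet_ntoa(group), "declared_sources": nsrc,
            "sources": sources, "problems": problems}


if __name__ == "__main__":
    # Constructed samples: a valid general query and one whose count overstates the list.
    for pkt in (build_v3_query("0.0.0.0", ["192.0.2.1", "192.0.2.2"]),
                build_v3_query("224.0.1.1", ["192.0.2.1"], declared=1000)):
        print(parse_v3_query(pkt))
```

The count-versus-length comparison is the check worth keeping whatever the protocol: a receiver that trusts a declared element count and walks that many entries reads past the data it was handed, and a sensor that compares the count against the bytes on the wire sees the mismatch before the host's kernel does.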

You’ll want to scan your network with a tool like the Microsoft Baseline Security Analyzer (MBSA), which lets administrators scan local and remote systems for missing security updates as well as common security misconfigurations. Once you identify unpatched machines, get the updates applied as soon as possible: a perimeter firewall only stops attacks from outside, not from an attacker on the local LAN where this is a broadcast attack, and desktop firewalls and host-based IPS do not see traffic this low in the TCP/IP stack.

[updated 01-30-2008]

Immunity Inc. has a Flash video detailing their working exploit for this vulnerability. It looks like this is no longer at the proof-of-concept stage.