Direct patch download links for MS10-002 KB978207

Microsoft had released the out of band patch to resolve Internet Explorer vulnerabilities, see KB978207 and MS10-002 for additional details.

The patches for IE6, IE7, and IE8 are available on Windows Update and Microsoft Update.  Unfortunately for me, our business proxy blocks access to these sites.  We also have to go through a corporate vulnerability rating process, and if the vulnerability rates severe enough, a deployment plan will be developed, and tested, and scheduled…. long story short, without intervention on my part, it will be a long time until my machine sees any critical updates.

The ISC has rated this vulnerability at it’s highest risk level, PATCH NOW!

I manually downloaded the patch from the Microsoft download site.  You can find the patch for all OSs and versions of IE here.

Free Microsoft eBook: Windows Vista Resource Kit, Second Edition

Microsoft Press is making the Windows Vista Resource Kit, Second Edition a free download for one month only.

The catch is you have to sign up for the Microsoft Press Book Connection Newsletter, which will give you notification of offers, register, and download the free eBook selection of the month.

The book is written by Mitch Tulloch, Tony Northrup, and Jerry Honeycutt with the Windows Vista Team. If you’d like to purchase the print copy of the book, you can pick it up for $44.09 on, a savings of $25.00.

MS08-067 vulnerability, exploit, and reverse engineering in detail

Since Microsoft released the out of band patch detailed in MS08-067 yesterday, an exploit and worm have already been developed and seen in the wild.  Dave Aitel announced the exploit yesterday in his DailyDave mailing list. SecurityFocus has the exploit available for download hereAlexander has also published his decompiled version of the vulnerable function.  Stephenl has a nice description of how he reverse engineered the patches to determine the specific vulnerability.

The ThreatExpert Blog has a very nice description of how the worm, named Gimmiv.A operates. Gimmiv.A creates three files in the %system%\WBEM\ directory: winbase.dll, basesvc.dll, and syicon.dll.

ThreatExpert reports

“After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host. The details are posted in an encrypted form, by using AES (Rijndael) encryption. 

Details collected by Gimmiv.A are then posted to a personal profile of the user “perlbody”, hosted with hosting provider. At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims’ details, indirectly indicating how many victims have been compromised by this worm so far.

The most interesting part of this worm is implemented in the DLL basesvc.dll. This DLL is responsible for the network propagation of the worm.”

If you cannot immediately patch your systems, the best defense is to restrict access to ports 139 and 445.

For additional detail, see this Microsoft Security Vulnerability Research & Defense blog posting.

The Microsoft Malware Protection Center has a page dedicated to Gimmiv.A, which they are calling a trojan rather than a worm.

McAfee has a nice description of the exploit code as well.

You can verify your anti-virus vendor detects Gimmiv.A at

Microsoft Active Directory Topology Diagrammer

The Microsoft Active Directory Topology Diagrammer is a really useful tool when documenting Active Directory domains of any size.

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microsoft Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization.

With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, like only one Domain or one site. The objects are linked together, and arranged in a reasonable layout that you can later interactively work with the objects in Microsoft Visio.

The Diagrammer is very flexible and allows the user to include and exclude granular information such as the following:

  1. domain(s) (child etc.)
  2. Site(s )
  3. OUs
  4. Administrative Groups
  5. Exchange connectors (Routing, SMTP, X.400, Notes etc.)
  6. Users in the domain(s)
  7. Trusts
  8. User Count
  9. Global Catalog servers
  10. IP and SMTP Site links
  11. Subnets
  12. Inter/Intra Site Replication Connections
  13. Number of Mailboxes
  14. Application Partitions
  15. Servers and OS version information (with color coding)


In order for the tool to do a Active Directory discover you need to configure the tool to point to a Global Catalog server in the environment.

Supported operating systems are Windows 2000, XP, Server 2003, and Vista. You’l need .NET 2.0 and Visio 2003 or 2007. The Active Directory team has a nice tutorial on how to use this tool, along with the Group Policy Management Console, to document your Active Directory infrastructure.

mrt.exe reports back to Microsoft

Microsoft’s Malicious Software Removal Tool (MRT) helps remove malware infections of specific, prevalent malicious software—including Blaster, Sasser, and Mydoom.

If your machine run Windows 2000, XP, Vista, or Windows Server 2003 and you have Automatic Updates enabled on your computer, MRT is automatically updated on the second Tuesday of each month. After MRT runs, it logs it’s findings to the %windir%\debug directory, which is typically c:\Windows\Debug.

Buried in the fine print on the Microsoft web site is the following sentence:

“Also, please be aware that this tool reports anonymous information back to Microsoft in the event that an infection is found or an error is encountered.”

What information is sent to Microsoft? Here is the current list:

• The name of the malicious software that is detected
• The result of malicious software removal
• The operating system version
• The operating system locale
• The processor architecture
• The version number of the tool
• An indicator that notes whether the tool is being run from Microsoft Update, from Windows Update, from Automatic Updates, from the Download Center, or from the Web site.
• An anonymous GUID
• A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer

If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed above. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:

• The files that are suspected to be malicious software. The tool will identify the files for you.
• A cryptographic one-way hash (MD5) of any suspicious files that are detected.
No other information is sent to Microsoft.

I’m not sure how others feel, but I don’t like any of my information being sent to Microsoft, whether it be anonymous or not. For example, lets say my machine has an infected copy of wgaremover.exe. I can’t believe that Microsoft doesn’t have ways of connecting this program, which allows you to bypass Windows Genuine Advantage, back to my IP address.

Luckily, KB 891796 describes how to disable this reporting component that sends the results of your scan to Microsoft, along with the information regarding the infected files. You can perform the following registry changes to disable the reporting:

add DontReportInfectionInformation with type REG_DWORD and value data: 1

Logging is automatically disabled if the following registry key value exists:


This registry key value indicates that the computer is connected to an SUS server. You can download an updated version of the Malicious Software Removal Tool here, or the 64-bit version here. Note that KB 890830 states:

“The first time that you download and run the tool by using Automatic Updates, Microsoft Update, or Windows Update, you must be logged on to the computer by using an account that is a member of the Administrators group. After you accept the one-time license terms, you can receive future versions of the tool without being logged on to the computer as an administrator.”

If you are experiencing problems with MRT, consult KB 891717 for troubleshooting guidance.