7 Years of Patch Making: Vulnerability in SMB Could Allow Remote Code Execution

On November 11, 2008, Microsoft released the security patch for MS08-068. Microsoft took more than seven and a half years to patch this security vulnerability in the Windows operating system. According to Microsoft, the vulnerability is rated Important on most operating systems, except Vista and Windows Server 2008, where it has a rating of Moderate.

Vulnerability in SMB Could Allow Remote Code Execution, Executive Summary

This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and Moderate for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way that SMB authentication replies are validated to prevent the replay of credentials. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials. (Hence the term “credential reflection”). In typical Windows XP configurations where SMB sharing is enabled and the user is a member of the Administrators group, this allows the attacker to easily take over the machine. Public tools, including a Metasploit module, are available to perform this attack.

To carry out this attack, the attacker may use a web page or send an e-mail to the victim; when the web page or e-mail message is opened, the victim's machine tries to connect to a server run by the attacker. Once that connection is established, the attacker's server attempts to capture the network authentication credentials of the victim machine. These network authentication credentials can later be used to gain access to the victim's computer. In cases where the attacker is on the same network as the victim, even "trusted" websites can be leveraged to perform this attack, since network data can be modified before the victim receives it.
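The two paragraphs above describe the reflection (the victim's own challenge is handed back to the victim), and the Executive Summary says the update fixes it by changing how SMB authentication replies are validated. The following is an added example, not code from the post or from Microsoft: a small Python model of a host that is both an SMB server and an SMB client, with a toy HMAC-based challenge/response standing in for NTLM. The `reject_reflected` check is an assumption, a simplified model of the fix: the client refuses to answer a challenge that its own server side issued and has not yet resolved. Password hashes and session names are constructed values.

```python
import hmac
import hashlib
import os

# Toy stand-in for NTLM: the client proves it knows the account's password hash
# by keying an HMAC over the server's 8-byte challenge.  Real NTLMv2 is richer,
# but the reflection problem and the countermeasure do not depend on that.


def compute_response(password_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()


class Host:
    """A Windows-like host that acts as both SMB server and SMB client."""

    def __init__(self, name: str, password_hash: bytes, reject_reflected: bool = False):
        self.name = name
        self.password_hash = password_hash
        self.reject_reflected = reject_reflected  # assumption: models the MS08-068 fix
        self.outstanding = {}  # challenge -> session id, issued by our server side
        self.sessions = {}     # session id -> authenticated?

    # --- server role -------------------------------------------------------
    def issue_challenge(self, session_id: str) -> bytes:
        challenge = os.urandom(8)
        self.outstanding[challenge] = session_id
        return challenge

    def verify_response(self, challenge: bytes, response: bytes) -> bool:
        session_id = self.outstanding.pop(challenge, None)
        if session_id is None:
            return False  # unknown or already-used challenge
        expected = compute_response(self.password_hash, challenge)
        ok = hmac.compare_digest(expected, response)
        self.sessions[session_id] = ok
        return ok

    # --- client role -------------------------------------------------------
    def respond_to_challenge(self, challenge: bytes):
        # Reflection check (simplified model of the fix): if the challenge we are
        # asked to answer is one our own server side issued and still has open,
        # someone is bouncing our challenge back at us.  Refuse to answer it.
        if self.reject_reflected and challenge in self.outstanding:
            return None
        return compute_response(self.password_hash, challenge)


def reflection_attempt(victim: Host) -> bool:
    """Model of the relay the post describes: the victim connects out to the
    attacker's server, the attacker opens an SMB session back to the victim and
    forwards the victim's own challenge.  Returns True if the attacker's session
    to the victim ends up authenticated."""
    challenge = victim.issue_challenge("attacker-session")      # attacker -> victim server
    response = victim.respond_to_challenge(challenge)           # attacker server -> victim client
    if response is None:
        return False                                            # client refused; relay dies here
    return victim.verify_response(challenge, response)          # forwarded back to victim server


def legitimate_login(server: Host, client: Host) -> bool:
    """A normal client/server login between two distinct hosts."""
    challenge = server.issue_challenge("client-session")
    response = client.respond_to_challenge(challenge)
    return response is not None and server.verify_response(challenge, response)


if __name__ == "__main__":
    shared_hash = b"constructed-nt-hash-placeholder"  # constructed sample value
    unpatched = Host("victim-unpatched", shared_hash)
    patched = Host("victim-patched", shared_hash, reject_reflected=True)
    fileserver = Host("fileserver", shared_hash, reject_reflected=True)
    print("reflection vs unpatched host:", reflection_attempt(unpatched))   # True
    print("reflection vs patched host:  ", reflection_attempt(patched))     # False
    print("normal login still works:    ", legitimate_login(fileserver, patched))  # True
```

The check costs nothing for normal logins because a challenge a host receives as a client is never one it issued as a server, which is why the legitimate login in the last line still succeeds while the reflected one fails at the client before any credential leaves the machine.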

Microsoft noted that in all of these cases the risk comes from machines on the internal network. It is still a good idea to block outbound SMB traffic, but if an attacker is already within the perimeter (or the user is on an untrusted network such as a public Wi-Fi hot-spot), there are mitigations which fall into these categories:

  • Disable File and Print sharing (assuming it is not needed on user’s machines).

  • Block inbound SMB connections using the Windows Firewall.

  • Enable IPSec and require it on inbound SMB connections.

  • Enable SMB message signing. This can be enabled on select “high value” servers, or on all machines. (Note that there may be a substantial performance impact).

According to Microsoft, this security flaw is rated Moderate on Windows Vista and Windows Server 2008, and Important on Windows 2000, Windows XP, Windows Server 2003 and earlier versions of the Windows operating system.

One Response

  1. Richa says:

    Hi,

    I am Richa from SiliconIndia. I am also an avid blogger for a while now and participating actively in Indian blogosphere. I read your blog posting and found them very interesting and informative. We would love to see a copy of your blogs posted here, whenever you are posting it on blogger.com. Here are some of the benefits of posting your blogs here:

    We have a strong community of 1 Million professionals
    Best blogs of 2008 to be published in a book “SiliconIndia bLoG PrinT”
    Best blog to be printed in SiliconIndia & SmartTechie magazines each month
    Chance to be featured on homepage everyday
    There are 10,000 active bloggers who participate in active blogging

    We appreciate your community initiative here and in helping build a more powerful India! Also, if you have any ideas or want to volunteer to help for SiliconIndia, we would be more than excited to get your help. Pls mail me back at richa@siliconindia.com with your suggestions and feedback.

    Richa
    Blog Editor – SiliconIndia
    http://blogs.siliconindia.com/
