Microsoft Security Bulletin Release Customer Webcast January 2008

Hosts: Tim Rains, Microsoft Security Response Communications
       Adrian Stone, Microsoft MSRC


Chat Topic: Security Bulletin Release
Date: Wednesday, January 9, 2008

Please note: Portions of this transcript have been edited for clarity.

The following Q&A was captured from the webcast.  This information is provided "AS IS" with no warranties, and confers no rights.


Start of chat:

Q: What are the various attack vectors for MS08-001?
A: The attack vector for MS08-001 is an attacker sending a malformed Internet Group Management Protocol version 3 or Multicast Listener Discovery version 2 router query packet to a host machine. The attacked computer has to be on a network.

Q: For a host without an active multicast address, does an attacker have to send either an evil Internet Group Management Protocol version 3 packet or Multicast Listener Discovery version 2 packet or both?
A: An attacker does not have to send both.  An attacker would only have to send attack packets to either depending on what the client system uses.

Q: Are Windows Network Load Balancing clusters using unicast IP addresses assigned to multicast layer-2 addresses affected?
A: They are affected by malformed unicast Internet Group Management Protocol packets.  However, standard mitigations such as firewalls apply.

Q: Would Internet Group Management Protocol packets with a time to live greater than one be routed?
A: If it is a unicast packet, there may be some routers which implement special policies and filtering.

Q: If a crafted Internet Group Management Protocol packet is sent to a vulnerable machine, does the group address field of the packet header have any effect on whether or not the packet will successfully exploit the vulnerability?
A: Yes.  The vulnerable machine would have to be member of the multicast group.

Q: We do not allow multicast into our demilitarized zone perimeter or virtual private networks.  Given that the risk is internal, I would like to know how trivial an exploit might be in relation to how quickly weaponized code might be released.
A: It is very difficult to get remote code execution.  However, look for systems that are rebooting unexpectedly.  This indicates an attacker may be trying to exploit this vulnerability.

Q: In Microsoft Security Bulletin MS08-001, installing applications that use multicasting could cause the operating system to become vulnerable.  Is there a method to identify if a Windows server is actively running the exploitable code?
A: To see if a server is running Internet Group Management Protocol, check the registry key.  If the value for IGMPLevel is zero, the server is not vulnerable.  You may also use netsh int ip show joins in a command prompt to show the addresses that the server is subscribed to.  If the server is subscribed to any other IP in addition to 224.0.0.1, the server is vulnerable.  If the server is subscribed to 224.0.0.1 only, it is not vulnerable.

Q: You said MS08-001 was not routable.  Is this still true if the routers are set up to forward multicast traffic?
A: No.  If routers are set up to forward multicast traffic, you are vulnerable.  However, routers are not set up to perform this way by default.

Q: The Internet Security System bulletin related to this patch says remote code execution is possible with both vulnerabilities.  The Microsoft vulnerability says a denial of service is only possible with one.  Why the difference?
A: Our investigation revealed that only the Internet Group Management Protocol attack vector is vulnerable to a remote code execution and the Internet Control Message Protocol is only vulnerable to a system denial of service.  We will work with Internet Security Systems to determine if the Internet Control Message Protocol attack vector is also vulnerable to a remote code execution.  It is highly unlikely that the Internet Control Message Protocol vector is vulnerable to the remote code execution.

Q: Is MS08-001 Internet Control Message Protocol similar to the old ping of death?
A: It is not similar.  The ping of death sends very large Internet Control Message Protocol packets causing resource consumption.  This vulnerability receives fragmented Internet Control Message Protocol router discovery protocol packets.  The ping of death is not as tailored as the Internet Control Message Protocol denial of service.

Q: The Secure Windows Initiative blog had a graphic with two different Common Vulnerability and Exposure numbers.  What were the old Common Vulnerability and Exposure numbers for?
A: The old Common Vulnerability and Exposure numbers were from our internal pool of Common Vulnerability and Exposure numbers.  The old Common Vulnerability and Exposure numbers are not assigned to any security bug.  We are using IBM's Common Vulnerability and Exposure numbers for this update and they are 2007-0069 for Internet Group Management Protocol and 2007-0066 for Internet Control Message Protocol.

Q: We use the systeminfo command in some home-grown scripts to gather security fix installation statistics.  Since last fall the command output seems likely to overflow and gets corrupted towards the end of the list.  Will this be corrected?
A: We are not aware of this issue and would encourage you to contact Product Support Services to address it.

Q: Do you know if and when Microsoft will push Windows XP SP3 via automatic update?
A: The release of XP SP3 to automatic update will not happen until after several successful weeks of deployment to Windows Update or Microsoft Update.  We will communicate the release date to automatic updates prior to the go-live date to give users adequate time to react.

Q: When installing the MS08-001 patch, systems with Lenovo Think Vantage(TM) Access Connection 4 running versions prior to 4.42 on IBM TP Notebooks lose all network connectivity after rebooting the system.  Will you please update the bulletin to make users aware of this?
A: We are not aware of this regression.  Please contact Product Support Services for issues found with the update.  Product Support Services will work with customers who run into regression after installing the update and we will update the bulletin or provide a fix for affected customers.

Q: Why is MS08-001 rated critical for client operating systems and rated important for server operating systems?
A: Clients are vulnerable by default.  Server SKUs are not vulnerable by default and require additional applications or services installed in order to expose themselves to this vulnerability.

Q: Can the Port Reporter tool, KB837243, be used to detect possible attacks using MS08-001?
A: The tool logs TCP and UDP port activity.  TCP and UDP are protocols that exist on top of IP.  The attack vector exists with Internet Group Management Protocol which also exists on top of IP similar to TCP and UDP traffic.  The Port Reporter tool would not be effective in detecting traffic having to do with this vulnerability.

Q: Is there an in-the-wild exploit for MS08-001?
A: There is no in-the-wild exploit for MS08-001.  However, we still encourage you to install this patch.

Q: The Malicious Software Removal Tool shrank from 8.50MB in size in December to 7.18MB in size in January.  What accounts for over 1.3MB of content?
A: We have regular clean-up and improvements to our signatures which replace old, redundant signatures with more efficient generic signatures.  We removed about 100,000 signatures because of the more powerful generic signatures.  The Malware Detection Engine is not a factor because we are using the same engine.

Q: Is there a way to deploy KB924423 in Systems Management Server 2003?
A: Since this update isn't classified as a security update, update rollup or service pack, it will not be included in the wssusscn2.cab used by ITMU.  You may deploy this update using a standard software update, or create your own catalog and deploy it using the ITCU feature shipped with Systems Management Server 2003 release 2.

Q: Does the Windows Sidebar patch KB943411 also fix the Case of the Frozen Clock Gadget issue documented in Mark Russinovich's blog https://blogs.technet.com/markrussinovich/archive/2007/10/15/2178879.aspx ?
A: Update KB943411 does not correct the memory leak described in Mark's blog.  The root cause of this issue is not in Windows Sidebar and a solution is being investigated for a future release.

Q: Why was Internet Explorer patch KB946627 released instead of reissuing MS07-069?  On a system without MS07-069 installed, one reboot is required to install the security patch and another is necessary to install KB946627 to fix Internet Explorer.
A: The issue addressed with 946627 was limited to Internet Explorer 6 for XP SP2 users.  A re-release of the security update was not warranted.

Q: Will KB946627 be integrated into future Internet Explorer cumulative security updates?
A: The fix for the issue addressed in KB946627 will be addressed in a future Internet Explorer cumulative update at a code level, but the registry update that is applied by KB946627 will not be as it will not be needed.

Q: The lifecycle slide did not state that the Microsoft Java Virtual Machine end of life was December 31, 2007.
A: You are correct that Microsoft can no longer update the Microsoft Java Virtual Machine because of a legal agreement between Microsoft and Sun Microsystems.  See https://msdn.microsoft.com/vstudio/java/migrate/msjvm/default.aspx.

Q: What's the URL for the blog?
A: The URL is https://blogs.technet.com/swi/