Security Advisory

Microsoft Security Advisory 958963

Exploit Code Published Affecting the Server Service

Published: October 27, 2008

Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.

Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS08-067 on their computers.  Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.

We continue to work with our Microsoft Security Response Alliance (MSRA) and Microsoft Active Protections Program (MAPP) partners so that their products can provide additional protections for customers. We have updated our Windows Live Safety Scanner, Windows Live One Care, and Forefront security products with protections for customers. We have also been working with our partners in the Global Infrastructure Alliance for Internet Safety (GIAIS) program to take steps to help keep attacks from spreading.

Customers who believe they are affected can contact Customer Service and Support. Contact CSS in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers may request help by using any method found at this location: https: (click on the select your region hyperlink in the first paragraph).

Mitigating Factors:

  • Customers who have installed the MS08-067 security update are not affected by this vulnerability.
  • Windows 2000, Windows XP and Windows Server 2003 systems are primarily at risk from this vulnerability. Customers running these platforms should deploy MS08-067 as soon as possible.
  • While installation of the update is the recommended action, customers who have applied the workarounds as identified in MS08-067 will have minimized their exposure and potential exploitability against an attack.

General Information

Overview

Purpose of Advisory: Notification of the availability of a security update to help protect against this potential threat.

Advisory Status: As this issue is already addressed as part of the MS08-067 security bulletin, no additional update is required.

Recommendation: Install the MS08-067 security update to help protect against this vulnerability.

References Identification
CVE Reference CVE-2008-4250
Microsoft Knowledge Base Article 958963
Microsoft Security Bulletin MS08-067
CERT Reference VU#827267

This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of public posting of exploit code targeting the vulnerability identified in Microsoft Security Update MS08-067. This affects the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft addressed this security vulnerability in MS08-067. Customers who have installed the MS08-067 security update are not affected by this vulnerability. No additional update is required.

What causes the vulnerability?
The Server service does not properly handle specially crafted RPC requests.

What might an attacker use the vulnerability to do?
An attacker could exploit this vulnerability over RPC without authentication to run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What is the Server service?
The Server service provides RPC support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

What is RPC?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

Are there any known issues with installing the Microsoft Security Update that protects against this threat?
No. Microsoft continues to encourage customers to install the update immediately.

Suggested Actions

If you have installed the update released with Security Bulletin MS08-067, you are already protected from the attack identified in the publicly posted proof of concept code. If you have not installed the update, you are encouraged to apply the workarounds identified in MS08-067.

  • Protect Your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

  • Keep Windows Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

  • Apply workarounds listed in the Microsoft Bulletin

    Security Bulletin MS08-067 lists the applicable workarounds that can be used to protect systems from this vulnerability.

Other Information

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • October 27, 2008: Advisory published

Built at 2014-04-18T13:49:36Z-07:00 </https:>