MS08-067

Friday, October 24, 2008

0 Comments

Category: Hot News. Tags: , .

MS08067 For only the second time in two years, Microsoft has released a critical patch to the Windows operating system before the normally scheduled monthly patch release cycle. Today’s release is a “level 200″ issue, and could allow a “specially crafted RPC request” to execute computer code on a remote system. An hour-long “by registration only” webcast was held today at 1pm PDT outlining the release. MS08-067 affects all versions of Windows since Windows 2000.

Affected systems

These Windows operating systems are affected and listed as critical: Windows 2000 SP4, XP SP2, XP SP3, XP Professional x64, XP Professional x64 SP2, Server 2003 SP1, Server 2003 SP2, Server 2003 x64, Server 2003 SP1 Itanium and Server 2003 SP2 Itanium.

These Windows operating systems are affected, but only listed as important: Vista SP1, Vista x64, Vista x64 SP1, Server 2008 32-bit, Server 2008 x64 and Server 2008 Itanium.

Bug details

Microsoft’s knowledge base article 958644 contains full details of the vulnerability. The bug requires that the computer be connected to a LAN or the Internet and receive a specially crafted remote RPC (Remote Procedure Call) request that’s sent from the attacker. The vulnerability allows the attacker’s remote code to be executed on the local machine without authentication. The vulnerability exists because the RPC service does not properly handle this particular request.

Any attacker using this method of attack could gain complete control of the affected system. Microsoft’s security bulletin states, “It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.”

Need for more timely updates?

The patch released by Microsoft today fixes this critical hole in the middle of their normal monthly patch release cycle. While Microsoft has regular cycles wherein they release the cumulative fixes encountered during the month, several industry insiders would like to see Microsoft release zero-day “beta versions” of fixes. While these may not be the final, best solution Microsoft releases unto the world, they may be sufficient to help immediately stop the proliferation of aberrant code – and potentially up to three or more weeks prior to the day of the next monthly cycle.

Related Posts

  • No related posts

No Comments for this post

No comments yet.

Leave a comment

Name (required) Comment
Mail (required)
Website

Cartoon Network Ben 10 The GameThanksgiving Kitchen HeroBlood Pit 2Ben 10 Cartoon Network All forceCartoon Network Ben10 UltimateCartoon Network Ben 10 Four ArmsCartoon Network Ben 10 CubeCartoon Network Ben10 Jigsaw 2Jigsaw: Coconut ManHammertime (in 60 seconds)