Last Updated: 2008-10-24 13:07:22 UTC
by Mark Hofman (Version: 4)
Update #5 (updated):
As Sourcefire have their sigs available, i would recommend to use these as they have been released via the MAPP program with Microsoft and offer broader coverage.
Some further details are available at the SWI blog in relation to the impact of the netapi32.dll vulnerability.
Christopher at the MSRC blog posted a short while ago more information. There is much more discussion of the inner workings of the discovery and Microsoft's response to this critical vulnerability. Read it at blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
As reported earlier today, Microsoft released a critical update today for Windows Operating System. The update addresses a vulnerability with RPC calls which can be referenced from SMB connections. As most of you remember, worms such as Blaster and its kin were able to propagate through RPC/DCOM vulnerabilities and is in a very similar area of code. Microsoft has detected limited, targeted attacks exploiting this flaw in the wild. It is expected that with the release of the update, much more of the hacker community will become aware of how to exploit this and create a major worm outbreak or botnet activity.
On our initial reviewed of the information available from Microsoft, we believe that client computers need to be updated with all due haste. Windows 2000, XP, and Server 2003 are listed as critical. Windows Vista and Server 2008 is only listed as important due to the additional security features with these newer operating systems.
More information is available at www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
Original Post: 2008-10-23 12:16:16 UTC
Microsoft has just released an advance notification of an out-of-band update to be released on 23rd of October. They will hold a special webcast on the 23rd at 1:00 pm PT to discuss the release. The patch will be released at 10.00 am.
The information in the bulletin mentions a remote code exploit, but no further details are provided, however a restart will be required.
Microsoft rates the issue as critical for 2000/XP/2003 and important for vista/2008.
If we get more information we'll update this diary.
ps thanks to some very fast ISC supporters for letting us know.