
SANS ISC: MS11-020 (KB2508429) Upgrading from Critical to PATCH NOW SANS ISC InfoSec Forums



Based on notifications received from Microsoft we are upgrading the rating of MS11-020 (KB 2508429, CVE-2011-0661) from Critical to PATCH NOW.  See: http://isc.sans.edu/diary.html?storyid=10693 for the full table.

The Remote Code Exploit is possible without authentication, so this presents a serious risk to internal networks.  Think Downadup/Conficker, or think lateral movement if that will help motivate patching.

Also note that this patch requires a reboot of your system.

Sorry.

-KL

Kevin Liston

292 Posts
ISC Handler
How long would it take for a new Downadup/Conficker reloaded to appear?... Additionally, no problems detected on Win XP SP3 for this patch (including the others).
Anonymous
Downadup/Conficker reloaded? It is still loaded! I bet you find it all over the place still. So reloaded is not even necessary to disrupt things. Retooling, no doubt already planned by someone out there. I know it gives us all work, but hey, enough already!
Al of Your Data Center

80 Posts
Does anyone have any information on if this is being actively worked on?
How worried should we be of this?
Mike

2 Posts
The silence is deafening..

This freaked me out, and I've heard not a word from anyone else. I talked to our TAM at MS and had him check internally, he says no changes to the severity and no new info that he can find.

Until I see this corroborated somewhere else I can't take action on it. But this vulnerability should be in testing now as direct threat or no, it's bad.
Mike
4 Posts
Sorry, I meant "this patch", not "this vulnerability".
Mike
4 Posts
Don't fret Frank. It's just a Patch now alert. If I had exploit code, I would have raised the infocon to Yellow by now. All I have is a vulnerability that by MS's assessment could allow unauthenticated remote code execution. Put that one at the head of your test/deploy queue.
Kevin Liston

292 Posts
ISC Handler
The upgrade rating of MS11-020 is not on the Security Bulletin of Microsoft nor on the KB Article of the Security Update. So there is no reason to panic.
This patch can be tested and then applied... Zero should be only considered if mentioned by Microsoft
Kevin Liston
1 Posts
fwiw, applied all 3 'patch now's to about 100 win2k3 and a few 2k8 servers this weekend... all were quick and without issue. rest will be applied very soon
Anonymous
