Free Republic

Microsoft Fesses Up To 19 Vulnerabilities, MSBlast-Level Worm Likely
TechWeb | February 08, 2005 | Gregg Keizer

Posted on 02/08/2005 2:32:00 PM PST by Eagle9

Microsoft Tuesday released its largest group of security patches in nearly a year, posting 12 security bulletins that cover 19 vulnerabilities, 14 of which it marked "Critical," its highest patch-now warning.

Among them is a vulnerability that will likely lead to the biggest, baddest worm since mid-2003, said Mike Murray, the director of research at vulnerability management vendor nCircle.

"There's a clear 'winner' here," said Murray. "MS05-011 fixes a vulnerability in SMB [Server Message Block], which is running on every version of Microsoft's operating systems that a corporation might be using. And it's exploitable remotely, so it doesn't rely on an e-mail or getting someone to a Web site. All the attacker has to do is send a properly-formatted packet and he'll break in.

"It's been a while since we've seen a vulnerability this widespread. This could easily lead to the biggest exploit in over a year," said Murray. "I'd put this in the same class as the vulnerability that led to [2003's] MSBlast. It's serious."

SMB is the standard protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers, particularly between servers and client desktops. A specially-crafted SMB packet sent to a vulnerable PC could, said Microsoft, let an attacker "take complete control of the affected system."

The extent of February's regularly-scheduled release was expected, but it was still difficult to digest at first glance.

Nine of the bulletins affected various versions of Windows to one extent or another; one each dealt with the .NET Framework, SharePoint Services, Windows Media Player/MSN Messenger, and the perennial visitor to the patch process, Internet Explorer; two revolved around Microsoft Office. (Some of those affecting Windows also affected other components, such as Office or SharePoint, which is why the counts add up to more than 12.) More than half the bulletins tapped Windows XP Service Pack 2 (SP2) as vulnerable. SP2, Microsoft's massive security update that debuted in October, 2004, was then touted by the Redmond, Wash.-based developer as its biggest security-centric upgrade ever.

The eight bulletins and 14 vulnerabilities marked Critical could all be used by attackers to execute code remotely -- usually only after the user did something, such as visit a malicious Web site or click on a link within an e-mail -- or create a buffer overflow that could then be used to gain control of a machine.

Some of the fixes were more or less expected, said Murray, who noted that they corrected known, if not actually exploited, bugs. MS05-009 fit that bill, for it patched three vulnerabilities in Windows Media Player 9 and various versions of Microsoft's instant messenger against image-based exploits using PNG-formatted files. Another vulnerability in Media Player 10 and its implementation of digital rights management technologies, however, was not fixed in this month's round of patches.

MS05-012, on the other hand, affected an astonishing array -- 33 by our count -- of Microsoft's operating systems and applications, ranging from Windows XP SP2 to Office XP and Office 2003, and every supported version of Exchange Server since 5.0. This bulletin corrected a problem in processing COM structured storage files, and how they handled OLE (Object Linking and Embedding) input.

Internet Explorer hardly ever goes untouched in a monthly roll-out of patches, and February was no exception. MS05-014 fixed four IE flaws, including a drag-and-drop bug that hackers and phishers have already exploited to plant malicious code and spyware on users' PCs.

But Murray kept coming back to the SMB vulnerability as the big daddy of February.

"Every machine that has ports 139 and 445 open is at risk, and those ports are open on every standard Windows box," he said. "Every Windows box is vulnerable."

Although nCircle had only begun its analysis by mid-afternoon Tuesday ET and had not yet determined how easy or difficult it would be to write an exploit for this, Murray noted that SMB is one of the best documented protocols. "SMB is pretty well known by everybody," he said.

His advice? Patch fast.

"I think someone will break [this vulnerability] in the next couple of days, and we'll see a wormable exploit within a week."

Tuesday's patches can be obtained through the usual channels: the Windows Update and Office Update services, or direct download from the Microsoft Web site.


TOPICS: News/Current Events; Technical
KEYWORDS: exploit; getamac; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; patch; securityflaw; trojan; virus; virusbait; windows; worm
To: Richard Kimball
Guys who know, would the big bad problem they were talking about be blocked by a firewall?

Yes, assuming those ports are blocked from the outside world.

Some ISPs (including Comcast, I think) block traffic on the NetBIOS ports such as 139 already, before it even reaches you.

At a minimum, anyone with a broadband connection should have a private IP address. This would stop this type of thing from even getting to your computer.

If using Windows 95/98/ME, click on Start/Run and type "winipcfg" and see what IP address is assigned to your network card. If using Windows XP, click Start/All Programs/Accessories/Communications/Network Connections and right-click on Local Area Connection and choose Status, then go to the Support tab.

I forget how to check for NT/2000 via the GUI, but opening a command prompt and typing "ipconfig" will show it to you on NT/2000/XP.

If your IP address starts with anything other than 192.168, 10, or 172.16 through 172.31, then you have a public IP address and could be vulnerable, not just to this thing, but potentially other things. If you do have a private address, it is less likely you are vulnerable.

21 posted on 02/09/2005 11:58:53 AM PST by Mannaggia l'America
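The address check in the post above, worked through in code. This is an added example, not something the poster or the article supplied: it parses a constructed sample of Windows XP `ipconfig` output (the adapter names and addresses are made up; 203.0.113.47 is a documentation address standing in for a real public one) and classifies each address against the three RFC 1918 blocks with proper prefix matching. A plain "starts with 10 or 172.16 through 172.31" string test is easy to get wrong, so the example also shows that 100.x.x.x and 172.32.x.x are public even though they look private at a glance.

```python
import ipaddress
import re

# Constructed sample of Windows XP "ipconfig" output (not captured from a real
# host): one NAT-ed LAN adapter and one PPPoE adapter holding a public address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Broadband:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 203.0.113.47
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 203.0.113.47
"""

# The three RFC 1918 blocks the post lists: 10/8, 172.16/12 and 192.168/16.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "Ethernet adapter Local Area Connection:" style section headers.
_ADAPTER_RE = re.compile(r"^(\S.*adapter .+?):\s*$")
# "IP Address. . . : 1.2.3.4" (2000/XP) or "IPv4 Address. . . : 1.2.3.4(Preferred)" (Vista+).
_ADDR_RE = re.compile(r"^\s*IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ipconfig(text: str) -> list[tuple[str, str]]:
    """Return (adapter name, IPv4 address) pairs found in ipconfig output."""
    found = []
    adapter = "unknown adapter"
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            continue
        m = _ADDR_RE.match(line)
        if m:
            found.append((adapter, m.group(1)))
    return found


def classify(addr: str) -> str:
    """Label an IPv4 address the way the post does, but by network membership
    rather than a string prefix, so 100.x.x.x is not mistaken for 10/8 and
    172.32.x.x is not mistaken for 172.16/12."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (169.254/16: no DHCP lease, not routable)"
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    return "public"


def exposed_addresses(text: str) -> list[tuple[str, str]]:
    """Adapters holding a public address, i.e. directly reachable from the
    Internet unless something upstream filters TCP 139/445."""
    return [(adapter, addr) for adapter, addr in parse_ipconfig(text)
            if classify(addr) == "public"]


if __name__ == "__main__":
    for adapter, addr in parse_ipconfig(SAMPLE_IPCONFIG):
        print(f"{adapter}: {addr} -> {classify(addr)}")
```

On a real machine, pipe the output of `ipconfig` into `parse_ipconfig` instead of the sample; any adapter listed by `exposed_addresses` is the one that needs a firewall in front of it before the MS05-011 patch is applied.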

To: Mannaggia l'America; Disambiguator

Thanks, guys. It's tough, sometimes, to figure out how severe some of these hacks are. The virus and tech writers make them sound horrible, the Mac/Win/Linux your system sucks crowd gets into it, and you don't really know what to think.


22 posted on 02/09/2005 1:04:54 PM PST by Richard Kimball (It was a joke. You know, humor. Like the funny kind. Only different.)

To: Mannaggia l'America
If your IP address starts with anything other than 192.168, 10, or 172.16 through 172.31, then you have a public IP address and could be vulnerable, not just to this thing, but potentially other things. If you do have a private address, it is less likely you are vulnerable.

Let me add to my previous post, quoted above.

If you do have a public IP address, you should quickly figure out how to not have one (i.e. get a firewall), unless you have a good reason for having a public address.

23 posted on 02/09/2005 1:35:00 PM PST by Mannaggia l'America

To: ShadowAce
It is possible to use IE and Linux at the same time on the same computer.

Exactly... and that's what I do. I have all of the browsers I need to test on installed, so I can use whichever I need. But I use Mozilla Firefox whenever possible.

24 posted on 02/09/2005 1:50:15 PM PST by Apple Pan Dowdy (... as American as Apple Pie)

To: js1138
It would be interesting to know the results of the probe.
25 posted on 02/09/2005 3:16:17 PM PST by clyde asbury ("Think" is a verb.)

To: clyde asbury

If you go to www.symantec.com they have a free security check. All the relevant ports are stealth, which means they don't respond at all.


26 posted on 02/09/2005 5:43:56 PM PST by js1138
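Murray's point in the article (every machine with ports 139 and 445 open is at risk) and the "stealth" result described in the post above are two readings of the same probe, so here is one added example covering both. It is not code from the article, nCircle, Symantec or any poster: it classifies a TCP port as open (handshake completed), closed (the host answered with a reset) or filtered (no answer before the timeout, which is what the post calls stealth), applies that to 139 and 445, and demonstrates the open-versus-closed cases against a throwaway listener on 127.0.0.1 so it runs without touching any real host. The timeout value and the summary wording are this example's own choices.

```python
import socket

SMB_PORTS = (139, 445)  # NetBIOS session service and direct-hosted SMB


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port as an outside scanner would see it.

    open        - handshake completed: a service is listening and reachable
    closed      - host answered with RST: reachable, but nothing listening
    filtered    - no answer before the timeout: a firewall dropped the SYN
                  (the "stealth" result in the post's wording)
    unreachable - the local stack could not route to the host at all
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "unreachable"


def smb_exposure(host: str, timeout: float = 1.0) -> dict[int, str]:
    """Probe the two ports that MS05-011-class traffic arrives on."""
    return {port: probe_tcp(host, port, timeout) for port in SMB_PORTS}


def risk_summary(states: dict[int, str]) -> str:
    """Reduce per-port states to the question the thread is asking."""
    values = set(states.values())
    if "open" in values:
        return "exposed: SMB reachable from here; patch MS05-011 and block 139/445 at the perimeter"
    if values == {"filtered"}:
        return "stealth: every probe was dropped; SMB is not reachable from this vantage point"
    return "closed or unreachable: nothing answers on the SMB ports from this vantage point"


def demo() -> dict[str, str]:
    """Constructed scenario: probe a local listener while it is up, then again
    after it has been closed, to show the 'open' and 'closed' verdicts."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()                  # nothing listens there now -> RST -> "closed"
    after_close = probe_tcp("127.0.0.1", port)
    return {"listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    print(demo())
    # Real use: run from a machine OUTSIDE your network against your public
    # address; 203.0.113.47 below is a documentation address, not a real target.
    # print(risk_summary(smb_exposure("203.0.113.47")))
```

The verdict only means something from the vantage point the probe runs at: probing 127.0.0.1 or a LAN neighbour tells you whether SMB is listening, while the question the thread asks (can the Internet reach it?) needs the probe run from outside the firewall, which is what the Symantec check does.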


