Posted by: kurtsh | August 9, 2006

NEWS: The Importance of the Critical Updates from August 8th

UPDATE – 8/9/2006: 
A friend of mine (Blake Handler) let me know that the Department of Homeland Security has posted a warning/announcement about MS06-040 basically stating "patch your systems ASAP".
DHS Recommends Security Patch to Protect Against a Vulnerability Found In Windows Operating Systems
http://www.dhs.gov/dhspublic/display?content=5789
————————–
ORIGINAL TEXT – 8/9/2006:
This is the first time I’ve ever written an entry in my blog about a set of monthly critical updates.
 
If you didn’t already know, this release is labelled a "Level 3 – Critical Update" within Microsoft.  This is the equivalent of "DEFCON 1" (Defense Condition 1) in the Microsoft security world and it means "all hands on deck" for those of us working with the customers in Enterprise Sales.  Premier Support TAMs (TAMs = Technical Account Managers: the guys that do the same thing I do for customers that have Enterprise Sales Agreements with Microsoft, except on the "Premier" side of the house for customers with Enterprise Support Contracts) are required to call their customers and send emails directly to those responsible for security & patching in 24 hours.
 
I’m not going to go over all of these vulnerabilities but just to show how nasty this month’s vulnerabilities are, here’s one English language description:
MS06-040 is a patch to the Server Service – something every Windows NT/2000/XP/2003 desktop and server has, that seals a very serious vulnerability – a buffer overflow – that allows the intruder to gain full administrative rights to the machine.  The buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code by simply transmitting a crafted RPC message.  Besides patching the machine, the vulnerability can be thwarted by Windows Firewall, blocking ports 139 & 445.
As you can see, just this first vulnerability is a REALLY serious problem, and it takes just a single RPC message transmission from a hacker’s computer to attack a remote system.
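To confirm that the firewall mitigation mentioned above (blocking ports 139 and 445) is actually in effect on a machine, you can review its Windows Firewall log. The following is an added example, not part of the original post: the function name `audit_smb`, the local address and the sample log lines are all constructed for illustration.

```python
from collections import Counter

SMB_PORTS = {"139", "445"}  # the two ports the description says to block

# Constructed sample in pfirewall.log layout; all addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-08-09 10:01:12 DROP TCP 203.0.113.7 192.0.2.10 3312 445 48 S 1234567 0 65535 - - - RECEIVE
2006-08-09 10:01:15 ALLOW TCP 198.51.100.23 192.0.2.10 4120 445 48 S 2345678 0 65535 - - - RECEIVE
2006-08-09 10:02:40 DROP TCP 203.0.113.7 192.0.2.10 3313 139 48 S 3456789 0 65535 - - - RECEIVE
2006-08-09 10:03:02 ALLOW TCP 192.0.2.10 198.51.100.80 1045 80 48 S 4567890 0 65535 - - - SEND
2006-08-09 10:04:18 ALLOW TCP 192.0.2.10 192.0.2.20 1046 445 48 S 5678901 0 65535 - - - SEND
"""

def audit_smb(log_text, local_ip):
    """Return (allowed, dropped): per-remote-IP counts of inbound TCP 139/445 traffic."""
    fields, allowed, dropped = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # take column names from the log's own header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("protocol") != "TCP" or row.get("dst-port") not in SMB_PORTS:
            continue
        # Older logs have no "path" column: fall back to comparing the destination IP.
        path = row.get("path")
        if path not in ("RECEIVE", "SEND"):
            path = "RECEIVE" if row.get("dst-ip") == local_ip else "SEND"
        if path != "RECEIVE":
            continue  # outbound file-sharing traffic is not what the mitigation covers
        if row.get("action") == "ALLOW":
            allowed[row["src-ip"]] += 1
        elif row.get("action") == "DROP":
            dropped[row["src-ip"]] += 1
    return allowed, dropped

if __name__ == "__main__":
    allowed, dropped = audit_smb(SAMPLE_LOG, "192.0.2.10")
    for ip, n in allowed.items():
        print(f"NOT BLOCKED: {ip} reached 139/445 {n} time(s)")
    for ip, n in dropped.items():
        print(f"blocked: {ip} dropped {n} time(s)")
```

Any address reported as not blocked means the ports are still reachable on that machine. Windows Firewall only records allowed connections when logging of successful connections is turned on, so enable it before relying on an empty result.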
 
So why should you hurry?   Well, this is where it gets really messed up.  You see, the creators of many of the intrusions, viruses, and hacks that you see in the wild these days are from 1 of 2 groups: 
  • Hacker groups that have formed exclusively around Windows vulnerabilities to create zombies that allow them to use your machine for spamming, remote hacking, or other activities. 
  • Actual crime syndicates with a LOT of cash behind them that use these attacks to extract charge card numbers, bank account information, personal data,
Either way, what these folks do is they reverse engineer our patches after we release them to figure out what the vulnerability is so they can take advantage of it.  They may not have known about the vulnerabilities’ existence before we released the patch; however, it’s a darned bet that they will within a few days after they’ve disassembled the patch and done some forensics around the assembly code itself.  Seriously – these guys are downright diabolical. 
 
Bottom line:  This series of updates is really frickin’ important.  Patch every desktop and every server as soon as you can.
 
 
 
Information about each respective patch:
