Microsoft ‘Out-of-Band’ Security Update (MS08-067) To Be Exploited By Spammers
October 27th, 2008
The vulnerability addressed by the recently released Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644) is predicted to be exploited by spammers shortly. Microsoft went to the extreme measure of releasing this patch ‘out-of-band’ because, in their words, ‘the vulnerability is potentially wormable’, which brings to mind the ‘Blaster’ worm of August 2003 or the Sasser worm of 2004.
The flaw in the basic File and Print service (netapi32.dll) allows anonymous remote connections to compromise and take over any client PC or server running the vulnerable versions of Windows. While Microsoft states that using best practices to firewall this service (TCP ports 139 and 445) keeps you safe from a direct attack, it still leaves you open to a blended or leapfrog attack, and this is what the malware writers working for the spammers are going to do.
What the malware writer will attempt is to use a browser vulnerability, via a drive-by download, to take over one PC behind your firewall and then use that compromised PC to leverage the netapi32.dll vulnerability to infect all the rest of the PCs behind your firewall. This is a classic case of the ‘hard on the outside, soft and chewy on the inside’ security that has been the standard for many years.
How will the spammers get someone to click on a link for the initial drive-by download? By spamming them, of course. The Storm worm and its brethren have taught us that when something like this vulnerability comes along, it is a very short time between when notice is sent and when they take advantage of it. This highlights the importance of having multiple layers of defense, both at your perimeter and inside at the desktop level.
What can you deploy at the perimeter?
A Unified Threat Management (UTM) firewall or two-way Web Filter are good places to start.
What can you deploy inside? No PC these days should be without an anti-malware suite – the big brother to the good old anti-virus software, with additional firewall, rootkit, and web filtering protection. Expect more signatures to be released to protect against this vulnerability shortly.
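Inside the network, the leapfrog scenario described above shows up as one workstation opening connections to many internal peers on TCP 139/445. The following Python script is an added example, not part of the original post, that scans flow records for that fan-out. The log format, the 10.0.0.0/24 internal range, the threshold and the five-minute window are assumptions, and the sample records are constructed.

```python
"""Flag internal hosts that fan out to many internal peers on TCP 139/445."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}                    # the ports named in the post
INTERNAL_NET = ip_network("10.0.0.0/24")  # assumption: your internal range
# Constructed sample flow records: "ISO-time src dst dport proto"
SAMPLE_FLOWS = """\
2008-10-27T09:00:01 10.0.0.23 10.0.0.5 445 tcp
2008-10-27T09:00:02 10.0.0.23 10.0.0.6 445 tcp
2008-10-27T09:00:02 10.0.0.23 10.0.0.7 139 tcp
2008-10-27T09:00:03 10.0.0.23 10.0.0.8 445 tcp
2008-10-27T09:00:04 10.0.0.23 10.0.0.9 445 tcp
2008-10-27T09:00:05 10.0.0.40 10.0.0.2 445 tcp
2008-10-27T09:00:08 10.0.0.23 192.0.2.10 445 tcp
2008-10-27T09:30:00 10.0.0.40 10.0.0.3 445 tcp
bad line
"""

def parse_flows(text):
    """Yield (time, src, dst, dport, proto) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, dport, proto = parts  # wrong field count -> ValueError
            yield datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport), proto.lower()
        except ValueError:
            continue

def smb_fanout(flows, threshold=5, window=timedelta(minutes=5)):
    """Map each noisy source to its peak count of distinct internal SMB peers per window."""
    seen = defaultdict(list)  # src -> [(time, dst)] for internal-to-internal SMB only
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in SMB_PORTS and src in INTERNAL_NET and dst in INTERNAL_NET:
            seen[src].append((ts, dst))
    alerts = {}
    for src, events in seen.items():
        events.sort(key=lambda e: e[0])
        start = best = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            alerts[str(src)] = best
    return alerts

if __name__ == "__main__":
    print(smb_fanout(parse_flows(SAMPLE_FLOWS)))
```

File servers and domain controllers legitimately receive SMB connections from many clients, but a desktop that initiates them to many peers in a short window is worth investigating.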
At CudaMail we will be on the lookout for the new surge of spam that is the initial infection vector and will be combating it as quickly as possible, but having these additional layers of protection will help when one link slips by into your network via a different attack vector.
You will of course want to update your computers with the patch from Microsoft after careful testing, but this is not the last vulnerability in Windows and certainly not the last attack by the malware writers, so having extra layers of protection is just a ‘Good Thing’™.
Those are my thoughts but maybe I’m just too paranoid …
- http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
- http://support.microsoft.com/kb/958644
- The Spam Cryer