Microsoft out-of-band Security Bulletin (MS08-067) Webcast Q&A – MSRC

Security Bulletin Webcast Q&A
Hosts: Christopher Budd, Security Response Communications Lead; Adrian Stone, Lead Security Program Manager (MSRC)
Website: TechNet/security
Chat Topic: Microsoft out-of-band Security Bulletin (MS08-067)
TechNet Webcast Date: Thursday, October 2. Friday, October 2.
Note: The questions below were submitted by webcast attendees and are not necessarily in the order they were addressed during the webcast.

Q: Does it bypass the network security (i.
A: Hibernation will not substitute for a reboot.

Q: What are the issues with installing this patch on Windows 2.
A: There are no known issues reported with this update.

Q: On Windows Vista, if User Access Control (UAC) has been disabled, should this be considered critical instead of important?
A: If the UAC prompting is disabled, the integrity levels foundational work still works to require authentication. Please refer to the security bulletin for all affected products: http://www.

Q: Will systems lacking the latest current service pack be applicable to receive the security update?
A: All supported operating systems and service packs can and should install the update.

Q: Slide 9 says it is uninstallable.
A: The update is uninstallable through Add and Remove Programs in Control Panel.

Q: What has been the vector of the previous attacks?
A: We believe the primary attack vector for any attacks will be a connection from an attacker to a vulnerable system over TCP ports 1. RPC requests.

Q: What happens when a system becomes infected if the update has not been applied and it is applied afterwards?
A: The system would first have to be cleaned of the infection, and then the security update would need to be applied in order to keep the system from being compromised again.

Q: As stated, the Server service isn't accessible through firewalls with the default configuration, but would it be possible to get infected another way, such as by websites (ASP or Java) that call on the Server service?
A: The vulnerability is caused by the Windows Server service not properly handling specially crafted RPC requests. Unfortunately the Browser service runs in the same svchost, so attackers could reach the vulnerable code through the Browser service.
NOTE: We previously said that disabling the Server service was a mitigation. You need to disable the Server service and the Browser service.

ASLR, DEP, UAC and other technologies played a role in reducing the impact of this vulnerability in Windows Vista and Windows Server 2.
More information about this can be found on Michael Howard's blog at http://blogs.

Q: Windows Vista & 2.
A: We are continuing to investigate.

Q: What methods (network/email/web) can this vulnerability be exploited by?
A: There are non-update workarounds published at the SVRD blog, http://blogs.

Q: Is there a reason why I would not want to turn the Server service off for workstations?
A: If the Server service is disabled, you will not be able to share files or printers from your computer.

Q: Would an attacker exploit external to internal? Is there a behavior we can identify and wrap rules around to prevent the exploit?
A: The exploits we have seen so far attempt to download a Trojan and run it.

Q: Is it actually ready for download? Or when?
A: Yes, a new CAB was released at 1. AM PST.

Q: The WSUS server shows the update as installed 9%.

Q: Is anything logged in Event Viewer, for example?
A: However, this will only be the case for failed attacks. Successful attacks will not register.

Q: Should we do this for the servers that are within our infrastructure behind Checkpoint firewalls? We are deploying this right away to our DMZ servers.
A: Yes. The update should be applied to all your systems. Internal systems will not be attacked from the Internet, but they will still be vulnerable to internal attacks.

Q: So far WSUS has only picked up the critical updates for XP and W2K3.

You are vulnerable if you have file and printer sharing enabled or if your firewall is turned off. Detailed information about this can be found at the SVRD blog, http://blogs.

Q: Have the malware samples been shared with other AV vendors for emergency or extra DAT/signatures?
A: Yes – we have been working with all of our partners, including AV vendors.

Q: Are the attacks in the wild self-replicating?
A: No.

Q: Are there known exploits that result in elevated privileges?

The update has been released in all language versions.

Q: MS06-070 (as well as XP SP3) also appears to supersede MS0.
Does that mean that XP SP1/RTM and Server. RTM is NOT affected?
A: No, it does not. Those platforms are not supported, and our bulletins only discuss supported platforms.

Q: Is this vulnerability related to a prior security update?

However, you will still be able to view and use file shares and printer resources on other systems.

Q: Any details on current targeting of malware?
A: For the most current information about the malware, you can reference the Microsoft Malware Protection Center blog at http://blogs.

Q: It says in the description that a . I think that is horrifying. Could you give any kind of indication how likely this is actually going to occur?
A: We know this vulnerability is able to be put into a self-propagating exploit.

It is possible that the IDS vendor built protections for that vulnerability that may also apply to this vulnerability.

Q: Does Cisco Security Agent (CSA) mitigate the vulnerability?
A: It is a stack-based buffer overflow.

Q: What level of regression testing has been performed?
A: A reboot is needed to protect your system and ensure the update has been properly installed.

Q: This is a major .
A: There are no known issues reported with this update.

Q: MS06-040 introduced a problem where applications that used large amounts of contiguous memory failed.

Q: For Forefront for Exchange and SharePoint Server, should they get the latest signatures for those too?
A: All Forefront products should be able to update to the most recent signatures.

Q: I don't understand. RPC uses 135 and negotiates a port from 1.

Q: What do you recommend testing?
A: The affected binary updated is netapi.

Q: What should I do to satisfy the powers that be that I've thoroughly tested this update?
A: The patch involves network file and printer sharing.

These will be available for Forefront for Exchange as well.

Q: Is Small Business Server 2.
A: Yes.

Q: What are the names of these Trojans?

Q: Are previous service pack levels more vulnerable?
A: Windows XP SP1 is currently out of support. Windows XP SP2, Windows XP SP3, and all service packs of Windows Server 2.

Q: Does it make a difference if the user is running as admin or just a local user?

You can download the update directly. The download links are available in the bulletin.

Q: Windows XP Service Pack 1 is not listed in the affected software; does it need the update?
A: Windows XP SP1 is not a supported platform. All supported operating systems and service packs can and should install the update. Windows XP SP3 clients are also vulnerable if they have file and printer sharing enabled or if they have Windows Firewall turned off.

Q: Are there any performance impacts of this change, specifically on Exchange servers?
A: We have identified no issues with this update, performance or otherwise.

Q: How can I tell if any of my workstations have been compromised? Do you know yet?
A: We are only aware of limited targeted attacks against Windows XP and Windows 2.

Q: Has an HTTP or other web distribution method of this exploit been identified or seen in the wild?
A: At this time, we have not seen a web distribution method used or identified.

Q: Any known issues thus far with 3rd-party applications?
A: There are no known issues with this update at this time.

Q: Will this affect Virtual Machine (VM) servers?
A: Yes. All currently supported versions of Windows are impacted. Please refer to the security bulletin for all affected products.

Q: Can you elaborate on how we can use Data Execution Prevention (DEP) on our Windows XP machines to protect our computers?
A: Take a look at http://technet.

Q: Due to the nature of deploying in a large environment, will you have alerts when a damaging version of the proof of concept that is currently in the wild is seen? Scheduling reboots can take several days to avoid business outages. Outages are acceptable when a worm is active.
A: We will continue to update our customers as additional information becomes available through blogs, advisories, etc.

Q: I found a blog article that said Microsoft Forefront Client Security malware version 1.

This update continues to be important for Vista and Windows Server 2. Windows 2000, 2. XP.

Q: If the firewall is on, yet you allow RDP (Remote Desktop), does that prevent the attack?
A: Allowing RDP does not prevent the attack.

An attacker could exploit external to internal if a perimeter firewall does not block the exploit. The Security Vulnerability Research & Defense (SVRD) blog at http://blogs. More-detail-about-MS0.

Q: It's unclear from the "history" explanation.

However, if the system does become infected while the VPN client is disabled, it will gain access to port 1. VPN client is enabled. This could potentially (depending on the exact configuration and deployment) allow an attack to take place on the internal network. We recommend installing security updates on internal systems as well.

Q: If one is using domain isolation (IPsec/GPO/certificates), are we protected from non-domain machines and domain-joined machines? Can there be an exploit that looks legit in this scenario and still works within domain isolation?
A: IPsec can help protect between trusted partners; however, it does not protect against insider threat attacks. Although IPsec can offer some protection, the vulnerability is still reachable in scenarios such as dual-homed systems or insider threat scenarios.

Q: Can one download the individual patch without having to go through Windows Update?
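As an added example that is not part of the webcast or any Microsoft code, the following PowerShell script audits the workaround state the hosts describe above (Server service and Computer Browser service both disabled, Windows Firewall on) and can apply it with -Remediate. It assumes the service short names LanmanServer and Browser, and English-language output from netsh advfirewall (Vista/2008 and later).

```powershell
# Added example (not from the MSRC webcast or any Microsoft code): audit, and
# optionally apply, the workaround the hosts describe: Server service and
# Computer Browser service disabled, Windows Firewall on.
# Assumptions: service short names LanmanServer and Browser; English-language
# "netsh advfirewall" output (Vista/2008 and later).

function Get-ServiceExposure {
    param([string]$Name, [string]$Purpose)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Purpose = $Purpose
                                  State = 'NotInstalled'; StartMode = 'n/a'; Exposed = $false }
    }
    # The vulnerable code is reachable while the service runs or can still be started.
    $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
    [pscustomobject]@{ Service = $Name; Purpose = $Purpose
                       State = $svc.State; StartMode = $svc.StartMode; Exposed = $exposed }
}

function Test-WindowsFirewallOn {
    # Every profile's "State" line must read ON.
    $lines = netsh advfirewall show allprofiles | Where-Object { $_ -match '^\s*State\s+' }
    if (-not $lines) { return $false }
    return -not ($lines | Where-Object { $_ -notmatch '\bON\b' })
}

function Invoke-Ms08067WorkaroundAudit {
    param([switch]$Remediate)
    $services = @(
        Get-ServiceExposure -Name 'LanmanServer' -Purpose 'Server service (file and printer sharing)'
        Get-ServiceExposure -Name 'Browser' -Purpose 'Computer Browser (same svchost as Server)'
    )
    $services | Format-Table Service, State, StartMode, Exposed -AutoSize | Out-Host
    $firewallOn = Test-WindowsFirewallOn
    Write-Host ("Windows Firewall on for all profiles: {0}" -f $firewallOn)

    if ($Remediate) {
        foreach ($s in ($services | Where-Object { $_.Exposed })) {
            # Disabling Server stops file and printer sharing from this host, as the Q&A notes.
            Set-Service -Name $s.Service -StartupType Disabled
            Stop-Service -Name $s.Service -Force -ErrorAction SilentlyContinue
        }
    }
    # $true only when neither service is reachable and the firewall is on.
    return (-not ($services | Where-Object { $_.Exposed })) -and $firewallOn
}

Invoke-Ms08067WorkaroundAudit
```

Run it from an elevated prompt; without -Remediate it only reports, so it is safe to schedule as a fleet-wide check while the update itself is being rolled out.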