February 24, 2009
Download MS08-065, MS08-067 and MS09-001 Detection Utility
Introduction
Microsoft issued updates (MS08-065, MS08-067 and MS09-001) to fix vulnerabilities in the Server service and the Message Queuing service. Successful exploitation of these vulnerabilities allows an attacker to compromise the target system. The MS08-067 vulnerability is being actively exploited right now; the best-known worm exploiting it is Conficker/Downadup, in its various implementations.
All of these vulnerabilities are dangerous for companies and individual users on networks where no vulnerability and compliance management mechanisms (such as XSpider or MaxPatrol) are in place.
Positive Technologies has released a special network utility that detects whether the updates from the MS08-065, MS08-067 and MS09-001 security bulletins are installed. The utility operates in PenTest mode: it checks hosts over the network, so it needs no special rights on the target nodes to find those that lack the updates.
With the utility, system administrators can quickly and easily detect vulnerable nodes and install the appropriate updates. The utility requires the .NET Framework to run.
You can download the utility here:
http://www.ptsecurity.ru/download/pt-check-09-001.zip
Attention! The utility operates in PenTest mode. Therefore, it cannot detect nodes already infected with the Conficker.B worm, because the worm itself closes the MS08-067 vulnerability on the hosts it infects. Use the audit mechanisms of MaxPatrol or XSpider to check such systems.
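The caveat above is the reason a network-only check should be cross-checked against each host's own installed-update inventory: a host that answers as "not vulnerable" over the network but has no MS08-067 update installed is exactly the case the article warns about. The following script is an added example, not the Positive Technologies utility. It assumes a bulletin-to-KB mapping taken from the Microsoft bulletins (verify it against the bulletin pages before relying on it), a constructed set of network check results in a format of its own, and `wmic qfe get HotFixID` output captured from each host. The same reconciliation also verifies that the MS09-001 update listed under "How to fix" below is actually installed.

```python
"""Reconcile network-side patch checks with per-host hotfix inventories.

Added example (not the Positive Technologies utility). A network-only check
reports a Conficker-patched host as "not vulnerable" to MS08-067, so the
verdict here cross-checks the network result against the installed-hotfix
list captured on the host itself.
"""
from typing import Dict, Optional, Set

# Assumed bulletin -> knowledge base article mapping, taken from the
# Microsoft bulletins; verify against the bulletin pages before relying on it.
BULLETIN_KB: Dict[str, str] = {
    "MS08-065": "KB951071",
    "MS08-067": "KB958644",
    "MS09-001": "KB958687",
}

# Verdicts returned by triage_host().
INSTALL_UPDATE = "INSTALL_UPDATE"          # network check says the host is unpatched
PATCHED = "PATCHED"                        # network check and inventory agree
SUSPECT_HOST_AUDIT = "SUSPECT_HOST_AUDIT"  # network says fixed, but the KB is absent
INVENTORY_ONLY = "PATCHED_PER_INVENTORY"   # no network result; KB is present
CHECK_MANUALLY = "CHECK_MANUALLY"          # no network result and KB absent


def parse_wmic_qfe(text: str) -> Set[str]:
    """Extract KB identifiers from `wmic qfe get HotFixID` output.

    The command prints a header line ("HotFixID") followed by one id per
    line; anything that is not "KB" followed by digits (header, blanks)
    is ignored.
    """
    kbs: Set[str] = set()
    for line in text.splitlines():
        token = line.strip().upper()
        if token.startswith("KB") and token[2:].isdigit():
            kbs.add(token)
    return kbs


def triage_host(network: Dict[str, str], installed: Set[str]) -> Dict[str, str]:
    """Return a verdict per bulletin for one host.

    network:   bulletin -> "vulnerable" | "patched" as reported by the
               network check (constructed format); bulletins missing from
               the dict were not tested over the network.
    installed: KB ids parsed from the host's own hotfix inventory.
    """
    verdicts: Dict[str, str] = {}
    for bulletin, kb in BULLETIN_KB.items():
        net: Optional[str] = network.get(bulletin)
        has_kb = kb in installed
        if net == "vulnerable":
            verdicts[bulletin] = INSTALL_UPDATE
        elif net == "patched":
            # Answers as patched, yet the vendor update is not installed:
            # something other than the update closed the hole. Audit the
            # host itself instead of trusting the network result.
            verdicts[bulletin] = PATCHED if has_kb else SUSPECT_HOST_AUDIT
        else:
            verdicts[bulletin] = INVENTORY_ONLY if has_kb else CHECK_MANUALLY
    return verdicts


def triage_fleet(network_results: Dict[str, Dict[str, str]],
                 qfe_output: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Apply triage_host() to every host. A host with no captured inventory
    is treated as having no KBs installed so that it surfaces in the report
    rather than silently disappearing."""
    return {
        host: triage_host(net, parse_wmic_qfe(qfe_output.get(host, "")))
        for host, net in network_results.items()
    }


# Constructed sample data (not real scan output).
SAMPLE_NETWORK = {
    "srv01": {"MS08-067": "vulnerable", "MS09-001": "vulnerable"},
    "srv02": {"MS08-067": "patched", "MS09-001": "patched"},
    "srv03": {"MS08-067": "patched", "MS09-001": "vulnerable"},
}
SAMPLE_QFE = {
    "srv01": "HotFixID\nKB951071\n",
    "srv02": "HotFixID\nKB951071\nKB958644\nKB958687\n",
    # Looks fixed over the network, yet the MS08-067 update is not installed.
    "srv03": "HotFixID\nKB951071\n",
}

if __name__ == "__main__":
    for host, verdicts in triage_fleet(SAMPLE_NETWORK, SAMPLE_QFE).items():
        print(host, verdicts)
```

In the sample data, srv03 is the interesting host: the network check reports MS08-067 as fixed while the hotfix inventory lacks the corresponding update, so the script sends it to a host-side audit rather than marking it patched. MS08-065 is never tested over the network in the sample, so its verdict comes from the inventory alone.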
Vulnerability details
Details about the MS08-065 and MS08-067 vulnerabilities are available in the previous article.
MS09-001: vulnerabilities in SMB packet processing in Microsoft Windows
The MS09-001 security bulletin fixes three vulnerabilities in Microsoft Windows which allow an attacker to cause a denial of service or execute arbitrary code.
| WRITE_ANDX Packets Processing Buffer Overflow Vulnerability | |
|---|---|
| Vulnerable systems: | Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008 |
| Vulnerable component: | Server service |
| Maximum impact: | Denial of service |
| Exploit in public access: | Yes |
| CVE identifier: | CVE-2008-4114 |
| Exploitation vector: | Remote |
| SecurityLab risk level: | Low |
| Additional conditions: | Attackers need access to a null session ("\LSARPC") |
Short description:
The vulnerability exists because of an input validation error while processing WRITE_ANDX packets in the srv.sys driver. A remote user can cause a denial of service via a specially crafted SMB packet. For successful exploitation, an anonymous user must have network access to an interface that allows null sessions ("\LSARPC"). The vulnerability has been publicly known since September 17, 2008.
How to fix:
| SMB NT Trans Requests Processing Buffer Overflow Vulnerability | |
|---|---|
| Vulnerable systems: | Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003 |
| Vulnerable component: | Server service |
| Maximum impact: | Arbitrary code execution |
| Exploit in public access: | No |
| CVE identifier: | CVE-2008-4834 |
| Exploitation vector: | Remote |
| SecurityLab risk level: | Medium |
Short description:
The vulnerability exists because of a boundary validation error while processing SMB packets. A remote unauthenticated user could cause a denial of service (system crash) and possibly execute arbitrary code via specially crafted values in an NT Trans request.
How to fix:
| SMB NT Trans2 Requests Processing Buffer Overflow Vulnerability | |
|---|---|
| Vulnerable systems: | Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008 |
| Vulnerable component: | Server service |
| Maximum impact: | Arbitrary code execution |
| Exploit in public access: | No |
| CVE identifier: | CVE-2008-4835 |
| Exploitation vector: | Remote |
| SecurityLab risk level: | Medium |
Short description:
The vulnerability exists because of another boundary validation error while processing SMB packets. A remote unauthenticated user could cause a denial of service (system crash) and possibly execute arbitrary code via specially crafted values in an NT Trans2 request.
How to fix:
Attention! Blocking access to ports 139/TCP and 445/TCP can affect the following components:
To fix the vulnerabilities, install the following updates:
Windows 2000 SP4:
http://www.microsoft.com/downloads/de...=E0678D14-C1B5-457A-8222-8E7682760ED4
Windows XP SP2/SP3:
http://www.microsoft.com/downloads/de...=EEAFCDC5-DF39-4B29-B6F1-7D32B64761E1
Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/de...=26898401-F669-4542-AD93-199ED1FE9A2A
Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/de...=588CA8E8-38A9-47ED-9C41-09AAF1022E49
Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/de...=EE59441C-1E8F-4425-AE8D-DEC14E7F13FB
Windows Server 2003 with SP1/SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/de...=CAEC9321-FA5B-42F0-9F26-61F673FE6EEF
Windows Vista (optionally with SP1):
http://www.microsoft.com/downloads/de...=9179C463-C10A-452A-990F-B7E37CDD889B
Windows Vista x64 Edition (optionally with SP1):
http://www.microsoft.com/downloads/de...=6B26952E-B59D-4B0F-A52D-025E45ECD233
Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/de...=7245B411-7C9E-41E5-9841-4C586336086C
Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/de...=A241EAAD-95A0-442B-978F-F21A6F0C7DB4
Windows Server 2008 for Itanium-based Systems:
http://www.microsoft.com/downloads/de...=AB7C7015-20BB-4A0C-977A-969F4E2A5189
Links
Download MS08-065, MS08-067 and MS09-001 Detection Utility