Microsoft closes critical hole in Windows
Microsoft has released two security updates for Windows 2000, XP, Server 2003, Vista, Server 2008 and Office 2003 and later. The patch described in Bulletin MS08-069 closes three holes in Microsoft's XML Core Services 3.0, 4.0, 5.0 and 6.0. Microsoft rates one of the errors as critical, since a visit to a specially crafted website is all it takes to become the victim of an attack. According to the report, the cause of the vulnerability is a memory error that occurs when XML code is being parsed that allows code to be injected and executed. This rating only applies to MSXML version 3.0, but in the other versions the company still rates the threat as high.
The XML vulnerability affects Office 2003 and later versions even when they are fully patched. This includes the Office 2007 file import filters for earlier versions of Office, which allow Office 2007's XML-based files to be read in previous versions. If these filters are not installed, Office XP and earlier are not affected, so long as they are fully up to date – meaning Office XP SP3 and Office 2000 SP3. Users who are not sure whether they are fully up to date can have their Office installation updated for free, automatically, at Office Update.
The second patch, MS08-068, denies attackers the opportunity to launch what are known as SMB reflection attacks. In these attacks, the operator of a manipulated SMB server takes the NTLM login credentials from a login the victim previously attempted against his server and sends them straight back to the victim's PC, in order to authenticate there and run programs. For this to work, ports 139 and 445 on the victim's PC have to be reachable, which is the case when file and printer sharing is activated on a LAN and the firewall does not block the ports. The newly released patch lets Windows recognize the reflected credentials as invalid.
This problem is actually not new. Microsoft describes this attack, among other things, in an article published in 2005 entitled "How to Shoot Yourself in the Foot with Security, Part 1". Back then, Microsoft had already recommended the preventive measure of activating SMB message signing and this tip is mentioned as a workaround in the bulletin.
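A defender-side check for that workaround, added here as an example and not taken from the article or from Microsoft: it reads the standard LanmanWorkstation/LanmanServer registry values that control SMB signing and lists any listener on TCP 139/445 so an administrator can confirm the firewall is doing its job. The registry value names and the netstat output format are assumed to be the usual ones on the Windows versions named above.

```powershell
# Reports whether SMB signing is required on the client and server side,
# and whether TCP 139/445 are listening. Run in an elevated PowerShell session.
$keys = @{
    'Client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    'Server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningState {
    foreach ($role in $keys.Keys) {
        $props = Get-ItemProperty -Path $keys[$role] -ErrorAction SilentlyContinue
        # A missing value means the OS default applies; treat that as "not required".
        $enabled  = if ($null -ne $props.EnableSecuritySignature)  { [int]$props.EnableSecuritySignature }  else { $null }
        $required = if ($null -ne $props.RequireSecuritySignature) { [int]$props.RequireSecuritySignature } else { $null }
        [pscustomobject]@{
            Role            = $role
            SigningEnabled  = $enabled
            SigningRequired = $required
            Status          = if ($required -eq 1) { 'OK: signing required' } else { 'WARN: signing not required' }
        }
    }
}

function Get-SmbListeners {
    # netstat is present on every Windows version the article names; keep only LISTENING lines on 139/445.
    netstat -ano | Where-Object { $_ -match 'LISTENING' -and $_ -match ':(139|445)\s' } |
        ForEach-Object {
            $f = ($_ -replace '^\s+', '') -split '\s+'
            [pscustomobject]@{ Proto = $f[0]; LocalAddress = $f[1]; PID = $f[4] }
        }
}

Get-SmbSigningState | Format-Table -AutoSize
$listeners = Get-SmbListeners
if ($listeners) {
    'TCP 139/445 are listening; verify the host firewall blocks them from untrusted networks:'
    $listeners | Format-Table -AutoSize
} else {
    'No SMB listener on TCP 139/445.'
}
```

Signing is only negotiated when both sides support it, so the server-side value matters on the machine that hosts shares and the client-side value on the machine that connects to them.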
According to the Microsoft Exploitability Index, there is already an openly available exploit for the SMB hole. Microsoft expects an exploit to appear soon for the XML hole, saying "Exploit code for information disclosure is likely as this can be used in cross-domain attacks." Users should ensure that the updates are automatically loaded onto their computers.
- Microsoft Security Bulletin Summary for November 2008, summary by Microsoft