Major Windows Security Update Issued
Posted: 2006-08-08 18:00:00 Expiration: 2006-08-15 18:00:00
On August 8, 2006 Microsoft released a patch for a previously undisclosed vulnerability in the Microsoft Windows server service. All Windows XP and 2000 computers are vulnerable.
Background
On August 8, 2006 Microsoft released a patch for a previously undisclosed vulnerability (http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx) in the Microsoft Windows server service. The server service is responsible for File and Printer Sharing, remote access via Remote Procedure Calls (RPC), and access to computers via named pipes. Microsoft indicated that the vulnerability *is already being exploited* on the Internet.
Impact
An unauthenticated attacker can send a specially crafted message to the Server service, execute code of his or her choice, and take complete control of the vulnerable system.
Platforms Affected
- Microsoft Windows XP (all versions)
- Microsoft Windows Server 2003 (all versions)
- Microsoft Windows 2000 (all versions)
See Microsoft Security Bulletin MS06-040 for a complete list.
Local Observations
The Server service uses TCP ports 139 and 445. The University of Wisconsin-Madison network is already blocking TCP ports 139 and 445 at the network border. *Note:* Though beneficial, these network border blocks are not effective at stopping attacks that originate from inside our network border (e.g., dial-up or VPN connections). Therefore, it is important that you follow the recommendations and workarounds listed below.
Recommendations
- Apply the patch listed in Microsoft Security Bulletin MS06-040.
- IT administrators can use the freely available tool from eEye to scan their networks for potentially unpatched machines.
- Configure a host-based firewall, such as the Windows Firewall, to block communication to TCP ports 139 and 445 from untrusted networks.
- For servers with sensitive data, use IPSec to restrict communication to only trusted hosts that also have IPSec configured.
- Use TCP/IP Filtering to block all unsolicited inbound traffic.
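As an added example (not part of the DoIT advisory, nor any Microsoft or eEye tool), the following Python script checks from its own vantage point whether hosts still accept TCP connections on the Server service ports 139 and 445, which is one way to verify that the border block and host firewall recommendations above actually take effect for a given host. The host list and the localhost listener it uses are constructed stand-ins; a real run passes campus host addresses.

```python
import socket

# Server service ports named in the advisory (File and Printer Sharing,
# RPC over SMB, named pipes).
SERVER_SERVICE_PORTS = (139, 445)

def port_reachable(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes from this vantage
    point, i.e. no border block or host firewall is filtering it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (filtered) or unreachable
        return False

def audit_hosts(hosts, ports=SERVER_SERVICE_PORTS, timeout=1.0):
    """Map each host to the tuple of Server service ports that answered."""
    return {h: tuple(p for p in ports if port_reachable(h, p, timeout))
            for h in hosts}

def exposed_hosts(results):
    """Hosts that accepted a connection on at least one audited port."""
    return sorted(h for h, ports in results.items() if ports)

def report(results, vantage):
    """Short text report; `vantage` names where the audit was run from."""
    lines = [f"Server service exposure seen from {vantage}:"]
    for host in sorted(results):
        ports = results[host]
        state = "OPEN " + ",".join(map(str, ports)) if ports else "blocked"
        lines.append(f"  {host}: {state}")
    return "\n".join(lines)

def listener_on_localhost():
    """Constructed stand-in for an exposed host: a listening socket on an
    ephemeral 127.0.0.1 port. The kernel completes handshakes into the
    backlog, so no accept() loop is needed. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed run: the listener stands in for a host still answering on
    # 445; a real audit passes campus addresses and SERVER_SERVICE_PORTS.
    srv, port = listener_on_localhost()
    print(report(audit_hosts(["127.0.0.1"], ports=(port,)), "inside the border"))
    srv.close()
```

A host reported as blocked from outside the border but OPEN from an internal address is exactly the case the note under Local Observations warns about, and should get the host firewall or IPSec configuration above.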
-- DoIT Security