Hosts: Christopher Budd, Security Response Communications Lead
Adrian Stone, Lead Security Program Manager (MSRC)
Chat Topic: January 2009 Security Bulletin
Date: Wednesday, January 14, 2009
Q: So just to clarify, there is no known code in the wild, and if there were to be, how would it get injected into the environment?
A: Exploitation of this issue would be expected to take place through ports 139/445 (SMB), hence our mitigation recommendation to block these ports at the firewall level. The attacker could create a specially crafted message and send it to these services on a vulnerable host. At this point in time Microsoft is not aware of any public proof of concept code or malware that exploits this vulnerability.
A: The MS09-001 update is superseded only by bulletin MS08-063; the other Server Message Block (SMB) bulletin that we shipped last year was bulletin MS08-068. These are separate updates for SMB, and this bulletin, MS09-001, as well as MS08-068 should be installed to protect against the vulnerabilities covered in these two bulletins.
Q: When will Microsoft release a patch for Advisory 961040?
A: Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Q: I didn’t understand about the code being known for the DoS and no known code for the Remote Code Execution (RCE) exploit. Can you repeat?
A: While there is code that describes the Denial of Service (DoS) condition (CVE-2008-4114), there has not been any Proof of Concept (POC) posted to exploit these vulnerabilities.
Q: With regards to MS08-070, Visual Basic 6 runtime extended files: we use Retina to verify patches on systems on the network. We have many systems that pop for vulnerabilities for this update, and some machines may show needing multiple files updated. How can these get updated when they don’t have Visual Basic 6 on the system and it’s not available in Windows Server Update Services (WSUS)?
A: Microsoft’s servicing policy is to ship updates specifically targeting Microsoft products, in this case the developer’s environment. Customers that then use our development platform will be able to apply security updates for those platforms (VB, VFP, VS, etc) only when that development platform is present on the system.
Customers may then update their applications and then provide their own updates as needed. For this particular release, customers’ applications that do not contain a redistributed ActiveX Control from Visual Basic 6, instead opting to use the hosted version from http://activex.microsoft.com, will not have to update their own applications, as the hosted VB6 ActiveX controls there have also been updated. Unfortunately, there is no detection method available (e.g. a registry key) that either Microsoft or customers can use to determine which application installed the ActiveX Control.
Q: How can we know if our computer is affected with the Conficker worm?
A: To be sure, the best way is to scan the machine with an up-to-date Anti-virus (AV). However, the most likely symptom(s) would be the inability to access any of the sites that we list as becoming inaccessible due to the worm, as shown in our encyclopedia entry at http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B (this is the Malware Portal).
Q: What port would SMB traffic typically traverse?
A: TCP ports 139 and 445.
Q: Does the January Malicious Software Removal Tool COMPLETELY clean up the registry of a host infected by the Conficker.B worm?
A: For known variants, yes. At any time, a new variant may show up and this may no longer be true. However, it does not restore the registry and there are elements that have to be restored, such as turning back on AutoUpdate, etc.
Q: Don’t Domain controllers need the ports open to distribute Group Policy?
A: Yes, the best option is definitely to apply the update, as blocking TCP ports 139 and 445 will impact the ability to manage a network.
A: They are very similar. Both are vulnerabilities that zero out too much memory in the kernel. The difference is the SMB command used to reach them.
Q: Is Microsoft aware of any Proof of Concept code that has been released for this vulnerability?
A: At this point in time, we are not aware of any public proof of concept code that’s available for any of the vulnerabilities resolved in this security update.
Q: Does the MS09-001 require a restart on Windows Server 2008?
A: It does NOT require a restart in certain scenarios on Windows Server 2008 and Vista. If serv.sys is in use, then a restart is required. If serv.sys is not in use, then a restart is not required. Customers who manually install the update by Windows Update (WU) will not see a restart; however, customers who get the update as part of an SMS or WSUS push may see an update. We will update the bulletin restart requirement to reflect this.
Q: How can MS09-001 be exploited? What conditions need to prevail on each of the operating system platforms for the vulnerability to be exploited? What is the likelihood of the vulnerability being exploited?
A: Likelihood for code execution is low. A DoS scenario is reliable; however, remote code execution is highly unlikely. Please see the Exploitability Index for more information.
Q: For MS09-001, is an XP client still vulnerable if they do not have any normal shares, and no admin shares? File and printer sharing for MS networks is still bound to the Network Interface Card (NIC) though.
A: Yes, they are vulnerable because of default shares like the ipc$ share.
Q: I don’t understand about the code being known for the DoS and not known for the RCE exploit. Can you repeat?
A: While there is code that describes the DoS condition (CVE-2008-4114), there has not been any POC posted to exploit these vulnerabilities.
Q: Is there an easy way to tell which version of the MSRT that I am using?
A: The version of the Malicious Software Removal Tool which is available through Windows Update and through the download center will always be the current version. We recommend that people wishing to use MSRT pull down the current version through one of those channels. More information about MSRT is available in KB 890830 at http://support.microsoft.com/?kbid=890830.
Q: If a system is exploited over the internet using some other vulnerability, can MS09-001 be exploited if SMB ports are blocked?
A: The vulnerabilities that are addressed by this bulletin update are specifically for SMB and specifically for the vulnerabilities described in the bulletin. This update does not address other vulnerabilities that may have infected a system.
Q: Would it have to be through visiting a website or what would the attack vector be?
A: The attack vector is via TCP port 139 or 445. These ports are usually blocked at the perimeter.
A: No – this issue is not wormable.
Q: Why is the exploitability index a 3 for Denial of Service? Is specific knowledge required about target systems to cause the DoS?
A: The exploitability index of “3” indicates that an exploit for code execution is very unlikely. There is actually already public code that will cause the DoS condition.