June 14th, 2005, 09:05 PM
Microsoft Advisories for June: 10 New, 3 Re-released
Notice they have re-released the TCP/IP patch (MS05-019) as well as the Word patch (MS05-023) both of which are rated critical. They also re-released the ASP.Net patch. Also, there's a patch for Server Message Block (SMB) protocol.
I'm concerned about the SMB and Word advisories so far in my reading. At first glance they seem to have a high potential for worms as well as viruses exploiting them, but I haven't fully researched them.
Share your patching experiences with these with the rest of us if you would.
June 15th, 2005, 09:45 AM
The SMB vulnerability does look to be the most worrying one.
A close read of the details on the Microsoft site shows that it is possible for an anonymous remote user to execute arbitrary code on the target system, and that's a possible vector for spreading a worm.
Worse, the workaround is basically to use a firewall to keep traffic off your network. This is fine, but will only work as long as some freaking idiot doesn't bring an infected laptop into your organisation.
And there's more: there's no patch for NT machines and it looks suspiciously like they might be vulnerable. I know that a *lot* of people have legacy NT servers that they haven't replaced yet. If that's the case then it becomes imperative that nobody strolls in with an infected machine.
June 15th, 2005, 01:26 PM
If you have an NT machine you're concerned about, but can't get rid of, you can sign an agreement with Microsoft (it isn't cheap) to get these security patches for NT.
June 17th, 2005, 10:41 AM
I sat through a presentation on this yesterday and there's no doubt that the SMB is the biggest security threat this year. NT is almost definitely vulnerable in theory, as well as XP/2000/2003.
The only good thing is that it is extremely difficult to exploit the vuln to run arbitrary code. However, the analyst said that there *are* people who will probably be able to do it. However, creating a DoS attack based on the flaw is much easier.
In any case, once a POC (proof of concept) is released it will probably be only a couple of days before it finds its way into some malware. Of course, if that POC runs arbitrary code then we have a very serious problem indeed.
REMEMBER: Although a firewall will mitigate the problem, you will only be protected until either some luser brings an infected laptop into your organisation, or some virus or other malware drops an exploit in after being delivered via email or a browser vulnerability.
So.. patch patch patch patch patch.
Incidentally, for NT servers the eEye Blink product might offer some protection. I'm certainly going to have a look at that product in the next couple of days.
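The thread's recurring point is that a perimeter firewall does nothing once an infected laptop is already inside, so the detection that matters is a single internal host fanning out to many peers on the SMB ports. The script below is an added example, not code from the original posters; it assumes a simple whitespace-separated connection log (timestamp, source, destination, destination port) and uses TCP 139 and 445 as the SMB ports, with the sample log lines constructed for illustration.

```python
from collections import defaultdict

# Constructed sample connection log (not from the thread):
# "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2005-06-15T09:00:01 10.0.0.5 10.0.0.20 445
2005-06-15T09:00:01 10.0.0.5 10.0.0.21 445
2005-06-15T09:00:02 10.0.0.5 10.0.0.22 139
2005-06-15T09:00:02 10.0.0.5 10.0.0.23 445
2005-06-15T09:00:03 10.0.0.5 10.0.0.24 445
2005-06-15T09:00:03 10.0.0.5 10.0.0.25 445
2005-06-15T09:00:04 10.0.0.8 10.0.0.30 445
2005-06-15T09:00:05 10.0.0.8 10.0.0.30 445
2005-06-15T09:00:06 10.0.0.9 10.0.0.40 80
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP


def parse_log(text):
    """Yield (src, dst, port) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split()
        yield src, dst, int(port)


def find_smb_fanout(text, threshold=5):
    """Return {src: sorted distinct SMB destinations} for every source that
    contacted at least `threshold` distinct hosts on SMB ports.

    Repeated connections to the same peer (normal file-sharing use) do not
    count; only the breadth of distinct targets does, which is the pattern
    a worm shows once it is already inside the perimeter.
    """
    targets = defaultdict(set)
    for src, dst, port in parse_log(text):
        if port in SMB_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{src} reached {len(dsts)} hosts on SMB ports: {', '.join(dsts)}")
```

Run against real firewall or flow logs, the threshold should be tuned to the normal number of file servers a workstation talks to, so that a host contacting dozens of peers on 445 in a few seconds stands out.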