-
October 25th, 2008, 11:49 PM
#21
That's interesting regarding the NICs... I've read other reports of people stating that DHCP wasn't working for them on their wireless after installing the patch. I wonder if it's a trend..
As for how the servers get exploited... malware doesn't have to use a single attack vector.
A workstation may have the MS08-067 patch, but that doesn't mean it can't be infected by a worm that takes advantage of MS08-067 to spread. For example, an unpatched browser vuln could be used to drop the malware on the system, and it can then target unpatched systems on your network.
Maybe not a great amount of risk, but it's something to consider.
-
October 26th, 2008, 02:27 AM
#22
-
October 27th, 2008, 12:20 PM
#23
There's a fairly low-key but worrying bit of malware exploiting this at the moment: http://voices.washingtonpost.com/sec...exploitin.html
Don't be fooled into thinking that a worm exploiting MS08-067 will be just like the ones we saw a few years ago - there are several different ways that a client could get infected with a dropper that will then go off to scan and exploit a network normally protected by a firewall. You could simply add the dropper as a module to a typical drive-by download attack, for example.
POC code has been around for a few days, it clearly is possible to exploit this and the patch has been pretty comprehensively reverse engineered by researchers (and presumably also the bad guys).
If you're running a corporate network, then you should assume that you will eventually get hit by an MS08-067 based worm despite any countermeasures that you have in place. So patch now.
-
October 27th, 2008, 12:49 PM
#24
I am not saying I am not going to patch....I am just saying there are a lot of ways to slow down the spread.
and if the client is patched....how does it get infected??
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 27th, 2008, 01:18 PM
#25
Originally Posted by morganlefay
I am not saying I am not going to patch....I am just saying there are a lot of ways to slow down the spread.
and if the client is patched....how does it get infected??
MLF
The patch fixes against the vulnerability being exploited on the box. That doesn't mean that another piece of malware (a dropper as Dynamoo mentioned) couldn't drop malware on your system that scans your network and exploits unpatched systems.
Your system is protected against being attacked if you've patched, not against attacking other systems.
-
October 27th, 2008, 02:56 PM
#26
Yeap that is a possibility...although unlikely in this environment.
And after monitoring newsgroups\forums and application sites .......I applied the patch to the server.
My point was there was some time.....and the likelihood of the threat getting past the existing barriers .... firewalls, NAT routers, AUPs etc...the threat to my network was minimal...allowing me time to research and ensure that applying the patch would not affect my network and application.
Security is fine as long as it does not affect functionality.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 27th, 2008, 05:54 PM
#27
We've applied this patch to a lot of systems (3000+) with no ill-effects so far that can be attributed to it.
The odd thing about these worms is that they can flare up again from time-to-time. We got hit by the old Code Red IIS worm two *years* after it was released, on an unpatched server. We have absolutely no idea how such an old worm managed to get onto our network, but it caused a significant amount of disruption.
-
October 27th, 2008, 09:48 PM
#28
Originally Posted by dynamoo
We've applied this patch to a lot of systems (3000+) with no ill-effects so far that can be attributed to it.
The odd thing about these worms is that they can flare up again from time-to-time. We got hit by the old Code Red IIS worm two *years* after it was released, on an unpatched server. We have absolutely no idea how such an old worm managed to get onto our network, but it caused a significant amount of disruption.
Dragging this even more off topic... My honeypot is hit by slammer on a daily basis...
-
October 28th, 2008, 01:43 PM
#29
Originally Posted by HTRegz
Dragging this even more off topic... My honeypot is hit by slammer on a daily basis...
Well, not really off-topic. It goes to prove that you *think* you're safe from a worm attack because it's quite old, but the little buggers are persistent.
Luckily, there doesn't seem to be a concerted effort to exploit this one at the moment.
-
October 30th, 2008, 12:54 AM
#30
Originally Posted by morganlefay
specifically when assessing a threat...as to run around and apply patches untested to a production environment is risky to say the least and I like to see what the mitigating factors are before I patch.
I have seen some hasty patches totally fubar a server \application....
I hear ya. We are patching our servers tonight. We have a ton of applications that have been broken by MS Patches and they had to be thoroughly tested by the apps teams.
Workstations are showing any problems, they have already been patched.
Our environment has users on 24/7 -365, so it's a pain for them when we have to do this, but I like to remind people of this nasty virus outbreak we had a few years ago that brought a lot of our sites down for days.
A few hours is always better than a few days.