Microsoft released a security bulletin early on Thursday, detailing and
offering a patch for a critical bug in one of Windows’ services that could
allow remote code execution without any action on the victim’s part.
Microsoft considered the bug important enough to release the patch early
instead of waiting for ‘Patch Tuesday’, the monthly bundle of updates and
patches for Windows products.
The most affected versions of Windows are XP, 2000 and
Server 2003; Vista and Server 2008 are affected too, although
the latter two are not as vulnerable as the rest. The flaw is present in Windows’
‘Server’ service, which is used on a Local Area Network to control network
resources like file and print servers. The bug allows an attacker to send a
message to the service, which would cause a stack buffer overflow that can
allow the attacker to execute code on the victim’s computer and take complete
control of the system.
Two hours after the security bulletin was released, developers
of the Immunity security tools wrote attack code that exploits the flaw,
proving just how quick and easy it is to write code for this bug.
"It is very exploitable," said Immunity Security
Researcher Bas Alberts. "It's a very controllable stack overflow."
A stack buffer overflow is a vulnerability caused by errors in the code
of some programs. It lets an attacker use the program, in our case the
Server service, to ‘bleed’ data beyond the boundaries of a buffer on the
program’s call stack and into adjacent memory. This gives the attacker
access to parts of memory that are usually off-limits, which he could use
to execute code on the target machine and compromise it.
The bug, according to Microsoft, could conceivably be used
to build a worm: a piece of malware that spreads like a computer virus but,
rather than attaching itself to a particular file, simply runs on the infected
computers and uses them to propagate itself further, usually just taking up
bandwidth but at other times sending spam and similar material as well.
Immunity researchers, however, say that although it is
possible to build a worm around this vulnerability, such a worm wouldn’t be
able to spread very far; most networks would block the attack at the
firewall level.
"I only see it being a problem on internal networks,
but it is a very real and exploitable bug," said Alberts.
Microsoft recommends downloading and installing the patch immediately.
On a network where there is no need to share files locally via the NetBIOS
protocol, it also recommends disabling the Server service completely via the
management console, as well as disabling and/or removing the “File and
Printer Sharing” protocol from one’s network connection(s).