Published: 2008-11-23T17:13+00:00
Last Updated: 2009-01-22T02:28+00:00
TRTA08-297A
Microsoft Windows Server Service RPC Vulnerability
Overview
A vulnerability in the way the Microsoft Windows server service handles RPC requests could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.
Event Information
Date (UTC) | Description |
--- | --- |
2009-01-17 05:00 | SANS Internet Storm Center: Investigating and Verifying domains to block (Conficker.B/Downadup.B). As most of us know, investigation and verification of data plays a critical role in protecting our assets. Blind faith in what others say or do may of course lead to a call from a C-level asking why his VP of sales can't get to his favorite vacation blog. Today's diary (and the updates that will follow) will share some of the process and findings of my investigation into the wonderful list of domains that was produced by F-Secure that we have previously mentioned. |
2009-01-16 22:27 | US-CERT: Widespread Infection of Win32/Conflicker/Downadup Worm (US-CERT Current Activity). US-CERT is aware of public reports indicating a widespread infection of the Win32/Conflicker/Downadup worm. This worm exploits a previously patched vulnerability addressed in Microsoft Security Bulletin MS08-067. This worm attempts to propagate via multiple methods including removable media. |
2009-01-06 12:39 | Symantec Security Response Blog: Malicious Code, W32.Downadup Infection Statistics. On July 7, Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. On or about this date, our honeypots began detecting this vulnerability exploited in what I can only describe as a Neosploit wrapper. |
2008-12-22 | Symantec: Trojan.Gimfan.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-12-05 17:59 | Symantec: ThreatCON (2) => (1) |
2008-11-26 16:32 | SANS Internet Storm Center: MS - new malware using an ms08-067 exploit gained momentum. In Tuesday's blog "More MS08-067 Exploits" Microsoft said that new malware using an ms08-067 exploit "gained momentum and as a result we see an increased support call volume". |
2008-11-25 04:48 | Microsoft Security Response Center Blog: MS08-067 Update: November 25. Recently we've received a string of reports from customers that have yet to apply the update and are infected by malware. These most recent reports have a common malware family, and the folks in the Microsoft Malware Protection Center (MMPC) have provided detailed information regarding this latest threat. The detailed write-ups regarding this threat can be found here and here. It's important to note that customers who have installed MS08-067 are not affected. |
2008-11-22 18:14 | Symantec: ThreatCON (2) => (2). Symantec has released detections for a new worm named W32.Downadup that is exploiting Windows 2000 computers over TCP port 445. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-21 16:33 | Symantec: ThreatCON (2) => (2). Symantec TMS sensors are observing a rise in activity over TCP port 445 that appears to be related to exploitation of MS08-067. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-21 | Symantec: W32.Downadup. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-21 | Trend Micro: WORM_DOWNAD.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-16 22:54 | Bugtraq: Microsoft Windows Server Service (MS08-067) Exploit. Server Service Vulnerability (CVE-2008-4250, MS08-067). #Cid: srvsvcexpl.rar #Cid: 31874.py #Tested: Windows 2000 #Tested: Windows 2003 Server SP2 |
2008-11-05 15:31 | SANS Internet Storm Center: ms08-067 exploitation by 61.218.147.66. They have sample packets of the exploit and the call-back shell. They show an example of libemu's sctest. They find the exploiting IP 61.218.147.66. That IP is definitely sequentially scanning IP addresses for TCP 445 looking for vulnerable systems, so blocking it at your enterprise gateway is recommended. |
2008-11-04 10:00 | JPCERT/CC: JPCERT-AT-2008-0019: Increased activity targeting TCP port 445 |
2008-11-03 20:13 | Symantec: ThreatCON (2) => (2). Microsoft has released the MS08-067 bulletin to patch a critical flaw being exploited in the wild. We strongly urge users to update immediately and to filter TCP ports 139 and 445. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-03 18:54 | SANS Internet Storm Center: MS08-067 Worm in the wild? (Version: 3). The "Worm" appears to be spreading over the local network, port 445. Speaking from a Snort perspective, as pointed out in the VRT blog, not only does this worm trigger off of the new rules that Sourcefire has written for Snort for the newest 08-067 vulnerability, but this particular variant of the worm triggers an older rule that VRT wrote for 06-040. |
2008-11-03 18:54 | US-CERT: Worm Exploiting Microsoft MS08-067 Circulating (US-CERT Current Activity). US-CERT is aware of public reports of a worm circulating that has the capability of exploiting the recently patched vulnerability described in Microsoft Security Bulletin MS08-067. |
2008-11-03 13:34 | F-Secure: Worm Exploiting MS08-067 in the Wild (F-Secure Weblog: News from the Lab). Code building on the proof of concept binaries that were mentioned last week has moved into the wild. We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi. |
2008-11-03 | Trend Micro: WORM_WECORL.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-03 | Trend Micro: WORM_KERBOT.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-02 | Symantec: W32.Wecorl. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-02 | Trend Micro: TROJ_DUCKY.O. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-11-02 | Trend Micro: TROJ_DUCKY.M. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-31 18:00 | IBM Internet Security Systems: AlertCon (2) => (1). The threat level has been reduced to AlertCon 1 due to absence of any widespread exploitation of MS08-067. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-31 12:53 | F-Secure: Proof of Concept Binaries for MS08-067 Targeting English Windows OS's (F-Secure Weblog: News from the Lab). We are seeing the first Proof of Concept binaries that target the MS08-067 vulnerability on the following English localized systems: Windows XP Service Pack 2, Windows XP Service Pack 3, Windows 2003 Service Pack 2 |
2008-10-28 | Bugtraq: MS Windows Server Service Code Execution Exploit (MS08-067). Server Service Vulnerability (CVE-2008-4250, MS08-067). #Cid: 31874.c |
2008-10-27 23:43 | Microsoft: Microsoft Security Advisory (958963): Exploit Code Published Affecting the Server Service. Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. |
2008-10-26 | Bugtraq: MS Windows Server Service Code Execution Exploit (MS08-067) (cn univ.). Server Service Vulnerability (CVE-2008-4250, MS08-067). MS08-067 Exploit for CN by EMM. #Cid: 2008-MS08-067.rar |
2008-10-25 16:29 | ThreatExpert: Gimmiv.A exploits critical vulnerability (MS08-067). Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-25 | SecuriTeam Blogs: Microsoft Windows RPC Vulnerability MS08-067 (CVE-2008-4250) FAQ - October 2008. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-24 20:27 | Symantec: Trojan.Gimmiv.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-24 18:34 | Symantec: ThreatCON (2) => (2). Microsoft has released the MS08-067 bulletin to patch a critical flaw being exploited in the wild by at least one piece of malicious code. We strongly urge users to update immediately and filter TCP ports 139 and 445. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-24 01:33 | JPCERT/CC: JPCERT-AT-2008-0018: Vulnerability in Microsoft Server Service |
2008-10-24 | Trend Micro: TSPY_GIMMIV.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-23 23:43 | Emerging Threats: Gimmiv.A exploits critical vulnerability (MS08-067). Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-23 21:12 | US-CERT: TA08-297A: Microsoft Windows Server Service RPC Vulnerability (via US-CERT Mailing List) |
2008-10-23 21:00 | IBM Internet Security Systems: AlertCon (1) => (2). The threat level has been elevated to AlertCon 2 due to an out-of-cycle security advisory issued by Microsoft, MS08-067. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-23 20:58 | SANS Internet Storm Center: Microsoft out-of-band patch - Severity Critical (Version: 3). Microsoft has just released an advance notification of an out-of-band update to be released on 23rd of October. They will hold a special webcast on the 23rd at 1:00 pm PT to discuss the release. The patch will be released at 10.00 am. |
2008-10-23 19:06 | Sophos: Troj/Gimmiv-A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-23 17:58 | Microsoft: MS08-067: Out-of-Band Microsoft Security Bulletin Summary for October 23, 2008 (via Microsoft newsletters). This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. |
2008-10-23 17:45 | Symantec: ThreatCON (2) => (2). Microsoft has just released MS08-067 to patch a critical flaw affecting Windows 2000, XP, 2003, Vista, and Server 2008. This issue is being actively exploited in the wild. Users should patch immediately. Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-23 11:47 | US-CERT: Microsoft Releases Advance Notification for Out-of-Band October Security Bulletin (US-CERT Current Activity). Microsoft has issued a Security Bulletin Advance Notification indicating the upcoming release of an out-of-band bulletin. The notification states that this is a Critical bulletin and is for Microsoft Windows. Release of this bulletin is scheduled for Thursday, October 23. |
2008-10-23 10:33 | Microsoft Security Response Center Blog: MS08-067 Released. This security update resolves a vulnerability in the Server service that affects all currently supported versions of Windows. Windows XP and older versions are rated as "Critical" while Windows Vista and newer versions are rated as "Important". Because the vulnerability is potentially wormable on those older versions of Windows, we're encouraging customers to test and deploy the update as soon as possible. |
2008-10-23 04:50 | Microsoft: MS08-067: Out-of-Band Microsoft Security Bulletin Advance Notification for October 23, 2008 (via Microsoft newsletters) |
2008-10-23 | Microsoft: TrojanSpy:Win32/Gimmiv.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-23 | McAfee: Exploit-MSExcel.p. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
2008-10-23 | Bugtraq: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. Server Service Vulnerability (CVE-2008-4250, MS08-067). MS Windows Server Service Code Execution PoC (MS08-067). #Cid: 2008-ms08-067.zip #Cid: 31874.zip |
2008-10-23 | IBM Internet Security Systems: Microsoft Windows Server Service RPC Code Execution. Server Service Vulnerability (CVE-2008-4250, MS08-067). Microsoft Windows Server Service could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Remote Procedure Call (RPC) service. |
2008-10-22 | Trend Micro: WORM_GIMMIV.A. Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067) |
Other Information
CVE | CVE-2008-4250 |