Windows Server Service Buffer Underflow Vulnerability

 

Overview

This vulnerability affects all currently supported versions of Windows, can be exploited without end users lifting a finger, and, in some experts' eyes, rivals the bug that led to 2003's destructive MSBlast attack.

 

Action Required

**** NOTE **** Properly configured SecureIT customers are protected from this new vulnerability and no action is required by those customers.

 

For non-SecureIT customers, we strongly advise that you do the following:

 

  1. Go to the Microsoft Windows Update site and download and install all missing Microsoft patches.

  2. Make sure that you have a software firewall installed and enabled on your computer, whether it is the Windows XP firewall or a third-party firewall that you have purchased.

  3. Go to http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx and under “Vulnerability Details” click on “Workarounds for Buffer Overrun in Server Service Vulnerability – CVE-2006-3439” and follow the stated instructions. Read these instructions carefully and ensure that making those changes will not affect your current working conditions.

 

I. Description

A stack-based buffer overflow exists in the Microsoft Server service. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

 

 

Microsoft Server Service

MS06-040 includes the following information:

The Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

 

Microsoft Remote Procedure Call (MS RPC) and Server Message Block (SMB)

RPC provides a mechanism that allows a program to execute a procedure on a remote system in a way that is transparent to the calling program. MS RPC is the Microsoft implementation of RPC. Windows services that use MS RPC may use SMB named pipes as the transport service for MS RPC calls.

The Problem

A stack-based buffer overflow exists in the Microsoft Server service. If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to trigger the buffer overflow.  There have been reports that this vulnerability is actively being exploited.

 

II. Impact

A remote, unauthenticated attacker who successfully exploits this vulnerability could take complete control of the affected system.

 

III. What Systems Are Affected?

·        Microsoft Windows 2000 Service Pack 4

·        Microsoft Windows XP Service Pack 1

·        Microsoft Windows XP Service Pack 2

·        Microsoft Windows XP Professional x64 Edition

·        Microsoft Windows Server 2003

·        Microsoft Windows Server 2003 Service Pack 1

·        Microsoft Windows Server 2003 for Itanium-based Systems

·        Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

·        Microsoft Windows Server 2003 x64 Edition

 

IV. What is SecureIT Services Doing to Ensure PCs are Protected?

·        All affected computers are being updated utilizing our SecureIT Windows Updater and through our regularly scheduled SecureIT updates.  This ensures a primary and backup method to eliminate any potential issues.

·        SecureIT Services is pushing out an update that restricts anonymous SMB access to customers’ computers by utilizing the techniques shown in Microsoft Knowledge Base Article 246261.  Anonymous SMB access to SAM accounts is restricted in Windows XP and Windows Server 2003 by default.
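
The anonymous-access restriction described in the last item can be checked across machines from collected `reg query` output. The Python script below is an added example, not SecureIT's or Microsoft's code. It assumes the `RestrictAnonymous` and `RestrictAnonymousSAM` values under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; the host names and sample output are constructed.

```python
import re

# Matches the value lines that `reg query` prints for
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa (name, type, hex data).
VALUE_RE = re.compile(
    r"^\s*(RestrictAnonymous(?:SAM)?)\s+REG_DWORD\s+0x([0-9a-f]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_lsa_values(reg_output):
    """Return {lower-cased value name: int} for the values present."""
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in VALUE_RE.finditer(reg_output)}

def assess_host(os_family, reg_output):
    """Return findings for one host; an empty list means nothing to fix."""
    values = parse_lsa_values(reg_output)
    findings = []
    # Assumption: a missing RestrictAnonymous value is treated like 0.
    if values.get("restrictanonymous", 0) == 0:
        findings.append("RestrictAnonymous is 0 or missing")
    # XP / Server 2003 restrict anonymous SAM access by default (value 1);
    # report hosts where that default has been switched off.
    if os_family in ("xp", "2003") and values.get("restrictanonymoussam", 1) == 0:
        findings.append("RestrictAnonymousSAM has been set to 0")
    return findings

def audit(inventory):
    """Map host name -> findings, keeping only hosts that need attention."""
    report = {}
    for host, (os_family, reg_output) in inventory.items():
        findings = assess_host(os_family, reg_output)
        if findings:
            report[host] = findings
    return report

# Constructed sample output for three hypothetical hosts.
LSA_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
SAMPLE_INVENTORY = {
    "w2k-file01": ("2000", LSA_KEY + "    restrictanonymous    REG_DWORD    0x0\n"),
    "xp-desk07": ("xp", LSA_KEY
                  + "    restrictanonymous    REG_DWORD    0x1\n"
                  + "    restrictanonymoussam    REG_DWORD    0x1\n"),
    "srv03-app2": ("2003", LSA_KEY
                   + "    restrictanonymous    REG_DWORD    0x1\n"
                   + "    restrictanonymoussam    REG_DWORD    0x0\n"),
}

if __name__ == "__main__":
    for host, findings in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, "->", "; ".join(findings))
```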