Out-of-cycle Security Patch Posts to Fix Huge, Gaping RPC Hole

Normally, Microsoft reserves its security patches, fixes, updates, and other software tweaks and maneuvers for the second Tuesday in each month, aka “Patch Tuesday.” Yesterday afternoon I was somewhat surprised to see various sources trumpeting the release of an out-of-schedule security patch through Windows Update on the fourth Thursday in October.

As described in Knowledge Base article 958644 and MS Security Bulletin MS08-067, this update addresses a vulnerability in the Windows Server service. The Server service is a critical component of any modern Windows OS that responds to incoming network communication requests; it has been part of the Windows kernel since the LAN Manager days. In fact, this service is called the LAN Manager Server in the “Server service configuration and tuning” article (KB 128167). It's also managed via a Registry key named LanmanServer in the HKLM\SYSTEM\CurrentControlSet\Services sub-tree.

In short, the Server service is so entrenched in Windows operating systems that even Windows Server 2008 installations that lack a GUI (the so-called “Server Core” minimalist version) can fall prey to this vulnerability. That explains why every Windows OS from Server 2008 and Vista, to Windows XP, Windows Server 2003, and Windows 2000, in 64- and 32-bit flavors, and server and workstation versions, where applicable, is included in this security update.

Why all this hoopla? According to Brian Livingston's Windows Secrets Newsletter, “this is the first time in 1-1/2 years that Microsoft has released an emergency fix outside of its monthly Patch Tuesday cycle.” The reason is that Microsoft discovered an RPC (remote procedure call) attack that could propagate around internal networks and the Internet with no user action needed to help it spread. Modern versions of Windows that predate User Account Control (UAC), such as XP, Windows Server 2003, and all flavors of Windows 2000, are especially susceptible to this vulnerability. At the same time, most AV vendors have also released updates to defend against this kind of attack, but Livingston's newsletter reports “there are already nine different strains of viruses” that seek to exploit this vulnerability.

As with other patches that replace kernel files, Windows will ask you to restart your PC after the patch is installed. In writing the story on this RPC vulnerability for the Windows Secrets Newsletter, writer Susan Bradley also urges administrators and users to reboot their PCs before installing the patch, just to make doubly darn sure the machine will reboot properly once the patch has been installed (the update process requires a successful restart for the patch to be completely and properly applied). Then, when you reboot the machine after installation, you can be reasonably sure it will complete the installation process following that second successful restart.

If you haven't already installed this patch, please do so now. It only replaces a single Windows file, namely Netapi32.dll, and is therefore unlikely to cause any incompatibility problems, either for server or desktop machines. For more technical information about the actual vulnerability, see Dan Kaplan's “Separate proofs-of-concept released after rushed Windows fix” at SC Magazine or this blog on MS08-067 at Securiteam.
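For administrators who want to confirm on each machine that the MS08-067 update described above is actually in place, here is an added audit script (mine, not code from the post, Windows Secrets, or Microsoft). It assumes PowerShell 2.0 or later (for Get-HotFix) run elevated, and the `MinimumNetapiVersion` parameter is a placeholder to be filled in from the file-information table in KB 958644 for the OS being checked.

```powershell
# Added audit script (not from the original post). Assumes PowerShell 2.0 or
# later with Get-HotFix, run elevated on the machine being checked.
param(
    # Lowest patched Netapi32.dll version for this OS, taken from the file
    # information table in KB 958644. Placeholder: supply the real value.
    [version]$MinimumNetapiVersion = '0.0.0.0'
)

$kb = 'KB958644'   # the MS08-067 update discussed in the post

# 1. Does Windows record the hotfix as installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
$hotfixInstalled = ($null -ne $hotfix)

# 2. Version of the single file the update replaces, Netapi32.dll.
#    FileVersion can carry trailing build text, so build a Version object
#    from the numeric parts instead of casting the string.
$vi = (Get-Item (Join-Path $env:SystemRoot 'System32\netapi32.dll')).VersionInfo
$netapiVersion = New-Object Version -ArgumentList @($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

# 3. The Server service itself and its LanmanServer registry key.
$svc   = Get-Service -Name LanmanServer
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
$start = (Get-ItemProperty -Path $regKey -Name Start).Start

# 4. Is a reboot still pending? The update is not complete until one succeeds.
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))

# Emit one record per machine; pipe to Export-Csv when run across a fleet.
New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    HotfixInstalled    = $hotfixInstalled
    InstalledOn        = $(if ($hotfix) { $hotfix.InstalledOn })
    NetapiVersion      = $netapiVersion
    NetapiAtOrAbove    = ($netapiVersion -ge $MinimumNetapiVersion)
    ServerServiceState = $svc.Status
    ServerServiceStart = $start   # 2 = Automatic, 3 = Manual, 4 = Disabled
    RebootPending      = $rebootPending
}
```

A machine that reports the hotfix installed but RebootPending set is still in the half-applied state the post warns about, so treat it as unpatched until the restart completes.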


Please note: this blog is a copy of a blog I wrote for TechTarget's IT Knowledge Exchange this afternoon, entitled “Out-of-schedule Security Patch Posts to Windows Update.”

