Microsoft Security Bulletin MS11-083 - Critical

Discussion in 'other security issues & news' started by Hungry Man, Nov 8, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    https://technet.microsoft.com/en-us/security/bulletin/ms11-083

    Microsoft Security Bulletin MS11-083 - Critical

    lol wonderful


    Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

     
    Last edited: Nov 8, 2011
  2. wat0114

    wat0114 Guest

    Quite a serious one, actually, based on the Executive Summary.

    As a Workaround:

    Another reason why even a cheap home-grade router is a highly recommended investment :) (where's YeoldStoneCat when you need him? :D )
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yep, I'm behind a Firewall'd router and any portscanner shows me as stealthed on all ports.

    Anyone not behind one... your firewall doesn't do a whole lot right now! =p
     
  4. wat0114

    wat0114 Guest

    Yeah, this is interesting; I've never seen a vulnerability like this come up as long as I can remember, though maybe I've missed something over the years.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. wat0114

    wat0114 Guest

    The difference I see with that one (and others I've seen similar to it) is that the request does not have to get past any closed firewall ports. This vulnerability, however, hammers away at and breeches a closed port.

    *EDIT*

    thank you MrBrian! so now I'm not so sure about this?? In the link MrBrian provides, they mention a large number of packets against a port where no service is listening on, which implies to me that no software firewall would be involved in the fist place? Does this seem right? IOW, even with just Windows fw or another 3rd-party fw, this exploit could be stopped?
     
    Last edited by a moderator: Nov 8, 2011
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Basically, they don't consider it too much of a threat because almost everyone is behind some kind of router or layer that'll protect against it.

    Kinda silly for them to think that that's an excuse.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It will run with the Firewall.

    You bombard a port with UDP packets and because of the way it keeps track of them you get an overflow.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Microsoft Leaves Duqu Worm Exploit Unpatched:
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There is vulnerable Windows code that is handling the incoming packets. I'm not sure if a third-party software firewall would make any difference.
     
  12. wat0114

    wat0114 Guest

    Hi MrBrian,

    I'm wondering what your take is on their workaround:

    "Block unused UDP ports at the perimeter firewall"

    ?

    At first I took "perimeter firewall" as meaning hardware firewall, but now I'm starting to think it could be built-in as in Windows fw or 3rd-party sofwtare firewall. When the Executive Summary stated "closed port" I assumed, maybe incorrectly, that they meant closed by a built-in firewall, but now I'm thinking they just mean closed because no service is listening on it. If the latter is true, they could do a better job of clarifying that the built-in Windows fw or any 3rd-party fw could also be used as a Workaround.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't know enough about the attack to say whether 3rd party firewalls would stop it. It depends if windows still logs the packets, which is possible since the firewall service still runs.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Perimeter firewall means router or if you're on a more complicated network it can be a number of devices. For a home user, router.
     
  15. wat0114

    wat0114 Guest

    Darn, we are cross-posting :ouch: :D Okay, thanks for the clarification :)

    That's how I interpret perimeter firewall as well: a router or other type of hardware firewall appliance.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    See Hungry Man's response.
     
  17. wat0114

    wat0114 Guest

    Oh, because Windows might still log the packets, which is what the :

    means in the exploit assessment?

    *EDIT*

    never mind. I think you mean the "perimeter firewall" meaning?
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yeah, use a router :thumb:.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Microsoft patch snuffs out major worm potential:
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Basically you flood a port with UDP packets. Windows keeps track of this. The issue is that it keeps track of it poorly and unfortunately keeping track of strings and logs is very important because when you don't... you get an overflow, which can give access.
     
  21. wat0114

    wat0114 Guest

    Very good, got it :)


    Good point, I think you're right on this. However, from the second link mrBrian posted (thank you again):

    sorry to keep yammering away about this, but this kind of stuff fascinates me, especially with regards to network and firewall :)

    The way I interpret, yet again, is that they are talking about a port not protected by a firewall, whether that be perimeter, software, or Windows' built-in. Remember the Blaster worm of circa 2003, it is easily stopped by even enabling Windows firewall. This exploit appears as similar to that one, and stopped by Windows or a 3rd-party firewall, although I do agree routers are best for basic blocking of Intyernet "noise". Oh well, fun stuff to discuss :)
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There still has to be packet handling code, even if nothing is listening on a given port. Unfortunately, in this case, there is a vulnerability in said code.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    When they say unprotected I think they're referring to a hardware firewall/ router type thing.

    Whether you use Windows or 3rd party the Firewall service should still run and will probably still record this stuff.

    I don't know enough about it to say "Oh, this will work on anyone using any firewall" but I would not be surprised.

    I'll look into it more. It's clear that Windows firewall is running it's just not clear what they mean by "protected." I think they mean hardware firewall on the network.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    This is UDP packets to a closed port, not a listening service or anything like that. So this will work even if the port is closed.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
Loading...
Thread Status:
Not open for further replies.