Happy Birthday MS08-067

Thursday, October 06, 2011



Three years ago, a vulnerability was discovered that systems still fall victim to this very day.

The vulnerability is a flaw in the Windows Server service that could allow remote code execution when a specially crafted RPC request is sent to it.

This vulnerability affected Windows 2000, XP, Server 2003, Vista, and Server 2008, and has been assigned CVE-2008-4250.

What’s the big deal?  It is 2011!  The simple fact is there are unpatched systems still out there.

(http://twitpic.com/6t1xhz picture from Mubix)

From systems buried in corporate environments, to others just sitting there on the internet waiting to be compromised, this vulnerability just doesn’t want to die. 

Why aren’t they patched yet? Let’s look at the simple math of patching a large corporate environment. 

If a large corporation has 10,000 systems that can be affected by MS08-067, and all but 1 percent are patched, that leaves 100 systems vulnerable.

A corporation might not even be able to patch this issue, depending on what legacy equipment is in use. Depending on the size of the environment, it may not even know the systems are vulnerable.

Relying on anti-virus (a/v) to protect the system is just not enough.  Metasploit, which is commonly used to exploit this vulnerability, has some of the best a/v avoidance encoding around.  The only solutions are to patch and protect sensitive ports.

Penetration Testers seek out this vulnerability because it is highly reliable and very low risk.  For an attacker, the simple fact is the attack still works.  The vulnerability was widely used in conjunction with the Conficker worm, which affected more than seven million systems.

This vulnerability is loved by Penetration Testers and hackers so much that during DerbyCon an actual birthday party was thrown. The vulnerability even got a birthday cake, as seen below.  Finally, I would like to wish MS08-067 a personal happy birthday; may you have three more years in you.

MS08-067 Timeline


Cross-posted from blog.securestate.com

f8lerror It really is amazing how often this vulnerability is found. I agree that something must break the initial patch. Either that or nobody patches.