Microsoft Server Service Exploit
Overview
Microsoft has released Security Advisory 958963 to confirm the public availability of exploit code affecting the Windows Server Service vulnerability addressed in Microsoft Security Bulletin MS08-067. The Advisory states that this exploit code has been shown to result in code execution on Windows Server 2003, Windows XP, and Windows 2000 systems.
Details
The vulnerability (CVE-2008-4250) was announced on October 23, 2008 in a special out-of-band Microsoft Security Bulletin, MS08-067, and affects users of Microsoft Windows-based desktops, laptops, and servers (see the full list of vulnerable products). The vulnerability is caused by the Windows Server service improperly handling specially crafted Remote Procedure Call (RPC) requests.
There are reports of new worms in the wild exploiting this vulnerability. The worms, intercepted on Chinese-language versions of Windows, are used to install a Trojan downloader, a denial-of-service bot, and a rootkit to maintain presence on infected machines. One of the two worms spotted is capable of conducting DDoS (distributed denial-of-service) attacks against several Chinese sites, including the major search engines, Google and Baidu. These attacks use portions of the publicly available proof-of-concept code. For more information, visit the Microsoft Security Response Center (MSRC).
Protection
SmartDefense research teams have reviewed examples of publicly available exploit code and confirmed that the recently released SmartDefense protection will detect and block these exploits. This protection has been available since October 23, 2008. See CPAI-2008-158.
