As Jeff and I were talking about the evolution of security beyond the firewall in our webinar yesterday, along comes an out of cycle critical patch from Microsoft that proved our point nicely. Security bulletin MS08-067 reveals a previously unknown way to inject code into remote Windows systems due to a flaw in the RPC server. Within hours of the Microsoft bulletin, news of a trojan exploiting this flaw in the wild arrived.
This ranks as one of the most serious Windows flaws disclosed recently and affects almost every flavor of Windows. The Microsoft patch is rated critical for eleven variations of Windows XP, Windows 2000 and 2003. For Vista and Windows Server 2008, it was considered only ‘important’ due to the improved ability of those operating systems to defeat remote code execution attacks. What makes this particular issue even more insidious is that the RPC server can be exposed to attack when a desktop firewall is running, simply by turning on file or printer sharing.
A network vulnerability like this lends itself to worms like Zotob which wreaked havoc a few years ago and took down several networks. I speculated this morning that exploits would be stealthier this time around and aimed at monetizing security breaches. Sure enough, the Gimmiv.A trojan reported yesterday is a network aware trojan that attempts to exploit this flaw against PC’s on the local network. If it succeeds, it quietly steals passwords from the Windows and Outlook password cache and posts them to a Web site.
Traveling back to Seattle yesterday, I used the free Wi-Fi at San Jose airport. This morning when I came into the office, my laptop hadn’t received the Windows update and the Napera N24 immediately notified me. I was given a one hour deadline in which to install, which I promptly did.
That led me to wonder what the situation would be like if our network was unprotected. If I had neglected to install this Windows update and went traveling again tomorrow, it is likely my laptop would be exposed to this trojan. If I was running XP and had file or printer sharing enabled, the laptop is likely to be compromised. On an unprotected network, I could have easily waltzed past the corporate firewall, plugged in my compromised laptop and started infecting other PC’s.
Microsoft’s quick response is admirable, but the question IT managers need to ask themselves today is simple. How confident are you that users walking into your office today have installed this patch before they connect? Plenty of industry studies show that at least half of corporate PC’s won’t update in a timely fashion. Given that at least one exploit is already in the wild, and more are undoubtedly on the way, that’s a universe of opportunity for the bad guys in the coming weeks.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=278b34c0-b070-4298-9d5f-d2b4a078e585)
