November Microsoft Security Bulletin

There are only 2 vulnerabilities patched in this month’s Microsoft Security Bulletin.

MS08-068 addresses a relatively old, publically disclosed vulnerability in SMB protocol which allows an attacker to take control over the target system, by reflecting and replaying the NTLM credentials to the target system. This attack is more effective on systems belonging to a domain. Windows XP and Windows Vista systems default to treating all network logons as if they are the Guest user, which makes the attack less effective on most of the home systems which would usually be targeted. Furthermore, the fact that most of the Windows systems are protected by the Windows Firewall by default gave us enough reasons to assign the Medium threal level in our analysis of MS08-068.

Guys from Microsoft Security Responce Centre have written a very good description of this vulnerability describing the reasons why the attack is not as effective on Windows Vista and Windows Server 2008.

There are several publicly available exploits for MS08-068, the most notable one being part of the Metasploit framework. If the attack is successful, the exploit creates a randomly named service on the target system pointing to a previously uploaded file.

MS08-069 addresses several vulnerabilities in Microsoft XML Core Services which may allow the attacker to create a web page that will cause the browser to execute code supplied by the attacker. At this moment there are no known exploits for this vulnerability in the wild. Microsoft exploitability index specifies that the consistent exploit is likely to be created and there are no reasons not to trust it. We have assigned this vulnerability threat level High in our analysis of MS08-069.