其危害程度毫不逊于当年波及80%以上Windows用户的"冲击波"病毒。
对于Windows 2000、XP和Server 2003,无需认证便可以利用这个漏洞;对于Windows Vista和Server 2008,可能需要进行认证。 目前这个漏洞正在被名为TrojanSpy:Win32/Gimmiv.A和TrojanSpy:Win32/Gimmiv.A.dll的木马积极的利用。网上已出现了利用该漏洞的蠕虫病毒(Win32/MS08067.gen!A)。据360安全专家分析,这一漏洞的危害极为严重,黑客仅根据IP地址便可随意发起攻击,简直是"指哪打哪",而且感染性非常强,只要远程执行一段下载恶意程序的代码,不但能随意弹出广告、盗取用户账号,还可以控制本机进而攻击其他用户,使破坏力持续放大,局域网的用户一旦有一个中招病毒就会迅速扩散。被认为是微软近一年半以来首次打破每月定期安全公告的惯例而发布更新。
解决办法1:
微软官方补丁下载地址:
PoC已经被发布,请大家尽快转告安装补丁。我们已经看到大陆地区访问Update的客户端数量有少量减少,不过现在告诉所有人"请恢复启用Windows Automatic Update安装MS08-067,这么做不会下载正版验证WGA",就像说"这狗不咬人"一样。所以下面把补丁的链接地址直接贴出,方便有所顾虑的用户尽快安装,谢谢!
解决办法1: 微软官方补丁下载地址: PoC已经被发布,请大家尽快转告安装补丁。我们已经看到大陆地区访问Update的客户端数量有少量减少,不过现在告诉所有人"请恢复启用Windows Automatic Update安装MS08-067,这么做不会下载正版验证WGA",就像说"这狗不咬人"一样。所以下面把补丁的链接地址直接贴出,方便有所顾虑的用户尽快安装,谢谢! 中文版的MS08-067补丁: 英文版的MS08-067补丁: Microsoft Windows 2000 Service Pack 4 解决办法2: 禁用Server和Computer Browser服务。 在Windows Vista和Windows Server 2008上,阻断受影响的RPC标识符。在命令提示符中运行以下命令: netsh>rpc 在防火墙阻断TCP 139和445端口。 黑客眼中的MS08-067 First Glimpse into MS08-067 Exploits In The Wild On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc). When successful, hardcoded shellcode embedded within the malware, is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan. Just hours following the patch release, public source code has already been seen distributing on the Internet. What more can I say ? Patch your systems ! Yes, NOW ! Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. SeeDave's blog for McAfee's coverage. Actually, This is not a stack overflow, but a stack overrun vulnerability. There are two copies, the first copy is OK, but when there is another "..\", it will lead to start the another copy (repeat the first copy codes), the second copy firstly does not calculate the base pointer correctly (firstly it is basePointer-2, so the 'JZ' checking in the loop of searching character '\' will never come ture), that lead to get an unexpected stack pointer which is below the base pointer, after the wrong calculation, it starts the second copy and uses the unexpected pointer as the first parameter of function "wcscpy()", therefore, the wrong-calculation memory will be rewritten. The EIP will be controlled in the main function, probably. 引用大牛蛙的话:做盗版的"受害者"好过做盗贼的受害者,看黑色桌面好过让黑客看到你的桌面。 下图是SWI给出的各平台受MS08-067的影响图中文版,请参考。 微软发布额外安全更新MS08-067-紧急(更新补丁下载地址) http://blog.duba.net/read.php?27 前些天微软的"黑屏"验证计划真是闹得肥肥羊羊,真比微软做广告推广来的容易多啦,话说大陆大半个天都是微软的啦,oO,正版验证也好,黑屏也好,只要微软不使诈,就不会中招的啦,想必也不会对大多数人造成伤害,哈哈哈:P 。 另外看到啦个很寒的个评论"微软威胁到了中国的国家安全",说的不是没有道理,只是,只是政治的事我不懂,也说不清,关于这个评论也不说啥啦,自己掂量吧!! 相关链接: Microsoft 安全公告 MS08-067 http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx Microsoft Windows Server Service RPC Vulnerability http://www.us-cert.gov/cas/techalerts/TA08-297A.html MS08-067 Released http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx Windows Server服务RPC请求缓冲区溢出漏洞(MS08-067) http://www.sebug.net/vulndb/4288/ MS08-067 http://wiki.clin003.com/wiki/MS08-067 Why Microsoft's SDL Missed MS08-067 in their own words http://www.cgisecurity.org/2008/10/why-microsofts.html Get Protected, Now! http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx http://clin003.com/safe/security-update-vulnerability-patch-1552.shtml MS08-067 and the SDL
Windows XP 安全更新程序 (KB958644)
Windows 2000 安全更新程序 (KB958644)
Windows Server 2003 安全更新程序 (KB958644)
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
netsh
然后在netsh环境中输入以下命令:
netsh rpc>filter
netsh rpc filter>add rule layer=um actiontype=block
netsh rpc filter>add condition field=if_uuid matchtype=equal data=4b324fc8-1670-01d3-1278-5a47bf6ee188
netsh rpc filter>add filter
netsh rpc filter>quit
使用个人防火墙,如Internet连接防火墙。
MS Windows Server Service Code Execution PoC (MS08-067)
So play around a bit, you'll get it working reliably…
Tracking MS08-067
While we haven't seen widespread exploitation of this issue, there have been reports of a certain file, "n2.exe," being downloaded on compromised computers. This file copies another piece of malicious code onto the compromised computer. Symantec products already detect both of these files as Infostealer.
评论