The Department of Homeland Security (DHS) yesterday issued an unusual press release urging Windows users to apply a specific security patch from Microsoft. That patch, MS06-040, was just released as part of Microsoft’s monthly cycle of security updates, so most home users should already be secure. IT departments and home users who have disabled automatic updates should install the patch as soon as possible. As the DHS ominously notes, "attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch."
While the DHS rarely issues patch advisories, the department seems keen to prevent massive damage from another worm like MSBlast, which made the rounds several years ago and brought down computers around the world. The concern appears to be justified; both CERT and Microsoft claim that they have already seen code which exploits this particular vulnerability.
The problem was found in the Server service, which is responsible for file and printer sharing, among other things. The service does not properly check the length of Remote Procedure Call (RPC) messages, and a purposely malformed RPC can trigger a buffer overflow and allow the attacker to execute any code with full system privileges. It doesn’t affect all versions of Windows equally, though; Microsoft notes that "Windows 2000 systems are primarily at risk due to the unique characteristics of the vulnerability and affected code path."
For those users who have not yet patched their machines, the government recommends that they block access to Server Message Block (SMB) services from untrusted networks and disable anonymous SMB access. The new patch fixes the problem by having the Server service validate RPC messages before passing them to the appropriate buffer.
Because the DHS warning was so unusual, it has prompted some wild talk that the Microsoft security patch is, in reality, a government surveillance tool designed to spy on Windows users around the world. While this makes for some entertaining speculation, it’s the sort of thing that would single-handedly eviscerate Microsoft’s business, and would no doubt be uncovered quickly by security researchers. The user backlash from such a program would be little short of astonishing.
We’ll leave our tinfoil hats in the Orbiting HQ Storage Module this time.