MS08-067 - Microsoft Update - Critical

Microsoft Security Bulletin MS08-067 – Critical

Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Published: October 23, 2008

Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating System	Maximum Security Impact	Aggregate Severity Rating	Bulletins Replaced by this Update
Microsoft Windows 2000 Service Pack 4	Remote Code Execution	Critical	MS06-040
Windows XP Service Pack 2	Remote Code Execution	Critical	MS06-040
Windows XP Service Pack 3	Remote Code Execution	Critical	None
Windows XP Professional x64 Edition	Remote Code Execution	Critical	MS06-040
Windows XP Professional x64 Edition Service Pack 2	Remote Code Execution	Critical	None
Windows Server 2003 Service Pack 1	Remote Code Execution	Critical	MS06-040
Windows Server 2003 Service Pack 2	Remote Code Execution	Critical	None
Windows Server 2003 x64 Edition	Remote Code Execution	Critical	MS06-040
Windows Server 2003 x64 Edition Service Pack 2	Remote Code Execution	Critical	None
Windows Server 2003 with SP1 for Itanium-based Systems	Remote Code Execution	Critical	MS06-040

 

 

If you have any questions as to whether or not your systems have this update or others please let me know. Each network is at different stages but it’s important that all computers (if possible) be updated regularly. That doesn’t mean that every update is necessarily good for you computer either. For instance if you had XP Pro with a 64 bit processor and had Auto Update turned on you could likely suffer from the Service Pack 3 update until Microsoft recently fixed that issue.

 

Sincerely,

 

David Cochrane

Senior Network Specialist

D&K Enterprise

Bridging the gap between humans and technology.

100 N. Federal Highway, Suite 840

Fort Lauderdale, Fl 33301

Phone  (954) 622-8424

Fax      (954) 622-8425

 

Managed IT Service Experts

 

Award Winning Web/Graphic/Multimedia Design

 

 

 

 

---

 

This message (including any attachments) contains confidential information intended for specific individuals and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message.
Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. [v.E.1.2]

 

Keep Your Small Business Safe

1. Set up your defenses.

Do you have adequate firewalls and antivirus software to protect you from hackers who could steal your customers and company identity? “If you leave your doors open, eventually you will be robbed,” says Martin Rico, chief executive of Inspired eLearning, a San Antonio-based company that develops security awareness training programs for companies. “The same is true for your network. Hackers and identity thieves use automated programs to scan every computer on the Internet looking for easy targets.” A good Internet router will have an on-board firewall. But don’t forget to turn it on, he say.

Likewise, the best security software goes beyond standard protection to improve the performance of your computer. Windows OneCare, for example, protects against viruses, spyware, and hackers. It also backs up all your important files and tunes up your PC by routinely defragmenting your hard drive and compressing temporary files. Plus, it automatically downloads security fixes, the importance of which is discussed later.

Microsoft also provides security updates regularly.

		Learn how to run your business from virtually anywhere. Get your FREE Mobile Business resource kit. Order today

Top of page

2. Stay abreast of the threat.

A recent phishing scam in Brazil caused Web browsers to land on criminal sites that looked identical to well-known bank sites. The phishers used HTML e-mails encoded with malicious Trojan horse programs. If the security settings on a recipient's computer were too low, just opening the e-mail would make changes to an essential Windows component.

Top of page

3. Encrypt everything.

Any sensitive data, or information that might help an ID thief or hacker, should be aggressively encrypted, says Lisa Sotto, a head of New York-based Hunton & Williams LLP’s privacy and information management team. “Encrypt all company laptops,” she advises. “And don’t allow the transfer of sensitive company data electronically unless it is encrypted.” Sotto also advises that you upgrade your systems frequently with the latest protective software to make sure your systems are as secure as possible. (For technology newcomers: To encrypt a computer is to assign a secret code that prevents unauthorized parties from accessing your data.)

Top of page

4. Get help from your employees.

Human error, or lack of attention to detail, is one of the biggest risks to a company’s security, according to Steven Domenikos, chief executive of IdentityTruth, a security firm in Waltham, Mass. “There are some basic techniques that can be embraced by employees, like changing passwords periodically and using general security and software tools to ensure that their home computers are safeguarded against attacks and malicious programs,” he says. Hackers have created programs that are designed to grab information from your computer, without you ever knowing it.

Top of page

5. Don’t store credit card numbers.

“Never, never, never,” says Richard Stiennon, chief marketing officer for Fortinet, a security software company in Sunnyvale, Calif. “You do not need it, the Payment Card Industry Standard forbids you to store them, and it’s too risky.” Plus, there’s one more reason you should avoid keeping credit card numbers: If you don’t have them, you can’t lose them. And a hacker or identity thief can’t get to them, either.

Top of page

6. Buy a shredder – and use it.

Documents with confidential information can fall into the wrong hands when they aren’t properly disposed of, says Tim Rhodes, chief executive of WebArgos, a data security firm in Boise, ID. “I know this is basic, but I can’t overstate the importance of using a shredder. In one study we are about to publish, only 50 percent of United States employees are compliant with their company’s shredding policies.” One of the challenges faced by small businesses is home-based employees, who may not have a shredder and put sensitive documents in the trash.

Top of page

7. Mind your mobile devices.

“A laptop computer is stolen approximately every 53 seconds and only three percent are ever recovered,” says MacDonnell Ulsch, director of technology risk management for Jefferson Wells, a Brookfield, Wis., company that provides internal auditing and technology risk management services. “A business executive on a flight recently placed a Blackberry on her seat while placing her briefcase in the overhead bin. In those few seconds, her Blackberry, which was unencrypted, was stolen.” He recommends reminding employees of the dangers they face when they travel with their mobile devices, and encourages them to report a loss immediately.

Top of page

8. Run your updates.

Hackers are constantly discovering and exploiting new vulnerabilities in computer operating systems and networks. “Keep your systems patched,” says Bret Padres, director of incident response, at Mandiant, an information systems company in Alexandria, Va. “You should have Automatic Updates enabled on your Windows-based computers. As security fixes are released from Microsoft, your computer systems will be automatically updated.”

Top of page

9. Research your Internet service provider.

Unfortunately, the company providing your business with Internet access can offer easy access to your private information. “Not all ISPs are created equal, especially in terms of their commitment to security,” says Roger Thompson, chief technology officer for Exploit Prevention Labs, a security software developer in New Kingston, Pa. His advice? Before signing up for service, ask if they’ve ever been hacked. “Just see what they say. If, for example, they blame their users for having their passwords guessed, that’s not a good sign,” he says.

Top of page

10. Know what to do when it happens.

Have a security compliance plan in place, advises Judd Rousseau, chief operating officer Identity Theft 911, a company that develops identity theft resolution, education and deterrence products in Scottsdale, Ariz. “This is an inexpensive way to make sure you have addressed the areas where you need to make sure to have safeguards in place, as well as have a plan in case a breach does occur,” he says.

Top of page

Implementing these simple strategies will make it difficult for an identity thief to steal from your company or customers. But Rich Baich, principal at Deloitte & Touche warns it only takes one careless employee to render all of these precautions meaningless.

Baich tells the story of a small real estate company that fell victim to identity theft. “The thieves assumed the business name and obtained business credit cards, business loans, business bank accounts and a tax identification number,” he remembers. Within a few months, the real company began receiving telephone calls from creditors and collection agencies.

The company filed police reports, hired an attorney and contacted three credit bureaus, trying to contain the damage. Iin the end, the identity thieves were found and arrested.

So how did they find the information they needed to pull off the crime? Turns out they didn’t even have to hack into the company’s computers to get the data. They found everything they needed in its dumpster.

---

Christopher Elliott Christopher Elliott writes about business travel and mobile computing, and publishes a weekly travel newsletter. You can e-mail him or visit his Web site. For customer support options, tailored business advice, and a single point of access for Microsoft's small-business solutions, see the Microsoft Small Business Center home page.

 

The Mojave Operating System

NAS or SAN: Is one better for business continuity?

Different storage schemes work best for different companies. These are some of the trade-offs that will have to go into your choice.

 

Unless your business is a small shop with a handful of machines, direct attached storage (DAS) is not going to cut it for backup purposes. Backing up several individual hard drives onto an external disk quickly turns into an IT management nightmare.

If an organization has several machines connected to a LAN, it’s wiser to use some form of network storage, both to simplify data management in everyday life and to simplify backup with automation and fast data transfer. But which storage method lends itself better to backup and disaster recovery,

network attached storage (NAS) or a storage area network (SAN)? There’s no one right answer, and increasingly the best answer is both.

NAS: Cheaper, easier, but less robust

For small and medium businesses with smaller data demands, NAS storage works well, both as a main storage method and as a backup option. Despite falling prices for SAN systems, NAS is still a cheaper option. It’s centralized and simple for IT to manage and fast enough as long as you don’t have massive stores of data. NAS appliances are pretty much plug and play; just connect them and start serving or storing files.

From a NAS appliance, IT can easily back up to a tape drive or another disk. And NAS is a file-based protocol, which enables intelligent file management, unlike with SAN’s data-blocks protocol. Support for common file systems means that users of heterogeneous operating systems have equal access to data. However, NAS has some disadvantages that make it less than ideal for business continuity. First, because data transfer occurs over a LAN, backing up large amounts of data can slow down the whole network and take a toll on everyday tasks. And the same centralization that makes a NAS appliance easy to manage also makes it a single point of failure on a network.

Scalability has long been an issue with NAS, too. Traditionally, increasing capacity with a NAS device means upgrading to a bigger appliance; NAS appliances cannot ordinarily be pooled into one storage entity. However, virtualization technology now makes it possible for an existing NAS to scale into a larger solution and for resources to be pooled into one virtual storage device.

SAN: Speed and scalability at the expense of simplicity

It’s possible to put together a backup and business-continuity solution in a NAS-only environment. But, in many ways, SAN was made for backup. SAN is designed to move large blocks of data from one place to another over a Fibre-Channel or iSCSI connection, making it much faster than NAS. SAN devices can be clustered to provide automated fail-over from one server to another and to avoid a single point of failure.

Devices can mirror one another for redundancy — for example, in the main system and a backup system. Because SAN operates as a separate network from the LAN, it can perform continuous data backup without taxing the whole office network. Finally, because data is recognized on a SAN system by logical units rather than file units, a SAN solution is highly scalable. You can keep pooling more storage together on a SAN or link multiple SANs to backup to a disaster recovery site, even remotely.

So why isn’t every business using SAN for storage and backup? Although prices are coming down with the advent of iSCSI as an alternative to Fibre-Channel connections, SANs are still far more expensive than their NAS counterparts. And although iSCSI is less complicated than Fibre-Channel, SANs are still more complicated to configure and to manage than a plug-and-play NAS device connected to another disk or tape backup.

Another disadvantage is that because SAN data is measured and transferred in blocks, it’s more difficult to manage files intelligently than it is with NAS, and it does not support heterogeneous operating environments. Unless an organization needs extremely high availability for large amounts of data, the cost and complexity of a SAN far outweigh its advantages for many  businesses.

The best of both worlds — combining SAN and NAS

As SAN and NAS become more alike and more compatible, many businesses are opting for a solution that uses SAN and NAS together. NAS appliances with Fibre-Channel or iSCSI connections can be integrated into a SAN, which gives you both the file-serving control and manageability of NAS up front with the backup speed, availability and scalability of the back-end SAN.

Multiple NAS appliances can be clustered on a SAN to enable automated fail-over. Some businesses even combine NAS, iSCSI SAN and Fibre-Channel SAN into an all-encompassing solution. If your organization can afford it, many vendors such as HP offer solutions that combine NAS and SAN,

with either Fibre-Channel NAS devices or a NAS head on a SAN back end. Combination solutions are more expensive than a NAS-only option, but many still provide a lower cost of ownership than a high-end Fibre-Channel SAN.

When choosing a solution that’s right for your business, consider your needs and your budget. A trusted advisor can help you assess how much availability, backup and storage space your business requires and help you assemble a storage system that will keep you going when the unexpected strikes.

Going Green with Technology in the Workplace

Energy conservation and responsible environmentalism isn’t something we usually equate with technology and computers, but there are a number of ways to practice “going green” with technology. Below are six great ways to conserve energy and resources in the workplace:

                1. Cut down on the usage of electricity, hardware, paper and toner. Taking a minimalistic approach to these things will benefit the environment, as well as your wallet. Make sure you check the color settings on your printer. Often inkjet or laser printers are set at a high saturation level. Calibrating your printer’s settings can save considerable money over time and produce better looking documents. Use a floor lamp with an energy efficient bulb, rather than overhead lights. Not only will you save time and energy, but low lighting is easier on the eyes as you work on your computer.

                2. Providing networking systems that are easier to maintain will save a lot of time as well as resources. You’ll benefit from systems that are built around your specific niche, and an organized networking system will reduce resources needed to maintain the network.

                3. Setting up a remote, electronic management system will give you faster resolution of trouble ticket issues which will increase productivity, help you measure chronic areas of concern to troubleshoot and increase employee and customer satisfaction.

                4. Virtualizing the work environment so employees have the capability to work from home can greatly increase productivity. Your carbon footprint will be reduced by decreasing the amount of daily gasoline used and pollution-causing emissions.

                5. Combating spyware and adware inadvertently downloaded on machines can be costly both in dollars and staff time. Using content filter solutions for the Internet will reduce or eliminate those problems and increase staff productivity and efficiency, as well as creating a safer Internet environment.

                6. Voice Over Internet Protocol (VoIP) phones can save considerable money and time. By routing phone calls over the Internet, your phone number is associated with a phone and not a location, so there are no charges for adding or moving a phone. Costs are lower for VoIP phones versus landline phone services and can be integrated with computer applications such as email, fax, web conferencing and video phone. Use VoIP phones to greatly reduce your phone bill and expand your ability to serve customers.

===========================================================================

David Cochrane is owner and senior network specialist for D&K Enterprise, LLC, an Information Technology company headquartered in Ft. Lauderdale, Florida. D&K Enterprise provides virtual IT services for clients on a nationwide basis. For more information, visit www.dandkenterprise.com

 

Introducing Managed IT Services to Kalamazoo, Michigan

Businesses like those in Kalamazoo could highly benefit from the services and expertise we offer. D&K Enterprise, LLC, provides unique managed Information Technology (IT) services to businesses in a variety of industries.

 

My company began in Fort Lauderdale, Florida, and our base operations are there, but I’ve kept close ties personally and professionally in Michigan. My wife and I both attended Hope College, and we have family and friends in Kalamazoo. We are dedicated to the idea of bringing business back to Michigan. It is important to bring new job opportunities and get involved with the community that has meant so much to us.

 

We bring many combined years of experience to assist businesses like yours by integrating servers, workstations, Voice over Internet Protocol (VoIP) phone systems, printers, faxes, paperless systems and more. D&K Enterprise is known as a company with integrity that continues to raise the standards when it comes to computer networking.

 

Our mission is to complement your IT department, or fulfill all your IT needs, by providing excellent network engineering and administration to maximize your ability to grow. We believe in continually educating ourselves on current technologies and techniques and are committed to maintaining high customer satisfaction, competitive prices, and strong business relationships.

 

Cloud Computing: Could it be the next Telco trend?

If you don’t know what cloud computing is you should check out http://www.gridfiber.com. They list several sites which explain the Grid computing concept. I predict that 35 years from now most schools, government building, and physics labs will be working off this mass-data transit system. Many businesses and residences will also be transitioning to this ultra efficient grid internet system.