Microsoft Patches Critical Active Directory Vulnerability

October Patch Tuesday Active Directory

Vulnerabilities in Active Directory are pretty rare, and this is the first such glitch to appear since 2001, according to Erick Schultze, chief technology officer at Shavlik Technologies, a St. Paul, Minn.-based security vendor, and a former Microsoft employee.

In Security Bulletin MS08-060, Microsoft noted that the vulnerability affects Active Directory on Microsoft Windows 2000 Server, but only those configured as domain controllers. The problem stems from the server's inability to handle specially-crafted requests using the Lightweight Directory Access Protocol (LDAP), according to the bulletin.

The implications of this vulnerability are particularly grave because Active Directory provides access to all PCs within an organization, and a successful exploit could give miscreants the ability to delete user accounts, lock out users, add their own new user accounts, delete files, install services, and remove Web services, Schultze said.

Ben Greenbaum, senior research manager for Symantec Security Response, says that because Active Directory maintains login credential and is responsible for holding and applying security policy information, attackers could have a veritable field day with a successful exploit.

"For an attacker to control that would be a significant victory," Greenbaum said.

This Patch Tuesday is also the first for which Microsoft is issuing security threat ratings using its own Exploitability Index, a three-level scoring system that predicts the likelihood that hackers will be able to develop effective exploit code.

For the Active Directory vulnerability (MS08-060), Microsoft issued an exploit rating of 'inconsistent,' meaning that hackers will likely be able to use the vulnerability to launch denial of service attacks, but will have a tougher time writing code to fully exploit the flaw.

Another critical patch (MS08-059) fixes vulnerability in Microsoft Host Integration Server, which attackers could exploit by sending specially-rigged Remote Procedure Call (RPC) requests to an affected system. While only certain types of enterprise customers run Host Integration Server, Microsoft issued an exploit rating of 'consistent,' meaning that hackers would be likely to develop effective exploit code.

Microsoft also released a cumulative critical patch (MS08-058) for six different vulnerabilities in Internet Explorer, two of which it rated as 'consistent.' The IE vulnerabilities are rated 'critical' for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, and 'important' for Internet Explorer 7, according to the bulletin.

Also on the client side, Microsoft issued a critical cumulative patch (MS08-057) for three critical vulnerabilities in Microsoft Excel, which, if fully exploited, could enable remote code execution and the full range of badness that this type of entails. However, Microsoft rated only one of these as 'consistent,' or likely to produce effective exploit code.