MS08-003 Security Update for Active Directory

Microsoft released a security update for Active Directory and Active Directory Application Mode (ADAM) today. The accompanying security bulletin marks this update as important.

Rating a Security update as Important means the update fixes

a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.

Since this is only the second time a security update is issued for Active Directory in recent times I felt it was necessary to tell you al this patch is important. (not critical though, like the last one)

 

Vulnerability

The vulnerability is due to improper validation of specially crafted LDAP requests. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-0088.

Affected platforms

The vulnerability exists on all supported Service Pack levels of Windows 2000 Server and Windows Server 2003. (including x64 and Itanium versions)  Active Directory Application Mode (ADAM) on Windows XP also needs patching. Especially Windows 2000 Active Directory Domain Controllers need to be patched.

Pick your favorite Operating System from this list and start patching!

Known problems

Microsoft finished internal testing of the update and found no problems after applying the package in several scenarios. You should be safe installing this update.

 

Workarounds

If you're not ready applying the patch, because you're can't reboot your servers outside some ridiculous service window, you don't trust test procedures or want/need to deploy the patches in a test environment first, please take a look at one of the two workarounds Microsoft posted, which might be useful in your Active Directory scenario:

  • Block TCP ports 389 and 3268 at the perimeter firewall
    These ports are used to initiate a connection with the affected component. Blocking it at the enterprise firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see the TCP and UDP Port Assignments Web site.
  • To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.
    Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in:

 

Concluding

I know a lot of administrators that don't update their Active Directory Domain Controllers automatically. I know an even bigger group that doesn't patch their systems in the first week.

Active Directory can be seen as the crown jewels of your security infrastructure. Why else would Microsoft advice you to place two Active Directory Domain Controllers for each domain? When you lose your Active Directory everything else falls apart around you.

When it comes to your crown jewels you should make sure your security is up to date!

Download here.

Further reading

Active Directory & ADAM security bulletin…
Microsoft Security Bulletin MS08-003 – Important
Microsoft Security Bulletin MS07-039 – Critical
Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)
Vulnerability in Active Directory Could Allow Denial of Service (946538)
February 2008 Monthly Bulletin Release
MSRC February 2008 Monthly Release

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.