How Cisco Security Agent provides full protection against MS08-067
MS08-067 Vulnerability
On October 23, 2008, Microsoft released a Windows operating system vulnerability announcement (Microsoft Security Bulletin MS08-067). The flaw is caused by improper handling of specially crafted Remote Procedure Call (RPC) requests. If left unremediated, it allows an attacker to potentially take complete control of an affected computer. Active attempts to exploit this flaw have been observed. A compromised computer not only risks the loss of sensitive data; it may also be used for further malicious activity such as sending spam, launching attacks, or storing stolen data.
Cisco Recommendations
Cisco recommends that customers take comprehensive action to mitigate the risks posed by this type of threat. A holistic security program with an end-to-end security architecture offers the best protection. We encourage our customers to take the following steps:
1. Review the threat information on MS08-067 (Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability) and monitor its development. The Cisco Security Center provides the latest and most thorough security alert information: http://www.cisco.com/security
2. Identify affected systems and secure them, including disabling services that are not in use, installing the security patches and fixes, and deploying network-level protection (IPS and firewall) as appropriate. As always, it is prudent to evaluate the potential impact before deploying any new solutions.
3. Ensure that up-to-date antivirus and host-based intrusion prevention systems are in place.
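As an added example (not part of the Cisco bulletin, and not Cisco Security Agent code), the following PowerShell script audits a single Windows host against steps 2 and 3 above: it reports the state of the Server (LanmanServer) service that hosts the vulnerable RPC interface, whether the Microsoft update is installed, the host's own anonymous (null-session) SMB restrictions, and which addresses are currently listening on the SMB ports. It assumes an elevated PowerShell session on the host being checked. The update identifier is a placeholder, because the bulletin does not list it; substitute the KB number from the Microsoft advisory you are acting on.

```powershell
# Added example: audit one Windows host for the MS08-067 mitigations listed
# in the Cisco recommendations above. Run from an elevated PowerShell session.
# $PatchKb is a PLACEHOLDER; replace it with the KB number from the Microsoft
# bulletin before use.
$PatchKb = 'KB0000000'

function Get-ServerServiceState {
    # Step 2: the vulnerable code is reached through the Server service.
    # Win32_Service is used (rather than Get-Service) so StartMode is
    # available on older Windows versions as well.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
    if ($null -eq $svc) { return 'not present' }
    return "$($svc.State) (StartMode: $($svc.StartMode))"
}

function Test-PatchInstalled {
    param([string]$Kb)
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID looks like 'KB123456'.
    # Caveat: QFE does not list every update type, so treat a negative result
    # as "verify with your patch-management system", not as proof of exposure.
    $hf = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Kb }
    return [bool]$hf
}

function Get-NullSessionSettings {
    # Host-level restrictions on anonymous (null session) SMB access. These are
    # standard Windows LSA / LanmanServer registry values and are independent
    # of any third-party agent. A value of 1 restricts; missing or 0 does not.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $ra  = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
    $rns = (Get-ItemProperty -Path $srv -Name RestrictNullSessAccess -ErrorAction SilentlyContinue).RestrictNullSessAccess
    return [pscustomobject]@{
        RestrictAnonymous      = $ra
        RestrictNullSessAccess = $rns
    }
}

function Get-SmbListeners {
    # Step 2 (network exposure): local addresses listening on TCP 445 or 139.
    # netstat lines look like "  TCP  0.0.0.0:445  0.0.0.0:0  LISTENING  4".
    $lines = netstat -ano -p TCP | Where-Object { $_ -match ':(445|139)\s+\S+\s+LISTENING' }
    return @($lines | ForEach-Object { ($_.Trim() -split '\s+')[1] })
}

$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ServerService       = Get-ServerServiceState
    PatchInstalled      = Test-PatchInstalled -Kb $PatchKb
    NullSessionSettings = Get-NullSessionSettings
    SmbListeners        = (Get-SmbListeners) -join ', '
}
$report | Format-List

# Summary verdict: a running Server service without the update is the
# condition the bulletin warns about.
if (($report.ServerService -like 'Running*') -and -not $report.PatchInstalled) {
    Write-Warning "Server service is running and $PatchKb is not installed: host remains exposed to MS08-067 until patched."
}
```

Run the script on each system identified in step 2 and keep the output as a record of its state before and after remediation. The null-session values reported here are the Windows-native counterpart of the inbound null-session blocking described later in this document; checking them shows whether a host restricts anonymous access on its own, independent of any agent.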
Cisco® Security Agent protects against this attack with its default policies. Cisco Security Agent is the first endpoint security offering in the industry that combines zero-update attack defense, policy-driven data loss prevention, and signature-based antivirus detection in a single agent. http://www.cisco.com/go/csa
Cisco Security Agent delivers "always-vigilant security": your system is always protected, even when you are not on the corporate network. The information below describes how Cisco Security Agent protects against MS08-067.
Cisco Security Agent (Versions 5.x and 6.0) Provides Full Protection Against MS08-067
Cisco Security Agent Version 5.x stops exploits of MS08-067 by blocking inbound null session requests. This closes the possibility of unauthenticated exploitation (for example, via a worm). This is the default configuration. No additional action is required by Cisco Security Agent customers if they use the default configuration.
Cisco Security Agent Version 6.0 extends this protection by automatically creating a custom buffer overflow signature for code that exploits MS08-067. Agents automatically create signatures for these exploits and install them after seeing subsequent attacks that match the signature. This eliminates the possibility of exploitation from authenticated sources (for example, by remote systems offering login credentials rather than connecting unauthenticated via a null session). This is also the default configuration. No additional action is required by Cisco Security Agent customers if they use the default configuration.