Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition
There are many reasons why attackers may target your organization: they could be after your intellectual property, they may have political reasons, or there may be financial motivations (if you have credit card data stored on your network). I've often heard people say, "Why would someone want to attack us?" The question should really be phrased, "Why would someone need to attack us?" Often you are targeted not because of who you are, but because of what you have. Google hosts email accounts that are interesting to certain parties. You may be a university with plenty of bandwidth, or a business partner of a company that makes electronics the attacker is after. The point is that you can't limit the reasons why you are going to be attacked. You have to secure your network with the mindset that someone will eventually come after you.
This brings us to this month's "Patch Tuesday". Two bulletins have been released by Microsoft, and I've included some examples of how they can be used for targeted attacks:
- MS10-016 - Nessus Plugin ID 45020 (Credentialed Check) - This bulletin discloses vulnerabilities in Windows Movie Maker that are triggered when a user opens a malicious Windows Movie Maker file. While this may be used in some targeted attacks, I suspect that not many organizations have this software widely deployed. However, the interesting thing about this vulnerability is that Movie Maker is built into certain versions of Windows Vista, which makes uninstallation very difficult. This means that even if you are not using the software, you still need to apply the patches. While Movie Maker may not be the most popular client application available, as a penetration tester I would search for it anyway. For example, I found a web site that is hosting a forum for Windows Movie Maker users. A query for "running version" results in several pages of matches. You can even be more specific with your search and enter "2.1", which is the vulnerable version running on Windows XP. Most of the posts are made by people looking for help with a specific version of Movie Maker, and they will reveal this information during troubleshooting. An attacker just needs to associate the forum user ID or email with the target they are going after for a potentially successful attack to be well under way.
- MS10-017 - Nessus Plugin ID 45021 (Credentialed Check) - This bulletin discloses seven different vulnerabilities in Microsoft Excel. I find it interesting to review the disclosure timeline on some of these vulnerabilities. For example, CVE-2010-0263 was disclosed to Microsoft on July 14, 2009, and was only just fixed. Core Security reported another (CVE-2010-0243) on September 4, 2009.
Microsoft ranks this vulnerability as "Important". The vulnerability is not in a remotely accessible network service that could be exploited for remote code execution, but that doesn't mean an attacker cannot use this information to construct specifically targeted attacks. Consider the following Google query:
filetype:xls inurl:xls site:.gov
The above search (as of today) returns 3,560,000 results (coincidentally, this number was the largest out of ".com", ".edu" and ".mil" top level domains). While this may not seem relevant, what stops an attacker from downloading all of the spreadsheets posted by a particular organization and analyzing the document metadata? Metadata is information contained within a document that can reveal the software type, version and platform it is running on in addition to the user who created it. With this information you could easily launch a targeted email attack. In fact, the attackers could have enough information to launch automated attacks that read the document metadata from a target's web site and then send the appropriate malicious Microsoft Excel document. While malicious PDF documents are all the rage these days with attackers, there is no reason why they cannot easily make a shift or use Microsoft Office documents along with the more traditional PDF attacks. One could make the argument that the attackers could do the same with PDF documents (and they probably are), but since malicious PDFs are something that organizations are now expecting, attackers may choose to mix up their attack vectors.
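The metadata audit described above is something an organization can run against its own published documents before an attacker does. The script below is an added example written for this post, not code from the original article or from Tenable. It reads the document properties that Office writes into the zip-based OOXML package (docProps/app.xml for the application and AppVersion, docProps/core.xml for the creator), which is the 2007-and-later counterpart of the binary .xls format the query above targets; the legacy binary files are recognized by their OLE2 header and only counted, since their properties sit in a SummaryInformation stream that needs a separate parser. The sample documents, the user names and the version strings are constructed inline for the demonstration. The mapping from AppVersion major number to Office release is the standard one, and the `audit` report format is my own choice.

```python
"""Audit what an organization's published Office documents reveal through metadata."""
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used for OOXML document properties (standard, fixed values).
NS_APP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "{http://purl.org/dc/elements/1.1/}"

# Major AppVersion number written by each Office release.
OFFICE_RELEASES = {"12": "Office 2007", "14": "Office 2010",
                   "15": "Office 2013", "16": "Office 2016 or later"}

# Signature at the start of legacy binary .xls/.doc files (OLE2 compound documents).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_document(application, app_version, creator):
    """Construct a minimal OOXML package in memory.

    Constructed sample for the demonstration, not a document fetched from any site.
    """
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS_APP[1:-1]}">'
        f"<Application>{application}</Application>"
        f"<AppVersion>{app_version}</AppVersion></Properties>"
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC[1:-1]}">'
        f"<dc:creator>{creator}</dc:creator></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml", app_xml)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def extract_metadata(data):
    """Return the application, version and creator recorded in a document's properties."""
    meta = {"format": None, "application": None, "app_version": None, "creator": None}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: properties live in the SummaryInformation stream,
        # which needs an OLE2 parser. Flagged here rather than parsed.
        meta["format"] = "ole2"
        return meta
    if not zipfile.is_zipfile(io.BytesIO(data)):
        meta["format"] = "unknown"
        return meta
    meta["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = root.findtext(NS_APP + "Application")
            meta["app_version"] = root.findtext(NS_APP + "AppVersion")
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = root.findtext(NS_DC + "creator")
    return meta


def office_release(app_version):
    """Map an AppVersion string such as '12.0000' to the Office release that wrote it."""
    if not app_version:
        return None
    return OFFICE_RELEASES.get(app_version.split(".")[0], "unrecognised")


def audit(documents):
    """Summarise what a set of published documents exposes: versions and user names."""
    report = {"total": len(documents), "reveal_version": 0, "reveal_creator": 0,
              "legacy_binary": 0, "releases": set(), "creators": set()}
    for data in documents:
        meta = extract_metadata(data)
        if meta["format"] == "ole2":
            report["legacy_binary"] += 1
        if meta["app_version"]:
            report["reveal_version"] += 1
            report["releases"].add(office_release(meta["app_version"]))
        if meta["creator"]:
            report["reveal_creator"] += 1
            report["creators"].add(meta["creator"])
    return report


if __name__ == "__main__":
    # Constructed corpus standing in for the spreadsheets an organization has published.
    corpus = [
        build_sample_document("Microsoft Excel", "12.0000", "jdoe"),
        build_sample_document("Microsoft Excel", "14.0000", "asmith"),
        OLE2_MAGIC + b"\x00" * 16,  # legacy binary .xls, only counted
    ]
    print(audit(corpus))
```

In practice you would feed `audit` the bytes of every document found under the organization's web root (or returned by the same search an attacker would run) and treat every entry in `releases` and `creators` as information that should either be stripped before publication (Office's Document Inspector removes these properties) or accounted for in your phishing-awareness and patch-priority planning: a document that advertises an unpatched Office release next to a real user name is exactly the pairing the post describes.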