Attackers have been very naughty, IT departments have been mostly nice and Microsoft has fulfilled the role of “Bad Santa”. This holiday season, Microsoft has filled your stockings with 17 security bulletins fixing 40 vulnerabilities. But where does that leave us?
What Else Could You Say?
Note: The word "could" appears in the title of all 17 security bulletins this month
I could say a lot of things about this month's Microsoft Patch Tuesday release. I could say that you should apply patches (except that my boss hates the word “should”). I could say that despite all of the patches released, there are still most likely to be 0-day exploits for several unpublished vulnerabilities. I could also say that your organization needs a solid patch management program. I could say, well, you get the point. After more than a year of writing up each one of the Microsoft Security bulletins, there's a lot I could say. The fact remains that several trends continue in the Microsoft "Black Tuesday" madness:
- Various individuals and organizations continue to tell you how to prioritize the application of patches
- Microsoft will continue to downplay the extent of the vulnerabilities being released and patched
- Organizations will take time to patch all of the vulnerabilities released each month
The big question remains, what is the best course of action? Who am I to say, but I will take a stab at what I believe you can do to protect yourselves:
- Be Bold - Let’s face it, hundreds, if not thousands, of computers are running vulnerable software on your network right now. Big vendors such as Microsoft, Adobe and Oracle are patching their products as fast as they can. You have to balance availability with risk and get the patches out as soon as possible. Most patches, including most of those provided by Microsoft this month, require a reboot. I believe what many will realize is that business operations will be just fine if you push some patches out and schedule reboots. More than ever before, attackers are focusing on the desktop and preying on victims browsing the web, chatting on Facebook and clicking on links from instant messages. A little inconvenience for your users may cause them to complain, but this has little to do with the bottom line and keeping the business going.
- Be Thorough - Rebooting all the systems in your environment is no easy task, and neither is keeping up with all the machines coming and going on your network. Applying patches is no longer enough; you need to verify that patches are installed and activated. There are several situations where this is not such a cut and dry issue. For example, multiple versions of a software package could be installed on the system, and only the most recent version receives a patch.
- Realize Your Perimeter Doesn't Exist - While firewalls and antivirus software may buy you time, they don't fix the problems of insecurity on your systems. The sense of "perimeter" we once had should have completely faded away at this point. Between wireless technology, users browsing the web, reading email, using Twitter, USB drives and smartphones, there is little you can do to prevent attackers from getting on the "inside" of the network. Secure your network as such, from the inside out. This means identifying your data and putting layers of defense around it that take into account that evil bad guys may gain access to the surrounding network.
- Pretend You Are Running Windows 2000 SP1 - Okay, I'm joking here a bit. However, I believe this to be a valuable lesson. Just for fun, pretend that you can't apply patches to your hosts. What now? What kinds of protections would you put in place to protect your assets? This will look different for many organizations, but I bet you can use your skills to come up with some pretty effective and even creative methods of defense against attackers without applying patches. Now take all that creative genius and go implement some of it on your network. You can also do this exercise with your other lines of defense and start to build a more comprehensive and resilient defensive strategy for your organization.
To further aid in your efforts to evaluate the dangers of the vulnerabilities addressed by Microsoft Patch Tuesday, Tenable's Research team has published plugins for each of the security bulletins issued this month:
- MS10-090 - Nessus Plugin ID 51162 (Credentialed Check)
- MS10-091 - Nessus Plugin ID 51163 (Credentialed Check)
- MS10-092 - Nessus Plugin ID 51164 (Credentialed Check)
- MS10-093 - Nessus Plugin ID 51165 (Credentialed Check)
- MS10-094 - Nessus Plugin ID 51166 (Credentialed Check)
- MS10-095 - Nessus Plugin ID 51167 (Credentialed Check)
- MS10-096 - Nessus Plugin ID 51168 (Credentialed Check)
- MS10-097 - Nessus Plugin ID 51169 (Credentialed Check)
- MS10-098 - Nessus Plugin ID 51170 (Credentialed Check)
- MS10-099 - Nessus Plugin ID 51171 (Credentialed Check)
- MS10-100 - Nessus Plugin ID 51172 (Credentialed Check)
- MS10-101 - Nessus Plugin ID 51173 (Credentialed Check)
- MS10-102 - Nessus Plugin ID 51174 (Credentialed Check)
- MS10-103 - Nessus Plugin ID 51175 (Credentialed Check)
- MS10-104 - Nessus Plugin ID 51176 (Credentialed Check)
- MS10-105 - Nessus Plugin ID 51177 (Credentialed Check)
- MS10-106 - Nessus Plugin ID 51178 (Credentialed Check)
The above list is light on details, as it’s much of the same thing we've seen before. I believe I've covered all of the hidden treasures inside Microsoft Patch Tuesday, and hopefully worked to raise awareness of the dangers, patch prioritization, Microsoft's language used to describe severity and more. As such, future posts on Microsoft Patch Tuesday will likely simply announce the patches and plugins and make an interesting point or two. Hopefully by now, our readers have learned about all the pitfalls associated with Microsoft Patch Tuesday.
If ever you wish to go back and read all of the details associated with our Microsoft Patch Tuesday coverage, you can access them using the blog category "Microsoft Patch Tuesday".
- Microsoft Security Bulletin Summary for December 2010
- OSVDB Microsoft Bulletins - Complete Reference
- December 2010 Security Bulletin Release (Microsoft Security Response Center Blog)
Microsoft 2010 Patch Tuesday Chronicles from the Tenable Security Blog:
- Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition
- Microsoft Patch Tuesday Roundup - October 2010 - "Nightmare" Edition
- Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition
- Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition
- Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick" Edition
- Microsoft Patch Tuesday Roundup- June 2010 - "Everything is Vulnerable" Edition
- Microsoft Patch Tuesday Roundup- May 2010 - "Language Barrier" Edition
- Microsoft Patch Tuesday Roundup- April 2010 - "Superman" Edition
- Microsoft Patch Tuesday Roundup- March 2010 - "It Won't Happen To Me" Edition
- Microsoft Patch Tuesday Roundup- February 2010 - "From Microsoft with Love" Edition
- Microsoft Patch Tuesday Roundup- January 2010 - "Aged Cheese" Edition