Microsoft Patch Tuesday

Remote Access Woes: Microsoft Windows Remote Desktop Protocol (RDP)

by Paul Asadoorian
June 15, 2012

The Trouble with Remote Access

Remote access protocols are certainly one of the long-standing topics discussed when it comes to information security. Most security practitioners have had to deal with the threats and risks posed by the wide range of protocols used to remotely manage and access systems, including Telnet, SSH, RDP, and even third-party providers such as GoToMyPC. Convenience is heavily weighed against security, as users and administrators require access to the systems, yet security in the forms of authentication and encryption seemingly "get in the way." This debate has come up in my career more times than I care to remember. When I first set out to help make systems more secure, one of the first actions I proposed was to remove Telnet from all of my UNIX (Solaris and Linux at the time) systems. Turns out it was a valuable lesson for me as I learned that while technically not so challenging, convincing 25 or more developers that they had to use an SSH client rather than the built-in Telnet utility was the most challenging aspect of that project.

The same debate occurred later in my career when I was tasked with helping the newly-created Windows systems administrators group secure their brand-new Windows domain environment. I had a similar conversation about Microsoft Terminal Services, which uses the RDP (Remote Desktop Protocol). At the time, in the default configuration, an attacker could perform MiTM attacks to obtain the username and password, in addition to logging the keystrokes sent to the systems being managed. Again, technically there was an easy fix (change some settings on the servers, and use a compatible client on the management systems). However, the real challenge was persuading the administrators to make the switch, as they had always just used the default configuration and, by their own account, "nothing bad ever happened." In this case, I had to use a demo and perform an attack, with permission, of course, against an administrator. Once they saw it, the progression to a properly-configured and more secure RDP implementation was underway immediately.

Microsoft Patch Tuesday - January 2012

by Paul Asadoorian
January 11, 2012

The first round of security bulletins from Microsoft this year raises some interesting questions about the vulnerabilities being patched. I found the following three advisories particularly interesting:

From MS12-002:

The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

MS12-002 is ranked by Microsoft as important. Sure, it does require that the user browse file systems; however, users can be baited, or even forced, to browse to a network share. Social engineering attacks can lure victims to specific sites, and SMB share paths can be embedded inside web pages and URLs, forcing the user to browse to a share or even a specific file.

Microsoft Patch Tuesday - December 2011

by Paul Asadoorian
December 13, 2011

"From Redmond with Love"

Recently, I had a chance to talk with Katie Moussouris, leader of the Security Community Outreach and Strategy team at Microsoft. The interview helped me realize that Microsoft has a lot to offer when it comes to not just fixing vulnerabilities in their own products, but other companies' software as well:

  • Microsoft has a team of people on the MSVR (Microsoft Vulnerability Research) who look for vulnerabilities in third-party software and help the third-parties fix the issues.
  • MSVR practices Coordinated Vulnerability Disclosure, a term coined by the team that encompasses a philosophy for vulnerability disclosure (and one that omits the word "responsible" due to its misconstrued meanings).
  • Microsoft is showing others how to create more secure software through their SDL program (I hope Adobe is adopting this, and if they have, their implementation is falling short).
  • Microsoft has attempted to tell us where they document security vulnerabilities found internally, but this article seems to talk about variants, which are an off-shoot of the publicly disclosed vulnerabilities, not new vulnerabilities discovered internally by Microsoft. However, I am told that Microsoft does in fact document internally discovered vulnerabilities, but it's not as widely publicized as the monthly bulletins.
  • If you have the skills to come up with the next latest and greatest memory protection design, Microsoft could give you as much as $200,000 as part of the Blue Hat Prize contest.

One thing is for sure, I don't believe that Microsoft isn't trying to create more secure software. In fact, this month's MSRC post shows that critical vulnerabilities reported by outside parties continue to be on the decline. Some may argue that it's because people are not disclosing the vulnerabilities to Microsoft, and while that could be true, they deserve some of the credit for making efforts to improve software security.

Microsoft Patch Tuesday Roundup - November 2011

by Paul Asadoorian
November 9, 2011

The most interesting, and concerning, vulnerability patched this month is the remote TCP/IP code execution flaw fixed with MS11-083. The flaw can be triggered by sending a large number of UDP packets to a non-listening port on a remote host. There are several ways in which this could happen very easily, such as a poorly configured firewall, or a firewall rule that still allows traffic to a port the host is no longer listening on.

Microsoft Patch Tuesday Roundup - October 2011

by Paul Asadoorian
October 12, 2011

This month Microsoft released 8 security bulletins, including patches for some interesting vulnerabilities. For example, MS11-075, MS11-076, and MS11-077 all address a type of vulnerability triggered by a user accessing a file share. In Microsoft's own words, the user must "open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file". MS11-077 describes a similar vulnerability that achieves the same effect using a font file (.fon extension). In all cases, the vulnerability can be triggered when accessing an SMB or WebDAV share. Vulnerabilities such as these allow attackers to compromise vulnerable systems as they are encountered. It can be a difficult problem to solve, as finding all of the files that could trigger the exploit is hard, especially if you have a very large network with several file shares. Of course, the best solution is to apply the patches provided by Microsoft across your environment.
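As an added, defender-side example (not code from the post or from Tenable), here is a Python scan that walks a file share and lists every directory where documents sit beside DLL or .fon files, the precondition the three bulletins share; the document extension list and the sample folder layout are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# File types Windows can load as code when a document in the same directory is opened:
# DLLs (MS11-075/MS11-076) and font files (MS11-077).
LOADABLE_EXTS = {".dll", ".fon"}
# Document types that commonly trigger the application load; this list is an assumption.
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".txt", ".xls", ".ppt"}


def find_colocated_loadables(root):
    """Walk a share (local path or UNC path) and report every directory where
    documents sit next to DLL or FON files. A hit is a review item, not proof of
    malice: legitimate installers also drop DLLs beside their documentation."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames if os.path.splitext(f)[1].lower() in DOCUMENT_EXTS)
        loadables = sorted(f for f in filenames if os.path.splitext(f)[1].lower() in LOADABLE_EXTS)
        if docs and loadables:
            findings.append({"dir": dirpath, "documents": docs, "loadables": loadables})
    return findings


def build_sample_share(base):
    """Constructed sample layout: one clean folder, one folder that needs a look."""
    clean = Path(base) / "reports"
    clean.mkdir()
    (clean / "q3-summary.docx").write_bytes(b"")
    suspect = Path(base) / "templates"
    suspect.mkdir()
    (suspect / "invoice.rtf").write_bytes(b"")
    (suspect / "unexpected.dll").write_bytes(b"")  # placeholder name, not a real module
    (suspect / "sample.fon").write_bytes(b"")


def demo():
    """Run the scan over the constructed share and return (folder, loadables) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return [(os.path.basename(f["dir"]), f["loadables"])
                for f in find_colocated_loadables(tmp)]


if __name__ == "__main__":
    for folder, loadables in demo():
        print(f"review {folder}: {', '.join(loadables)}")
```

Point find_colocated_loadables() at a UNC path such as \\server\share to run it against a real share; the hits are candidates for review rather than confirmed findings.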

In MS11-082, Microsoft describes "vulnerabilities [that] could allow denial of service if a remote attacker sends specially crafted network packets to a Host Integration Server listening on UDP port 1478 or TCP ports 1477 and 1478." The risk, in Microsoft's eyes, is minimal as "Firewall best practices" should protect you. Firewalls, really? Anyone who's had a user workstation compromised should have realized that firewalls do little to protect the "internal" network.

To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Microsoft Patch Tuesday Roundup - September 2011

by Paul Asadoorian
September 13, 2011

Sensitive Data is More than "Important"

All but one of this month's Microsoft Patch Tuesday updates relate to Microsoft Office applications and/or Windows components that handle documents (such as RTF, TXT, and Word Document files as described in MS11-071). The three Office-related bulletins are listed as "important" on the Microsoft site, despite the fact that they allow for remote code execution. Another bulletin, MS11-074, announces issues with Microsoft's SharePoint, a server application for sharing information and managing documents.

While I don't recommend completely ignoring Microsoft's risk categories, developing your own metrics for risk classification can go a long way to improving your defenses and patch management programs. Vulnerabilities that target Microsoft Office users who have access to sensitive data are a higher priority to patch. It’s critical to know where sensitive data lies so that you can identify if the data is at risk from these vulnerabilities. SecurityCenter's management and Nessus's auditing capabilities provide you with valuable information to identify where sensitive data resides in your network and help you prioritize your patch schedule.

For example, Nessus can perform a variety of content checks to look for credit card, financial, personal, copyrighted and other types of sensitive data. The dashboard below summarizes a variety of different types of sensitive data audits:


One of the things I like best about the dashboard shown above (which can be downloaded from this entry on the SecurityCenter Dashboard Site) is that you can overlay other types of results, such as the systems that contain vulnerabilities for which an exploit exists. If I had to prioritize a patch rollout, I might start with systems that have access to sensitive data and also have vulnerabilities that can be easily exploited.

To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Microsoft Patch Tuesday Roundup - August 2011

by Paul Asadoorian
August 10, 2011

A few interesting notes on this month's Microsoft Patch Tuesday release:

  • Windows DNS servers are vulnerable to remote exploitation. However, they must implement a specific configuration.
  • We've released a new plugin to detect the Remote Desktop Web Access service on Windows.
  • Another five vulnerabilities in Internet Explorer have been fixed. I believe this to be one of the more critical things to patch. While Microsoft claims there are no known exploits, no one can be certain.

To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Microsoft Patch Tuesday Roundup - July 2011

by Paul Asadoorian
July 13, 2011

Remote exploits come in many different shapes, forms and sizes. Listening services, web browsers and wireless technologies can all contain vulnerabilities that allow for "remote exploitation". The difficult part is defining just how "remote" an attacker needs to be. Obviously, an exposed network service could theoretically be exploited by anyone connected to the Internet. Web browser exploits require that a user visit a site (by choice or surreptitiously) that loads malicious code. Wireless technologies such as Bluetooth require that you be in range. Here's where it gets interesting! There are many situations where end users could be in range of attackers, including conferences, coffee shops, airports, or even right in your own facility. Having said that, it would be difficult for these attacks to target a specific organization unless the attacker were physically on-site, which occurs less frequently than attacks over the Internet. However, we should note that Bluetooth uses the 2.4 GHz spectrum for communications and can be extended using the same or similar gear as WiFi.



In honor of MS11-053, I dug out my Bluetooth wireless kit. Pictured above is a "cantenna" attached to an older long-range Class 1 Cisco-Linksys USBBT100 Bluetooth USB Adapter with an external antenna connector.

Microsoft Patch Tuesday Roundup - June 2011

by Paul Asadoorian
June 15, 2011

Keeping Tabs On Patches

Let's face it, we all have to deal with patches. Everyone from an IT systems administrator to your grandma has to face the challenges of patches. Whether you have a home computer that you use to browse the web, a phone that you occasionally check email from, or 10,000 enterprise desktops spread across three continents, you're dealing with patches. Regardless of your situation, you need to be able to answer two basic questions:

  • Which patches are missing?
  • Which patches have been successfully installed?

If you only have one computer in the house, it probably annoys you to some degree when it's time to apply patches, which indicates that you are in fact missing patches. This answers the first question above, but the operating systems themselves have few measures of success. There are many situations that cause patches to fail, or leave vulnerable software behind after an update, that can easily be missed by the average user. Your so-called "smart-phone" is even worse. Since most users do not connect their phones to their computers, or the carrier is blocking operating system updates, you may never be able to answer the first question (I guess that's one reason why RIM maintains a prominent presence in the enterprise, as they answer both questions very well with respect to Blackberry users in your environment). Not knowing that patches are required is a big problem, and so is not knowing whether they applied successfully.

A Much Larger Problem

Enterprises with 10,000 or more desktops exacerbate the problem of patch tracking. With so many devices that require patches, things are bound to go wrong! Lately I've been using dashboards in Tenable's SecurityCenter, and thanks to Tenable CEO/CTO Ron Gula, I have some interesting SecurityCenter 4.2 "dashboards" to help me track patches. Here's just one example:


Microsoft Patch Tuesday Roundup - May 2011

by Paul Asadoorian
May 11, 2011

If You Are Using WINS, You Are Not WINNING

WINS, or Windows Internet Name Service, exists so that NetBIOS hosts can communicate with TCP/IP hosts. Wait, did we just step into the network protocol time machine? In fact, we did! NetBIOS was developed for IBM in 1983 by a company called Sytec, and later adopted by Microsoft (see "Understanding NetBIOS and Windows Server 2003" for more historical information on our journey back in time). So the big question remains: why are people still running WINS and/or NetBIOS? My guess is that a vendor provided you a solution, stuck you with an operating system that is old and outdated, and now you're stuck maintaining the application and operating system (refer to Rafal Los's great post: Supporting "Unmaintainable" Applications).

Any time you can rid the network and systems of old protocols, it's a win for security. The harder part is ridding your network of the things that rely on those protocols. Once you get there, however, not only will you have a network that is easier to maintain (let's face it, WINS was one more thing to go wrong with Windows networking), it will be slightly more secure as well.

MS11-035 addresses a privately reported, remotely exploitable vulnerability in WINS, as if the attackers need something else they "could" exploit.


"To The Cloud!"