Microsoft Patch Tuesday

Microsoft Patch Tuesday Roundup - April 2011

by Paul Asadoorian
April 13, 2011

It's very exciting (depending on your perspective) when there is a record-breaking Microsoft Patch Tuesday! April 2011 is the largest Patch Tuesday release in history, with 17 bulletins covering 64 different vulnerabilities across several products. While everyone is beating the "Microsoft Patch Tuesday Crisis Drum", attackers are continuing to have success breaking into major organizations using the "exploit du jour", some social engineering methods or a combination of both.

Rally to patch your systems!

What I would like to suggest is a weekly, or even daily, "patch rally". Patching needs to be an ongoing process: check whether patches are available, apply them, and then verify that they were actually applied and installed properly. I don't think we need to "take time to stop and patch"; we just need to patch as a normal, everyday business operation. It's sad that we have to install more software to fix broken software, but it has become the way of the IT world. If your business cannot sustain being patched, then you've probably chosen the wrong software and configurations, and your business will likely be negatively affected either way. The negative effects come in two forms: 1) you install the patches and your system and/or software fails because of a bug in either the software or the patch, or 2) you don't apply the patch and attackers compromise the system and ruin the integrity of the system and the data it contains. So, hence my cry to "rally to the patch"!
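The "verify" step of that cycle is the one most often skipped. What follows is an added example, not code from the original post or from Tenable, of that check in Python: it parses the CSV produced by `wmic qfe list brief /format:csv` (a constructed sample is embedded) and compares the installed HotFix IDs against the KB articles each bulletin delivers. The bulletin-to-KB table is an assumption for illustration; take the real mapping from each bulletin's own Affected Software table. The optional `superseded_by` map is there because a later cumulative update can replace the original package, so checking only for the original KB gives false "missing" results.

```python
"""Added example: verify that required Microsoft security bulletins are
installed, using the HotFix list a Windows host reports.

Input is the CSV produced by `wmic qfe list brief /format:csv` (the same
columns Get-HotFix exposes). The sample below is constructed, not captured.
"""
import csv
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample of wmic CSV output. wmic prints a leading blank line
# and a Node column in front of the Win32_QuickFixEngineering fields.
SAMPLE_QFE_CSV = """
Node,Description,HotFixID,InstalledBy,InstalledOn
WS01,Security Update,KB2286198,NT AUTHORITY\\SYSTEM,8/5/2010
WS01,Security Update,KB2347290,NT AUTHORITY\\SYSTEM,9/15/2010
WS01,Update,KB976902,NT AUTHORITY\\SYSTEM,2/3/2011
"""

# Bulletin -> KB articles it installs. ASSUMED for illustration: take the
# real list from each bulletin's "Affected Software" table before relying on it.
REQUIRED_BULLETINS: Dict[str, List[str]] = {
    "MS10-046": ["KB2286198"],
    "MS10-061": ["KB2347290"],
    "MS11-004": ["KB2489256"],
}


def parse_qfe_csv(text: str) -> Set[str]:
    """Return the set of installed HotFix IDs (upper-cased) from wmic CSV output."""
    rows = [line for line in text.splitlines() if line.strip()]
    installed: Set[str] = set()
    for row in csv.DictReader(rows):
        hotfix = (row.get("HotFixID") or "").strip().upper()
        if hotfix.startswith("KB"):
            installed.add(hotfix)
    return installed


def missing_bulletins(installed: Set[str],
                      required: Dict[str, List[str]],
                      superseded_by: Optional[Dict[str, Iterable[str]]] = None
                      ) -> Dict[str, List[str]]:
    """Return {bulletin: [KBs not found]} for every bulletin not fully installed.

    superseded_by maps a KB to later KBs that replace it; a KB counts as
    present if it or any KB that supersedes it is installed.
    """
    superseded_by = superseded_by or {}
    report: Dict[str, List[str]] = {}
    for bulletin, kbs in required.items():
        missing = []
        for kb in kbs:
            acceptable = {kb.upper()} | {s.upper() for s in superseded_by.get(kb, [])}
            if not acceptable & installed:
                missing.append(kb)
        if missing:
            report[bulletin] = missing
    return report


def main() -> None:
    installed = parse_qfe_csv(SAMPLE_QFE_CSV)
    report = missing_bulletins(installed, REQUIRED_BULLETINS)
    if not report:
        print("all required bulletins present")
    for bulletin, kbs in sorted(report.items()):
        print(f"{bulletin}: missing {', '.join(kbs)}")


if __name__ == "__main__":
    main()
```

One caveat a practitioner will hit immediately: the QFE list only covers updates registered as hotfixes. Office and other MSI-installed products do not appear there, which is why a vulnerability scanner checks file versions on disk rather than trusting this list alone.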

Microsoft Patch Tuesday Roundup - March 2011

by Paul Asadoorian
March 10, 2011

Another Microsoft Patch Tuesday is upon us. This month I was surprised that two vulnerabilities making headlines recently were not included in this Microsoft Patch Tuesday, namely the 0-day Windows SMB Vulnerability and the reported “Pwn2Own” IE vulnerability. The best way to remediate any vulnerability is to apply a patch provided by the vendor, and it’s puzzling why Microsoft is delaying the release of patches for these widely publicized vulnerabilities.

To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Microsoft Patch Tuesday Roundup - February 2011

by Paul Asadoorian
February 9, 2011

And the race is on to apply patches to the Microsoft Windows systems in your environment! One of the bulletins this month, MS11-004, fixes a remotely exploitable issue in the IIS FTP service. To me, FTP falls in the same category as Telnet: "you should be using SSH instead". Despite the lack of security that FTP offers (credentials and data cross the network in clear text), it still appears to be wildly popular decades later. I performed some searches using SHODAN, "The Computer Search Engine", which scours the Internet looking for open ports, services and banners. I told it to find systems with port 21 (FTP) open and got the following results:

  • United States: 27,355
  • China: 15,341
  • India: 11,122
  • Egypt: 10,476
  • Thailand: 10,068
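SHODAN only tells you that port 21 answers. The block below is an added example, mine rather than anything from the original post or from Tenable, of the follow-up triage a scanner plugin performs: connect, read the 220 banner, send FEAT, check whether the server advertises AUTH TLS, then flag IIS FTP instances (the MS11-004 target) and any server that only speaks plaintext FTP. So that it runs offline, it includes a constructed stub FTP server on 127.0.0.1 that answers with a banner and feature list of your choosing; the banners in it are made up. Point `triage_ftp()` at a real host and port to use it against an actual listener.

```python
"""Added example: triage an FTP listener the way a scanner plugin would.

Connects, reads the 220 banner, sends FEAT, and reports the product and
whether AUTH TLS (FTPS) is offered. The stub server is constructed for
offline use and stands in for a real service.
"""
import socket
import threading
from typing import Dict, List


def read_reply(rfile) -> List[str]:
    """Read one FTP reply, including the RFC 959 multi-line form ('211-' ... '211 ')."""
    first = rfile.readline().decode("latin-1").rstrip("\r\n")
    lines = [first]
    if len(first) >= 4 and first[3] == "-":
        code = first[:3]
        while True:
            raw = rfile.readline()
            if not raw:                      # server closed mid-reply
                break
            line = raw.decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if line.startswith(code + " "):  # terminating line of the reply
                break
    return lines


def classify(banner: str, feat: List[str]) -> Dict[str, object]:
    """Turn a banner and a FEAT reply into findings."""
    features = {line.strip().upper() for line in feat[1:-1]}  # empty for one-line replies
    ftps = any(f.startswith("AUTH") and ("TLS" in f or "SSL" in f) for f in features)
    if "MICROSOFT FTP SERVICE" in banner.upper():
        product = "IIS FTP (Microsoft FTP Service)"
    else:
        product = "other FTP server"
    findings = []
    if product.startswith("IIS"):
        findings.append("IIS FTP service exposed: confirm MS11-004 is installed")
    if not ftps:
        findings.append("no AUTH TLS offered: credentials cross the network in clear text")
    return {"banner": banner, "product": product, "auth_tls": ftps, "findings": findings}


def triage_ftp(host: str, port: int = 21, timeout: float = 5.0) -> Dict[str, object]:
    """Banner-grab and FEAT-probe one FTP service, then classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = read_reply(rfile)[0]
        sock.sendall(b"FEAT\r\n")
        feat = read_reply(rfile)
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass  # stub may already have closed; nothing left to learn
    return classify(banner, feat)


def stub_ftp_server(banner: str, feat_lines: List[str]) -> int:
    """Constructed one-shot FTP stub on 127.0.0.1 for offline runs; returns its port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve() -> None:
        conn, _ = listener.accept()
        listener.close()
        with conn:
            conn.sendall(banner.encode() + b"\r\n")
            cmd = conn.makefile("rb").readline().strip().upper()
            if cmd == b"FEAT" and feat_lines:
                body = "".join(f" {f}\r\n" for f in feat_lines)
                conn.sendall(f"211-Features:\r\n{body}211 End\r\n".encode())
            elif cmd == b"FEAT":
                conn.sendall(b"211 No features\r\n")
            else:
                conn.sendall(b"502 Command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banners, not observations of real hosts.
    for banner, feats in [("220 Microsoft FTP Service", []),
                          ("220 Example FTP server ready", ["AUTH TLS", "PBSZ", "PROT"])]:
        print(triage_ftp("127.0.0.1", stub_ftp_server(banner, feats)))
```

Note that advertising AUTH TLS is not the same as requiring it: a server that lists it but still accepts USER/PASS on the plain channel is no better off, so the scanner's next step is to attempt a plaintext login and see whether it is refused.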

Microsoft Patch Tuesday Roundup - January 2011

by Paul Asadoorian
January 12, 2011

The first Microsoft bulletin of the year, MS11-001, only affects Windows Vista and is classified by Microsoft as "important". For those not running Vista, this patch can safely be ignored. It's easier for smaller organizations to keep up with operating system upgrades and patches on desktop systems; if your organization has over 10,000 desktops, upgrading all of them is a daunting task. I really like the idea of using "cloud computing" for this purpose. Yes, I'm suggesting that we use "cloud computing" to improve security! In this case, though, I am talking about a cloud that operates and is managed within the organization, not by a third party. If you put your applications and data in, for example, Amazon's cloud, then you are outsourcing your security to Amazon. It may be better to implement your own cloud so that you control the security and the data. Rather than hosting all of your software and data on a laptop or desktop, the laptop or desktop just gives you access to the applications and data. This is not a new concept, but as more laptops are lost or stolen and client applications keep turning up vulnerabilities, I believe it's a logical solution to the problem.

While many talk about the dangers of the cloud, can we actually use the cloud to improve security?

Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition

by Paul Asadoorian
December 15, 2010

Attackers have been very naughty, IT departments have been mostly nice and Microsoft has fulfilled the role of “Bad Santa”. This holiday season, Microsoft has filled your stockings with 17 security bulletins fixing 40 vulnerabilities. But where does that leave us?

What Else Could You Say?

Note: The word "could" appears in the title of all 17 security bulletins this month

I could say a lot of things about this month's Microsoft Patch Tuesday release. I could say that you should apply patches (except that my boss hates the word "should"). I could say that, despite all of the patches released, there are most likely still 0-day exploits for several unpublished vulnerabilities. I could also say that your organization needs a solid patch management program. I could say, well, you get the point. After more than a year of writing up each of the Microsoft security bulletins, there's a lot I could say. The fact remains that several trends continue in the Microsoft "Black Tuesday" madness:

Microsoft Patch Tuesday Roundup - October 2010 - "Nightmare" Edition

by Paul Asadoorian
October 14, 2010

"One, two, attackers are coming for you…"

In yet another record-setting Patch Tuesday, Microsoft has provided fixes for 81 vulnerabilities covering just about every supported Microsoft product. No matter how you slice or dice it, patches will need to be distributed throughout your environment on a large scale. Several articles are available to help you prioritize the installation of these patches. The matrix of which patches are important and what the mitigating factors are is simply dizzying and confusing. The Microsoft Security Research & Defense blog put up a post detailing some of the attack vectors for each vulnerability and information about the mitigations. The blog tries to paint a prettier picture, but in the end it's an all-out bloodbath of vulnerabilities, exploits and patches.

"Nine, ten, thanks to Microsoft, administrators will never sleep again." Okay, "never" is a bit strong. Certainly, administrators will lose some sleep due to not only Microsoft updates, but Oracle patches as well (81 vulnerabilities have been patched in the latest round by Oracle).

Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition

by Paul Asadoorian
September 15, 2010

"Silent" Worms: Stuxnet

The vulnerability patched by MS10-061 is perhaps one of the most interesting we've covered in a "Patch Tuesday" post this year. It was discovered when antivirus researchers at Kaspersky Lab analyzed malware called "Stuxnet". The malware was one of the first worms to use the LNK vulnerability, and contained code to exploit three other vulnerabilities: the print spooler vulnerability patched by MS10-061 and two other, unnamed privilege escalation vulnerabilities that have yet to be patched. It's not every day that we hear of malware in the wild exploiting four 0-day vulnerabilities.

I am not easily impressed (in fact, I am even less than impressed) with the capabilities of most malware in the wild. However, there are some facts about the "Stuxnet" malware that do impress me:

  • Stuxnet also contains an exploit for a vulnerability from 2008. It will only execute this exploit if it determines it is inside an organization using SCADA systems and not a typical corporation.
  • Stuxnet was written specifically to attack control systems, and is the first publicly known malware to contain a rootkit for PLCs, devices that control SCADA systems. The rootkit silently waits for commands.
  • Stuxnet gains access to control systems using default passwords and is rumored to have compromised 14 different control systems-based organizations.
  • Stuxnet was first thought to primarily use USB devices to propagate (likely to get around "air gapped" security measures).

There was an interesting quote from Symantec that stated, "Symantec gained control of the domain used to send commands to infected machines shortly after Stuxnet was discovered". Apparently, this turned over control of Stuxnet-infected systems to Symantec. I just don't understand the logic behind the malware authors; if they had used fast flux, they may still have control over the botnet they seemed to have worked so hard to implement.

There are actually 6 ninjas in the above picture… can you spot them all?

Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

by Paul Asadoorian
August 12, 2010

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not by third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help with your own prioritization efforts. Microsoft's own bulletins still do not explore every aspect of each vulnerability, and in particular do not always state whether a vulnerability can actually be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft's statement is not true as written. The claim that an attacker "must have" valid logon credentials is concerning. Logon credentials are not something an attacker has to physically possess, like a pen or a mouse: an attacker can simply convince an already logged-in user to run code that performs the privilege escalation. In that scenario the attacker never "has" the credentials; they are executing code as a non-privileged user, which is a completely different situation. So the vulnerability can be exploited remotely, provided the attacker has first exploited something else that grants code execution as a non-privileged user, which is a very common method of attack, since users can be tricked into running all sorts of programs, code from a web site, email attachments and more. Running as an administrator or with SYSTEM privileges then brings clear advantages, such as access to every file, installing keystroke loggers and sniffing the network.

Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"

by Paul Asadoorian
July 15, 2010

Which Vulnerabilities Are You Looking For?

When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and look at the glass as half empty. Microsoft seems to paint a picture and believes the glass to be half full by using phrases such as:

In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't just open up an email to have the exploit trigger. Instead, the user has to either open an attachment or click on a link. I can tell you from first-hand experience that it’s not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little bit trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as did an email appearing to come from the World Cup with an Excel document attached. The Excel document posed as a schedule for the World Cup, but really contained malware that attempted to infect the end-user's computer.

"These aren't the vulnerabilities you're looking for. You can go about your business."