Microsoft Patch Tuesday

Microsoft Patch Tuesday Roundup - June 2010 - “Everything is Vulnerable” Edition

by Brian Martin
June 9, 2010

Here we go again - another massive “Patch Tuesday”, brought to you by Microsoft. This particular bundle addresses 34 vulnerabilities in Windows, IE, Office, .NET Framework, IIS and Sharepoint, a tie for the largest vulnerability count in a single Microsoft Patch Tuesday to date. The advisories include a wide range of vulnerabilities including code execution, privilege escalation, information disclosure, denial of service and cross-site scripting (XSS).

Among the vulnerabilities addressed in June’s updates are two issues that were recognized by Microsoft in February and April. Three of the ten updates have been given severity ratings of “critical” while the other seven are rated as “important”. Six updates affect the Windows operating system, including Microsoft’s newest OS, Windows 7. As always, Tenable has released Nessus plugins to perform credentialed checks to detect each of these vulnerabilities and help aid your remediation processes.

Patch Tuesday Breakdown and Thoughts:

Microsoft Patch Tuesday Roundup - May 2010 - Language Barrier Edition

by Paul Asadoorian
May 13, 2010

Microsoft's Language

No, I'm not talking about C# or Visual Basic, I'm referring to Microsoft's very own version of the English language ("Minglish"?). An example of the Microsoft variation on the English language is shown here:

"The vulnerability could allow remote code execution if a user visits a malicious e-mail server."

We've addressed the "could allow" statement in a previous post (for example, changing your shoes “could allow” you to win the lottery). We've also addressed the "remote code" execution and dug into what that really means. In this case, it takes on a slightly different meaning from the traditional remote buffer overflow or client-side attacks. The part that is brand new to the "Minglish" language is "if a user visits a malicious e-mail server". Let me get this straight: you not only have to be running the vulnerable software but must also think to yourself, "Gee, I wonder what a malicious e-mail server looks like? I think I will re-configure my email client to connect to pop3.evilbadguy.com and find out".

sign_forest.jpg

I think what they are trying to say is that "Some digging may have occurred, which could allow a person to fall in a hole. No public falling has occurred."

Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition

by Paul Asadoorian
April 14, 2010

It’s A Bird, It’s a DoS, It’s Remote Code Execution!

I've always cautioned people about the danger of disregarding vulnerabilities that are labeled as "Denial of Service" (Such as MS10-014 from February) for a couple of reasons. First, when a bug exists in the code that allows something to "crash", there is usually a potential that the "crash" could somehow allow for code execution (remember that a buffer overflow is just a controlled crash). Second, when code is being analyzed so that the bug can be fixed, the surrounding code is often analyzed to be certain there are no other bugs or vulnerabilities. This analysis could lead to the disclosure of other vulnerabilities or a new way to turn a DoS into remote code execution. This appears to be the case with MS10-20, which was first publicly disclosed as a DoS bug in the SMB client. Microsoft is now reporting it as a vulnerability that "could” allow remote code execution. Upon further inspection, the security bulletin reports five vulnerabilities related to the SMB client that are patched in MS10-20. The first is the original DoS bug reported by Laurent Gaffie to the Full Disclosure mailing list on November 11, 2009. The general consensus was to dismiss this bug because it was "just a DoS".

supergeek-sm.jpg

Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition

by Paul Asadoorian
March 10, 2010

Attacks Happen

There are many reasons why attackers may target your organization: they could be after your intellectual property, they may have political reasons or there may be financial motivations (if you have credit card data stored on your network). I've often heard people say, "Why would someone want to attack us?" The question should really be phrased, "Why would someone need to attack us?" Often you are targeted not because of who you are, but what you have. Google hosts email accounts that are interesting to certain parties. You may be a university with plenty of bandwidth or a business partner with a company who makes electronics that the attacker is after. The point is that you can't limit the reasons why you are going to be attacked. You have to secure your network with the mindset that someone will eventually come after you.

This brings us to this month's "Patch Tuesday". Two bulletins have been released by Microsoft, and I've included some examples of how they can be used for targeted attacks:

Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition

by Paul Asadoorian
February 10, 2010

Patch Tuesday Gives Birth to "Zombie Wednesday"

The Tenable research team spent the night writing 14 new plugins to check for the latest round of Microsoft patches. While many will have to schedule patch installations, those who run with full automatic updates enabled are theoretically all patched by now. However, it doesn't hurt to check with a quick Nessus patch audit.

Microsoft is in Love With the Word "Could"

There are several terms used by Microsoft throughout their advisories that spread uncertainty about the risk of the vulnerabilities presented. The excessive use of the world "could" is one such example. In the MS10-002 bulletin Microsoft states:

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

I “could” also win the lottery, inherit millions of dollars and walk on water. In the case of this exploit "could" is an exceptionally bad word choice as there are several example videos showcasing the exploit in action using open-source software. The other issue with the above statement is the obligatory "users with less rights on the system will be less impacted". Someone should tell the Microsoft PR team that there are two privilege escalation exploits on the list this month, and one has been widely publicized for almost a month. On that note, let’s take a closer look at the 14 bulletins and 26 vulnerabilities that were patched this month.

Microsoft Patch Tuesday - January 2010 - "Aged Cheese" Edition

by Paul Asadoorian
January 14, 2010

Stinky, Aged Operating System?

It’s that time of the month again - Microsoft patch Tuesday of course! This month I expected to research several different vulnerabilities, how they work, methods to detect them, etc. However, Microsoft is only patching one vulnerability this month. I can’t believe there is only one vulnerability this month! In any case, this month's vulnerability occurs in the way applications handle Embedded OpenType fonts. I was a bit puzzled as to why so much effort was going into font rendering until I discovered that it is common for web sites to implement different languages and have them display correctly to the end user (primarily for “non-English” languages). The vulnerability is triggered when a user renders fonts on a web page or by opening a Microsoft Office document that contains embedded fonts. An interesting fact about this bulletin (which only covers one CVE entry, CVE-2010-0018) is:

"This security update is rated Critical for Microsoft Windows 2000, and is rated Low for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2."

Microsoft Patch Tuesday - December 2009 - "Specially Crafted" Edition

by Paul Asadoorian
December 11, 2009

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all Microsoft security bulletins.

"Specially Crafted"

I have always wondered what the term "specially crafted" really means. What is "special"? Merriam-Webster defines it as "distinguished by some unusual quality". "Unusual" is relative, and means that someone has defined what "usual" means. This is where we start to enter a grey area. How do we determine what is "special" if the "usual" is not clearly defined? In this case, I'm talking about RFCs, the documents used to define what "usual" means with respect to Internet protocols. One of the vulnerabilities this month has to do with IPSec and specifically ISAKMP, the key management protocol. Apparently a "specially crafted" packet will cause this service to eat up CPU cycles and cause a DoS condition. These flaws are common, but my concern is that this condition may not always be caused by a malicious attacker using a tool such as Scapy. For example, a VPN client might send "specially crafted" packets because the programmer, who wrote the client software, misinterpreted the RFC. I wish that Microsoft would be a little more forthcoming regarding the details of the flaw, particularly how difficult it is to exploit.

"Could Allow"

I am also somewhat puzzled by the term "could allow". When using it in the context of remote exploits, it’s even more confusing. A vulnerability either allows or does not allow remote code to be executed. Sure, there are mitigating factors, but if the vulnerability does allow for remote code execution, then Microsoft should just come out and say it. When you are reading security bulletins from Microsoft, keep in mind that "could allow" really means "allows under certain circumstances".

Patch Tuesday - November 2009

by Paul Asadoorian
November 13, 2009

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all security bulletins, and a network-based uncredentialed check for MS09-064.

Severity is a Matter of Perspective

What struck me as interesting this month are the severity ratings. Microsoft publishes these ratings as a guide to help customers evaluate the vulnerability risk. In many cases, they seem to be doing their customers a disservice. For example, a remotely exploitable vulnerability in Microsoft Word or Excel could be leveraged by attackers to compromise desktop systems. These types of vulnerabilities are frequently exploited by attackers and penetration testers alike to gain access to sensitive information. The advice I always give to organizations is to evaluate each vulnerability with respect to how it affects your business, not what has been published by the vendor.

In addition, if the evaluation of severity is coming from a vendor, it should adhere to some industry accepted standard calculation, such as the CVSS score. Nessus plugins use this scale (1-10, with 10 being the most severe) as a rating for the severity of the vulnerability. While Microsoft rates MS09-067 (a vulnerability in which arbitrary code can be executed as a result of opening an Excel file) as important, Nessus gives it a CVSS score of 9.3. Use these ratings as a guide to develop your patching strategy. For example, if you heavily use Excel, you will need to patch right away. If you do not use Excel, then it is not as critical to patch. You could employ a temporary solution for mitigation by blocking incoming Excel file attachments while you focus on vulnerabilities that pose a bigger risk.

Microsoft "Patch Tuesday" - The Aftermath

by Paul Asadoorian
October 19, 2009

Black Tuesday

This month Microsoft released 13 new security advisories. While 13 sounds like a moderate number, digging into each of the security advisories reveals that each one actually patches multiple vulnerabilities, bringing the grand total to 34 individual vulnerabilities. Couple that with the recent Adobe announcements disclosing 29 vulnerabilities with the Adobe Reader product and release of the associated patches and administrators have their work cut out for them (note that Nessus plugins have been released to detect these vulnerabilities, refer to plugin id 42119 and 42120). Assessing the risk for your organization when there are this many patches in common software can be a daunting task, but an important one. While both Microsoft and Adobe attach a severity rating to each advisory, organizations need to evaluate the risk each vulnerability poses to their specific environment and implement a patching cycle that is most effective at reducing risk for them. For example, the Microsoft IIS FTP server remote exploit vulnerability has a “critical” rating, but if you are already implementing mitigating factors, or are not running IIS on mission critical systems, then you will want to focus your efforts on getting other patches tested and installed first.

Pages