
Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition

Attacks Happen

There are many reasons why attackers may target your organization: they could be after your intellectual property, they may have political reasons or there may be financial motivations (if you have credit card data stored on your network). I've often heard people say, "Why would someone want to attack us?" The question should really be phrased, "Why would someone need to attack us?" Often you are targeted not because of who you are, but what you have. Google hosts email accounts that are interesting to certain parties. You may be a university with plenty of bandwidth or a business partner of a company that makes electronics that the attacker is after. The point is that you can't limit the reasons why you are going to be attacked. You have to secure your network with the mindset that someone will eventually come after you.

This brings us to this month's "Patch Tuesday". Two bulletins have been released by Microsoft, and I've included some examples of how they can be used for targeted attacks:


  • MS10-016 - Nessus Plugin ID 45020 (Credentialed Check) - This bulletin discloses vulnerabilities associated with Windows Movie Maker that occur when a user opens a Windows Movie Maker file. While this may be used in some targeted attacks, I suspect that not many organizations have this software widely deployed. However, the interesting thing about this vulnerability is that Movie Maker is built into certain versions of Windows Vista, which makes uninstallation very difficult. This means even if you are not using the software, you still need to apply the patches. While Movie Maker may not be the most popular client application available, as a penetration tester I would search for it anyway. For example, I found a web site that is hosting a forum for Windows Movie Maker users. A query for "running version" results in several pages of matches. You can even be more specific with your search and enter "2.1", which is the vulnerable version running on Windows XP. Most of the posts are made by people looking for help with a specific version of Movie Maker and they will reveal this information during troubleshooting. An attacker just needs to associate the forum userid or email with the target they are going after for a potentially successful attack to be well under way.
  • MS10-017 - Nessus Plugin ID 45021 (Credentialed Check) - This bulletin discloses seven different vulnerabilities in Microsoft Excel. I find it interesting to review the disclosure timeline on some of these vulnerabilities. For example, CVE-2010-0263 was disclosed to Microsoft on July 14, 2009, and was just recently fixed. Core Security also reported CVE-2010-0243 on September 4, 2009.

    Microsoft ranks this vulnerability as "Important". The vulnerability itself does not exploit a remotely accessible network service and execute remote code, but that doesn't mean an attacker cannot use this information to construct specifically targeted attacks. Consider the following Google query:

    filetype:xls inurl:xls site:.gov

    The above search (as of today) returns 3,560,000 results (coincidentally, this number was the largest out of ".com", ".edu" and ".mil" top level domains). While this may not seem relevant, what stops an attacker from downloading all of the spreadsheets posted by a particular organization and analyzing the document metadata? Metadata is information contained within a document that can reveal the software type, version and platform it is running on in addition to the user who created it. With this information you could easily launch a targeted email attack. In fact, the attackers could have enough information to launch automated attacks that read the document metadata from a target's web site and then send the appropriate malicious Microsoft Excel document. While malicious PDF documents are all the rage these days with attackers, there is no reason why they cannot easily make a shift or use Microsoft Office documents along with the more traditional PDF attacks. One could make the argument that the attackers could do the same with PDF documents (and they probably are), but since malicious PDFs are something that organizations are now expecting, attackers may choose to mix up their attack vectors.
