
Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". It is a record-breaking one: 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not by third parties. I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both pull together all of the relevant information about each security bulletin, providing a more complete picture to support your own prioritization. Microsoft's own bulletins still do not explore the various aspects of each vulnerability and, in particular, do not always state whether, or how, a vulnerability can be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which together cover eight separate vulnerabilities, Microsoft lists the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft's statement is not accurate. Saying an attacker "must have" valid logon credentials suggests the attacker needs something in their possession, such as a username and password. They do not. An attacker can simply convince an already logged-in user to run the code that performs the privilege escalation. In that scenario the attacker never holds any credentials; they have code executing in the context of a non-privileged user, which is a completely different situation. So the vulnerability can be part of a remote attack, provided an earlier step (a browser exploit, a malicious attachment, a trojaned download) has already given the attacker code execution as a non-privileged user. This is a very common pattern: users can be tricked into running all sorts of programs, code from a web site, email attachments and more, and once the attacker has that foothold, a local privilege escalation is the natural next step. Running as an administrator or with SYSTEM privileges brings real advantages, such as reading any file on the system, installing keystroke loggers and sniffing the network.



This one is the real kicker: In MS10-049, Microsoft lists the following in the "Mitigating Factors" section:

"Web sites that do not host content via SSL, but only serve content via HTTP (clear text) connections are not affected."

It is true that this vulnerability does not affect HTTP connections, but that is not a mitigating factor for the end result of the vulnerability, which is an attacker injecting data into an existing data stream. Cleartext HTTP offers no protection against that at all, so an HTTP-only site is not "safe"; it simply never had the protection in the first place. A great example of this attack over HTTP is a wireless network and a tool called "Airpwn": imagine sitting on a wireless network and loading malicious JavaScript into everyone's web browser, no matter which site they are connecting to. This is possible because, unless the application builds in its own protections, HTTP streams do nothing to protect themselves from data injection.

Let’s put this in terms that everyone can understand:

A parachute manufacturer discloses that vulnerabilities exist in certain models and versions of the "Windows" parachute line. However, the manufacturer claims you are not vulnerable if you jump out of the airplane without a parachute at all.
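To make the HTTP side of this concrete, here is an added example (not code from the original post, and not related to the internals of MS10-049 itself). It simulates what an on-path attacker such as Airpwn does to a cleartext HTTP response: insert a script before `</body>` and fix `Content-Length` so the client sees a perfectly well-formed response. The same edit is then attempted against a record carrying an HMAC tag, which stands in for the per-record integrity check a TLS connection provides. The HTTP response, the injected script and the session key are all constructed for the demonstration; `seal`/`open_sealed` are a stand-in for TLS record protection, not TLS itself.

```python
import hashlib
import hmac

# Constructed cleartext HTTP response, as it leaves the web server.
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"<html><body><p>Hello</p></body></html>"
)

# Constructed payload the on-path attacker wants every browser to run.
INJECTED_SCRIPT = b"<script>alert('owned')</script>"

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def split_response(raw):
    """Split an HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_response(status, headers, body):
    """Inverse of split_response, preserving header order and case."""
    head = b"\r\n".join([status] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


def inject_into_http(raw, payload):
    """What an on-path attacker does to a cleartext response: add the payload
    before </body> and rewrite Content-Length so the result is well-formed.
    Nothing in plain HTTP lets the client notice the change."""
    status, headers, body = split_response(raw)
    if b"</body>" in body:
        body = body.replace(b"</body>", payload + b"</body>", 1)
    else:
        body += payload
    headers = [(n, str(len(body)).encode() if n.lower() == b"content-length" else v)
               for n, v in headers]
    return join_response(status, headers, body)


def client_accepts(raw):
    """The only consistency check a plain HTTP client can make: does the body
    length match Content-Length? True for a tampered but well-formed response."""
    _, headers, body = split_response(raw)
    declared = dict((n.lower(), v) for n, v in headers).get(b"content-length")
    return declared is not None and int(declared) == len(body)


def seal(record, key):
    """Append an HMAC-SHA256 tag, standing in for the per-record MAC that a
    TLS connection provides and cleartext HTTP does not."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def open_sealed(sealed, key):
    """Return the record if its tag verifies, else None (a real TLS stack
    would tear the connection down here)."""
    record, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return record if hmac.compare_digest(tag, expected) else None


def demo():
    """Run the same injection against both transports and report whether
    the client ends up accepting the attacker's script."""
    key = b"constructed session key, not known to the attacker"

    # Cleartext HTTP: the tampered response is indistinguishable from a real one.
    tampered = inject_into_http(ORIGINAL_RESPONSE, INJECTED_SCRIPT)
    http_accepted = client_accepts(tampered) and INJECTED_SCRIPT in tampered

    # Integrity-protected record: the attacker can edit the bytes but cannot
    # produce a tag for them without the key, so the client rejects the record.
    sealed = seal(ORIGINAL_RESPONSE, key)
    tampered_sealed = inject_into_http(sealed[:-TAG_LEN], INJECTED_SCRIPT) + sealed[-TAG_LEN:]
    sealed_accepted = open_sealed(tampered_sealed, key) is not None

    return {"http_accepts_injection": http_accepted,
            "sealed_accepts_injection": sealed_accepted}


if __name__ == "__main__":
    print(demo())
```

The cleartext case comes back accepted and the sealed case rejected, which is the whole point: an HTTP-only site is not mitigated against injection, it is simply the case where nobody was ever checking.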

Patched Quicker Than...

"Ten months after public disclosure the majority of the industry has a fix," said Marsh Ray, a software developer at two-factor authentication service [...] "I think it's about as good a time as any to declare victory on that project."

Source: Microsoft purges Windows of serious SSL vuln

Ten months to fix a hole in a major protocol such as SSL and we're partying like it's 1999? I think the attackers are the ones partying like it's 1999, exploiting the vulnerability while everyone else spins their wheels. Don't get me wrong, it's a major effort to fix bugs in a protocol, but we need goals that get things fixed much faster than ten months.

Audit, Patch, Rinse, Repeat


To further aid your efforts to evaluate the dangers of this month's Patch Tuesday mayhem, Tenable's research team has published plugins for each of the security bulletins issued this month:

Resources