Which Vulnerabilities Are You Looking For?
When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and see the glass as half empty. Microsoft tends to paint a rosier picture and see the glass as half full, using phrases such as:
In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't simply open an email and have the exploit trigger. Instead, the user has to open an attachment or click on a link. I can tell you from first-hand experience that it's not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as an email appearing to come from the World Cup, with an Excel document attached, recently did. The Excel document posed as a match schedule for the World Cup, but really contained malware that attempted to infect the recipient's computer.
In MS10-043: "successful code execution is unlikely due to memory randomization" - Attackers regularly find a way around built-in operating system protections such as ASLR and DEP (for example, "Flaw In Microsoft's Hypervisor Lets Attackers Bypass DEP, ASLR"). Don't let your guard down just because mitigations appear to be in place. Correct the problem at its root and patch the vulnerability.
In MS10-044: "an attacker would have no way to force users to visit these Web sites" - I disagree with this statement and believe that attackers have several ways of forcing a user to load content in a web browser. In order to exploit these vulnerabilities the user does not have to knowingly "visit a web site"; their browser only has to process the attacker's code. Hidden iframes are just one example of how code can be loaded in your browser and do evil things, all without the user's knowledge. Persistent XSS is another example, where attackers hide malicious code inside web sites that you "trust" (as was the case with the recent flaw in YouTube).
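As an added example (not code from the original post), here is a small scanner for the hidden-iframe trick described above. It walks an HTML document and flags any iframe a user would never see: one that is zero- or one-pixel sized, hidden with an inline style, or nested inside an ancestor that has been pushed off-screen. The sample page, including the example.com/example.net hostnames, is constructed for the demonstration; the same check is what you would run over a page you suspect has been tampered with via persistent XSS.

```python
"""Flag iframes that a user would never see (added example, not from the
original post). Drive-by pages load exploit content in iframes that are
zero-sized, styled display:none / visibility:hidden, or pushed off-screen;
the same checks apply to content injected via persistent XSS."""
import re
from html.parser import HTMLParser

# Constructed sample page, not a real capture: one legitimate embed plus two
# injected frames that the victim never sees.
SAMPLE_HTML = """
<html><body>
<h1>World Cup schedule</h1>
<iframe src="https://video.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://evil.example.net/x.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<div style="position:absolute; left:-9999px">
  <iframe src="http://evil.example.net/y.php"></iframe>
</div>
</body></html>
"""

# Inline-style tricks that hide an element from view
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px", re.I)


def _px(value):
    """'1' or '1px' -> 1; None or '100%'-style values -> None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value)
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Walk the document, remembering which open ancestors are hidden."""

    def __init__(self):
        super().__init__()
        self.open = []       # (tag, hidden_by_style) for every open element
        self.findings = []   # (src, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            reasons = []
            if any(is_hidden for _, is_hidden in self.open):
                reasons.append("inside hidden ancestor")
            if hidden:
                reasons.append("hidden by style")
            wd, ht = _px(a.get("width")), _px(a.get("height"))
            if wd is not None and ht is not None and wd * ht <= 4:
                reasons.append(f"tiny frame {wd}x{ht}")
            if reasons:
                self.findings.append((a.get("src") or "", "; ".join(reasons)))
        self.open.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching start tag; tolerates unclosed <img>, <br>.
        for i in range(len(self.open) - 1, -1, -1):
            if self.open[i][0] == tag:
                del self.open[i:]
                break


def find_hidden_iframes(html):
    """Return [(src, reason), ...] for iframes the user would not see."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"{src}: {why}")
```

The size threshold (an area of four pixels or less) and the off-screen offset (three or more digits of negative position) are my own choices; tighten or loosen them to taste, and remember that an attacker can also hide a frame with an external stylesheet or script, which this parser does not evaluate.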
In MS10-045: "Do not open e-mail attachments from untrusted sources or that you receive unexpectedly from trusted sources" - As stated above, tricking users into clicking on links, opening attachments or accepting bogus certificates is not difficult. For some great examples of how this can be accomplished check out "SET", the "Social Engineering Toolkit". It’s a suite of tools that helps you clone web sites, create fake certificates for Java applets and send attacks to end-users.
The SANS Internet Storm Center puts out a list each month with its own ranking system. It's a great reference for those looking to gain more insight into the threats posed by each month's vulnerabilities. To further aid in your efforts to evaluate the dangers of the Microsoft Patch Tuesday mayhem, Tenable's research team has published plugins for each of the security bulletins issued this month (they are available in the feed as of Tuesday July 13, 2010 at 11:00PM):
- MS10-042 - Nessus Plugin ID 47710 (Credentialed Check) - This was the vulnerability uncovered by Tavis Ormandy and a public exploit exists.
- MS10-043 - Nessus Plugin ID 47710 (Credentialed Check) - Memory protections (ASLR) make exploitation harder, but the patch should still be applied ASAP.
- MS10-044 - Nessus Plugin ID 47712 (Credentialed Check) - Two vulnerabilities in ActiveX will likely lead to attackers exploiting these flaws sooner rather than later.
- MS10-045 - Nessus Plugin ID 46313 (Credentialed Check) - Ranked as "Important", but likely critical for reasons mentioned above.
Windows XP SP2 is now at end of life and Microsoft will no longer be issuing patches (including security-related ones) for it. Tenable has updated the Nessus plugin titled "Windows Service Pack Out of Date" (plugin ID 26921) to include Windows XP SP2 in the list of unsupported operating systems.
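To put the "glass half empty" ranking above to work, here is an added example (my own script, not Tenable code) that reads a Nessus .nessus v2 export and re-ranks each host against the July 2010 plugins listed above. The JULY_2010 table carries the plugin IDs exactly as this post lists them (47710 appears twice above and is mapped once here) together with the reasoning given for treating each as critical, and the script records the scanner's own severity next to ours so the escalations are visible. The XML is a constructed sample in the .nessus v2 layout with made-up hosts; it is not real scan output.

```python
"""Re-rank a Nessus .nessus (v2) export against the July 2010 bulletins
(added example, not Tenable code). JULY_2010 carries the plugin IDs the post
lists and the post's reasoning for treating each as critical; the XML is a
constructed sample in the .nessus v2 layout, not real scan output."""
import xml.etree.ElementTree as ET

# plugin ID -> (bulletin, our level, why we disagree with the vendor rating)
JULY_2010 = {
    "47710": ("MS10-042", "critical", "public exploit exists (Tavis Ormandy)"),
    "47712": ("MS10-044", "critical", "ActiveX flaws, exploitation expected soon"),
    "46313": ("MS10-045", "critical", "rated Important, but attachment lures are easy"),
    "26921": ("XP SP2 EOL", "critical", "unsupported OS: no more security patches"),
}
LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # Nessus severity scale

# Constructed sample report (made-up hosts); 10107 is an unrelated, non-July plugin
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="july-2010-constructed">
  <ReportHost name="10.0.0.5">
   <HostProperties>
    <tag name="operating-system">Microsoft Windows XP Service Pack 2</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="47710" pluginName="MS10-042" pluginFamily="Windows : Microsoft Bulletins"/>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
               pluginID="46313" pluginName="MS10-045" pluginFamily="Windows : Microsoft Bulletins"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
               pluginID="26921" pluginName="Windows Service Pack Out of Date" pluginFamily="Windows"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <HostProperties>
    <tag name="operating-system">Microsoft Windows 7 Enterprise</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="47712" pluginName="MS10-044" pluginFamily="Windows : Microsoft Bulletins"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
               pluginID="10107" pluginName="HTTP Server Type and Version" pluginFamily="Web Servers"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def triage(nessus_xml):
    """Return {host: {"os", "worst", "findings"}} for hosts hit by a JULY_2010
    plugin. Each finding keeps the scanner's severity next to ours, so the
    'escalated' flag shows where the worst-case reading raises the priority."""
    root = ET.fromstring(nessus_xml)
    report = {}
    for host in root.iter("ReportHost"):
        os_tag = host.find("HostProperties/tag[@name='operating-system']")
        findings = []
        for item in host.findall("ReportItem"):
            pid = item.get("pluginID")
            if pid not in JULY_2010:
                continue
            bulletin, ours, why = JULY_2010[pid]
            scanner = int(item.get("severity", "0"))
            findings.append({
                "bulletin": bulletin, "plugin": pid,
                "nessus_severity": scanner, "our_level": LEVEL[ours],
                "escalated": LEVEL[ours] > scanner, "why": why,
            })
        if findings:
            findings.sort(key=lambda f: (-f["our_level"], f["bulletin"]))
            report[host.get("name")] = {
                "os": os_tag.text if os_tag is not None else "unknown",
                "worst": findings[0]["our_level"],
                "findings": findings,
            }
    return report


if __name__ == "__main__":
    for name, info in triage(SAMPLE_NESSUS).items():
        print(f"{name} ({info['os']}) worst={info['worst']}")
        for f in info["findings"]:
            flag = " ESCALATED" if f["escalated"] else ""
            print(f"  {f['bulletin']:<11} plugin {f['plugin']} nessus={f['nessus_severity']} "
                  f"ours={f['our_level']}{flag}: {f['why']}")
```

Point it at a real export with `triage(open("scan.nessus").read())`; hosts that also trip plugin 26921 should go to the top of the list regardless of what else they are missing, since there is no patch coming for them.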
- Microsoft Security Bulletin Summary for July 2010
- OSVDB Microsoft Bulletins - Complete Reference
- Microsoft Patch Tuesday - June 2010 - “Everything is Vulnerable” Edition
- Microsoft Patch Tuesday - May 2010 - Language Barrier Edition
- Microsoft Patch Tuesday - April 2010 - Superman Edition
- Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition
- Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition
- Microsoft Patch Tuesday - January 2010 - "Aged Cheese" Edition