"One, two, attackers are coming for you…"
In yet another record-setting Patch Tuesday, Microsoft has provided fixes for 81 vulnerabilities covering just about every supported Microsoft product. No matter how you slice or dice it, patches will need to be distributed throughout your environment on a large scale. There are several articles available to help you prioritize the installation of these patches. The matrix of which patches are important and the mitigating factors is simply dizzying and confusing. The Microsoft Research & Defense blog put up a post that details some of the attack vectors for each vulnerability and information about the mitigations. The blog tries to paint a prettier picture, but in the end, it’s an all-out bloodbath of vulnerabilities, exploits and patches.
"Three, four, better lock your door."
With so many vulnerabilities being patched this month, the need for a solid patch management program is clear. This means:
- Having a process to identify and review the patches and vulnerabilities affecting your environment. There are a few ways to accomplish this; however, OSVDB has a nice free service that allows you to choose which software or vendors you are interested in and sends you information on only those vulnerabilities.
- Working with your systems administrators to implement your process and procedures for applying patches throughout your environment. This means working out appropriate times to install patches and reboot systems so the patches take effect. It also means that you need to work with systems administrators to prioritize which patches are applied first. I wouldn't focus too much on this activity as the patches all need to get installed at some point and the longer you drag out the process the more vulnerable you are to attacks.
- The final stage is to constantly monitor your environment for missing patches. The process of installing patches is "messy" and your environment is dynamic (machines are constantly moving around, going off the network and coming back on). Processes need to be in place to check the patch level of all systems and (most importantly) put that information in the hands of people who can apply the patches.
To further aid in your efforts to evaluate the dangers of the Microsoft Patch Tuesday mayhem, Tenable's Research team has published plugins for each of the security bulletins issued this month:
- MS10-071 - Nessus Plugin ID 49948 (Credentialed Check) - 10, count them, 10 vulnerabilities in Internet Explorer versions 6, 7 and 8 on just about every platform.
- MS10-072 - Nessus Plugin ID 49949 (Credentialed Check) - This one is a bit misleading as it allows for cross-site scripting (XSS) attacks in Microsoft SharePoint. However, the title refers to it as "HTML Sanitization". Organizations need to run through the scenarios as to how an XSS vulnerability in SharePoint could affect them and lead to access to sensitive information that would typically be stored in SharePoint.
- MS10-073 - Nessus Plugin ID 49950 (Credentialed Check) - Organizations need to pay close attention to privilege escalation exploits as it’s the difference between an attacker installing a keystroke logger or not. There are three privilege escalation vulnerabilities patched in this bulletin, including CVE-2010-2743, which was used by the Stuxnet malware.
- MS10-074 - Nessus Plugin ID 49951 (Credentialed Check) - A buffer overflow in the MFC libraries.
- MS10-075 - Nessus Plugin ID 49952 (Credentialed Check) - "However, Internet access to home media is disabled by default." Any time a vendor comes out and says, "This service is not typically exposed to the Internet", they can usually be proven wrong once someone scans the Internet for the affected port. Apple has also had problems with RTSP in its QuickTime product.
- MS10-076 - Nessus Plugin ID 49953 (Credentialed Check) - A vulnerability in the embedded TrueType font that was originally disclosed to TippingPoint via the Zero Day Initiative (ZDI) program on June 23, 2010.
- MS10-077 - Nessus Plugin ID 49954 (Credentialed Check) - I agree with the SANS ISC on this one: patch now! Both servers running IIS and clients (via a web browser) could fall victim to this vulnerability.
- MS10-078 - Nessus Plugin ID 49955 (Credentialed Check) - More font vulnerabilities.
- MS10-079 - Nessus Plugin ID 49956 (Credentialed Check) - Fixes 11 vulnerabilities in Microsoft Word.
- MS10-080 - Nessus Plugin ID 49957 (Credentialed Check) - Fixes 13 vulnerabilities in Microsoft Excel.
- MS10-081 - Nessus Plugin ID 49958 (Credentialed Check) - Heap overflow in the Comctl32 library that can be exploited if a user visits a web page containing the exploit code.
- MS10-082 - Nessus Plugin ID 49959 (Credentialed Check) - A vulnerability in Windows Media Player affecting Windows XP/Vista, Windows 7, and Windows Server 2003/2008. Since Windows Media Player contains vulnerabilities, why not just remove it from your systems? I did a little research and found it’s not too easy. In fact, Microsoft offers two methods of removal and the first method states "If Windows Media Player 11 is not removed, try Method 2." This does not inspire confidence in Method 1.
- MS10-083 - Nessus Plugin ID 49960 (Credentialed Check) - Fixes a vulnerability in Wordpad and the Windows shell that allows remote code execution. All a user has to do is open a shortcut file when accessing a file or WebDAV share (or WordPad document) to become compromised. Any time a remote exploit can spread by living on network shares, the chances for propagation are much greater.
- MS10-084 - Nessus Plugin ID 49961 (Credentialed Check) - A stack-based buffer overflow in the Remote Procedure Call Subsystem (RPCSS) allowing for local privilege escalation.
- MS10-085 - Nessus Plugin ID 49962 (Credentialed Check) - Denial of service vulnerability in IIS web servers running SSL. Don't worry though, "By default, IIS is not configured to host SSL Web sites." Good thing it’s not common for web sites to use SSL… oh, wait…
- MS10-086 - Nessus Plugin ID 49963 (Credentialed Check) - A vulnerability in the disk clustering services creates backup volumes that allow everyone to read, edit or delete files. This could leave the door wide open to attackers or insiders looking for information that has been protected by file system permissions.
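The monitoring step of the patch management process above (check every system's patch level and get the results to the people who can act on them) and the plugin table just listed come together in a small triage script. This is an added example, not Tenable's or Microsoft's code: it assumes the credentialed-check findings have already been exported as (host, plugin ID, last-seen timestamp) records, and the sample records, host names and owner mapping are constructed. The plugin-to-bulletin table is the one from this post. The one point worth noticing is the stale-host handling: a machine that has not been seen since before Patch Tuesday has no findings, which means its state is unknown, not that it is patched.

```python
"""Patch-compliance triage over exported credentialed-scan findings.

Added example (not Tenable's or Microsoft's code). Assumes findings were
exported as (host, plugin_id, last_seen_iso) tuples; sample data below is
constructed. Plugin IDs and bulletin IDs are the ones listed in the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Nessus plugin IDs for the October 2010 bulletins, as listed in the post.
PLUGIN_TO_BULLETIN = {
    49948: "MS10-071", 49949: "MS10-072", 49950: "MS10-073", 49951: "MS10-074",
    49952: "MS10-075", 49953: "MS10-076", 49954: "MS10-077", 49955: "MS10-078",
    49956: "MS10-079", 49957: "MS10-080", 49958: "MS10-081", 49959: "MS10-082",
    49960: "MS10-083", 49961: "MS10-084", 49962: "MS10-085", 49963: "MS10-086",
}

# Constructed sample findings. A plugin firing on a host means the
# credentialed check found that bulletin's patch missing there.
SAMPLE_FINDINGS = [
    ("ws-01", 49948, "2010-10-13T08:00:00"),
    ("ws-01", 49954, "2010-10-13T08:00:00"),
    ("ws-01", 49960, "2010-10-13T08:00:00"),
    ("ws-02", 49950, "2010-10-13T08:05:00"),
    ("ws-02", 12345, "2010-10-13T08:05:00"),   # unrelated plugin, not in the table
    ("srv-01", 12345, "2010-10-01T02:00:00"),  # last seen before Patch Tuesday
]

# Constructed host-to-owner mapping: who actually applies the patches.
HOST_OWNERS = {"ws-01": "desktop-team", "ws-02": "desktop-team", "srv-01": "server-team"}


def missing_bulletins(findings):
    """Group the bulletins each host is missing, ignoring plugins outside the table."""
    missing = defaultdict(set)
    for host, plugin_id, _ in findings:
        bulletin = PLUGIN_TO_BULLETIN.get(plugin_id)
        if bulletin:
            missing[host].add(bulletin)
    return {host: sorted(bulletins) for host, bulletins in missing.items()}


def stale_hosts(findings, as_of_iso, max_age_days=7):
    """Hosts whose newest record is older than max_age_days.

    Such hosts have not been checked since before the patches shipped, so an
    absence of findings says nothing about their patch level.
    """
    newest = {}
    for host, _, seen in findings:
        ts = datetime.fromisoformat(seen)
        if host not in newest or ts > newest[host]:
            newest[host] = ts
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=max_age_days)
    return sorted(host for host, ts in newest.items() if ts < cutoff)


def work_items(findings, owners, as_of_iso):
    """Per-owner work list: missing bulletins per host, plus hosts needing a rescan.

    "RESCAN" is a marker used by this example, not a Nessus or Microsoft term.
    """
    items = defaultdict(dict)
    for host, bulletins in missing_bulletins(findings).items():
        items[owners.get(host, "unassigned")][host] = bulletins
    for host in stale_hosts(findings, as_of_iso):
        items[owners.get(host, "unassigned")].setdefault(host, ["RESCAN"])
    return dict(items)


if __name__ == "__main__":
    for owner, hosts in work_items(SAMPLE_FINDINGS, HOST_OWNERS, "2010-10-13T12:00:00").items():
        print(owner)
        for host, todo in sorted(hosts.items()):
            print(f"  {host}: {', '.join(todo)}")
```

Run as-is it prints the desktop team's two hosts with their missing bulletins and the server team's srv-01 flagged for a rescan; in practice the findings list would come from the scanner export and the owner mapping from the CMDB, and the output would go to the ticketing system rather than stdout.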
- Assessing the risk of the October security updates
- Microsoft Security Bulletin Summary for October 2010
- OSVDB Microsoft Bulletins - Complete Reference
- Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition
- Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition
- Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick" Edition
- Microsoft Patch Tuesday Roundup - June 2010 - "Everything is Vulnerable" Edition
- Microsoft Patch Tuesday Roundup - May 2010 - "Language Barrier" Edition
- Microsoft Patch Tuesday Roundup - April 2010 - "Superman" Edition
- Microsoft Patch Tuesday Roundup - March 2010 - "It Won't Happen To Me" Edition
- Microsoft Patch Tuesday Roundup - February 2010 - "From Microsoft with Love" Edition
- Microsoft Patch Tuesday Roundup - January 2010 - "Aged Cheese" Edition