
Microsoft "Patch Tuesday" - The Aftermath

Black Tuesday

This month Microsoft released 13 new security advisories. While 13 sounds like a moderate number, digging into each advisory reveals that each one actually patches multiple vulnerabilities, bringing the grand total to 34 individual vulnerabilities. Couple that with the recent Adobe announcements disclosing 29 vulnerabilities in the Adobe Reader product, and the release of the associated patches, and administrators have their work cut out for them (note that Nessus plugins have been released to detect these vulnerabilities; refer to plugin IDs 42119 and 42120). Assessing the risk to your organization when there are this many patches in common software can be a daunting task, but an important one. While both Microsoft and Adobe attach a severity rating to each advisory, organizations need to evaluate the risk each vulnerability poses to their specific environment and implement a patching cycle that is most effective at reducing risk for them. For example, the Microsoft IIS FTP server remote exploit vulnerability has a "critical" rating, but if you are already implementing mitigating factors, or are not running IIS on mission-critical systems, then you will want to focus your efforts on getting other patches tested and installed first.


"Remote Code Execution"

Microsoft tends to lump two types of remote code execution vulnerabilities together: those that do not require action on the user's part and those that do. For example, a vulnerability that can be triggered by traffic sent to a system without any action by a user (such as the IIS FTP vulnerability) is deemed remote code execution. However, a vulnerability whose exploitation requires a user to visit a web page or open a crafted document is also deemed a remote code execution vulnerability. Realize that there is a difference between the two and be certain to prioritize your patch testing and installation accordingly.

Another interesting quote from the advisories is: "In all cases, however, an attacker would have no way to force users to visit these Web sites." This is a mitigating factor that only applies to targeted attacks. In reality, attackers rely on the fact that most people browse the web and visit several different web sites per day. The attackers' strategy is simply to "go fishing" and try to catch as many "fish" as possible. If they can get a banner ad on a popular site, they will use it as a mechanism to compromise systems and come back later to see what they "caught". Most likely the victim system in this scenario will become part of a botnet.

Patching & Verification

In the coming weeks, organizations will be spending a considerable amount of time testing and applying all these new Microsoft and Adobe patches. Tenable's Nessus vulnerability scanner can be used with and without credentials to scan both the network and systems to verify that the patches have been applied and that any required actions (such as a reboot) have been performed to put them into effect. Following is a breakdown of the patches that have been released by Microsoft in the latest "Patch Tuesday" set and the associated Nessus plugins:
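One way to track the verification step described above is to post-process a Nessus export and list which hosts still report the patch-audit plugins you care about. The script below is an added example, not Tenable's code: it parses the `.nessus` v2 XML layout (`ReportHost`, `ReportItem`, `pluginID`, `severity`, `plugin_output` are the real export element and attribute names), using the Adobe Reader plugin IDs 42119 and 42120 named in this post as the watch list. The report it parses is constructed inline; the host addresses and plugin output are made up for the example, and the watch list is meant to be extended with the Microsoft bulletin plugin IDs from your own feed.

```python
"""Summarise a Nessus (.nessus v2 XML) export for patch verification.

Added example, not Tenable's code. Lists, per watched plugin, the hosts on
which the finding still fires after patching, and the hosts that come back
clean. Sample export below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Plugin IDs named in the post for the Adobe Reader advisories. Extend this
# map with the Microsoft bulletin plugins from your own Nessus feed.
WATCHED_PLUGINS = {
    "42119": "Adobe Reader patch audit (plugin 42119)",
    "42120": "Adobe Reader patch audit (plugin 42120)",
}

# Constructed sample export in the .nessus v2 layout: three Windows hosts, two
# of which still show Adobe Reader findings after the patch cycle. Plugin
# 19506 is the real "Nessus Scan Information" plugin, included as an
# informational (severity 0) finding that must not count as a missing patch.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Patch verification">
    <ReportHost name="10.0.0.5">
      <HostProperties><tag name="host-fqdn">ws05.corp.example</tag></HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="42119" pluginName="Adobe Reader check" pluginFamily="Windows">
        <plugin_output>Installed version : 9.1.3
Fixed version     : 9.2</plugin_output>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="42120" pluginName="Adobe Reader check" pluginFamily="Windows">
        <plugin_output>Installed version : 9.1.3
Fixed version     : 9.2</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <plugin_output>Credentialed checks : yes</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="42119" pluginName="Adobe Reader check" pluginFamily="Windows">
        <plugin_output>Installed version : 8.1.6
Fixed version     : 8.1.7</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml):
    """Return {host: [(plugin_id, severity, plugin_output), ...]} for every
    ReportHost in the export, including hosts with only informational items."""
    root = ET.fromstring(nessus_xml)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        name = host.get("name")
        findings[name]  # register the host even if it has no ReportItems
        for item in host.iter("ReportItem"):
            output = item.findtext("plugin_output", default="").strip()
            findings[name].append(
                (item.get("pluginID"), int(item.get("severity", "0")), output)
            )
    return dict(findings)


def hosts_missing_patches(nessus_xml, watched=WATCHED_PLUGINS, min_severity=1):
    """Map each watched plugin ID to the sorted hosts on which it still fires.
    Informational (severity 0) hits are ignored so a scan-metadata plugin does
    not masquerade as a missing patch."""
    missing = {pid: set() for pid in watched}
    for host, items in parse_findings(nessus_xml).items():
        for pid, sev, _output in items:
            if pid in watched and sev >= min_severity:
                missing[pid].add(host)
    return {pid: sorted(hosts) for pid, hosts in missing.items()}


def clean_hosts(nessus_xml, watched=WATCHED_PLUGINS):
    """Scanned hosts that report none of the watched plugins (patch verified)."""
    all_hosts = set(parse_findings(nessus_xml))
    dirty = {h for hosts in hosts_missing_patches(nessus_xml, watched).values()
             for h in hosts}
    return sorted(all_hosts - dirty)


def report(nessus_xml, watched=WATCHED_PLUGINS):
    """Human-readable summary suitable for a patch-cycle status mail."""
    lines = []
    for pid, hosts in hosts_missing_patches(nessus_xml, watched).items():
        lines.append(f"{watched[pid]}: {len(hosts)} host(s) still vulnerable")
        lines.extend(f"    {h}" for h in hosts)
    lines.append("verified clean: " + (", ".join(clean_hosts(nessus_xml, watched)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NESSUS))
```

Run the same script against two exports, one taken before the patch window and one after, and the difference in the `still vulnerable` lists is your verification evidence; a host that appears in the "after" list with a credentialed scan usually means the patch was installed but the reboot it needs has not happened yet, which is exactly the case the post warns about.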

Conclusion

Protecting your network and systems from vulnerabilities should be part of your normal, everyday IT operations. While this is not an easy task, especially for large organizations with several applications to regression test, it is extremely important. Attackers may very well be exploiting the vulnerabilities you are attempting to patch. Tenable's Nessus vulnerability scanner can help organizations ensure that patches have been applied properly and identify new machines that are missing patches. For most vulnerability tests, Nessus will need credentials; however, there are two remotely exploitable vulnerabilities that Nessus can reliably check for without credentials.
