Facepalm: Microsoft (sort of) sends patches via e-mail

In general, I think most companies are doing better in security than before.  They at least are admitting that they have to pay attention to it, and Microsoft has made huge changes in its programming and business practices that have made it far more difficult to break into systems than it used to be.  But there’s still room for improvement, and it’s a change that needs to happen sooner rather than later because it’s undermining a key aspect of user security awareness.


Microsoft Patch Overview for February 2013

These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future.  I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!”  But if none of the following makes sense to you, that’s probably a good path to follow just in case.

Notes and Observations

  • Twelve bulletins were released covering 57 vulnerabilities.
  • This isn’t quite as bad as it sounds (but you should still patch them all).  One of the bulletins, MS13-009, addresses more than a dozen vulnerabilities in Internet Explorer and should be patched pretty much immediately.  Another, MS13-016, addresses 30 in the kernel-mode driver, but these are tricky race conditions that allow privilege escalation and don’t worry me all that much.
  • However, MS13-010 is being used to some extent in the wild.  There is a component of the vulnerability that can be used for information disclosure.  This may be why Microsoft issued two patches for IE instead of one.  If you can’t install -009, at least install -010.
  • The apparent focus du jour for vulnerability researchers is the Use After Free vulnerability.  I’ll admit that I’m not up to date on this particular one, but I’ll see what I can come up with in the near future.
  • There’s a patch for an Exchange Server vulnerability that involves viewing Paradox database files in Outlook Web Access.  I haven’t seen mention of Paradox in years.  But I mention this not just for the historical oddity.  There really is the ability to view such files, and Microsoft admits that it’s not documented.  Be aware of this not just with Microsoft, but with other companies that can read many file formats.  They have to have parsers, and they’re often not as good as the original vendor’s (and some of them aren’t that good, either).
  • Nevertheless, I grouped it as one of two items to patch sometime in the next 90 days.  I’m really not that concerned that someone is going to try to craft a Paradox DB file for this when there are better ways to attack the user.  The other one I’m not worried about is a Network File System (NFS) issue since almost no one uses it in this context.


Microsoft Patch Overview for January 2013

This is based on something that I used to do for a former workplace, usually on patch release day. Patch release day is the second Tuesday of each month, also known as Black Tuesday, especially since other companies have taken to releasing on the same day. It’s not uncommon to see Adobe release Flash and Reader updates on the same day.


Updated 14 Jan 2013 at 17:15 CST: Microsoft released MS13-008 today to address a flaw in Internet Explorer.  The post has been updated to address that.

Notes and Observations

  • Seven bulletins were released covering 12 vulnerabilities. One of the bulletins, MS13-002, has numerous patches depending on the version(s) of XML Core Services installed on a system.
  • The first bulletin, MS13-001, is a print spooler vulnerability that allows code to run as SYSTEM. Print spoolers have been prime targets in the past. This should be a priority for patching on all of your systems.
  • An additional patch, MS13-008, for Internet Explorer 6, 7, and 8 was released out-of-band on 14 January 2013.  It addresses a vulnerability that is currently and widely being exploited by attackers.  This should be a priority for patching.
  • The patch for MS13-007 appears to simply change a default setting. This strikes me as a problem because it might be turned back on by someone who may or may not know of the potential consequences, or by someone who has an ulterior motive. Troubleshooting may become difficult at that point if it’s enabled to set up a denial of service condition: a check of the box will show that the system is completely patched, but it is still experiencing resource exhaustion. This seems to me more a band-aid than a patch.
  • There was no Internet Explorer patch in the regular release this month. The vulnerability affecting Internet Explorer 6, 7, and 8 that was discovered and publicized at the end of December was still not formally patched on release day, exploit code is public, and its use has been seen in the wild. Microsoft has published a “one-click” fix for it, but it has to be applied separately from automatic patch downloads.
    • Advice for enterprise users: If possible, make sure that you have something newer than IE8. This isn’t always possible either because you’re on Windows XP or you have software that doesn’t work with anything newer. You also may not be able to use an alternate browser. In this case, look into rolling out the fix above or installing the Enhanced Mitigation Experience Toolkit (EMET). The benefit of EMET is that it works against a wide variety of attacks for which there may be no fix. Support is limited and it’s not perfect, but it can help in some cases before the attack is even known.
    • Advice for home users: Make sure you have the newest available version of Internet Explorer. For Windows XP, this is IE8. For Vista and 7, this is IE9. For Windows 8 and RT, this is IE10. If you have Windows XP, try to use a different browser (Firefox, Chrome, Opera, or Safari) if at all possible. Installing EMET probably wouldn’t hurt, either.
  • Of the five patches that affect a swath of Windows products, only two of them affect Windows XP. I’m not sure if this is just an oddity or a sign that XP’s code has reached a new maturity level. I suspect it’s the former, but it will still be interesting to watch.
  • Microsoft finished up last year with 83 bulletins. That sounds like a lot, but it’s better than the 100 published the year before and many of the 2012 bulletins were variations on a library load path vulnerability. They started last year with seven bulletins, the same as this year. Maybe this year will see a continued decline.

Chart Guidance

  • Enterprise Severity denotes the timetable in which I believe enterprises should try to patch the affected vulnerabilities and may differ from Microsoft’s severity decision. Differences are usually based on historic targeting habits of attackers who go after certain vulnerabilities (SMB, RDP, print spoolers) more often. The need for effective patch review is not removed, of course, and different businesses have different needs. In some cases, there may be mitigating factors that may allow a somewhat more relaxed timetable. Nevertheless, those rated with a severity of 1: Critical should be considered to be priority in almost any environment.
    • Enterprise Severity Levels:
      1. Critical: Currently being exploited, publicly available exploit code, and/or likely to be easily exploitable in the very near future. Patch within 7 days.
      2. High: Not known to be public or public with strong mitigating factors. Patch within 30 days.
      3. Low: Not known to be public and not likely to be a reliable exploit. Patch on next scheduled update cycle or within 90 days.
  • Home Severity is not included because it is almost always the same: patch it as soon as it’s released! It’s extremely rare for a patch to break things (only one patch that I can think of was re-released last year for breaking something, and even then it affected a minority of users), so it’s best to just install every patch as it’s released.
  • Patches are almost always published right around 10:00 Pacific Time on the second Tuesday of each month. Occasional out-of-band patches are also published, but these are uncommon and address vulnerabilities known to be widely exploited.
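The release-day and patch-window rules above are easy to turn into a small tracking script. The following is an added example (my own code, not the author’s): it computes the second Tuesday of a month, attaches the author’s Enterprise Severity windows (7/30/90 days) to each bulletin, and reports which bulletins are overdue on a given date. The bulletin list and severity ratings are taken from the January 2013 overview on this page; the out-of-band date for MS13-008 is the 14 January date noted above. The function and class names are this example’s own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch window per Enterprise Severity level, from the Chart Guidance above.
PATCH_WINDOW_DAYS = {1: 7, 2: 30, 3: 90}


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's regular bulletin release day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, Tuesday == 1
    offset_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=offset_to_first_tuesday + 7)


def _as_date(value) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    enterprise_severity: int  # 1 Critical, 2 High, 3 Low (the author's rating)
    released: date            # regular-cycle or out-of-band release date

    @property
    def due(self) -> date:
        """Last day of the patch window for this bulletin."""
        return self.released + timedelta(days=PATCH_WINDOW_DAYS[self.enterprise_severity])


def schedule(bulletins, today):
    """Return (bulletin_id, due_date_iso, days_left) tuples, most urgent first.

    A negative days_left means the window closed before `today`.
    """
    today = _as_date(today)
    rows = [(b.bulletin_id, b.due.isoformat(), (b.due - today).days) for b in bulletins]
    return sorted(rows, key=lambda row: row[1])


def overdue(bulletins, today):
    """Bulletin IDs whose patch window has already closed on `today`."""
    today = _as_date(today)
    return [b.bulletin_id for b in bulletins if b.due < today]


# Constructed from the January 2013 table on this page (author's ratings).
JAN_2013_RELEASE = patch_tuesday(2013, 1)      # regular release day
MS13_008_OOB_RELEASE = date(2013, 1, 14)       # out-of-band date noted above
JANUARY_2013_BULLETINS = [
    Bulletin("MS13-001", 1, JAN_2013_RELEASE),
    Bulletin("MS13-002", 2, JAN_2013_RELEASE),
    Bulletin("MS13-003", 2, JAN_2013_RELEASE),
    Bulletin("MS13-004", 2, JAN_2013_RELEASE),
    Bulletin("MS13-005", 2, JAN_2013_RELEASE),
    Bulletin("MS13-006", 3, JAN_2013_RELEASE),
    Bulletin("MS13-007", 3, JAN_2013_RELEASE),
    Bulletin("MS13-008", 1, MS13_008_OOB_RELEASE),
]

if __name__ == "__main__":
    as_of = "2013-01-16"  # constructed check date, a week after release day
    for bulletin_id, due, days_left in schedule(JANUARY_2013_BULLETINS, as_of):
        print(f"{bulletin_id}: patch by {due} ({days_left:+d} days)")
    print("overdue:", overdue(JANUARY_2013_BULLETINS, as_of))
```

Run as a script it prints the January schedule and flags MS13-001 as overdue on 16 January; swapping in the current month’s bulletins and the author’s rating for each is all that is needed to reuse it for a later cycle.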

January 2013 Microsoft Security Bulletin Overview

Each entry gives the bulletin ID and title, the affected products, Microsoft’s severity and impact, the Exploitability Index (EI), notes, and my Enterprise Severity with its patch window.

MS13-001: Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution
  • Affected products: Windows 7; Windows Server 2008 (Core affected)
  • Severity / impact: Critical / Remote Code Execution
  • EI: 1
  • Notes: Addresses 1 issue. Not known to be public. Flaw in handling specially-crafted print jobs; code executes with system privileges. Likely to be a target for potential attackers.
  • Enterprise Severity: 1: Critical. Patch within 7 days.

MS13-002: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
  • Affected products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2003, Windows Server 2008, Windows Server 2012 (Core affected); Office 2003, Office 2007, Office Compatibility Pack, Word Viewer; Expression Web; Groove Server 2007, SharePoint Server 2007
  • Severity / impact: Critical / Remote Code Execution
  • EI: 1
  • Notes: Addresses 2 issues. Not known to be public. Code executes with current user privileges.
  • Enterprise Severity: 2: High. Patch within 30 days.

MS13-003: Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege
  • Affected products: System Center Operations Manager 2007
  • Severity / impact: Important / Elevation of Privilege
  • EI: 1
  • Notes: Addresses 2 issues. Not known to be public. Reflected cross-site scripting (XSS) vulnerability in the SCOM Web Console allows an attacker to take action or retrieve information as the logged-in user.
  • Enterprise Severity: 2: High. Patch within 30 days.

MS13-004: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
  • Affected products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2003, Windows Server 2008, Windows Server 2012 (Core affected)
  • Severity / impact: Important / Elevation of Privilege
  • EI: 1
  • Notes: Addresses 4 issues. Not known to be public. An attacker could perform one of several actions against a system, including reading otherwise inaccessible memory contents or taking complete control of a system. This applies both to servers running a .NET web application and to clients using a browser to access that web application.
  • Enterprise Severity: 2: High. Patch within 30 days.

MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
  • Affected products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
  • Severity / impact: Important / Elevation of Privilege
  • EI: 1
  • Notes: Addresses 1 issue. Not known to be public. Code may be run at a higher privilege. An attack against an administrative user could take complete control of the system; an attack against a lower-privilege user could still gain privileges usually denied.
  • Enterprise Severity: 2: High. Patch within 30 days.

MS13-006: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass
  • Affected products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
  • Severity / impact: Important / Security Feature Bypass
  • EI: N/A
  • Notes: Addresses 1 issue. Not known to be public. A man-in-the-middle attacker can force a silent downgrade of encrypted traffic to SSLv2, which may allow the use of weak, breakable ciphers.
  • Enterprise Severity: 3: Low. Patch on next cycle or within 90 days.

MS13-007: Vulnerability in Open Data Protocol Could Allow Denial of Service
  • Affected products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
  • Severity / impact: Important / Elevation of Privilege
  • EI: 3
  • Notes: Addresses 1 issue. Not known to be public. Using a few specially-crafted HTTP requests, an attacker can trigger replication of data and exhaust system resources, causing a denial of service. The patch disables WCF Replace by default; it can still be enabled even with this patch installed.
  • Enterprise Severity: 3: Low. Patch on next cycle or within 90 days.

MS13-008: Security Update for Internet Explorer
  • Affected products: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8
  • Severity / impact: Critical / Remote Code Execution
  • EI: 1
  • Notes: Addresses 1 issue. Known to be public and currently and widely exploited. Code executes with current user privileges.
  • Enterprise Severity: 1: Critical. Patch within 7 days.

Exploitability Index (EI):
  1. Consistent exploit code likely
  2. Inconsistent exploit code likely
  3. Functioning exploit code unlikely

For a bulletin that covers several issues, the EI shown is the highest exploitability among them.

Critical Java update released: To update or uninstall? That is the question…

Today, Oracle released an update for Java 7 that addresses a security flaw found a few days ago and which is currently being exploited.  Those who have Java installed and need it should update to it by going to www.java.com and installing it from there.

This is the fourth major security fix release in the last five months for Java 7.  This latest fix addresses a flaw that exists all the way back into Java 6 and possibly earlier.  This and other problems have led many security experts to call for Java to be simply removed from everything that you run.

It’s not that simple.
