Microsoft Patch Tuesday - January 2010 - "Aged Cheese" Edition

Stinky, Aged Operating System?

It’s that time of the month again - Microsoft patch Tuesday of course! This month I expected to research several different vulnerabilities, how they work, methods to detect them, etc. However, Microsoft is only patching one vulnerability this month. I can’t believe there is only one vulnerability this month! In any case, this month's vulnerability occurs in the way applications handle Embedded OpenType fonts. I was a bit puzzled as to why so much effort was going into font rendering until I discovered that it is common for web sites to implement different languages and have them display correctly to the end user (primarily for “non-English” languages). The vulnerability is triggered when a user renders fonts on a web page or by opening a Microsoft Office document that contains embedded fonts. An interesting fact about this bulletin (which only covers one CVE entry, CVE-2010-0018) is:

"This security update is rated Critical for Microsoft Windows 2000, and is rated Low for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2."

How many people are still using Windows 2000? It’s an interesting question, and very tough to estimate. Personally, I have seen a few Windows 2000 systems on every network that I have encountered. Without fail, they are running unpatched versions to support older hardware and software that would break if new patches were installed. However, this is a limited view of the Windows 2000 landscape. For a more complete picture, I turned to the new search engine called "Shodan". Shodan is a computer search engine that allows you to find systems running particular services exposed to the Internet. To find exposed Windows 2000 systems we can key in on the IIS banner and enter the search string "Microsoft\/5.0". IIS 5.0 will only run on Windows 2000 systems, so fingerprinting the web server in this case gives us some indication that it is Windows 2000 (banners could be changed by the end user and skew the results). Furthermore, the numbers below are according to Shodan, which does not provide a complete picture of the Internet. The results are still quite interesting as Shodan found the following systems running IIS/5.0 (and likely Windows 2000 as a base operating system):

• United States: 153,553
• Germany: 18,001
• Canada: 13,484
• China: 9,565

The grand total is 280,309 systems are running Windows 2000! It seems that operating systems get old, but never seem to die. Therefore, it’s critical to identify them in your environment, include them in your patch management system and have a plan to replace them with newer operating systems as they become available.

Patch Tuesday Breakdown and Thoughts

This month there is only one plugin to cover the one vulnerability patched by Microsoft:

• MS10-001 - Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution - Nessus Plugin ID 43865 (Credentialed Check) - Nessus contains a plugin to check for this vulnerability when scanning a host using credentials.

I also recommend the following plugins to detect unsupported operating systems (Windows 2000 is still supported, but is one of the older Microsoft operating systems to carry the "supported" tag):

• Plugin 12521 - MacOS X Version Unsupported (Local)
• Plugin 19699 - Windows NT 4.0 Unsupported Installation Detection
• Plugin 21626 - Windows 95/98/ME Unsupported Installation Detection
• Plugin 22313 - Microsoft Exchange Server Unsupported Version Detection
• Plugin 33850 - Unsupported Linux / Unix Operating System

Running these plugins against your entire network (all IP addresses without exclusions) may yield some interesting results and detect systems and devices that you never knew existed on the network.