Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition
This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not by third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help evaluate your own prioritization efforts. Microsoft's own bulletins still do not explore the various aspects of each vulnerability and, in particular, do not always state whether or not a vulnerability can be exploited.
The "Mitigating Factors"
In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:
"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."
I don't like to point fingers or call people out, but Microsoft's statement is not true. The claim that an attacker "must have" valid logon credentials is concerning. "Having" logon credentials implies possessing them the way you possess a pen or a mouse, and the attacker does not need that. An attacker can certainly convince an already logged-in user to execute the code that performs the privilege escalation. In this scenario the attacker does not "have" the logon credentials; they are able to execute code as a non-privileged user, which is a completely different situation. The vulnerability can be exploited remotely, provided you have already exploited another vulnerability that grants you the ability to execute code as a non-privileged user. This is a very common attack pattern, as users can be tricked into running all sorts of programs, code from a web site, email attachments and more. Running as an administrator or with SYSTEM privileges then gives the attacker advantages such as accessing files, installing keystroke loggers and sniffing the network.
This one is the real kicker: In MS10-049, Microsoft lists the following in the "Mitigating Factors" section:
"Web sites that do not host content via SSL, but only serve content via HTTP (clear text) connections are not affected."
While it is true that this vulnerability does not affect HTTP connections, that is certainly NOT a mitigating factor, because the end result of the vulnerability is that the attacker can inject data into existing data streams, and plain HTTP already allows exactly that. A great example of this attack in action over HTTP is to use it on a wireless network with a tool called "Airpwn". Imagine being on a wireless network and loading malicious JavaScript into everyone's web browser, no matter which site they were connecting to. This is possible because, unless protections are built into the application, HTTP streams do not protect themselves from data injection.
Let’s put this in terms that everyone can understand:
A parachute manufacturer discloses that vulnerabilities exist in certain models and versions of the "Windows" parachute line. However, the manufacturer claims you are not vulnerable when jumping out of an airplane without a parachute.
Patched Quicker Than...
"Ten months after public disclosure the majority of the industry has a fix," said Marsh Ray, a software developer at two-factor authentication service [...] "I think it's about as good a time as any to declare victory on that project."
Source: Microsoft purges Windows of serious SSL vuln
Ten months to fix a hole in a major protocol such as SSL and we're partying like it's 1999? I think the attackers are the ones partying like it's 1999, exploiting the vulnerability while everyone else spins their wheels. Don't get me wrong, it's a major effort to fix bugs in a protocol, but I believe we need to set better goals and fix things much faster than 10 months.
Audit, Patch, Rinse, Repeat
To further aid in your efforts to evaluate the dangers of the Microsoft Patch Tuesday mayhem, Tenable's research team has published plugins for each of the security bulletins issued this month:
- MS10-047 - Nessus Plugin ID 48284 (Credentialed Check) - Windows kernel vulnerabilities lead to privilege escalation.
- MS10-048 - Nessus Plugin ID 48284 (Credentialed Check) - More privilege escalation vulnerabilities in the Windows kernel, specific to kernel-mode drivers. ImmunitySec has released an exploit for their CEU customers (Video).
- MS10-049 - Nessus Plugin ID 48286 (Credentialed Check) - This update fixes the issues in SSL referenced above, including the TLS/SSL Renegotiation Vulnerability disclosed in November 2009.
- MS10-050 - Nessus Plugin ID 48287 (Credentialed Check) - Movie Maker vulnerabilities that are exploitable when an end user opens a Movie Maker project file are fixed in this bulletin.
- MS10-051 - Nessus Plugin ID 48284 (Credentialed Check) - XML Core service vulnerability fixed: this is your standard browser-based exploit for select Windows operating systems using XML Core services 3.0.
- MS10-052 - Nessus Plugin ID 48289 (Credentialed Check) - Mpeg Layer-3 codec vulnerability affecting Windows XP and Windows Server 2003.
- MS10-053 - Nessus Plugin ID 48290 (Credentialed Check) - IE vulnerabilities including a cross-domain bug and several memory corruption vulnerabilities.
- MS10-054 - Nessus Plugin ID 48291 (Credentialed Check) - It never ceases to amaze me how vulnerabilities keep appearing in the SMB code-base. People are still finding remote code execution vulnerabilities in this service, which for internal networks can be a huge problem, as stated in the SC Magazine article quoted after this list.
- MS10-055 - Nessus Plugin ID 48292 (Credentialed Check) - Fixes a vulnerability in the Cinepak Codec, proving further that users should not trust media files as they could contain exploits and malicious payloads.
- MS10-056 - Nessus Plugin ID 48293 (Credentialed Check) - Fixes several issues with Microsoft Office, including vulnerabilities in RTF formatted documents. Expect to see attackers send RTF documents to your end users to exploit these flaws.
- MS10-057 - Nessus Plugin ID 48294 (Credentialed Check) - Stack-based buffer overflow in MS Office 2002 Excel. Found by Core Security. It’s interesting to see vulnerabilities in older Office products. Some may dismiss them and say, "Who is still running Office 2002 anyway?" The fact is that most people do not use 80% of the features in their Office suite, so what is the incentive to upgrade?
- MS10-058 - Nessus Plugin ID 48295 (Credentialed Check) - Fixes a DoS vulnerability in IPv6 and a local privilege escalation vulnerability (integer overflow) in the TCP/IP stack.
- MS10-059 - Nessus Plugin ID 48296 (Credentialed Check) - The Tracing service contains two vulnerabilities that have been fixed. I found it interesting that Microsoft states there was public disclosure of the vulnerability, yet I can find no "trace" of one.
- MS10-060 - Nessus Plugin ID 48297 (Credentialed Check) - Standard vulnerabilities that can be exploited when a user visits a web site. One vulnerability is associated with .NET, and the other with Silverlight.
"The SMB pool overflow vulnerability should be a real concern for enterprises," said Joshua Talbot, security intelligence manager at Symantec Security Response. "Not only does it give an attacker system-level access to a compromised SMB server, but the vulnerability occurs before authentication is required from computers contacting the server. This means any system allowing remote access and not protected by a firewall is at risk."
Source: Microsoft lists 4 of its record 14 patches as high priority
I believe this is correctly stated. Many may argue that since the SMB-related ports are not exposed to the Internet and Windows has a built-in firewall, this is not as large a problem as we think (although Fyodor presented data at Defcon 18 this year showing that SMB is in fact exposed to the Internet). In reality, exploiting this vulnerability on the internal network will likely lead to many computers being compromised, and we will likely see malware authors adopt exploits for this vulnerability in the near future if they can be executed reliably.
Resources
- Microsoft Security Bulletin Summary for August 2010
- OSVDB Microsoft Bulletins - Complete Reference
- Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"
- Microsoft Patch Tuesday - June 2010 - "Everything is Vulnerable" Edition
- Microsoft Patch Tuesday - May 2010 - Language Barrier Edition
- Microsoft Patch Tuesday - April 2010 - Superman Edition
- Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition
- Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition
- Microsoft Patch Tuesday - January 2010 - "Aged Cheese" Edition
Related Articles
- Patch Auditing