Microsoft "Patch Tuesday" - The Aftermath
Black Tuesday
This month Microsoft released 13 new security advisories. While 13 sounds like a moderate number, digging into each of the security advisories reveals that each one actually patches multiple vulnerabilities, bringing the grand total to 34 individual vulnerabilities. Couple that with the recent Adobe announcements disclosing 29 vulnerabilities in the Adobe Reader product, along with the release of the associated patches, and administrators have their work cut out for them (note that Nessus plugins have been released to detect these vulnerabilities; refer to plugin IDs 42119 and 42120). Assessing the risk for your organization when there are this many patches in common software can be a daunting task, but an important one. While both Microsoft and Adobe attach a severity rating to each advisory, organizations need to evaluate the risk each vulnerability poses to their specific environment and implement a patching cycle that is most effective at reducing risk for them. For example, the Microsoft IIS FTP server remote exploit vulnerability has a “critical” rating, but if you are already implementing mitigating factors, or are not running IIS on mission critical systems, then you will want to focus your efforts on getting other patches tested and installed first.
"Remote Code Execution"
Microsoft tends to lump two types of remote code execution vulnerabilities together: those that do not require action on the user’s part and those that do. For example, a vulnerability that can be exploited against a system without any action by a user (such as the IIS FTP vulnerability) is deemed remote code execution. However, a vulnerability that can only be exploited when a user visits a web page or opens a crafted document is also deemed a remote code execution vulnerability. Realize that there is a difference between the two and be certain to prioritize your patch installation and testing accordingly.
Another interesting quote from the advisories is: "In all cases, however, an attacker would have no way to force users to visit these Web sites." This is an interesting mitigating factor that only applies to targeted attacks. In reality, attackers are going to rely on the fact that most people browse the web and go to several different web sites per day. The attacker's strategy is to just "go fishing" and try to catch as many "fish" as possible. If they can get a banner ad on a popular site, they will use it as a mechanism to compromise systems and go back later to see what they "caught". Most likely the victim system in this scenario will become part of a botnet.
Patching & Verification
In the coming weeks, organizations will be spending a considerable amount of time testing and applying all these new Microsoft and Adobe patches. Tenable's Nessus vulnerability scanner can be used with and without credentials to scan both the network and systems to verify that the patches have been applied and that any required actions (such as a reboot) have been performed to put them into effect. Following is a breakdown of the patches that have been released by Microsoft in the latest "Patch Tuesday" set and the associated Nessus plugins:
- MS09-050 - Nessus Plugin ID 42106 (Credentialed Check) & Nessus Plugin ID 40877 (Uncredentialed Network Check, only applies to CVE-2009-3103) - Finally we get a patch for Windows Vista and Server 2008 systems that fixes a remotely exploitable flaw in the SMBv2 protocol. This vulnerability can be reliably exploited on 32-bit systems. In fact it was used in the Louisville Infosec CTF event by the winning team. Unfortunately, they accidentally compromised the event organizer's machine, who happened to be running Windows Vista and was plugged into the CTF network!
- MS09-051 - Nessus Plugin ID 42107 (Credentialed Check) - "Audio File Of Doom" - This gives new meaning to the term "Rick Roll" and is triggered when a user accesses certain audio files using Windows Media Player.
- MS09-052 - Nessus Plugin ID 42108 (Credentialed Check) - More Windows Media Player vulnerabilities, this one dealing with WMP files.
- MS09-053 - Nessus Plugin ID 42109 (Credentialed Check) & Nessus Plugin ID 40825 (Uncredentialed Check) - Microsoft IIS FTP server DoS and remote code execution vulnerability.
- MS09-054 - Nessus Plugin ID 42110 (Credentialed Check) - Four different "remote code" execution vulnerabilities in Internet Explorer in what looks to be most IE versions on most Windows platforms.
- MS09-055 - Nessus Plugin ID 42111 (Credentialed Check) - Specific ActiveX vulnerability that allows remote code execution.
- MS09-056 - Nessus Plugin ID 42112 (Credentialed Check) - Fixes the SSL NULL Byte attack discovered by both Moxie Marlinspike and Dan Kaminsky. The "Mitigating Factors" section reads: "Microsoft has not identified any mitigating factors for this vulnerability.", underscoring the immediate need for the availability of this patch.
- MS09-057 - Nessus Plugin ID 42113 (Credentialed Check) - A vulnerability in the indexing service ActiveX control, exploitable by visiting a web site.
- MS09-058 - Nessus Plugin ID 42114 (Credentialed Check) - If an attacker were to exploit any of the browser or ActiveX control vulnerabilities released this month and wants to elevate privileges on the machine, they can use one of two kernel vulnerabilities in MS09-058 to do it.
- MS09-059 - Nessus Plugin ID 42115 (Credentialed Check) - Denial of service vulnerability in the LSASS authentication process due to an integer overflow.
- MS09-060 - Nessus Plugin ID 42116 (Credentialed Check) - Microsoft Active Template Library (ATL) vulnerability which can be exploited through a web browser via an ActiveX control that is associated with MS Office products.
- MS09-061 - Nessus Plugin ID 42117 (Credentialed Check) - A vulnerability in .NET and Silverlight that allows remote code execution on clients visiting web sites and on IIS servers where an attacker can upload .NET programs and execute them.
- MS09-062 - Nessus Plugin ID 42118 (Credentialed Check) - This is one of the highest risk vulnerabilities announced this month by Microsoft. While there appears to be no exploit code known in the general community, this is still a dangerous situation since attackers could have developed code and kept it out of circulation. The vulnerability can be exploited when a vulnerable system renders an image file (PNG, TIFF and WMF are just a few of the formats). Given that most web sites contain pictures that are uploaded by users, this could be a commonly exploited vulnerability. Did you see my new profile picture? It’s a new one of me dressed up like an exploit, just in time for Halloween.
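The prioritization argued for above (flaws that need no user action first, mission critical hosts ahead of the rest) can be applied to scan results using the plugin IDs in this list. The following Python is an added example, not Tenable's code; the CSV column names, host addresses, critical-host list and trigger labels are assumptions constructed for illustration.

```python
import csv
import io

# Plugin ID -> (bulletin, trigger). IDs and bulletins are from the list in this
# post; the trigger labels are this example's reading of its descriptions:
#   network = no user action, user = user opens content or visits a site,
#   local   = needs an existing foothold, other = spoofing or denial of service.
PLUGINS = {
    42106: ("MS09-050", "network"), 40877: ("MS09-050", "network"),
    42109: ("MS09-053", "network"), 40825: ("MS09-053", "network"),
    42107: ("MS09-051", "user"), 42108: ("MS09-052", "user"),
    42110: ("MS09-054", "user"), 42111: ("MS09-055", "user"),
    42113: ("MS09-057", "user"), 42116: ("MS09-060", "user"),
    42117: ("MS09-061", "user"), 42118: ("MS09-062", "user"),
    42114: ("MS09-058", "local"),
    42112: ("MS09-056", "other"), 42115: ("MS09-059", "other"),
}
TRIGGER_RANK = {"network": 0, "user": 1, "local": 2, "other": 3}

# Constructed sample export: column names and hosts are assumptions.
SAMPLE_CSV = """Plugin ID,Host
42106,10.0.0.5
40877,10.0.0.5
42110,10.0.0.5
42118,10.0.0.21
42109,10.0.0.8
42114,10.0.0.21
19506,10.0.0.8
"""
# Constructed asset list: hosts the organization treats as mission critical.
CRITICAL_HOSTS = {"10.0.0.8"}


def patch_queue(report_csv, critical_hosts):
    """Return unique (host, bulletin, trigger) findings, most urgent first."""
    findings = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        plugin = PLUGINS.get(int(row["Plugin ID"]))
        if plugin:  # ignore plugins unrelated to this month's bulletins
            findings.add((row["Host"], *plugin))  # set merges duplicate checks
    return sorted(
        findings,
        key=lambda f: (TRIGGER_RANK[f[2]], f[0] not in critical_hosts, f[1], f[0]),
    )


if __name__ == "__main__":
    for host, bulletin, trigger in patch_queue(SAMPLE_CSV, CRITICAL_HOSTS):
        print(f"{bulletin}  {trigger:<8} {host}")
```

A host flagged by both the credentialed and the uncredentialed check for the same bulletin appears once in the queue.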
Conclusion
Protecting your network and systems from vulnerabilities should be part of your normal, everyday IT operations. While this is not an easy task, especially for large organizations with several applications to regression test, it is extremely important. Attackers may very well be exploiting the vulnerabilities you are attempting to patch. Tenable's Nessus vulnerability scanner can help organizations ensure that patches have been applied properly and identify new machines that are missing patches. For most vulnerability tests, Nessus will need credentials; however, there are two remotely exploitable vulnerabilities that Nessus can reliably check for without credentials.