Recently in Technology Category

June is a big month for Microsoft patches: there are 10 bulletins covering 34 vulnerabilities. Four bulletins address 0-day issues, the most significant being MS10-035, which fixes the 0-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the PWN2OWN vulnerability that security researcher Peter Vreugdenhil used to win ZDI's competition at CanSecWest; not a 0-day, but high profile as it bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods. MS10-039 addresses a second 0-day, the vulnerability in SharePoint described by Microsoft in KB983438. MS10-032 and MS10-041 are the additional updates that fix vulnerabilities that were previously disclosed.

The most critical bulletins this month are MS10-035 for Internet Explorer, MS10-033 for DirectShow, and MS10-038 for Excel in Microsoft Office. All versions of IE, including IE8, are affected by MS10-035. There are 6 vulnerabilities in the update, 2 of them critical, and it has an overall exploitability index of 1, indicating that an exploit is expected within 30 days. MS10-033 is a vulnerability in the MJPEG codec and affects a large number of Microsoft products, but its main attack vector is going to be media files delivered through the Internet to Windows Media Player or IE. Excel has 14 vulnerabilities covered by MS10-038, with 11 in Office XP and only 3 in the more recent versions (2003, 2007). These vulnerabilities can be used to trigger code execution when a malicious file is opened by the user. The new Office 2010, which is scheduled to be released later this month, is not affected by any of the vulnerabilities.

MS10-032 addresses a local escalation of privilege vulnerability. While it is not remotely exploitable through any Microsoft product, third-party applications could expose it and provide a remote attack possibility.

MS10-040 is a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.

In related news, Adobe, which published an advisory for a critical 0-day vulnerability in Flash and Reader on Friday, announced that they will provide patches on June 10th and June 29th, respectively, 2 dates that IT administrators should track closely as exploits for the vulnerability are widely available.

Microsoft released its June 2010 advance notification for next week's Patch Tuesday. We will see 10 security bulletins addressing a total of 34 vulnerabilities. Of the 10 bulletins, 3 are categorized as critical, allowing an attacker to take full control of the targeted machine, while the remaining 7 are ranked as important. The critical vulnerabilities affect all Windows OS versions (including Windows 7) and Internet Explorer; the important ones cover Windows and Office.

The June release is a large update and will keep system administrators busy, even if they have migrated to Windows 7 already (the end-of-life date for Windows XP SP2 is coming closer, and Windows 7 is certainly one of the options to migrate to).

Microsoft will also address 2 currently open vulnerabilities: one in SharePoint (detailed in advisory KB983438) and an information leakage in Internet Explorer, explained in advisory KB980088.

Some of the patches, including one of the critical ones, require a machine reboot after installation.

Microsoft's release for May 2010 contains 2 bulletins (MS10-030 and MS10-031) fixing 2 vulnerabilities, one of its low-impact releases. MS10-031 is for Microsoft Office and addresses a remote code execution vulnerability present in all versions: Office XP, 2003 and 2007. Its exploitability index is 2, so exploit code within the next 30 days is unlikely. Microsoft's blog post at the SRD goes into further detail on the difficulties in writing a working exploit. While the bulletin only carries a severity of "important", we consider it to be the more urgent of today's release.

The second bulletin, MS10-030, fixes a vulnerability in Windows Outlook Express and Windows Mail, both mail clients for the POP/IMAP protocols. The vulnerability allows remote code execution and is classified as "critical". Successful exploitation, however, is unlikely (exploitability index = 2) as it requires extensive user involvement, including setting up an e-mail account on a malicious server. We don't see Outlook Express/Windows Mail being used in the enterprise, but smaller businesses could be affected.

Microsoft did not address the recent SharePoint vulnerability (KB983438). We recommend looking into the advisory and implementing the suggested work-around, which restricts access to the Help functionality in SharePoint.

Oracle/Sun today released an update to Java that addresses the 0-day from last week.

Ryan Naraine at Threatpost has a good writeup and screenshots showing the blocking of the test URL that Tavis Ormandy included in his initial disclosure.

We recommend immediate installation, as the exploit has apparently been sighted already on a number of websites.

Microsoft's patch release for April contains 11 bulletins covering 25 vulnerabilities. The bulletins address a wide array of operating systems and software packages; IT administrators with a good inventory of their installed base will have an easier time evaluating which machines need patches.

Microsoft patches 2 open 0-day vulnerabilities: MS10-020 for the SMBv2 Denial of Service vulnerability, only present on Windows 7 and Windows Server 2008 (KB977544), and MS10-022 for the F1 attack through Internet Explorer (KB981169). MS10-020 fixes other SMB vulnerabilities as well and is a critical update for all platforms.

The most critical bulletins this month are MS10-026, MS10-027 and MS10-019. MS10-026 addresses a DirectShow vulnerability that can be exploited through viewing a media file, which can lead to remote code execution. MS10-027 is a Windows Media Player ActiveX control vulnerability which can lead to similar results. Both are relatively easy to exploit and have a low exploitability index; however, Windows 7 users are not affected by either of the vulnerabilities. MS10-019 addresses a flaw in the Windows Authenticode algorithm involved during the installation process of new software. The flaw allows for a downgrade from the current v2 Authenticode algorithm to the deprecated v1 algorithm. If an attacker follows this downgrade with an attack on v1 (a sophisticated multi-stage attack), he could pass off malicious install packages as legitimately signed by major manufacturers. This vulnerability has an exploit rating of difficult, meaning that even advanced attackers will take a while to come up with the necessary exploit code; still, we recommend patching this during the normal cycle for all machines.

MS10-025 is a critical Windows Media Services vulnerability but only affects Windows 2000. Windows 2000 Server will have its extended support retired in mid-July of this year and will then cease to receive security updates. Organizations that still use Windows 2000 need to evaluate a migration strategy.

The remaining bulletins are ranked as important and moderate. MS10-028 is a file format attack against Visio, which can result in remote code execution. MS10-023 is a similar attack against Microsoft Publisher. As these software packages are not widely installed, a good inventory will be helpful in evaluating the exposure. MS10-021 is an interesting side effect created by registry linking. MS10-024 is a Denial of Service vulnerability in the SMTP server of Windows 2003 64-bit only, and MS10-029 an IPv6/IPv4 packet envelope vulnerability that can lead to information disclosure.

This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.

In addition, Adobe released their quarterly patches for Adobe Reader and Acrobat on Windows, Mac OS X and Unix. The update is critical and fixes 15 vulnerabilities with a maximum exposure of "remote code execution".

Microsoft will release MS10-018, a patch for the critical Internet Explorer 0-day vulnerability KB981374, out of band tomorrow, on March 30th. Microsoft's decision to accelerate the release rather than waiting until next Patch Tuesday on April 13th is an indication that attacks against the "iepeers" vulnerability are on the rise.

Similar to what happened with the last IE 0-day patch, MS10-002, Microsoft is including fixes for 9 other vulnerabilities, so the patch is critical for ALL versions of IE.

If you are still using IE6 or IE7, patch immediately. But even if you are on IE8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week.

Kudos to Microsoft for their quick turn-around on this vulnerability.

October 2009's Microsoft Patch Tuesday is a massive release with 13 advisories covering 34 vulnerabilities. 2 advisories address last month's 0-day vulnerabilities, SMBv2 and FTP for IIS, in a very quick turn-around. However, another 6 vulnerabilities are tagged as having information disclosed publicly before today's patch release. Of the total set of vulnerabilities, a full 22 are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight, Microsoft's new rich media development tool. Internet Explorer also receives an update for 2 critical vulnerabilities, one of them disclosed at the Black Hat security conference.

MS09-054 is a fix for critical vulnerabilities in all versions of Internet Explorer and, interestingly, can also affect non-Microsoft software, namely Firefox, the browser from Mozilla. The Microsoft .NET runtime installs a plug-in into Firefox that allows XAML Browser Applications (XBAP) to be launched through Firefox and serves as a conduit to the vulnerable component of Windows.

The biggest set of vulnerabilities this month is addressed by MS09-062, which fixes 8 flaws in the GDI+ graphics library. This library is widely used in applications as diverse as Microsoft Office, Visual Studio development tools, SQL Server and even Forefront Security Client.

Another set of 2 vulnerabilities disclosed at Black Hat (video presentation here and here - worth watching) is addressed by MS09-056. It provides a fix to the CryptoAPI library and the much talked about "Null prefix certificate", which allows for the impersonation of an arbitrary SSL certificate by embedding a NULL character at the right spot in the certificate request. Earlier this month a certificate was leaked to the Full Disclosure mailing list that impersonated www.paypal.com. The vulnerability is rated only as "important" because it does not allow the attacker to take over the machine, but it can be used to steal the user's credentials to any web site.
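The null prefix flaw that MS09-056 addresses, as an added example (not code from the original post): a DER length-prefixed subject name keeps an embedded NUL byte, while a C-string comparison stops at it, and the hardened check rejects such names outright. The subject values and the attacker.example name below are constructed samples.

```python
# Added example, not from the original post: how the "null prefix" flaw fixed by
# MS09-056 arises, and a hardened comparison. Certificate subject values below
# are constructed samples, not real certificates.

NUL = b"\x00"

def der_utf8string(value: bytes) -> bytes:
    """Encode bytes as a DER UTF8String (tag 0x0C, short-form length <= 127).
    DER is length-prefixed, so a NUL inside the value is just another byte."""
    if len(value) > 127:
        raise ValueError("short-form length only in this example")
    return bytes([0x0C, len(value)]) + value

def parse_der_utf8string(tlv: bytes) -> bytes:
    """Decode a short-form DER UTF8String; the length byte, not a NUL, ends it."""
    if len(tlv) < 2 or tlv[0] != 0x0C:
        raise ValueError("not a UTF8String")
    length = tlv[1]
    if length > 127 or len(tlv) != 2 + length:
        raise ValueError("bad length")
    return tlv[2:]

def cstring_view(name: bytes) -> bytes:
    """What a C-style string routine sees: everything up to the first NUL."""
    nul = name.find(NUL)
    return name if nul < 0 else name[:nul]

def vulnerable_hostname_match(cert_cn: bytes, requested_host: bytes) -> bool:
    """Flawed check: compares the NUL-terminated view of the CN. A CN that
    reads www.paypal.com, then a NUL, then .attacker.example therefore matches
    www.paypal.com, although the CA only verified control of attacker.example."""
    return cstring_view(cert_cn).lower() == requested_host.lower()

def hardened_hostname_match(cert_cn: bytes, requested_host: bytes) -> bool:
    """Hardened check: reject any CN with an embedded NUL, then compare the
    full length-delimited value."""
    if NUL in cert_cn:
        return False
    return cert_cn.lower() == requested_host.lower()

def names_with_embedded_nul(subject_names):
    """Audit helper: return the subject names (bytes) that contain a NUL."""
    return [n for n in subject_names if NUL in n]

if __name__ == "__main__":
    crafted = b"www.paypal.com" + NUL + b".attacker.example"   # constructed
    encoded = der_utf8string(crafted)
    assert parse_der_utf8string(encoded) == crafted          # NUL survives DER
    print("vulnerable:", vulnerable_hostname_match(crafted, b"www.paypal.com"))
    print("hardened:  ", hardened_hostname_match(crafted, b"www.paypal.com"))
```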

Important: Adobe released their patch for Adobe Reader, the popular PDF viewer. Adobe Reader versions 7, 8 and 9 are vulnerable on all versions of Windows and Mac OS X. Adobe had acknowledged the existence of exploits focused on v9 and Windows last week. This is a critical update that should be applied as soon as possible.

This month Microsoft released 5 critical advisories, addressing a total of 8 vulnerabilities. The focus is on the Windows operating system family, and all versions are affected. The notable exception is Windows 7, which is a pleasant surprise and most likely an outcome of the additional security measures implemented in this latest version of Windows.

MS09-045 and MS09-047 are client-side vulnerabilities indirectly affecting Internet Explorer and Windows Media Player. They require user actions for a successful exploit, but attackers have the necessary tools in place to entice users to visit infected web pages and open malicious media files. MS09-048 is a "classical" network vulnerability of a type that we have not seen in a while: it is located in the TCP/IP network stack of Windows 2008 and Vista and can be exploited through the network; however, Microsoft rates the exploitation difficulty as high. MS09-049 is a very interesting attack on the WLAN auto-configuration service of Vista and Windows 2008; it requires a malicious access point to be in WiFi range, which limits the number of machines that can be attacked at any given time. We recommend that customers focus on MS09-045 and MS09-047 due to the high likelihood of exploits.

As previously announced, Microsoft did not address the IIS FTP 0-day vulnerability that was made public last week. In addition, yesterday a security researcher disclosed a vulnerability in the file sharing protocol (SMB2) of Vista, 2008 and potentially Windows 7. We expect Microsoft to monitor the extent of exploitation of these 2 new vulnerabilities and continue to provide guidance for workarounds.

Update: Microsoft has acknowledged the SMB2 vulnerability and provided a workaround in advisory 975497, suggesting that the SMB2 protocol be disabled; machines would then fall back to the older SMB protocol for file sharing.

Yesterday the Mozilla Foundation announced on their security blog that Firefox will start checking for outdated Flash plug-ins. This is a great way of improving the security of web browsers: Flash is often used by attackers to exploit client machines and is unfortunately notoriously difficult to update, requiring (on Windows) different update packages for Internet Explorer and all other browsers.

Now we just need to convince Hillary Clinton to let the Department of State use Firefox.

[Figure: FlashUpdate.png]

As you can see, this worked fine for me on my Mac under Firefox 3.0.14.

June's Patch Tuesday is generating major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unixes and Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022, Windows Print Spooler, is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server-based vulnerabilities. MS09-025 brings 4 updates for the Windows base operating system kernels, and even the new Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025, we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8; however, it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.

As expected, we did not see a patch for the DirectShow vulnerability acknowledged by Microsoft 10 days ago in KB971778. While they have the patch, it is still undergoing Quality Assurance and Stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities, MS09-017 for PowerPoint. Users of both Office 2004 and Office 2008 are advised to upgrade to fix a remote code execution issue.

As Adobe had announced previously, they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.

Microsoft just published their advance notice for June's Patch Tuesday. After the rather lightweight release of last month, which only addressed PowerPoint on Windows, this month's release covers all major areas with 10 updates. Two are critical updates for Windows (out of a total of 6), there is one critical update for Internet Explorer, and there are three critical updates for Microsoft Office.

Mac OS X users, who have seen their fair share of action recently on the OS side and with QuickTime, need to pay attention as well: Microsoft will release an update for the PowerPoint vulnerabilities that they disclosed last month for both Windows and Mac platforms, but at the time only provided patches for Windows.

We will not see a fix for the DirectShow vulnerability KB971778 disclosed last week. While they have a fix, it is still undergoing Quality Assurance and Stability testing.

2 months ago at RSA 2009, Rich Mogull from Securosis mentioned an interesting project that they are working on: Project Quant. The project focuses on measuring the patch management process in all stages involved, from monitoring for new threats and patches, to evaluation and testing, through deployment and verification. Now that they have refined this lifecycle, they need input from you, real-life production users who can tell how much time is spent on each of these activities. He has published an online survey, which is the first step in gathering production data.

This is an exciting project and the results will be made publicly available. I expect them to provide high quality insight into the cost of patching. Recommended.

PS: The full scope and intentions of the project are outlined in the initial post.

Qualys estimates that about 30 percent of Windows-based computers remain vulnerable to infection because they have not been updated with the patch.

Methodology

In December 2008, Qualys' customers performed scans on over 9 million IP addresses. There is some duplication, as some customers scan multiple times in a given month, but the majority of customers are on a 30-day cycle in their scan schedules. The majority of these scans are against Windows machines, as they are the most prevalent in our customers' networks. It is safe to say that the data is based on millions of IP addresses scanned.

What class of virus is it and have you seen something like it before?
This worm is a sophisticated piece of software; beyond exploiting MS08-067 it uses a number of other techniques to propagate, i.e. network shares and removable media such as USB thumb drives. It has a variety of interesting mechanisms to trick the user into executing it, such as changing the icon and message in the autorun dialog. It also uses an innovative way to assure that its control channel, where it receives its commands from, is not shut down. It contacts a large number of dynamically named URLs for commands, making it harder to shut the worm down. It is definitely an intelligently designed worm, demonstrating that worm writers are constantly innovating to keep their business moving.
 
Why is it so pervasive when the vector was supposedly patched by Microsoft?
Our scanning data indicates that many machines are not patched yet, even 2 months after the release of the patch by MSFT. We derive our numbers from enterprise customers and SMB, but in areas where non-licensed machines are in use the ratio of unpatched machines must be significantly higher due to the difficulty of getting and installing patches and the fear of detection.
 
Is the security community responding fast enough to the threat?
The security community is doing excellent work around that vulnerability and the exploiting worm. But overall IT is not reacting fast enough, as our data reveals and as can be seen by the extent of the damage that the worm is doing. Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects.

In general, we suggest providing general comments to the above questions, hinting at the patching data only to substantiate your claims, since the last comments we provided him were very data-specific.

[Figure: MSFT-Patch-Trends-08-PII.png]

During the year-end slowdown Qualys analyzed anonymous data captured by us during our global vulnerability scans. The analysis focuses on critical Microsoft patches published in the second half of 2008 to reduce the initial dataset.
 
Within the 20+ patches we can clearly see three distinct groups with different occurrence profiles:
 
  • The first group contains the major Windows operating system and Microsoft Office vulnerabilities, with Office being the clear leader with a frequency of up to 25% more than Windows OS patches.
  • The second group are less frequently installed components in both Windows and Office, such as Office document filters (e.g. MS08-044) or VB runtime components (MS08-070); they have less than 30% of the occurrence frequency of the first group.
  • At a distant third, we see vulnerabilities in specialized parts of the operating system: the SNA communications connector (MS08-059) and the Windows Media encoder (MS08-053). These make up less than 2% of the overall mix.
  • As a general trend, after about 30 days the majority of systems have the patches applied and the fix rate then slows down. This applies to all groups; even the comparatively low-frequency group three follows this pattern of initial activity.
  • On a side note, group three also contains the only vulnerability that was limited to Windows Vista, MS08-075, giving us an indication of the low numbers of deployed Vista installations in enterprises.

In our statistical data for MS08-067 we see it being patched at about the same rate as other critical patches. Over 50% of all machines are patched after approximately 30 days. After that period we see the patch rates go down and the overall number of machines that are attackable diminishing only slowly. Unfortunately this leaves enough machines to be exploited by the "Conficker" worm types even today, over 45 days later.

We would have liked to see a faster reaction by computer users given the significance of the patch, but there still seems to be a barrier to reaching everybody and making them understand the urgency of patching.

This vulnerability in the Microsoft SQL Server product is highly critical, as it allows the attacker to remotely control the database and the underlying server. DBAs should immediately review the work-arounds provided in the advisory and implement them as soon as possible. MS SQL Server is a highly popular product, as we have seen in April of this year, when a SQL injection vulnerability that specifically targeted MS SQL Server-driven websites was used to redirect users to websites serving malware. The effects of this attack are still out on the internet, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit-free state.

The potential exists for leakage of private data and major disruptions in critical MS SQL-driven applications, such as e-commerce and HR. On the positive side, we believe that companies have aggressively firewalled off their MS SQL servers from being directly accessible on the internet after the traumatic Slammer worm in 2003, which should provide some protection from direct attacks. However, a smart attacker can easily pair this exploit with another attack mechanism, such as phishing, to get behind the corporate firewall and then attack all accessible MS SQL Server installations.

We expect that Microsoft is currently working on a patch and will release it out of band. Unlike the recent release of the Internet Explorer patch, the deployment will be slow. MS SQL is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles before any such fix can be deployed.

As we expected, Microsoft is releasing an out-of-band patch tomorrow, 12/17, for a critical Internet Explorer 7 vulnerability. The browser flaw had been disclosed roughly one week ago as a zero-day vulnerability, and active exploits have been around the internet for that timeframe as well. The work-arounds provided by Microsoft were very technical and quite cumbersome to implement, making it imperative for Microsoft to release a fix as quickly as possible.

Given the typical requirements for developing, testing and packaging changes to a program as widely deployed as Internet Explorer, we have seen one of the fastest turnarounds possible. Moving faster would require having specific mechanisms in the base code of the application that allow pushing out changes in a less disruptive way, and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here, as they already have update mechanisms included in their products.

[Figure: msft_patch_release_trends.png]

In the past month, November, Microsoft released only 2 security bulletins, both of critical severity. However, in late October MSFT released a fix for a potentially very exploitable vulnerability (MS08-067, RPC Server) out-of-band, in itself already an indication of its high severity and its potential to develop into an aggressively replicating worm. We took a look at patching trends related to this publicized vulnerability.

Specifically, we monitored between 200,000 and 300,000 scans per day. The graph above shows the trends.

Customer Patching Trends
We have used our vulnerability statistics capabilities to track the evolution of the vulnerabilities to see how Microsoft customers apply these patches.

  • Unfortunately, no. The emergency patch (MS08-067) didn't show erratic reductions in occurrences of vulnerabilities, and it appears customers were patching at a normal rate.
  • However, for the last week we see a fairly rapid reduction in vulnerability numbers, indicating that after a large-scale worm was announced and confirmed (Trend Micro mentions over 500,000 machines infected, Symantec mentions major activity in their honeynets), customers are stepping up their patch activity.
  • Over the last month and a half we have seen the occurrence of MS08-067 drop from a high value of 8 to close to 2 this week, an overall 70% reduction.

MS08-067, 68 and 69 Trends
PLEASE NOTE: The information below is based on normalized data; the Y-axis represents the number of vulnerabilities identified / total number of scans. The X-axis represents the dates. Normalizing the data was required in order to fairly represent the data in graphical form. If you use the graphic, please attribute it to Qualys.