Archive for October, 2009

Self-updating Apps Are Unreliable

Many programs today have self-updating technology built right in the program.  Add-on programs will scan every so often to an update server to see if the application needs updating.  A few of these programs that have these mechanisms are Adobe (reader, flash) and Apple (iTunes, QuickTime) client programs.

These programs do help home users keep their products patched.  But in a corporate network, these self-updating programs are not solutions to patch management.  These programs are basically left to mercy of the end user and client system.

  • Users can simply decline the update, or may not know the importance of patching and ignore the "update needed" message
    Not all users on a corporate network are security savvy, especially with patching.  Users are bombarded with messages each day on their computer.  A reminder pops up for a business meeting.  UAC in Windows Vista asks for user permission to run a program.  If a pop-up appears asking to apply a patch, how can you be sure the user has actually accepted the update?
  • The update program can fail at any time
    An update program can simply fail to execute at any time.  These failures are more common than you think.  I have a test machine that has Adobe Reader installed on it.  The installation method I chose installed the self-updating application.  One problem:  for three straight months, the program has failed to work.  The machine does not specify that I am missing patches (3 versions to be specific), and only presents this error message each time when checking for updates.  (Screenshot: adobeupdateerror)
    Note:  This program initially worked, and I have done nothing on my machine to tamper with this update program.
  • There are no reporting measures
    As an administrator, how do you know the machine is patched?  Did the user accept the update?  Is the updater program actually working as intended?  Leaving programs in self patching mode does not allow any type of roll up reporting to occur.  Managing patches on a single system is easy with manually checking a system’s patch state.  But for small businesses up to large corporations, patch management systems with reporting is key to ensure compliance.

In my example above, we have a case of an update program failing for no apparent reason on a target machine.  If this were a computer somewhere on my network, a vulnerable version of a highly targeted program would exist on it.  This could have been identified months ago through a true patch management solution.
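As an added example (not code from the original post), here is the kind of roll-up check an administrator can run instead of trusting each machine's updater: it compares a constructed inventory of installed versions and last successful update checks against an assumed baseline of minimum patched versions, and flags hosts that are behind the baseline or whose updater has gone quiet, the two failure modes described above.  The product names, version numbers and the 30-day staleness threshold are constructed sample values, not vendor-published figures.

```python
"""Roll-up patch-state report: trust inventory data, not the self-updater.
Added example, not code from the original post. Compares a constructed inventory
against a baseline of minimum patched versions and flags hosts that are behind
or whose self-updater has not checked in for too long."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed baseline: product -> minimum version considered patched.
# Sample values for illustration, not vendor-published version numbers.
BASELINE = {
    "Adobe Reader": "9.1.3",
    "Adobe Flash": "10.0.32.18",
    "Apple QuickTime": "7.6.4",
}

# Constructed inventory rows: (host, product, installed version, last update check).
INVENTORY = [
    ("ws01", "Adobe Reader", "9.1.3", date(2009, 10, 20)),
    ("ws02", "Adobe Reader", "9.1.0", date(2009, 7, 14)),      # updater silent for months
    ("ws03", "Adobe Flash", "10.0.32.18", date(2009, 10, 22)),
    ("ws04", "Adobe Flash", "10.0.22.87", date(2009, 10, 22)),  # user declined the update
    ("ws05", "Apple QuickTime", "7.6.4", date(2009, 8, 1)),     # patched, but updater stale
]

STALE_DAYS = 30  # assumption: an updater silent this long is treated as broken


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.0.32.18' into (10, 0, 32, 18) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_behind(installed: str, minimum: str) -> bool:
    """True when installed < minimum; shorter versions are zero-padded so 9.1 == 9.1.0."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def rollup(inventory, baseline, today: date, stale_days: int = STALE_DAYS) -> Dict[str, List[str]]:
    """Classify each host as behind the baseline, stale updater, or ok."""
    report: Dict[str, List[str]] = {"behind": [], "stale_updater": [], "ok": []}
    for host, product, version, last_check in inventory:
        minimum = baseline.get(product)
        if minimum is None:
            continue  # product not tracked by this baseline
        age = (today - last_check).days
        if is_behind(version, minimum):
            report["behind"].append(f"{host}: {product} {version} < {minimum}")
        elif age > stale_days:
            report["stale_updater"].append(f"{host}: {product} last check {age} days ago")
        else:
            report["ok"].append(host)
    return report


def example_report() -> Dict[str, List[str]]:
    """Run the roll-up for the constructed inventory as of 26 Oct 2009."""
    return rollup(INVENTORY, BASELINE, date(2009, 10, 26))


if __name__ == "__main__":
    for bucket, hosts in example_report().items():
        print(f"{bucket} ({len(hosts)}):")
        print(*("    " + h for h in hosts), sep="\n")
```

A host that is both behind and stale is reported under "behind", since the missing patch is the finding that matters; the stale check only matters once the version itself looks current.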

Plain and simple:  Don’t put blind trust in self updating software.

- Jason Miller

Comments (1) »

New Version Of Firefox Released

Mozilla has released a new version of their Firefox browser today.

Firefox 3.5.4: addresses 6 Critical, 3 Moderate and 2 Low software vulnerabilities

Firefox 3.0.14:  addresses 5 Critical, 3 Moderate and 2 Low software vulnerabilities

 - Jason Miller

Leave a comment »

Windows 7 – Not Just A New User Experience

Last week marked the arrival of Windows 7 to the market.  We had the operating system in our hands for the past couple of months and have done some extensive testing with it.  It is definitely a bit snappier in terms of speed compared to Windows Vista.

On the security side of Windows 7, you shouldn’t be looking for anything major.  This release was focused on the user experience.  A lot of the features introduced in Windows 7 address the “black eyes” the Windows Vista operating system received during its release.

There are, however, some worthwhile security improvements in Windows 7 to take note of:

  • Improved UAC
    Depending on how you view the changes made to UAC, you may consider them either a step forward or a step backwards.  Microsoft made UAC less intrusive.  They received feedback that the UAC security feature presented too many pop-ups, which created a very frustrating user experience.  Users will now be presented with fewer UAC pop-ups.
     
  • Bitlocker to Go
    In Windows Vista, Microsoft introduced the Bitlocker technology that allowed local hard drive encryption.  This was a great feature, but it lacked the breadth for an ever-changing IT world.  USB flash drives and USB hard drives are very common in the workplace now and deserve the attention of security-minded people.  Laptops can be, and have been, stolen, which can lead to data disclosure.  Mobile storage devices, however, are even more common and can easily be lost or stolen.  With Bitlocker to Go, Microsoft has extended their encryption technology to cover these devices.
     
  • AppLocker
    Acceptable use software policies on networks can be a giant pain for many administrators today.  Commonly, IT policies restrict what applications can be used on a network and for a good reason.  With each additional application on a computer, the threat risk increases exponentially.  Operating systems are not the only software that can have software vulnerabilities.  With the addition of AppLocker, administrators can specify exactly which programs can be run on a desktop computer.  In the past, this has been somewhat achievable through Windows Software Restriction Policies.  This technology was especially cumbersome and time consuming.  In addition, users could easily circumvent application rules by simply updating the software to a new version.  With AppLocker, administrators are now armed with a smarter and more robust software application control technology.
     
  • Windows Biometric Framework
    It is really strange to be in the year 2009 and talking about Windows and biometrics, as both of these technologies have been around for years.  Administrators implementing biometrics have had the burdensome task of integrating third-party software into their networks in order to implement this security.  I have been there before and have spent many hours setting up and troubleshooting fingerprint biometric environments.  In Windows 7, Microsoft has introduced a new common programming interface for biometric providers.  This will allow a unified system for new technologies that implement this framework.  What does this mean for you?  A simple, reliable and easy-to-implement biometric solution for your company.  Although this technology will not have an immediate impact on your networks, Microsoft has laid the groundwork for the future of biometrics.

 

 - Jason Miller

Leave a comment »

Happy Anniversary MS08-067

Tomorrow will mark the one year anniversary of the MS08-067 software vulnerability in the Windows Server Service.  This is the vulnerability the Conficker worm exploited.

Microsoft released this patch “out-of-band”, unbeknownst to the security industry.  When I looked at this security bulletin in detail, I was instantly alarmed.  The vulnerability allowed remote code execution, and the patch was out-of-band.  Well, ok, this may sound like a lot of vulnerabilities Microsoft patches each month.

This security bulletin was different for two reasons:

  1. This vulnerability affected the Windows Server Service.  Ah, but what uses that service?  Pretty much every computer running Windows has this service running and could be exploited.
  2. This vulnerability did not require any authentication to be exploited.  In other words, an attacker does not need to supply a login to exploit the vulnerability.

This combination made the vulnerability extremely alarming and a potential hotbed for a new worm outbreak.  We had made some announcements regarding this vulnerability in October, warning people to patch their systems as soon as possible.  On a ranking of how bad this vulnerability was, we gave it 10 out of 10.

Fast forward to February 2009.  A new worm hits the Internet attacking the software vulnerability.  Shockingly, this worm rapidly spread to millions of computers across the globe.  These computers did not have the patch applied that was released 4 months earlier.

The worm itself did not deliver a payload, so the hype around the vulnerability quickly turned to frustration by people.  “Why all the warning around MS08-067 and Conficker?  Nothing happened!  This was a bunch of media hype trying to scare us!”

Plain and simple:  We got lucky with this vulnerability as it did not deliver pain like the Code Red Worm.  Next time, we might not be as lucky.

A valuable lesson we all should take from this:  Don’t ignore patches.  They are your first line of defense against virus and worm outbreaks.

- Jason Miller

Leave a comment »

Case of the Mystery Security Patch

One of our customers today pointed out a patch we had missed on October’s Patch Tuesday.  This was very strange as we are quite meticulous at making sure all security patches are covered.

The patch in question is KB974554.  According to the patch knowledge base article, it is part of the MS09-060 security bulletin.  The affected product for the patch is Office Outlook 2003.

Interestingly, the MS09-060 bulletin notes that KB973705 is the patch for Office Outlook 2003.  Also, the bulletin page mentions nothing of KB974554.

After looking closely at the knowledge base article for KB973705, there is a “Known Issues…” note:

 After you install this update, the Outlook View Control may not function in those programs that use Forms 2.0 functionality. To resolve this issue, install the following security update for Microsoft Office 2003:

974554 MS09-060: Description of the security update for Office 2003: October 13, 2009

Ah, this is a bug fix for a security bulletin.  A bulletin released on the same day.

Was this the case where Microsoft found an issue with a patch but decided to not announce it and release a second patch to fix the issue?

If you have installed KB973705 and you use Forms 2.0 in Outlook 2003, you should look at applying this patch.  Reading the details for KB974554, the page lists the patch as a security patch.  The patch appears to be a non-security update that fixes a bug in the security patch.  Nonetheless, I wouldn’t take chances: apply the patch to your Office Outlook 2003 machines after applying KB973705.

- Jason Miller

Leave a comment »

October Patch Tuesday Overview

Microsoft has released 13 new security bulletins in the October 2009 version of Patch Tuesday.  Eight bulletins are rated with a severity rating of Critical.  The remaining five security bulletins have a severity rating of Important.  For the first time, Windows 7 and Windows 2008 R2 are affected by security bulletins.  The sheer volume of bulletins and subsequent patches this month will likely give administrators fits.

 

Two previously active Microsoft Security Advisories have been closed out:

Security Advisory 975497: Vulnerabilities in SMB Could Allow Remote Code Execution
Security Advisory 975191: Vulnerabilities in the FTP Service in Internet Information

These security advisories have been addressed with the new security bulletins MS09-050 and MS09-053.  MS09-050 resolves three software vulnerabilities and is rated Critical.  An attacker can send malicious network packets to a target system that can lead to remote code execution on the target system.  This exploit code was already publicly available, so a new major outbreak is unlikely.  MS09-053 resolves two software vulnerabilities in the FTP service.  These vulnerabilities could result in remote code execution on the target machine.  The vulnerabilities covered by these bulletins were both publicly known.

 

The User Experience:

Two bulletins affect the “User Experience” this month.  MS09-054 is Microsoft’s cumulative security update for the Internet Explorer browser.  This bulletin addresses four vulnerabilities, one of which is publicly known, and is rated Critical.  Users can be affected if they visit a specially crafted web page.  This can lead to remote code execution.  MS09-062 affects GDI+.  The bulletin addresses an issue where specially crafted images can be embedded in web pages.  If a user visits a specially crafted web page, a vulnerability can be exploited that can lead to remote code execution.  In addition, opening specially crafted Microsoft Office documents can result in remote code execution as well.  These will probably be the most targeted, as both attack vectors have a large user base and require only simple navigation to a malicious web site.  In both cases, users must be enticed to visit a malicious web site or open a malicious Office document.

 

The Media Experience:

The next two bulletins affect media playing on target systems.  MS09-051 affects the Windows Media Runtime component.  If a user opens a malicious streaming media file (ASF), an attacker could gain complete control of the system through remote code execution.  An attacker would need to entice a user to visit a website or open a file to exploit this vulnerability.  This bulletin is rated as Critical and addresses two software vulnerabilities.  One of these vulnerabilities is publicly known.  MS09-052 is very similar to the previous security bulletin.  This bulletin affects Windows Media Player, addresses one software vulnerability, and is rated Critical.  The vulnerability has the same attack vectors as MS09-051 with one more addition.  With Windows Media Player, a user would simply need to navigate to a directory containing a malicious file through Windows Explorer.  Simply browsing to the folder, and not opening the file, will trigger the exploit.

 

ATL Part Two:

A few months back, Microsoft released an out-of-band bulletin that addressed software vulnerabilities in ATL components.  This month, Microsoft is back with a few more patches that address ATL issues.  First, MS09-055 is a bulletin that will place ActiveX killbits on a machine.  This will prevent malicious ActiveX controls from opening.  This bulletin fixes one software vulnerability and will block 15 malicious ActiveX controls from running.  There were reports of exploits in the wild taking advantage of this vulnerability.  MS09-060 addresses three vulnerabilities in ATL ActiveX controls in Microsoft Office.  Users can be affected if they are enticed into navigating to a malicious website, which can lead to remote code execution.  This bulletin is rated as Critical.

 

The Rest:

MS09-061 addresses three vulnerabilities affecting .NET and Silverlight 2 and is rated Critical.  If a user visits a malicious website, an attacker can gain remote code execution.

MS09-057 addresses one vulnerability in the Windows Indexing Service and is rated Important.  Like other vulnerabilities, it requires a user to navigate to a malicious website.  But the user also needs to have a vulnerable binary on the target system for the exploit to work.  This could lead to remote code execution on the target system.  Based on the difficulty of the attack scenario, the likelihood of widespread exploitation of this vulnerability is lower than for the other User Experience vulnerabilities.

MS09-058 addresses three vulnerabilities in the Windows Kernel.  This bulletin is rated as Important.  An attacker would need to have access to a target system before being able to exploit this vulnerability.  If successful, the attacker could cause a Denial of Service or elevate their privileges on the system.  In order to exploit this vulnerability, an attacker would need to combine this exploit with additional exploits to gain access to the target system.

MS09-056 addresses two vulnerabilities in CryptoAPI and is rated Important.  This vulnerability can lead to a spoofing attack.  If an attack is successful, an attacker can impersonate another user by displaying a digital certificate that appears to be legitimate.

MS09-059 addresses one vulnerability in Local Security Authority Subsystem (LSASS) and is rated Important.  This vulnerability can lead to a Denial of Service attack.  If an attack is successful, the target system could automatically restart itself causing a Denial of Service.

 

Adobe:

As this is October, Adobe has also released their quarterly security bulletins for Adobe Acrobat and Reader.  Adobe will be releasing updates for Adobe Reader and Acrobat versions 9.1.3, 8.1.6 and 7.1.3.

 

Re-released:

Microsoft has re-released a new major revision to MS08-069.  This bulletin now includes patches affecting Windows 7 and Windows 2008 R2.

 

If you are a Shavlik NetChk product user, it is important to note the change in our XML data release schedule for this Patch Tuesday.  We are splitting our release into two releases instead of one.  The reasoning behind this is the amount of data that needs to be entered, tested and released for use.  We will first be focusing on the eight Critical Microsoft security bulletins.  When testing passes, we will release the XML.  After the release, we will immediately be working on the remaining five Important Microsoft security bulletins, Adobe security bulletins and Microsoft re-releases.

If you would like more information on each of these bulletins, I will be detailing each Security Bulletin during our monthly Patch Tuesday webinar tomorrow.  Webinar registration is located here.

Happy patching and good luck to everyone this month!

- Jason Miller

Comments (2) »

October Patch Tuesday Advanced Notification

Microsoft announced their October Patch Tuesday Advanced Notification today. Get ready for one of the biggest Patch Tuesdays ever. Microsoft is planning on releasing 13 new Security Bulletins. Eight of the bulletins are rated as Critical, and five of the bulletins are rated as Important.

As you can see from the images below, this is the largest Patch Tuesday in the past two years.

(Images: 2008patch, 2009patch)

The sheer number of planned released bulletins is enough to give administrators nightmares. Adding on top of this, the sheer number of products that are affected by these bulletins is unreal.  Included in this list are the first Security Patches for Windows 7 and Windows 2008 R2.

Affected products

  • Windows 2000 SP4
  • Windows XP (x86, x64)
  • Windows 2003 (x86, x64)
  • Windows Vista (x86, x64)
  • Windows 2008 (x86, x64)
  • Windows 7 (x86, x64)
  • Windows 2008 R2
  • Internet Explorer 5, 6, 7, 8
  • Office XP, 2003, 2007
  • Outlook 2002, 2003, 2007
  • Visio 2002, Project 2002
  • Visio Viewer 2002, 2003, 2007
  • Word Viewer, 2003
  • Excel Viewer, 2003
  • PowerPoint Viewer 2007
  • Office Compatibility Pack 2007
  • Expression Web
  • Office Groove 2007
  • SQL Server 2000 Reporting Services
  • SQL Server 2005
  • Silverlight 2
  • Visual Studio .NET 2003, 2005, 2008
  • Visual FoxPro 8.0, 9.0
  • Forefront Client Security

With this being the October version of Patch Tuesday, Adobe will also be releasing their quarterly scheduled security updates for Adobe Acrobat and Reader. Today, they announced their plans for Patch Tuesday with Security Advisory APSB09-15. Adobe is reporting a zero-day vulnerability in Adobe Reader and Acrobat that is currently being exploited in the wild. They are planning on releasing security patches for the following products:

  • Adobe Reader and Acrobat 9.1.3
  • Adobe Reader and Acrobat 8.1.6

These are both currently rated as Critical by Adobe.

As with any Patch Tuesday, keep an eye on other vendors who may join in with security patches during the day. It is not uncommon for vendors such as Mozilla and Apple to release patches as well.

-Jason

Leave a comment »

Mass Microsoft Hotmail Account Information Leaked

On October 1st, an anonymous user posted login information for Windows Live accounts which contained usernames and passwords for accounts starting with the letters A and B.  These accounts included any email address from hotmail.com, live.com and MSN.com.

According to Microsoft, the list of usernames and passwords was likely the result of a phishing attack.  They added that there was no internal breach at Microsoft that led to this data theft.

You should change your password as soon as possible if you think you have an affected account.  Also, Microsoft has an excellent article in their Online Safety Center that can aid in the recognition of phishing attempts. 

SANS is reporting that Gmail and Yahoo accounts were also affected by this disclosure.  If this is correct, these passwords should be changed as well.

An important note:  If you receive an email informing you to change your password on one of these accounts, check to see if it is a phishing attempt.  A spam or phishing campaign built around this issue is likely in the coming days.  If you choose to change your password, change it through the normal channels, not through an email link.

Leave a comment »

Q3 2009 Patch Management Roundup

I have just finished compiling the patch stats for Q3, and vendors released a large number of security patches over the past 3 months.  The number of non-Microsoft bulletins for what could be considered typical “business use” applications was almost as high as the number of bulletins for Microsoft applications.  It just goes to show:  patch management is not only a Microsoft issue.  Here’s the breakdown:

22 Microsoft Security Bulletins

18 Non-Microsoft Security Bulletins

  • 2 Apple Safari
  • 3 Apple iTunes (iTunes 9.0 was not security related)
  • 1 Apple QuickTime
  • 3 Sun Java
  • 1 Mozilla Thunderbird
  • 6 Mozilla Firefox
  • 1 Adobe Shockwave
  • 1 Adobe Acrobat/Reader
  • 2 Adobe Flash

Shavlik customers were protected with 68 Security bulletins this quarter.  This equated to 348 individual patches.  It has been a long week, so next week I will distinguish the differences between a Security Patch and a Security Bulletin and why it is important to know the differences between the two.

Leave a comment »