From the Desk of the CTO

Eric Schultze

Reflections on the September 2008 Microsoft patch release
September 9, 2008

All four security bulletins this month are rated Critical, and all four relate to problems when a user visits an evil website (or listens to an audio stream from a malicious website). In other words, focus on patching your end-user machines first rather than the servers in your datacenter. Since these exploits require users to perform actions on their computers, like visiting a website, servers in a datacenter are less prone to be exploited, as users aren't typically browsing the Internet from these servers.

Of the four bulletins released this month, MS08-052 is the most important one to patch first. MS08-052 impacts the graphics engine on Windows XP and later systems. The graphics engine is part of all Operating Systems, and is also included with Microsoft Office and Microsoft SQL Server products, among others. You may need to install multiple patches on your system to address this issue, where each patch updates a different component on your computer. Unfortunately, Microsoft hasn't made it easy to determine which collection of patches you may need on each system - making it more likely that some systems will go unpatched for some portion of affected products. Also, the security bulletin doesn't make it very clear as to which patches in this bulletin will be patched with WSUS vs. the patches you'll need to install manually.

Bulletins MS08-053 and MS08-054 relate to Windows Media items. 08-053 is an improperly marked ActiveX control that can execute code on your system if you visit an evil website. 08-054 can exploit your system if you're enjoying streaming audio files with Windows Media Player 11. (maybe cutting edge ain't so grand?!)

Finally, MS08-055 is a flaw with URI protocol handling and Microsoft OneNote 2007. Similar in style to the Firefox vs. Microsoft debates from July of 2007, clicking on a hyperlink that has a URL with onenote:// as the protocol may cause code to execute on your machine (you must have OneNote installed on your machine to be vulnerable). Microsoft fixed the "shellexecute" flaw that led to the Firefox debacle (MS07-061) - however, this new onenote:// flaw is slightly different and isn't addressed by the MS07-061 patch.

Reflections on July 2008 Microsoft Patch Day
July 8, 2008

One could say it's a pretty quiet Microsoft patch release day. Microsoft only released 4 security bulletins, labeling all as Important (none as Critical).

Of the four bulletins, one relates to a flaw in Outlook Web Access (OWA) that could allow an attacker to read, create, send, or delete emails on behalf of the unwitting OWA user; patching the OWA Exchange 2003 or 2007 Server corrects this. Beware, it's a very large patch.

A second bulletin is specific to SQL Server, and when I say SQL Server, I mean ALL versions of SQL Server. SQL Server 7 through SQL Server 2005, including MSDE and WMSDE installations, are impacted (including WSUS installs running WMSDE). This vulnerability allows 'authenticated' attackers to potentially access information that they shouldn't be able to access. The bar is set very high for the attacker here - it's not a simple type of exploit that most corporate users could pull off.

A third bulletin relates to just Windows Vista and Windows Server 2008. If a user on one of these systems receives an email with a malicious saved-search file, and opens this file and re-saves it, then evil code may run on their system. Also, if a user visits an evil website where this saved-search file resides, code may be executed on the user's system. It's unclear from Microsoft's bulletin whether the user must download and save the saved-search file to their own system, or if this exploit happens simply by visiting the evil website. Earlier in the bulletin, Microsoft states that a user must "open and save a specially crafted saved-search file with an affected version of Windows Explorer". Then it goes on to say that in a web-based scenario, visiting a malicious website could allow this to happen. Microsoft should really review their bulletins and make it a little more clear (or less confusing) about what actions really trigger this event.

The fourth bulletin this month relates to DNS services - both the DNS server and the DNS client. All Operating Systems other than Vista are impacted. With respect to this issue, attackers can remotely poison a DNS Server or DNS Cache with incorrect Internet domain names to IP address mappings, causing users to surf to erroneous web locations.

The biggest beef I have with this month's group of patch releases is the classification of vulnerabilities that Microsoft has chosen to use. In some cases, it's rather absurd. In the case of MS08-040 (SQL Server), Microsoft calls this 'Important', but the attacker can 'execute code of the attacker's choice'. Microsoft doesn't label this as 'code execution', but rather as 'escalation of privilege', because the attacker must be an 'authenticated attacker'. Raise of hands - "who's an 'authenticated' hacker"?

It sure seems like Microsoft is re-writing their definitions this month. They've downgraded 'code execution' attacks if the attacks happen to come from 'authenticated users'. And it's no longer called 'code execution'; it's called 'privilege escalation'. I can see where Microsoft is coming from, and it's a very rosy side of Redmond.

The other bulletins also seem to be downgraded in terms of severity because of what Microsoft believes to be 'additional steps that must be taken and/or limits of what can be done' (my terms). In one case, the vulnerability is downgraded because a user must save a file to their disk (leave it 'Critical' and downplay the likelihood of attack instead) and in another case, the vulnerability is downgraded because the user can only spoof your email, delete your mail, etc. rather than delete other files on your system. Who's Microsoft to say that your email isn't super critical?

Protection against Safari
June 4, 2008

Microsoft has issued a Security Advisory to alert folks to a security risk if they are running Apple's Safari web browser on a Microsoft system. (www.microsoft.com/technet/security/advisory/953818.mspx)

What is the issue? The Safari web browser doesn't prompt users before downloading and saving files to their system. In contrast, both Internet Explorer and Mozilla Firefox prompt users before saving downloaded files to the system.

This 'oversight' on Apple's part can put users at risk. Specifically, visiting a malicious website with Safari can cause an unintended download of software to the machine. This software can also be automatically executed on the machine - all without the user's consent. In short - a very bad thing.

While Apple considers adding a 'feature' to prompt users before downloading files, and while Microsoft ponders if it can do anything via a security patch, the best advice is not to use Safari.

(Shavlik customers running NetChk Protect can perform a NonBizWare spyware scan to help identify Safari installations and automatically remove them as desired.)

Microsoft Update - Not Up To The Job
May 14, 2008

This month's release of Microsoft security updates underscores the risk in relying on Microsoft's patch management tools. Specifically, the Microsoft update mechanism found in Windows Update, Microsoft Update, SMS, and SCCM only scans for 75% of the security bulletins released this month. (And within that 75%, these tools don't scan for certain older versions of products, like those running Office 2000 applications.)

MS08-029 addresses a vulnerability in the Microsoft security suite of tools that include the Microsoft malware engine, including Windows Live OneCare, Antigen for Exchange, Windows Defender, and Forefront Client Security, among others. Unfortunately, Windows update technologies won't tell you which of your systems are vulnerable - much less which systems you have that even run these applications. Users are left on their own to launch these applications and update them.

Although these applications "provide built-in mechanisms for automatic detection and deployment of updates", they leave enterprises without the ability to centrally identify their risk, report on their security posture, or have any knowledge about their level of vulnerability to this issue. Microsoft Update and the WSUS engine were supposed to be the one-stop shop to understand Microsoft patch status across the enterprise. Of course, this assumes that all Microsoft products work with the Microsoft Update engine. With the advent of the Live product line and the Microsoft security suite, they seem to believe that these products are 'above' the need to provide central update management capabilities with their peer software applications.

Security Bulletin MS08-029 discusses a security vulnerability that, while it cannot remotely take over your system, can be used to cause widespread denial of service, or when combined with other exploits, can be used to enable an attacker to gain additional access to a system (by forcing a reboot which may in turn aid other exploits in need of a system restart). In either event, I don't want this on my network, and I'd like to know how prevalent these applications are. Until Microsoft can report centrally on the patch management status for all of its applications, I'll stick with my thesis - Microsoft Update is not up to date.

MS08-021 Being Exploited
April 16, 2008

I don’t mean to tell you ‘I told you so’, but I will. I told you so. As we discussed in the April post patch day webinar, MS08-021 is the most important patch to get installed from the April patch release. eWeek is reporting that an exploit was released in the wild for the graphic image exploit vulnerability a mere 2 days after the patch was released. More info here:

Reflections on April 2008 patch day
April 8, 2008

All 8 bulletins this month are client side vulnerabilities. IOW, your system is safe unless a user logs in and opens documents, reads email, or visits an evil website on that computer. Systems where no one logs on and does this (i.e., servers in a data center) are safe.

Of the five OS-related vulnerabilities this month, four impact Vista and Windows Server 2008.

The most critical to get installed right away are MS08-021, MS08-022, and MS08-024. Of these, MS08-021 is the most important, as it can be exploited by all three attack vectors: visiting an evil website, opening an evil document, or reading an evil email. MS08-021 is a flaw in the way that image files are processed - an evil graphic file can execute code on your system. This is the third such evil graphic file attack since January of 2006.

MS08-022 is a flaw in jscript and vbscript in IE6 and earlier versions of IE. Visit an evil website and you'll get hacked. This is the patch that was delayed from the January release cycle.

MS08-024 is a flaw in all versions of IE - visit an evil website and you'll get hacked.

MS08-025 is a privilege escalation vulnerability that can allow a user to elevate themselves from user to admin. This can also be exploited by any of the other vulnerabilities announced this month. IOW, visit an evil website and it can execute code on your system to make you an admin - then the evil website can do anything on your system that it wants. IOW, from what I can tell, this vulnerability erases the mitigation that MS provides for all of the earlier patches above: 'the evil code will only execute with the permissions of the logged on user - therefore you are safer if you are logged on with a non administrative account.'

Supporting Virtualization
April 8, 2008

I'm really excited to talk about one of our upcoming features - specifically, support for Virtualization.

Shavlik already supports patch and configuration management for virtual systems on your network. A running virtual system is just like a real system to Shavlik NetChk Protect and NetChk Compliance. You can scan and patch these virtual systems today to ensure that your running VMs are protected.

Now Shavlik is taking things to the next level. Upcoming releases of Shavlik NetChk Protect will enable you to scan and patch OFFLINE virtual images. Offline images are those that aren't currently powered on. You may have hundreds of offline virtual images in your VM repository - these VMs are powered on for hours or days and may be powered off again until the next month when they are needed. It's important to ensure that these systems are patched as soon as they are brought online, else you place your network at risk from these unpatched systems.

Shavlik NetChk Protect makes it easy to patch these systems. Simply reference the offline image or folder of images in a NetChk machine group and perform a scan like usual. The Protect scan engine will perform a full patch assessment of each image, and results are displayed alongside results for running systems (you'll be able to differentiate images from running systems in the results view).

Patching these offline images is similarly simple. Highlight the images and patches you'd like to install and select 'deploy' from the Shavlik menu. The patches will be copied to the offline images and will be installed the moment that the virtual image is started (or according to its scheduled deployment time).

What's really nice about this feature is the ability to patch not only the VM images that you know about (ESX SAN drive, folder of MS Virtual Server images, etc.), but also to scan desktops and servers for the presence of VMware Workstation, VMware Server, and Microsoft Virtual PC images.

Additional information about the offline virtual scanning and patching functions is available in Shavlik Knowledge Base Article SKB 5788.


Speeding up agentless deployment with distribution servers
April 2, 2008

I thought I'd take this time to share an idea that might help you speed up the agentless patch deployment process. Turns out, some work we did to support agent-based deployments can provide a big benefit for agentless deployments.

In a standard agentless deployment, the NetChk console pushes each patch or group of patches to each remote system. If there are two patches to push to each of 1,000 systems, the console will push 2,000 patches total. The console can push to 64 machines simultaneously - so it may take some time to push out all of the patches to all of the machines. The patch push can also consume a lot of network bandwidth, especially if pushing patches to a large number of systems across a slow link.

We can address both speed and bandwidth issues for agentless deployments via the use of distribution servers.

The term 'distribution server' is really a misnomer. It's not really a server at all. Instead, a distribution server is simply a UNC file share or a web share on a workstation or server machine.

Let's start with the simple scenario: use the NetChk console as a distribution server. On the NetChk console, share out the C:\Program Files\Shavlik Technologies\NetChk\Patches\en-us (or similar) folder with read-only permissions for a specific netchk patch user account. This 'share' is your distribution server.

Next, go to tools-distribution servers to define the distribution server share you just created. Select New on the servers tab and then select the UNC radio button. Enter the UNC path to the share (ex. \\console\patchrepository) and the username and password for the account that has read-only access to this share (don't worry, this password info is encrypted). There's no need to enter synchronization data at the bottom of this window because the console patch repository is the same location as the distribution server share.

On the IP ranges tab of the distribution server window, create an IP range for your network. If you want all of your machines to use the same distribution server, you may enter 0.0.0.0 - 255.255.255.255. Assign the distribution server you just created to this IP range.

Finally, go to the deployment template that you'd like to use and select the distribution servers tab. Check the box to deploy patches using distribution servers. Set the randomization number of minutes (if desired) and also decide if you want the target systems to download the patches from the vendor websites directly if the machines can't contact the distribution server.

Here is where the magic happens. When you go to deploy patches using this deployment template, the patches won't be pushed to each system. Instead, the NetChk console will push a very small deployment instruction set to each machine (and the Shavlik Scheduler, if not already present) and will schedule that instruction set to execute at the scheduled deployment time. When this deployment time occurs, the system will realize that it doesn't have the necessary patches to deploy; it will read the instruction set to obtain the distribution server information, and it will then log in to the distribution server and download the specified patches.

The above process will speed up the deployment process; however, the overall bandwidth hit against the network will be the same as if the console was doing a normal patch push. To conserve bandwidth and better handle remote sites, consider the following:

Create one distribution server at each remote site. This can be the UNC style distribution server we created above, or an http or https website at each remote site. The distribution server UNC or web share can reside on workstation or server class machines - whatever is 'always available' at the remote site. (Keep in mind that workstation class machines may only support ten concurrent sessions for UNC and web connections).

When defining the distribution servers, create groups of IP addresses - one group for each remote site - and assign the IP ranges to the distribution server at that site. This will ensure that the machines at remote site A will download their patches over the local area network from the distribution server at site A, thus reducing your network bandwidth over the slow link back to the NetChk console. Make sure to run the distribution server sync function to ensure that the remote distribution servers have a full copy of the patches from the console.

The above process is a unique method to leverage distribution servers (normally reserved for agent-based deployments) to improve speed and network bandwidth utilization when performing agentless deployments.
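To make the IP-range-to-distribution-server assignment and the deploy-time fallback concrete, here is a small model of that logic. It is an added illustration, not NetChk code: the server names, share paths and IP ranges are constructed, and "most specific range wins" is an assumption made so that a per-site range beats the 0.0.0.0 - 255.255.255.255 catch-all.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class DistributionServer:
    name: str
    location: str  # UNC share (\\host\share) or http(s) URL at the site


@dataclass(frozen=True)
class IpRange:
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    server: DistributionServer

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first <= ip <= self.last

    def size(self) -> int:
        return int(self.last) - int(self.first) + 1


def ip_range(first: str, last: str, server: DistributionServer) -> IpRange:
    return IpRange(ipaddress.IPv4Address(first), ipaddress.IPv4Address(last), server)


def select_server(client_ip: str, ranges: Iterable[IpRange]) -> Optional[DistributionServer]:
    """Pick the distribution server for a client. Assumption (modelling choice,
    not documented NetChk behaviour): the smallest range containing the address
    wins, so a remote-site range beats the catch-all that points at the console."""
    ip = ipaddress.IPv4Address(client_ip)
    matches = [r for r in ranges if r.contains(ip)]
    if not matches:
        return None
    return min(matches, key=IpRange.size).server


def plan_download(client_ip: str, ranges: Iterable[IpRange],
                  reachable: Callable[[DistributionServer], bool],
                  allow_vendor_fallback: bool, max_random_minutes: int = 0,
                  rng: Optional[random.Random] = None) -> Tuple[Optional[str], int]:
    """What the target does when its scheduled deployment time arrives:
    wait a random number of minutes (the randomization setting), then pull from
    its distribution server, or from the vendor website if that was allowed and
    the share is unreachable. Returns (source, delay_minutes)."""
    rng = rng or random.Random()
    delay = rng.randint(0, max_random_minutes) if max_random_minutes > 0 else 0
    server = select_server(client_ip, ranges)
    if server is not None and reachable(server):
        return server.location, delay
    if allow_vendor_fallback:
        return "vendor-website", delay
    return None, delay


# Constructed sample table: catch-all to the console share plus one remote site.
CONSOLE = DistributionServer("console", r"\\console\patchrepository")
SITE_A = DistributionServer("siteA", r"\\siteA-fileserver\patches")
RANGES = [
    ip_range("0.0.0.0", "255.255.255.255", CONSOLE),
    ip_range("10.20.0.0", "10.20.255.255", SITE_A),
]

if __name__ == "__main__":
    print(select_server("10.20.4.7", RANGES))
    print(plan_download("10.20.4.7", RANGES, lambda s: True, True, max_random_minutes=30))
```

A client at 10.20.4.7 is served from the site A share over its LAN; a client outside that range falls back to the console share, and only the per-site sync carries patches across the slow link.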


Reflections on March 2008 Patch Day
March 11, 2008

It’s an all Office patch day today. More to the point, an all Excel day. Nine of the twelve vulnerabilities addressed this month relate to Microsoft Excel. The twelve vulnerabilities were encapsulated in 4 security bulletins – each one patching an Office related client side vulnerability. Order of importance to patch for the month: MS08-015, MS08-014, MS08-016, MS08-017.

MS08-014
Seven different ways to hack a user with an Excel file. This is the long awaited patch for the Excel zero day issue first reported in mid-January 2008. Angst-ridden computer users can now sleep easy knowing that they can now open malicious Excel documents without fear of being hacked. One of the exploit vectors was publicly known (Macro validation vulnerability) and is being actively exploited. The other 6 attack vectors were identified and reported to Microsoft via private parties (or pay for exploit companies). This is Critical on Office 2000, and Important on Office XP and Office 2003 (because Office 2000 systems may automatically launch the evil document the moment you visit the evil website - you're not given any heads up that the file will be opened. In later Office versions, it will prompt if you want to open or save the document.) Patch this one ASAP if you visit illicit websites or open malformed Excel documents on a regular basis.

MS08-015 - Outlook URI handling flaw
This one is much more interesting and is more likely to be exploited. In this scenario, an attacker can create a web page with a link to 'click here to email me', or simply an email address with a hyperlink (as is found on many websites.) Clicking on the email link can allow the attacker to run code on your system, assuming that you have Microsoft Outlook on your system (and set as your default mail program). There would be very little way to know ahead of time whether or not the mail link was evil. I expect we'll see exploit code for this very shortly and we'll see malware authors begin to leverage this right away. I'd patch this one before patching 08-014. (it's not being publicly exploited, but it's only a matter of time)

MS08-016 - Another Excel bug, plus an Office bug
Typical client side vulnerability. View a malicious Excel document or open a malicious Office document (Excel or otherwise) and the attacker can run code on your system. Technically different than the earlier Excel issue, but the same cause and effect. This is worse on Office 2000 systems and not quite as bad on Office XP and Office 2003 - due to the auto-opening of Office 2000 documents when you visit a website that links to this document. This is not being publicly exploited.

MS08-017 - Bug in Office Web Components ActiveX controls
This is a flaw in an ActiveX control that helps display spreadsheets via a web browser. This can be exploited on systems that run Microsoft Office Web Components 2000 - namely: Office 2000, Office XP, Visual Studio .NET 2002 and 2003, BizTalk Server 2000 and 2002, Commerce Server 2000, and ISA Server 2000. If you view an evil website from a machine with any of these products installed, the attacker can run code on your system. This patch adds a 'killbit' for the vulnerable controls so that the flawed ActiveX object won't be launched from the browser and includes an updated version of the ActiveX control. This is not being publicly exploited.