Back to qualys.com
90 posts

Mini Patch Tuesday July 2009 – Extremely urgent

As announced last week Microsoft today released 2 bulletins, one addressing Internet Explorer (MS09-034) and the other addressing the ATL component of Visual Studio (MS09-035). The release outside of their normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority.

The main attack vector that the current exploit is using is browsing with Internet Explorer. An end-user browsing the Internet with a vulnerable version of IE can get their system taken over simply by looking at a websites that have malicious tables or ATL objects. To increase their reach, attackers have been using web application vulnerabilities to put these type of exploits on common, non-malicious sites, that end-users would not suspect of. Once infected the attacker can add the system to their botnet or use it to attack other machines inside the network where the system is hosted. This second mode of use of an infected computer is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed.

Ryan Smith will present on the issue at BlackHat in Las Vegas tomorrow and has a small preview up on his site….

Two High Profile Zero-Day Vulnerabilities Announced

This has been an exciting week in the security space, first Adobe and and now Microsoft have announced that they will deliver out-of-band patches next week:

Both vulnerabilities are rated critical and are found in very common software components – all versions of IE (6,7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.

Patch Tuesday Bottomline – July 2009

Microsoft’s July Security Bulletin does not have any surprises due to the intense pre-release activity around the 3 zero-day advisories that came out in the last 6 weeks. Microsoft had already announced that they would address 2 advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video respectively. Yesterday’s zero-day is left for later and users should apply the work-around published in KB973472. The 3rd critical vulnerability addressed is MS09-029 OpenType Font Engine which applies to all versions of Windows, Vista and 2008 included.These 3 advisories should be addressed immediately as they allow the attacker to fully control the victim’s computer.

Microsoft proxy server ISA 2006 has a vulnerability rated as "important" that allows remote unauthenticated users to access the server. However paired with a knowledge of the administrators user name attackers can take full control of the server. As administrator usernames are often easy to guess this vulnerability deserves special attention, if IT organizations are using ISA with the Radius configuration. This vulnerability is covered in MS09-031. The ISA blog has some more in depth information.

MS09-030 is an advisory for the Publisher component in the MS Office 2007 suite is rated as "important" as well, but can be used to take full control of the system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as "critical" as well.

Microsoft also provided patches for their virtualization product VPC and Virtual Server on all versions (MS09-033) preventing an elevation of privilege in the guest operating system. This is classified as "important" because local access to the guest OS is required. This bulletin is interesting because this vulnerability is introduced by the fact that the OS is running under a virtual environment and allows the user to access to privileged kernel mode.

In addition we are working on the Oracle CPU patch release and are monitoring the Firefox 3.5 zero-day.

References:

Zero-day advisory for Microsoft Office Web Components ActiveX

We just released our QID 110101 which detects the Microsoft Office Web Components ActiveX zero-day vulnerability that Microsoft released today as KB973472. Similar to last weeks zero-day vulnerability Microsoft is providing a workaround using their Fixit program.

The main attack vector is again Internet Explorer, a user can be infected by browsing a website that hosts the exploit without further interaction with a so called "drive-by" exploit. There have been a number of sightings already, which have prompted Microsoft for this out-of-band release – for more information take a look at SANS.

QualysGuard will not raise the vulnerability if you have the described workaround applied which inhibits the OWC10 and OWC11 classids that are susceptible to the attack. We will be enhancing the detection as more information about workarounds and patches becomes available. Due to the timing we do not expect this vulnerability to be addressed tomorrow at Patch Tuesday.

Serious Zero-Day Vulnerability for Microsoft Video ActiveX Exploited in the Wild

Microsoft released advisory KB972890 yesterday for a zero-day vulnerability found by ISS, warning of an attack on an ActiveX control for Microsoft Video. The main attack vector is for the user to browse a website that has the exploit installed with Internet Explorer- further interaction is not necessary, the attack is of the type called "drive-by". This makes the attack very dangerous as there is very little that Internet Explorer users can do to defend themselves. Security news here and here report that thousands of websites have started serving the exploits already, which is supported by the in-depth information that we are getting from our iDefense feed which has a long list of sites that are serving the exploits.

The described work arounds involve disabling 40+ classids in the registry, which should be scriptable by IT administrators. The Microsoft support website has a FixIt link which individual users can use to apply those changes to the registry.

QualysGuard detects this zero-day vulnerability as QID 90510, but does not raise it if you have the described workaround applied. We will be enhancing the detection as more information about workarounds and patches becomes available.

How do you deal with ActiveX controls, do you disable them in your default builds ? Let me know by sending feedback. We also will discuss this issue on our upcoming panel at the Black Hat security conference in Las Vegas with the present industry experts.

Patch Tuesday Bottomline – June 2009

June’s Patch Tuesday is generating major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unixesand Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft’s 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022 – Windows Print Spooler is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server based vulnerabilities. MS09-25 brings 4 updates for the Windows base operating system kernels and even the new Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8 – however it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint’s ZDI.

As expected we did not see a patch for DirectShow vulnerability, acknowledged by Microsoft 10 days ago in KB971778. While they have the patch it is still undergoing Quality Assurance and Stability testing. For Macintosh users, Microsoft provided the patch for last month’s disclosed vulnerabilities – MS09-017 for PowerPoint. Both users of Office 2004 and Office 2008 are advised to upgrade to fix a Remote Code execution issue.

As Adobe had announced previously they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.

References:

Microsoft Patch Tuesday Bottomline – April 2009

Microsoft’s Security bulletin for April brought a total of 8 advisories covering 23 (21 distinct, 2 are covered in multiple advisories) vulnerabilities in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits. 6 vulnerabilities have already been used by attackers and 4 have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking, when before weeks were an acceptable timeframe, now days seems more adequate.

The most urgent patches to apply are the advisories that have working exploits – MS09-009 for Office/Excel, MS09-010 for Windows/Office and MS09-012 for Windows. Microsoft’s Internet Explorer cumulative patch MS09-014 has proof of concept code available for at least one its covered vulnerabilities and thus has a high exploitability index of 1 (consistent exploit code likely). All, but MS09-012 are rated as critical on all of Microsoft’s operating systems, meaning that the attacker can gain complete control over the affected systems and apply even to Microsoft newer OS versions such as Vista and Server 2008.

Users who have updated already to Internet Explorer 8 are not affected by MS09-014, another indicator of the significant amount of work Microsoft has invested into this new browser and an incentive to move towards that version of IE as quickly as possible.

The vulnerability addressed by MS09-016 is the only one that is remotely exploitable. It affects Microsoft’s ISA product used in securing and proxying companies' internet connections. As it is limited to a denial of service condition it was rated as Important. Further its exploitability index has the lowest value of 3 (Functioning exploit code unlikely), meaning that it is difficult to write a successful and consistent exploit

References:

Time to Upgrade – IE6 vs IE7 Dynamics

This week we looked at patterns in the deployment of the recent Internet Explorer patch MS09-002. Our main interest was to see if there were any changes in its deployment speed compared to previous IE patches. Considering that an exploit became available roughly a week after the release of the patch we thought that companies would accelerate the deployment given that the existence of the exploit makes the threat concrete. We normalized the detection data from MS09-002 and Microsoft’s last cumulative patch to Internet Explorer MS08-073 to put them to the same scale and overlaid them in the same graph. To our surprise we found that nothing changed – no acceleration of patching, the curves follow a remarkably similar pattern:

MS09_002_compared.png

However we noticed one anomaly – the absolute values (numbers found for each vulnerability) varied by a power of 10. MS09-002, which is only applicable to Internet Explorer 7 had much lower numbers, and plotting them to a common scale we found the difference to be between 80-90%. This means that Internet Explorer 6 continues to be the more prominent browser in the Enterprise.

MS09_002_compared_common.png

Unfortunately this is bad news! IE7 is a much better browser than IE6 as IE7 has improved performance, compliance to standards and contains additional security features. Despite the public trend on the Internet that illustrates IE7 has surpassed IE6 in mid 2008, according to our live data enterprises persist on using what is tried and true. This is not only slowing the adoption of new technologies, but also affects the overall security of these companies and makes them more susceptible to attacks. In my experience with working with enterprise customers, this behavior still exists as IT teams try to control what version of the software end-users are allowed to use.  This is a disservice to them and to all of us in this industry.

Recommendations:

  • Migrate away from Internet Explorer 6 – your most viable options at this point in time are IE7 and Firefox 3.
  • Evaluate the potential impact of patching browsers in a faster rhythm – this would be a side benefit when the choice is Firefox but could also be implemented using Internet Explorer

Reference sites:

Should MSFT Rethink the IE Patching Cycle?

The browser is the most popular used application to access the Internet. Microsoft Internet Explorer has the highest market share with over 60 %, making it on the average desktop the best attack target for malicious content. Therefore IE vulnerabilities should be given the highest priority and patched promptly. Yet, when we look at our data, this is not what happens. Our cumulative anonymously gathered data shows that overall users treat browser patches just like all other patches. IE’s patch deployment cycle correlates very closely with that of other patches, critical or non-critical, even though exploits for browser vulnerabilities start appearing within days of their public release (see MS09-002).ms09_002.png

We believe that IE patches are well understood and tested so extensively by Microsoft that they should be deployed promptly. An extensive in house testing period is probably not warranted for most companies as the impact on business critical applications is limited.  To improve the patch deployment speed for IE an interesting approach would be to remove IE from the monthly patching cycle all together and integrate automatic patching capabilities directly into the browser. Microsoft should rethink the patching cycle for IE and enable fast patching for IE similar to other browser vendors, such as Google’s Chrome and Mozilla’s FireFox, which require little or no interaction from the user. IE8 could be a great opportunity to investigate such a capability.

IE7 Exploit: MS Releases Out-of-Band Patch

As we expected Microsoft is releasing an out-of-band patch tomorrow 12/17 for a critical Internet Explorer 7 vulnerability. The browser flaw had been disclosed roughly one week ago as a zero day vulnerability and active exploits have been around the internet for that timeframe as well. The work-arounds provided by Microsoft were very technical and quite cumbersome to implement making it imperative for Microsoft to release a fix as quickly as possible.

Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer we have seen one of the fastest turnarounds possible. Moving faster would require having specific mechanisms in the base code of the application allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products.