Microsoft’s Security bulletin for April brought a total of 8 advisories covering 23 vulnerabilities (21 distinct, 2 of which are covered in multiple advisories) in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits: 6 vulnerabilities have already been used by attackers and 4 have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking; where weeks were previously an acceptable timeframe, days now seem more appropriate.
The most urgent patches to apply are the advisories that have working exploits – MS09-009 for Office/Excel, MS09-010 for Windows/Office and MS09-012 for Windows. Microsoft’s Internet Explorer cumulative patch MS09-014 has proof of concept code available for at least one of its covered vulnerabilities and thus has a high exploitability index of 1 (consistent exploit code likely). All but MS09-012 are rated as critical on all of Microsoft’s operating systems, meaning that the attacker can gain complete control over the affected systems; this applies even to Microsoft’s newer OS versions such as Vista and Server 2008.
Users who have updated already to Internet Explorer 8 are not affected by MS09-014, another indicator of the significant amount of work Microsoft has invested into this new browser and an incentive to move towards that version of IE as quickly as possible.
The vulnerability addressed by MS09-016 is the only one that is remotely exploitable. It affects Microsoft’s ISA product, used to secure and proxy companies' internet connections. As it is limited to a denial of service condition it was rated as Important. Further, its exploitability index has the lowest value of 3 (functioning exploit code unlikely), meaning that it is difficult to write a successful and consistent exploit.
During the year-end slowdown Qualys analyzed anonymous data captured by us during our global vulnerability scans. The analysis focuses on critical Microsoft patches published in the second half of 2008 to reduce the initial dataset.
Within the 20+ patches we can clearly see three distinct groups with different occurrence profiles:
- The first group contains the major Windows operating system and Microsoft Office vulnerabilities, with Office being the clear leader with a frequency of up to 25% more than Windows OS patches.
- The second group covers less frequently installed components in both Windows and Office, such as Office document filters (e.g. MS08-044) or VB runtime components (MS08-070) – they have less than 30% of the occurrence frequency of the first group.
- At a distant third, we see vulnerabilities in specialized parts of the operating system – the SNA communications connector (MS08-059) and the Windows Media encoder (MS08-053). These make up less than 2% of the overall mix.
- As a general trend, after about 30 days the majority of systems have the patches applied and the fix rate then slows down. This applies to all groups; even the comparatively low-frequency group three follows this pattern of initial activity.
- On a side note group three also contains the only vulnerability that was limited to Windows Vista – MS08-075 – giving us an indication of the low numbers of deployed Vista installations in enterprises.
This vulnerability in Microsoft’s SQL Server product is highly critical as it allows the attacker to remotely control the database and the underlying server. DBAs should immediately review the workarounds provided in the advisory and implement them as soon as possible. MS SQL Server is a highly popular product, as we saw in April of this year, when a SQL injection attack that specifically targeted MS SQL Server-driven websites was used to redirect users to websites serving malware. The effects of this attack are still out on the internet, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit-free state.
The potential exists for leakage of private data and major disruptions in critical MS SQL-driven applications, such as e-commerce and HR. On the positive side, we believe that companies have aggressively firewalled off their MS SQL servers from direct internet access after the traumatic Slammer worm in 2003, which should provide some protection from direct attacks. However, a smart attacker can easily pair this exploit with another attack mechanism such as phishing to get behind the corporate firewall and then attack all accessible MS SQL Server installations.
We expect that Microsoft is currently working on a patch and will release it out of band. Unlike the recent release of the Internet Explorer patch, deployment will be slow: MS SQL is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles before any such fix can be deployed.
In the past month, November, Microsoft released only 2 Security bulletins, both of critical severity. However, in late October MSFT released a fix for a potentially very exploitable vulnerability (MS08-067, RPC Server) out-of-band, in itself already an indication of its high severity and its potential to develop into an aggressively replicating worm. We took a look at patching trends related to this publicized vulnerability.
Specifically, we monitored between 200,000 and 300,000 scans per day. The graph above shows the trends.
Customer Patching Trends
We have used our vulnerability statistics capabilities to track the evolution of the vulnerabilities to see how Microsoft customers apply these patches.
- Unfortunately, no. The emergency patch (MS08-067) did not show an unusual reduction in occurrences of the vulnerability, and it appears customers were patching at a normal rate.
- However, for the last week we see a fairly rapid reduction in vulnerability numbers, indicating that after a large-scale worm was announced and confirmed (Trend Micro mentions over 500,000 machines infected, Symantec mentions major activity in their honeynets), customers are stepping up their patch activity.
- Over the last month and a half we have seen the occurrence of MS08-067 drop from a high value of 8 to close to 2 this week, an overall reduction of roughly 70%.
MS08-067, 68 and 69 Trends
PLEASE NOTE: The information below is based on normalized data; the Y-axis represents the number of vulnerabilities identified divided by the total number of scans, and the X-axis represents the dates. Normalizing the data was required in order to fairly represent it in graphical form. If you use the graphic, please attribute to Qualys.
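To make the normalization described in the note concrete, here is a small added example (not Qualys code; the daily records, bulletin mix and scan volumes are constructed, and the rate is expressed per 100 scans as an assumption, since the page does not state its unit). It shows why dividing by scan volume matters: a bulletin whose raw detections halve only because fewer scans ran that day shows no real patching progress once normalized, while a bulletin whose normalized rate falls from 8 to 2 shows a genuine 75% reduction.

```python
from collections import defaultdict

# Constructed sample records: (date, bulletin, detections, scans run that day).
# MS08-067 mimics real remediation; MS08-068 only loses raw detections
# because the scan volume dropped on the second day.
SAMPLE = [
    ("2008-10-24", "MS08-067", 800, 10000),
    ("2008-11-07", "MS08-067", 600, 10000),
    ("2008-11-21", "MS08-067", 400, 10000),
    ("2008-12-05", "MS08-067", 240, 12000),
    ("2008-11-14", "MS08-068", 500, 10000),
    ("2008-12-05", "MS08-068", 250, 5000),
]


def normalized_trend(records, per=100):
    """Return {bulletin: [(date, rate), ...]} sorted by date, where
    rate = detections / scans * per (assumed unit: detections per 100 scans)."""
    by_bulletin = defaultdict(list)
    for date, bulletin, detections, scans in records:
        if scans <= 0:
            raise ValueError(f"{date} {bulletin}: scan count must be positive")
        # multiply first so exact ratios stay exact in floating point
        by_bulletin[bulletin].append((date, detections * per / scans))
    return {b: sorted(points) for b, points in by_bulletin.items()}


def reduction_pct(points):
    """Percentage drop of the normalized rate from the first to the last date."""
    first, last = points[0][1], points[-1][1]
    if first == 0:
        return 0.0
    return (first - last) / first * 100


def raw_reduction_pct(records, bulletin):
    """Naive (un-normalized) drop in raw detection counts, for comparison."""
    rows = sorted(r for r in records if r[1] == bulletin)
    first, last = rows[0][2], rows[-1][2]
    return (first - last) / first * 100


if __name__ == "__main__":
    trend = normalized_trend(SAMPLE)
    for bulletin, points in sorted(trend.items()):
        for date, rate in points:
            print(f"{bulletin} {date} {rate:5.2f} per 100 scans")
        print(f"{bulletin}: normalized drop {reduction_pct(points):.0f}%, "
              f"raw-count drop {raw_reduction_pct(SAMPLE, bulletin):.0f}%")
```

With this data MS08-068's raw detections fall 50% while its normalized rate is flat, so only the normalized series is suitable for judging whether customers are actually patching.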