Back to qualys.com
75 posts

Analysis of Critical Microsoft Patches in the Second Half of 2008

MSFT-Patch-Trends-08-PII.png

During the year-end slowdown Qualys analyzed anonymous data captured by us during our global vulnerability scans. The analysis focuses on critical Microsoft patches published in the second half of 2008 to reduce the initial dataset.
 
Within the 20+ patches we can clearly see three distinct groups with different occurrence profiles:
 

  • The first group contains the major Windows operating system and Microsoft Office vulnerabilities, with Office being the clear leader with a frequency of up to 25 % more than Windows OS patches.
  • The second group are less frequently installed components in both Windows and Office, such as Office document filters (i.e. MS08-044) or VB runtime components (MS08-070) – they have less than 30% of the occurrence frequency of the first group.
  • At a distant third, we see vulnerabilities in specialized parts of the operating system – the SNA communications connector (MS08-059) and the Windows Media encoder (MS08-053). These make up less than 2% of the overall mix.
  • As a general trend, after about 30 days the majority of systems have the patches applied and the fix rate then slows down. This applies to all groups, even the comparatively low frequency group three follows this pattern of initial activity.
  • On a side note group three also contains the only vulnerability that was limited to Windows Vista – MS08-075 – giving us an indication of the low numbers of deployed Vista installations in enterprises.

Conficker Worm: Patching is Not Fast Enough

In our statistical data for MS08-067 we see it being patched at about the same rate as other critical patches. Over 50% of all machines are patched after approximately 30 days. After that period we see the patch rates go down and the overall number of machines that are attackable only slowly diminishing.  Unfortunately this leaves enough machines to be exploited by the "Conficker" worm types even today, over 45 days later.

We would have liked to see a faster reaction by the computer users given the significance of the patch but there still seems to be a barrier to reach everybody and make them understand the urgency of patching.

Patch Tuesday: December 08

This vulnerability in Microsoft SQL Server product is highly critical as it allows the attacker to remotely control the database and the underlying server. DBAs should immediately review the work-arounds provided in the advisory and implement them as soon as possible. MS SQL-Server is a highly popular product as we have seen in April of this year, when a SQL-Injection vulnerability that specifically targeted MS-SQL server driven websites was used to redirect users to websites serving malware. The effects of this attack are still out on the internet, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit free state.

The potential exists for leakage of private data and major disruptions in critical MS SQL driven applications, such as e-commerce and HR. On the positive side we believe that companies have aggressively firewalled off their MS SQL server from being accessible directly on the internet after the traumatic Slammer worm in 2003 which should provide some protection from direct attacks. However a smart attacker can easily pair this exploit with another attack mechanism such as phishing to get behind the corporate firewalls and then attack all accessible MS SQL server installations.

We expect that Microsoft is currently working on patch and will release it out of band. Differently from the recent release of the Internet Explorer patch the deployment will be slow. MS SQL is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles and before any such fix can be deployed.

IE7 Exploit: MS Releases Out-of-Band Patch

As we expected Microsoft is releasing an out-of-band patch tomorrow 12/17 for a critical Internet Explorer 7 vulnerability. The browser flaw had been disclosed roughly one week ago as a zero day vulnerability and active exploits have been around the internet for that timeframe as well. The work-arounds provided by Microsoft were very technical and quite cumbersome to implement making it imperative for Microsoft to release a fix as quickly as possible.

Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer we have seen one of the fastest turnarounds possible. Moving faster would require having specific mechanisms in the base code of the application allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products.

November 2008: MSFT Patch Release Trends

msft_patch_release_trends.png

In the past month November, Microsoft released only 2 Security bulletins, both of critical severity. However in late October, MSFT released a fix for potentially very exploitable vulnerability (MS08-067 RPC Server) out-of-band, in itself already an indication of its high severity and its potential to develop into an aggressively replicating worm. We took a look at patching trends related to this publicized vulnerability.

Specifically, we monitored between 200,000 and 300,000 scans per day. The graph above shows the trends.

Customer Patching Trends
We have used our vulnerability statistics capabilities to track the evolution of the vulnerabilities to see how Microsoft customers apply these patches.

  • Unfortunately, no. The emergency patch (MS08-67) didn’t show erratic  reductions in occurrences of vulnerabilities and it appears customers were  patching at a normal rate.
  • However, for the last week we see a fairly rapid reduction in  vulnerability numbers indicating that after a large scale worm was announced  and confirmed (Trend Micro mentions over 500,000 machines infected, Symantec  mentions major activity in their honey nets), customers are stepping up their  patch activity.
  • Over the last month and a half we have seen the occurrence of MS08-067 drop from a high value of 8 to close to 2 this week, and overall 70%  reduction.

MS08-067, 68 and 69 Trends
PLEASE NOTE: The information below is based off normalized data, the Y-axis represents the number of vulnerabilities identified / total number of scans. The X -axis represents the dates. Normalizing the data was required in order to fairly represent the data in a graphical form. If you use the graphic, please attribute to Qualys.