Reflections on July 2008 Microsoft Patch Day

One could say it’s a pretty quiet Microsoft patch release day. Microsoft only released 4 security bulletins, labeling all as Important (none as Critical).

Of the four bulletins, one relates to a flaw in Outlook Web Access (OWA) that could allow an attacker to read, create, send, or delete emails on behalf of the unwitting OWA user; patching OWA on the Exchange 2003 or 2007 server corrects this. Beware, it’s a very large patch.

A second bulletin is specific to SQL Server, and when I say SQL Server, I mean ALL versions of SQL Server. SQL Server 7 through SQL Server 2005, including MSDE and WMSDE installations, are impacted (including WSUS installs running WMSDE). This vulnerability allows ‘authenticated’ attackers to potentially access information that they shouldn’t be able to access. The bar is set very high for the attacker here – it’s not a simple type of exploit that most corporate users could pull off.

A third bulletin relates to just Windows Vista and Windows Server 2008. If a user on one of these systems receives an email with a malicious saved-search file, and opens this file and re-saves it, then evil code may run on their system. Also, if a user visits an evil website where this saved-search file resides, code may be executed on the user’s system. It’s unclear from Microsoft’s bulletin whether the user must download and save the saved-search file to their own system, or if this exploit happens simply by visiting the evil website. Earlier in the bulletin, Microsoft states that a user must “open and save a specially crafted saved-search file with an affected version of Windows Explorer”. Then it goes on to say that in a web-based scenario, visiting a malicious website could allow this to happen. Microsoft should really review their bulletins and make it a little more clear (or less confusing) about what actions really trigger this event.

The fourth bulletin this month relates to DNS services – both the DNS server and the DNS client. All Windows operating systems other than Vista are impacted. With respect to this issue, attackers can remotely poison a DNS server or DNS cache with incorrect domain-name-to-IP-address mappings, causing users to surf to erroneous web locations.

The biggest beef I have with this month’s group of patch releases is the classification of vulnerabilities that Microsoft has chosen to use. In some cases, it’s rather absurd. In the case of MS08-040 (SQL Server), Microsoft calls this ‘Important’, but the attacker can ‘execute code of the attacker’s choice’. Microsoft doesn’t label this as ‘code execution’, but rather as ‘escalation of privilege’, because the attacker must be an ‘authenticated attacker’. Raise of hands – “who’s an ‘authenticated’ hacker”?

It sure seems like Microsoft is re-writing their definitions this month. They’ve downgraded ‘code execution’ attacks if the attacks happen to come from ‘authenticated users’. And it’s no longer called ‘code execution’; it’s called ‘privilege escalation’. I can see where Microsoft is coming from, and it’s a very rosy side of Redmond.

The other bulletins also seem to be downgraded in terms of severity because of what Microsoft believes to be ‘additional steps that must be taken and/or limits of what can be done’ (my terms). In one case, the vulnerability is downgraded because a user must save a file to their disk (leave it ‘Critical’ and downplay the likelihood of attack instead) and in another case, the vulnerability is downgraded because the user can only spoof your email, delete your mail, etc. rather than delete other files on your system. Who’s Microsoft to say that your email isn’t super critical?