More information, and an official apology, on MS09-001

I’ve received queries from press, end users, and vendors about my commentary on Patch Tuesday and would like to take this time to provide some background on what led to my comments as well as a slightly tempered position on the patch itself.

On Patch Tuesday, I read the MS09-001 bulletin. Upon reading about the issue I immediately got a bad feeling about it. Unauthenticated exploitation via the SMB protocol is really bad. Prior history shows that this can lead to really evil things, including events similar to Blaster and Sasser.

Our PR firm was hounding me to push out commentary to the press, so I gave them what I knew (see below). My commentary was spot on – at least as far as what was written in the security bulletin itself (http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx).

It wasn’t until a few hours later, when I was able to catch my breath and do further perusal, that I stopped by to view Microsoft’s short version of the security bulletins for January (http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx). In this spot, they include the Exploitability Index for each of the bulletins released during the month. For MS09-001, they rated it a ‘3 – Functioning exploit code unlikely’. They also included a link to a blog post with more information (http://blogs.technet.com/swi/archive/2009/01/09/ms09-001-prioritizing-the-deployment-of-the-smb-bulletin.aspx).

In this blog post, Microsoft explains that the likelihood of exploitation is mitigated by the vast amount of information that the attacker must have about a particular machine in order to exploit that machine using the MS09-001 vulnerability. Specifically, they say,

“Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.”

Had I read this before I released my patch commentary, I would have modified my comments to say,

“This is potentially a very bad flaw – but Microsoft has assured us that the knowledge required to exploit this is quite high, is unlikely to be available to the attacker, and even in those cases where the information can be obtained, the ability to actually get exploitable code is infinitesimally small, therefore the risk on this should be considered as something lower than the ‘Critical’ rating which Microsoft has assigned.”

I would have continued on to say,

“Unauthenticated SMB flaws are similar in nature to what was exploited in the Blaster and Sasser worms. While these ports are usually blocked on Internet firewalls and personal firewalls, these ports are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly. Fortunately, it appears that the likelihood of a worm for this vulnerability is very low.”

And if I were feeling particularly feisty, I would also ask,

“Why doesn’t Microsoft include the exploitability index in the bulletin itself? Why must I visit other variants of the bulletin to obtain this information, and then a third location to read details that tell me that the Critical issue of which I was alerted probably isn’t that Critical after all? Make it easy – include the Exploitability Index in the bulletin!”

So here’s my official apology for crying wolf on this issue when I should have done my due diligence and read all three Microsoft locations before offering my opinion on this issue.

That being said… you should still get this patch installed on your systems.
