Reflections on February 2009 Patch Day

A seemingly light batch of patches this month, trailing an even lighter, single-patch release in January. Two Critical items were released – patches for Internet Explorer 7 and Microsoft Exchange Server. Additionally, two Important items were released – for Microsoft SQL Server and Visio.

MS09-002 is a typical IE patch – purported to protect a user who surfs to an evil website. What’s unusual this month is that the vulnerability is only present in Internet Explorer 7. This leads to the question “what did Microsoft put in IE7 that they didn’t put in earlier versions that leads to this vulnerability, and why didn’t their new security testing program catch it?” Microsoft says that it’s easy for hackers to create an evil webpage to exploit this issue.

MS09-003 is a Critical patch for Exchange Server (versions 2000, 2003, 2007) that could lead to code execution and/or Denial of Service. The attacker can send a malformed winmail.dat file to an Exchange Server in hopes of having that server execute code of their choosing. (winmail.dat files are configuration files that instruct the email client how to render and display Rich Text Formatted documents.) Alternatively, the attacker can send a series of packets to the Exchange Server in an attempt to take down the mail services – creating a denial of service attack. Microsoft says that inconsistent exploit code is likely to be released.

MS09-004 is probably the most interesting patch this month. This patch addresses the zero-day SQL Server flaw reported by Sec-Consult on December 9th, 2008. This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit. However, unauthenticated attackers (since when do you authenticate your attacker anyway?) can still leverage this flaw if they can plant their code using SQL Server injection techniques via poorly coded websites. Proof of concept code has been published on the Internet; however, Microsoft says they have not seen proof of exploitation (maybe they aren’t looking hard enough?). I’d probably rate this patch as Critical – given the end result possible. I’m guessing Microsoft has downgraded this severity because of the “authentication” requirement. (Although they give this a ‘1’ in the exploitability index – saying that consistent exploit code is likely.)
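The “poorly coded website” route mentioned above is worth seeing concretely, because it is what turns an authenticated-only server flaw into something an anonymous web visitor can reach: the web application already holds the database credentials, so any input it pastes into SQL text runs with the application’s authenticated session. The following is an added example, not code from the original post or from any Microsoft product. It uses Python’s built-in SQLite driver as a stand-in for a SQL Server client library (the string-building mistake is identical across drivers), and the table rows and the hostile input string are constructed for illustration.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for a web application's user table.
    # SQLite is used only because it runs anywhere; the same string-building
    # mistake applies to any SQL Server client library.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # "Poorly coded" form: the request parameter is pasted into the SQL text,
    # so whatever the web client supplies becomes part of the statement that
    # the database server executes under the application's own credentials.
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the statement text is fixed and the value travels as a
    # bound parameter, so it can never change what the server executes.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Run both lookups against a benign name and a constructed injection
    # string, and return the results so they can be compared side by side.
    conn = build_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed input for illustration only
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns one row for `bob` but every row for the hostile string, because the quote character closed the literal and the rest became part of the WHERE clause; the parameterized lookup returns the same single row for `bob` and nothing for the hostile string. Reviewing web code for the concatenated form, and running the application against the database with a least-privilege login rather than an administrative one, are the two checks that limit how far a web-facing bug can carry toward a server flaw like this one.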

MS09-005 is an Important patch for Visio. Open a malformed Visio document and the evildoer can run code on your system in the context of your currently logged-on account. Microsoft says this was privately reported and they’ve seen no reports of exploitation. They recommend not opening Visio documents from untrusted sources.

I recommend a two-pronged approach to patching this month. Two patches are for server issues (09-003 and 09-004 – Exchange and SQL) and two are for client-side applications (09-002 and 09-005 – IE7 and Visio). Give the two server patches to the server maintenance team and ask that they install these two as soon as possible – given what I believe is the severity of these issues. Give the two client-side patches to the desktop team and have them install these patches in the next update cycle or as they see fit – but no need to burn the weekend candle for these.
