Reflections on March 2009 Patch Day

Microsoft released three new security bulletins today. All three of today’s bulletins apply to the Operating System, though some apply to a smaller subset of machines, and each has a completely different impact on the end user experience (or lack of experience if you aren’t exploited).

The most Critical of today’s patches is MS09-006 which could allow an attacker to take complete control of your computer if you view a website, email, or document that contains an evil graphic or picture. Also Critical (in my mind, though Microsoft rates it Important), is a set of patches for Windows DNS Servers. Attackers can leverage this flaw to redirect Internet traffic to look-alike websites in hopes of gathering sensitive user information. Lastly, Microsoft issued a patch to correct an issue where attackers can access restricted websites that require certificates, even though they don’t have this certificate.

I recommend installing MS09-006 and MS09-008 right away – and while you’re at it, go ahead and install MS09-007 – that way you can install patches for all three vulnerabilities at the same time and leverage the same system reboot to complete the patch installation. Being OS patches, they should all be relatively simple to install.

Microsoft did NOT release a patch for the Excel zero day vulnerability. Maybe we can expect this as an out of band patch later this month?

Also, Adobe has just released a new version of Adobe Reader 9 to correct a zero day vulnerability that was previously announced.

DETAILS

MS09-006 follows a long line of vulnerabilities that can be exploited when viewing maliciously created graphic images. This time, the flaw exists in the way that the Operating System parses and displays WMF and EMF formatted images. The flaw actually resides in the Windows kernel – but is only exploited when handling the malformed pictures. All that the attacker needs to do is encourage a victim to view a specially formatted image and the attacker can run code on the victim’s system. The evil code will execute with system privileges – even if the user wasn’t logged on as an administrator. With system privileges, the evil code can access, copy, or delete any files on the system, create or delete user accounts, change passwords, or install backdoors. IOW, nasty stuff.

While the common attack vector may be via images hosted on a website of questionable repute, the attack can also be spawned by viewing emails or documents with embedded images. Once again, don’t open documents or emails from people you don’t know. Don’t rule out hacks spawned from evil images hosted on Facebook.

This patch should be very safe to deploy and requires a reboot. Best to patch this first on machines where end-users exist – laptops, desktops, etc., then deploy to servers (where users are less likely to be reading emails, opening documents, or surfing the web).

This patch applies to all Operating Systems and replaces MS08-061 (a kernel patch), which itself replaces MS08-025 (an earlier kernel patch).

MS09-007 is a seemingly innocuous spoofing vulnerability that can actually pose great concern for certain types of users. This vulnerability can be used to connect to a website or resource that requires certificate-based authentication. Usually, this means that only users with the required certificate can access the site. However, in this scenario, an attacker could access the restricted site even though they don’t have the necessary certificate. In order to pull this off, the attacker needs to have a copy of the site’s public authentication certificate – which is something that is most easily obtained if the attacker has full access to the victim’s computer (and if this is the case, far worse things can happen).

Many users don’t ever do anything with certificate-based authentication for secure sites. Those that do probably use an Active Directory based certificate store, which thwarts this attack. Those that do use local accounts and certificates are most at risk from this vulnerability and should install the patch right away. All others can roll it out as they see fit – though if you’re rolling out MS09-006, just go ahead and roll this out at the same time and leverage the shared reboot.

This vulnerability impacts all Operating Systems. The patch supersedes the one released for MS07-031, which also addressed an Schannel vulnerability.

MS09-008 addresses a vulnerability in DNS and WINS services that could allow an attacker to insert bad data into a DNS (or WINS) Server, thereby redirecting people’s traffic to potentially evil websites. The security bulletin doesn’t list any workarounds, nor does it imply any pre-requisites on the part of the attacker, meaning it could be possible for a remote, unauthenticated attacker to modify a vulnerable DNS Server and redirect their site’s users. Assuming this knowledge is correct, that would make this a Critical issue, rather than a severity of Important, in my eyes.

The sole purpose of a DNS Server is to direct individuals to the proper end-location. If an unauthenticated remote attacker can modify these instructions and redirect people to bogus websites then the DNS Server isn’t doing its job and should be considered compromised. That’s a pretty serious situation – attackers can set up look-alike websites hoping to entice users to enter sensitive information (though the redirection attack is thwarted by using SSL).

Any way I look at it, this should be a Critical patch to install on all DNS Servers right away. (Maybe Microsoft rated this Important as the level of effort to pull off this attack is so great that the likelihood of exploitation is minimal? However, exploit code was released for an earlier, similar vulnerability.) A similar patch was released for WINS servers to handle a similar type of attack, though limited to the internal WINS Server and its network.

This patch supersedes MS08-037 (a prior DNS Spoofing issue) and requires a reboot.
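The poisoning described above only works if the server caches a reply it should have rejected. As an added illustration that is not part of this post, the Python below builds a constructed legitimate reply and a constructed forged one, then runs the basic acceptance checks a caching resolver applies before trusting a reply: transaction ID match, question echo, and a simplified bailiwick rule (answers must belong to the queried name’s parent zone). Names are uncompressed and the parent-zone rule is a deliberate simplification, both assumptions of this example.

```python
import struct

def encode_name(name):
    # Wire-encode a dotted name as length-prefixed labels, no compression.
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_response(txid, qname, qtype, answers):
    # Constructed reply: header (QR|RD|RA flags), one question, then (owner, type, rdata) answers.
    pkt = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!2H", qtype, 1)
    for owner, rtype, rdata in answers:
        pkt += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return pkt

def read_name(pkt, off):
    # Decode length-prefixed labels (no compression pointers, matching build_response).
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels), off + 1

def parse_response(pkt):
    # Return (txid, qname, qtype, [(owner, rtype, rdata), ...]) from a minimal reply.
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    qname, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!2H", pkt[off:off + 4])
    off, answers = off + 4, []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        answers.append((owner, rtype, pkt[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return txid, qname, qtype, answers

def response_is_acceptable(pkt, sent_txid, sent_qname, sent_qtype):
    # Checks a caching resolver applies before trusting a reply to a query it sent.
    txid, qname, qtype, answers = parse_response(pkt)
    sent_qname = sent_qname.lower()
    if txid != sent_txid:                           # transaction ID must match the query
        return False
    if (qname, qtype) != (sent_qname, sent_qtype):  # question section must echo the query
        return False
    zone = sent_qname.split(".", 1)[1]              # simplified bailiwick: the parent zone
    return all(o == sent_qname or o.endswith("." + zone) for o, _t, _r in answers)

A, RR = 1, ("www.example.com", 1, bytes([192, 0, 2, 10]))   # constructed: A record type, legit answer
GOOD = build_response(0x1234, "www.example.com", A, [RR])
POISON = build_response(0x1234, "www.example.com", A, [RR, ("login.bank.example.net", A, bytes([203, 0, 113, 5]))])
```

GOOD passes all three checks; POISON carries the right ID and question but smuggles in a record for an unrelated name, so the bailiwick rule rejects it.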
