Reflections on June 2009 Patch Day

Microsoft released 10 security bulletins this month. Eight of the ten were assigned exploitability indices of ‘1 – Consistent Exploit Code Likely’. This means hackers could have access to exploit code fairly soon – which means the patches should be installed sooner rather than later. Five of the ten security bulletins discuss ‘server-side’ vulnerabilities (vs. client-side vulnerabilities). More on server-side vs. client-side in a future post.

See the end of this post for recommendations on which to install first.

MS09-018: Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-018 is a Critical server-side vulnerability in the Active Directory services of Windows 2000 and Windows Server 2003 domain controllers (or Active Directory Application Mode on XP and WS03 servers). By submitting a specially formatted LDAP request to the AD server, the attacker can execute code of their code on Windows 2000 AD servers (what I call a true ‘remote code execution’ vulnerability). On Windows Server 2003, the attacker can cause a Denial of Service condition and otherwise make a mess of an ordinarily pleasant day.

For the attack to be successful against Windows 2000 DCs, the attacker simply needs to target their attack against LDAP ports (tcp 389, 636, 3268, or 3269). While these ports are traditionally blocked at Internet firewalls, these ports are wide open for attack on most internal networks. The attacker doesn’t need any special authentication to attack Windows 2000 servers. Once they launch the code, they can take any action they wish against the domain controller. If I were the attacker, I’d go after the SAM database that contains all of the Domain User’s password hashes.

For Windows Server 2003, the attack is somewhat mitigated in that the attacker must have some level of credentials to the domain controller. In most instances, this means the attacker must be a member of the domain which he or she is attacking. The vulnerability is rated Important in WS03 as it doesn’t allow code execution – it just jams up the server from doing what it should.

I’d recommend patching Windows 2000 AD servers as soon as possible. I’d also patch Windows Server 2003 systems quickly, as you don’t want disgruntled employees launching the tool of the week to down your domain controllers.

MS09-019: Cumulative Security Update for Internet Explorer (969897)
Another month, another Critical IE cumulative patch. This particular patch corrects a flaw uncovered at the recent CanSecWest conference that enabled someone to hack a Vista machine via IE8. It also corrects a handful of other issues identified in all versions of Internet Explorer.

The IE8 issue impacts Windows XP systems when browsing evil Internet websites. Vista and WS08 systems are protected against evil Internet sites because of DEP and ASLR built-in protections. Vista systems can be vulnerable to evil Intranet sites if other security configs on the Vista box have been weakened. In any event, it’s nice that this zero-day flaw in IE8 has been corrected. Go apply the patch.

The remaining issues addressed in the bulletin impact IE versions 5, 6 and 7. Exploitation can range from information disclosure to what Microsoft calls remote code execution (and I call local code execution). Workaround: don’t visit evil websites.

This is a client-side collection of vulnerabilities as they require someone at the target system to take an action on the machine in order to allow the vulnerabilities to execute. Therefore, this attack is more likely to impact your end-user workstations than your datacenter servers.

MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
Another patch for a zero-day vulnerability, this bulletin addresses the IIS WebDAV issue announced by Microsoft last month. This vulnerability allows remote attackers to bypass the WebDAV authentication settings on an IIS server, potentially allowing them to read files on the webserver. The issue is somewhat mitigated, however, because the file system ACLs are still observed.

While this vulnerability doesn’t allow the attacker to write files to or execute code on the server, it might allow them to read enough information from the server that they can exploit other services on the box (think SQL server). See my prior post, New Microsoft IIS Zero-Day Vulnerability, on this issue for more information.

MS09-021: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
In the fifth Excel patch we’ve seen since last August, Microsoft is hoping they’ve nailed the door shut on malicious file parsing bugs. Multiple vulnerabilities with Excel file parsing were addressed in the 09-021 patch.

The Excel 2000 platform is rated as Critical, whereas Excel 2002-2007, SharePoint, and Excel converters are rated Important. Excel 2000 is rated Critical because it lacks the open dialog confirmation window that exists in later releases. This means if you have Excel 2000 installed and you visit an evil web page, the web page can open Excel and launch the evil document without your knowledge. You’re hacked. In Excel 2002 and later, the evil document wouldn’t open automatically; rather, it would prompt you if you wish to open the file. If the evil file does execute, it runs under the context of the currently logged on user (typical of a client-side vulnerability).

MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-022 is a server-side vulnerability that can be exploited by sending RPC packets to the print spooler on the target system. RPC is the same mechanism used in the Blaster\Sasser\Conficker worms. Remote RPC uses tcp ports 139 and/or 445.

In this instance, the attacker can execute code on Windows 2000 systems remotely; however, the attacker must first install a print server on their own machine, then send RPC packets to the target system, instructing the target to connect to the rogue print server. When the target system enumerates the sharename of the rogue server, the attacker’s code can execute on the remote system.

Windows XP and later systems aren’t vulnerable to this attack; however, they are vulnerable to several other attacks. In the first, a locally logged on user can read or print any file on the system, even if they don’t have access to the file. The local attacker can specify the file they want to read as a separator page – thus allowing it to be viewed. The second attack is a privilege escalation attack. The attacker can send RPC packets to the target system, convincing it to load an evil printdriver dll. Once this happens, the attacker can execute code on the system. In order for this to happen the attacker must have the ‘manage printers’ capability (which is granted to locally logged on users).

For Windows 2000, this is a Critical issue. For Vista and WS08, this is Important. For XP and WS03 systems, this is rated Moderate.

MS09-023: Vulnerability in Windows Search Could Allow Information Disclosure (963093)
If a user running Windows XP or Windows Server 2003 performs a Windows Search on their machine, the search results could cause malicious scripts to execute that would display information from the target system. This attack requires that the target system be running Windows Search. It also requires that the attacker place a specially crafted file on the target user’s computer.

If this evil file is indexed by the search engine (whether it be an email message, document, or data file) AND appears at the top of a search result (performed by the user) html script embedded in the evil file can execute on the target system. The attacker’s script could access data on the system and forward this back to the attacker. Alternatively, if the evil file is not returned at the top search result, the script will still execute if the user selects and previews the search result for the evil file.

The above scenario is seemingly complex – probably what helped to get it rated Moderate rather than Important. Also, Windows Search is not installed on these platforms by default. If you’re a hacker looking to read data on a system, I’d look to other exploits before attempting this one. Windows Search has had two prior security updates: MS09-015 and MS08-075.

MS09-024: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
This is a client-side vulnerability that could allow an attacker to execute on a user’s computer should they open a malformed Works document (.wps). As with other Office vulnerabilities, Office 2000 is rated Critical as the malformed document could open automatically and without warning when the user visits an evil website. For Office 2002, Office 2003, Office 2007 SP1, and users running Works 8.5 or 9, the malformed Works file wouldn’t open automatically, but would present an open confirmation dialog box before opening. The attacker could also email the malformed document to other users. When the unsuspecting users (and those not trained to not open unusual files from unknown individuals) open the Works document, it will execute code on their system.

The code will execute with the same level of permissions as the currently logged on user (administrator, in many cases) and can do anything the logged on user can do. This patch replaces MS08-072 for Works 8.5.

MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
Microsoft refers to MS09-025 as a local code execution vulnerability. In other words, the attacker must be logged on to the local machine and execute code locally in order for the vulnerability to be exploited. Once the attackers code has been initiated, it will run as LocalSystem and can grant the attacker administrative access.

While this exploit might be most beneficial to (the few) computer users who don’t have admin permissions to their local systems, the exploit can also be leveraged by folks who do terminal services to remote computers, and in some cases, to users who have code upload capabilities to hosted web servers.

Because it requires that the user have some level of access to execute code on the target system, Microsoft has rated this Important. Microsoft also says that proof of concept code has been released for several of the vulnerabilities addressed by this patch. This patch replaces MS09-006 (which was Critical).

MS09-026: Vulnerability in RPC Could Allow Elevation of Privilege (970238)
RPC vulnerabilities usually scare the pants off of me. In this instance though, it’s not so bad. Microsoft assures us that their Operating Systems are not vulnerable to this attack by default – none of their RPC services suffer from this issue. They mention that third party products could be vulnerable as they leverage an RPC runtime file that could be susceptible to this issue.

In order to pull off this attack, a remote attacker would need to send carefully constructed packets to a vulnerable RPC service on the target machine. Third party apps can choose any tcp or udp ports to use for their services – it’s not as easy as saying tcp 139 or 445. Third party services that implement tight authentication and security over their RPC services are less likely to be susceptible to exploitation. To be sure that you’re safe, install this patch and ask your vendors if they include any code that looks like the examples here: http://tinyurl.com/nsoqn6.

MS09-027: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
Same type of issue as MS09-021. Open a malformed Word document and it hacks your system. I’m tired of these. ‘Nuff said.

Recommended order of deployment:

First: MS09-018 (Win2K), MS09-019 (IE), MS09-020 (IIS)

After: all the rest

Disclaimer: adjust these recommendations for the assets on your network

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: