Archive for Patch Management

SANS instructor: “Avoid Adobe… security appears out of control”

Stephen Northcutt, an instructor for SANS and President of SANS Technology Institute, cautions users against using Adobe products due to an increasing number of Adobe security vulnerabilities that have been reported this year.  In the SANS NewsBites Vol 11 #61 (8/4/2009), Stephen says:

“I think organizations should avoid Adobe if possible.  Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can.”  http://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=61  (link may not be live yet)

There have been four patches (year to date) in 2009 for Adobe Reader\Acrobat, compared to three security patches for Adobe Reader\Acrobat in all of 2008.

Other common desktop applications and their security patch counts since Jan 1, 2009:

9 patches for Mozilla Firefox (previously listed as 8)
4 patches for Microsoft Internet Explorer
4 patches for Apple Safari
4 patches for Adobe Reader\Acrobat
3 patches for Adobe Flash
2 patches for Adobe Shockwave
2 patches for Apple Quicktime
2 patches for Apple iTunes


ActiveX Killbits

Beginning in May 2008, Microsoft has released cumulative patches to install ActiveX Killbits. A killbit is a registry flag (bit 0x400 in the Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) that tells Internet Explorer never to instantiate the control with that CLSID, whether or not the control is installed; it is how Microsoft retires a vulnerable control without uninstalling it. Below is an analysis of the killbits released via these patches to date. The analysis was performed against patches for Windows XP; however, it is assumed that these killbits are applicable to all Operating Systems.

As of July 27, 2009:

Total Killbits applied by latest cumulative patch (MS09-032): 175

Monthly Count
May 2008: 4
June 2008: 3
August 2008: 96
October 2008: 12
February 2009: 10
June 2009: 5
July 2009: 45 

Vendor Count
Akamai: 1
Aurigma: 74
BackWeb: 1
Ebay: 2
HP: 23
HusDawg: 1
Microgaming: 2
Microsoft: 67
PhotoStockPlus: 1
RIM: 1
Yahoo: 2

Details for each Killbit (including links to advisories)

(download PDF here)

May-08 {22FD7C0A-850C-4A53-9821-0B0915C96139} Yahoo Yahoo! MediaGrid
May-08 {314111B8-A502-11D2-BBCA-00C04F8EC294} Microsoft Microsoft Help 2.0 Contents
May-08 {314111C6-A502-11D2-BBCA-00C04F8EC294} Microsoft Microsoft Help 2.0 Index
May-08 {5F810AFC-BB5F-4416-BE63-E01DD117BD6C} Yahoo Yahoo! DataGrid
Jun-08 {3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F} Microsoft SpSharedRecognizer
Jun-08 {40F23EB7-B397-4285-8F3C-AACE4FA40309} BackWeb BackWeb Lite Install Runner
Jun-08 {47206204-5ECA-11D2-960F-00C04F8EE628} Microsoft SpSharedRecoContext
Aug-08 {00D46195-B634-4C41-B53B-5093527FB791} Aurigma Aurigma Image Uploader
Aug-08 {0270E604-387F-48ED-BB6D-AA51F51D6FC3} Aurigma Aurigma Image Uploader
Aug-08 {038F6F55-C9F0-4601-8740-98EF1CA9DF9A} Aurigma Aurigma Image Uploader
Aug-08 {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} Aurigma Aurigma Image Uploader
Aug-08 {0B9C0C26-728C-4FDA-B8DD-59806E20E4D9} Aurigma Aurigma Image Uploader
Aug-08 {0C378864-D5C4-4D9C-854C-432E3BEC9CCB} HP HP eDiag
Aug-08 {101D2283-EED9-4BA2-8F3F-23DB860946EB} Aurigma Aurigma Image Uploader
Aug-08 {108092BF-B7DB-40D1-B7FB-F55922FCC9BE} Aurigma Aurigma Image Uploader
Aug-08 {14C1B87C-3342-445F-9B5E-365FF330A3AC} HP HP Instant Support
Aug-08 {17E67D4A-23A1-40D8-A049-EE34C0AF756A} HP HP eDiag
Aug-08 {1E0D3332-7441-44FF-A225-AF48E977D8B6} Aurigma Aurigma Image Uploader
Aug-08 {285CAE3C-F16A-4A84-9A80-FF23D6E56D68} Aurigma Aurigma Image Uploader
Aug-08 {2875E7A5-EE3C-4FE7-A23E-DE0529D12028} Aurigma Aurigma Image Uploader
Aug-08 {2C2DE2E6-2AD1-4301-A6A7-DF364858EF01} Aurigma Aurigma Image Uploader
Aug-08 {3604EC19-E009-4DCB-ABC5-BB95BF92FD8B} Aurigma Aurigma Image Uploader
Aug-08 {3D6A1A85-DE54-4768-9951-053B3B02B9B0} Aurigma Aurigma Image Uploader
Aug-08 {41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA} Aurigma Aurigma Image Uploader
Aug-08 {42C68651-1700-4750-A81F-A1F5110E0F66} HP HP eDiag
Aug-08 {44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9} Aurigma Aurigma Image Uploader
Aug-08 {4614C49A-0B7D-4E0D-A877-38CCCFE7D589} Aurigma Aurigma Image Uploader
Aug-08 {4774922A-8983-4ECC-94FD-7235F06F53A1} HP HP eDiag
Aug-08 {47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB} Aurigma Aurigma Image Uploader
Aug-08 {497EE41C-CE06-4DD4-8308-6C730713C646} Aurigma Aurigma Image Uploader
Aug-08 {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} Aurigma Aurigma Image Uploader
Aug-08 {60178279-6D62-43AF-A336-77925651A4C6} HP HP eDiag
Aug-08 {6470DE80-1635-4B5D-93A3-3701CE148A79} HP HP eDiag
Aug-08 {652623DC-2BB4-4C1C-ADFB-57A218F1A5EE} Aurigma Aurigma Image Uploader
Aug-08 {65FB3073-CA8E-42A1-9A9A-2F826D05A843} Aurigma Aurigma Image Uploader
Aug-08 {66E07EF9-4E89-4284-9632-6D6904B77732} Aurigma Aurigma Image Uploader
Aug-08 {68BBCA71-E1F6-47B2-87D3-369E1349D990} Aurigma Aurigma Image Uploader
Aug-08 {692898BE-C7CC-4CB3-A45C-66508B7E2C33} Aurigma Aurigma Image Uploader
Aug-08 {6981B978-70D9-40B9-B00E-903B6FC8CA8A} Aurigma Aurigma Image Uploader
Aug-08 {69C462E1-CD41-49E3-9EC2-D305155718C1} Aurigma Aurigma Image Uploader
Aug-08 {6C095616-6064-43CA-9180-CF1B6B6A0BE4} Aurigma Aurigma Image Uploader
Aug-08 {6CA73E8B-B584-4533-A405-3D6F9C012B56} Aurigma Aurigma Image Uploader
Aug-08 {6E5E167B-1566-4316-B27F-0DDAB3484CF7} Aurigma Aurigma Image Uploader
Aug-08 {73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A} Aurigma Aurigma Image Uploader
Aug-08 {76EE578D-314B-4755-8365-6E1722C001A2} Aurigma Aurigma Image Uploader
Aug-08 {784F2933-6BDD-4E5F-B1BA-A8D99B603649} HP HP eDiag
Aug-08 {7A12547F-B772-4F2D-BE36-CE5D0FA886A1} Aurigma Aurigma Image Uploader
Aug-08 {7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3} Aurigma Aurigma Image Uploader
Aug-08 {833E62AD-1655-499F-908E-62DCA1EB2EC6} Aurigma Aurigma Image Uploader
Aug-08 {86C2B477-5382-4A09-8CA3-E63B1158A377} Aurigma Aurigma Image Uploader
Aug-08 {8C7A23D9-2A9B-4AEA-BA91-3003A316B44D} Aurigma Aurigma Image Uploader
Aug-08 {8CC18E3F-4E2B-4D27-840E-CB2F99A3A003} Aurigma Aurigma Image Uploader
Aug-08 {8DBC7A04-B478-41D5-BE05-5545D565B59C} Aurigma Aurigma Image Uploader
Aug-08 {905BF7D7-6BC1-445A-BE53-9478AC096BEB} Aurigma Aurigma Image Uploader
Aug-08 {910E7ADE-7F75-402D-A4A6-BB1A82362FCA} HP HP eDiag
Aug-08 {916063A5-0098-4FB7-8717-1B2C62DD4E45} Aurigma Aurigma Image Uploader
Aug-08 {926618A9-4035-4CD6-8240-64C58EB37B07} Aurigma Aurigma Image Uploader
Aug-08 {9275A865-754B-4EDF-B828-FED0F8D344FC} Aurigma Aurigma Image Uploader
Aug-08 {93441C07-E57E-4086-B912-F323D741A9D8} HP HP eDiag
Aug-08 {93C5524B-97AE-491E-8EB7-2A3AD964F926} Aurigma Aurigma Image Uploader
Aug-08 {947F2947-2296-42FE-92E6-E2E03519B895} Aurigma Aurigma Image Uploader
Aug-08 {974E1D88-BADF-4C80-8594-A59039C992EA} Aurigma Aurigma Image Uploader
Aug-08 {977315A5-C0DB-4EFD-89C2-10AA86CA39A5} Aurigma Aurigma Image Uploader
Aug-08 {9BAFC7B3-F318-4BD4-BABB-6E403272615A} Aurigma Aurigma Image Uploader
Aug-08 {A233E654-53FF-43AA-B1E2-60DA2E89A1EC} Aurigma Aurigma Image Uploader
Aug-08 {A3796166-A03C-418A-AF3A-060115D4E478} Aurigma Aurigma Image Uploader
Aug-08 {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} Aurigma Aurigma Image Uploader
Aug-08 {A7866636-ED52-4722-82A9-6BAABEFDBF96} Aurigma Aurigma Image Uploader
Aug-08 {A95845D8-8463-4605-B5FB-4F8CFBAC5C47} HP HP eDiag
Aug-08 {AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B} Aurigma Aurigma Image Uploader
Aug-08 {AB049B11-607B-46C8-BBF7-F4D6AF301046} HP HP eDiag
Aug-08 {AB237044-8A3B-42BB-9EE1-9BFA6721D9ED} HP HP eDiag
Aug-08 {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} Aurigma Aurigma Image Uploader
Aug-08 {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} Aurigma Aurigma Image Uploader
Aug-08 {B0A08D67-9464-4E73-A549-2CC208AC60D3} Aurigma Aurigma Image Uploader
Aug-08 {B26E6120-DD35-4BEA-B1E3-E75F546EBF2A} Aurigma Aurigma Image Uploader
Aug-08 {B60770C2-0390-41A8-A8DE-61889888D840} Aurigma Aurigma Image Uploader
Aug-08 {B85537E9-2D9C-400A-BC92-B04F4D9FF17D} Aurigma Aurigma Image Uploader
Aug-08 {B95B52E9-B839-4412-96EB-4DABAB2E4E24} Aurigma Aurigma Image Uploader
Aug-08 {B9C13CD0-5A97-4C6B-8A50-7638020E2462} HP HP eDiag
Aug-08 {BA162249-F2C5-4851-8ADC-FC58CB424243} Aurigma Aurigma Image Uploader
Aug-08 {BF931895-AF82-467A-8819-917C6EE2D1F3} HP HP eDiag
Aug-08 {C70D0641-DDE1-4FD7-A4D4-DA187B80741D} HP HP eDiag
Aug-08 {C86EE68A-9C77-4441-BD35-14CC6CC4A189} Aurigma Aurigma Image Uploader
Aug-08 {C94188F6-0F9F-46B3-8B78-D71907BD8B77} HP HP eDiag
Aug-08 {CB05A177-1069-4A7A-AB0A-5E6E00DCDB76} Aurigma Aurigma Image Uploader
Aug-08 {CC7DA087-B7F4-4829-B038-DA01DFB5D879} Aurigma Aurigma Image Uploader
Aug-08 {CDAF9CEC-F3EC-4B22-ABA3-9726713560F8} HP HP eDiag
Aug-08 {CF08D263-B832-42DB-8950-F40C9E672E27} Aurigma Aurigma Image Uploader
Aug-08 {CF6866F9-B67C-4B24-9957-F91E91E788DC} HP HP eDiag
Aug-08 {D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6} Aurigma Aurigma Image Uploader
Aug-08 {DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772} HP HP eDiag
Aug-08 {DE233AFF-8BD5-457E-B7F0-702DBEA5A828} HP HP eDiag
Aug-08 {E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0} HP HP eDiag
Aug-08 {E1A26BBF-26C0-401D-B82B-5C4CC67457E0} Aurigma Aurigma Image Uploader
Aug-08 {E4C97925-C194-4551-8831-EABBD0280885} Aurigma Aurigma Image Uploader
Aug-08 {E6127E3B-8D17-4BEA-A039-8BB9D0D105A2} Aurigma Aurigma Image Uploader
Aug-08 {F1F51698-7B63-4394-8743-1F4CF1853DE1} Aurigma Aurigma Image Uploader
Aug-08 {F399F5B6-3C63-4674-B0FF-E94328B1947D} Aurigma Aurigma Image Uploader
Aug-08 {F6A7FF1B-9951-4CBE-B197-EA554D6DF40D} Aurigma Aurigma Image Uploader
Aug-08 {F89EF74A-956B-4BD3-A066-4F23DF891982} Aurigma Aurigma Image Uploader
Aug-08 {FA8932FF-E064-4378-901C-69CB94E3A20A} Aurigma Aurigma Image Uploader
Aug-08 {FC28B75F-F9F6-4C92-AF91-14A3A51C49FB} Aurigma Aurigma Image Uploader
Oct-08 {0002E500-0000-0000-C000-000000000046} Microsoft OWC.Chart.9 
Oct-08 {0002E510-0000-0000-C000-000000000046} Microsoft OWC.Spreadsheet.9
Oct-08 {0002E511-0000-0000-C000-000000000046} Microsoft OWC9 Control
Oct-08 {0002E520-0000-0000-C000-000000000046} Microsoft OWC.PivotTable.9
Oct-08 {0002E530-0000-0000-C000-000000000046} Microsoft OWC.DataSourceControl.9
Oct-08 {AED98630-0251-4E83-917D-43A23D66D507} Microgaming Microgaming Download Helper
Oct-08 {F0E42D50-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {F2175210-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} HusDawg Husdawg System Requirements Lab
Oct-08 {E48BB416-C578-4A62-84C9-5E3389ABE5FC} PhotoStockPlus PhotoStockPlus Uploader Tool
Oct-08 {FA91DF8D-53AB-455D-AB20-F2F023E498D3} Microsoft SQL Report Services Client Printing
Feb-09 {0ECD9B64-23AA-11D0-B351-00A0C9055D8E} Microsoft Hierarchical FlexGrid Control for VB6
Feb-09 {1E216240-1B7D-11CF-9D53-00AA003C9CB6} Microsoft Capicom
Feb-09 {248DD896-BB45-11CF-9ABC-0080C7E7B78D} Microsoft Capicom
Feb-09 {3A2B370C-BA0A-11D1-B137-0000F8753F5D} Microsoft Charts Control for VB6
Feb-09 {4788DE08-3552-49EA-AC8C-233DA52523B9} RIM Blackberry Application Web Loader
Feb-09 {6262D3A0-531B-11CF-91F6-C2863C385E30} Microsoft FlexGrid Control for VB6
Feb-09 {B09DE715-87C1-11D1-8BE3-0000F8754DA1} Microsoft Windows Common Control for VB6
Feb-09 {C932BA85-4374-101B-A56C-00AA003668DC} Microsoft Masked Edit Control for VB6
Feb-09 {CDE57A43-8B86-11D0-B3C6-00A0C90AEA82} Microsoft DataGrid  Control for VB6
Feb-09 {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} Akamai Akamai Download Manager
Jun-09 {00000032-9593-4264-8B29-930B3E4EDCCD} HP Virtual Rooms
Jun-09 {4C39376E-FA9D-4349-BACC-D305C1750EF3} Ebay Enhanced Picture Services
Jun-09 {648A5600-2C6E-101B-82B6-000000000014} Microsoft MSCOMM32.OCX ATL Loader in VB6
Jun-09 {C3EB1670-84E0-4EDA-B570-0B51AAE81679} Ebay Enhanced Picture Services
Jun-09 {D8089245-3211-40F6-819B-9E5E92CD61A2} Microgaming FlashXControl
Jul-09 {011B3619-FE63-4814-8A84-15A194CE9CE3} Microsoft msvidctl.dll
Jul-09 {0149EEDF-D08F-4142-8D73-D23903D21E90} Microsoft msvidctl.dll
Jul-09 {0369B4E5-45B6-11D3-B650-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {0369B4E6-45B6-11D3-B650-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {055CB2D7-2969-45CD-914B-76890722F112} Microsoft msvidctl.dll
Jul-09 {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF} Microsoft msvidctl.dll
Jul-09 {15D6504A-5494-499C-886C-973C9E53B9F1} Microsoft msvidctl.dll
Jul-09 {1BE49F30-0E1B-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {1C15D484-911D-11D2-B632-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {1DF7D126-4050-47F0-A7CF-4C4CA9241333} Microsoft msvidctl.dll
Jul-09 {2C63E4EB-4CEA-41B8-919C-E947EA19A77C} Microsoft msvidctl.dll
Jul-09 {334125C0-77E5-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B0353C-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B03543-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B03544-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {418008F3-CF67-4668-9628-10DC52BE1D08} Microsoft msvidctl.dll
Jul-09 {4A5869CF-929D-4040-AE03-FCAFC5B9CD42} Microsoft msvidctl.dll
Jul-09 {577FAA18-4518-445E-8F70-1473F8CF4BA4} Microsoft msvidctl.dll
Jul-09 {59DC47A8-116C-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {7F9CB14D-48E4-43B6-9346-1AEBC39C64D3} Microsoft msvidctl.dll
Jul-09 {823535A0-0318-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB} Microsoft msvidctl.dll
Jul-09 {8A674B4C-1F63-11D3-B64C-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {8A674B4D-1F63-11D3-B64C-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {9CD64701-BDF3-4D14-8E03-F12983D86664} Microsoft msvidctl.dll
Jul-09 {9E77AAC4-35E5-42A1-BDC2-8F3FF399847C} Microsoft msvidctl.dll
Jul-09 {A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {A2E3074E-6C3D-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {A2E30750-6C3D-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE} Microsoft msvidctl.dll
Jul-09 {AD8E510D-217F-409B-8076-29C5E73B98E8} Microsoft msvidctl.dll
Jul-09 {B0EDF163-910A-11D2-B632-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {B64016F3-C9A2-4066-96F0-BD9563314726} Microsoft msvidctl.dll
Jul-09 {BB530C63-D9DF-4B49-9439-63453962E598} Microsoft msvidctl.dll
Jul-09 {C531D9FD-9685-4028-8B68-6E1232079F1E} Microsoft msvidctl.dll
Jul-09 {C5702CCC-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCD-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCE-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCF-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CD0-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7} Microsoft msvidctl.dll
Jul-09 {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91} Microsoft msvidctl.dll
Jul-09 {D02AAC50-027E-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {F9769A06-7ACA-4E39-9CFB-97BB35F0E77E} Microsoft msvidctl.dll
Jul-09 {FA7C375B-66A7-4280-879D-FD459C84BB02} Microsoft msvidctl.dll
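
As an added example (my code, not part of the original post and not a Microsoft tool), the PowerShell below pulls the CLSIDs out of rows formatted like the table above, checks whether each one is already killbitted on the local machine, and can set the bit itself. The mechanism is the documented one (Microsoft KB 240797: bit 0x400 in the Compatibility Flags DWORD under the ActiveX Compatibility key). The three rows embedded in the script are copied from the table; everything else (function names, output format) is assumed. Run it elevated if you intend to set bits.

```powershell
# Added example, not from the original post. Audits (and optionally sets)
# ActiveX kill bits. Per Microsoft KB 240797, IE refuses to instantiate a
# control whose CLSID key under "ActiveX Compatibility" carries bit 0x400
# in the "Compatibility Flags" DWORD, whether or not the control is installed.

$KillBitFlag = 0x400
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# 32-bit IE on 64-bit Windows reads the WOW6432Node view; audit both when present
$Wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
if (Test-Path $Wow) { $Roots += $Wow }

# Sample rows copied from the table above (constructed input for this example;
# paste the whole table here or read it from a file to audit all 175)
$TableText = @'
May-08 {314111B8-A502-11D2-BBCA-00C04F8EC294} Microsoft Microsoft Help 2.0 Contents
Oct-08 {0002E510-0000-0000-C000-000000000046} Microsoft OWC.Spreadsheet.9
Jul-09 {0369B4E5-45B6-11D3-B650-00C04F79498E} Microsoft msvidctl.dll
'@

function Get-ClsidsFromTable {
    param([Parameter(Mandatory=$true)][string]$Text)
    # One CLSID per row: 8-4-4-4-12 hex digits inside braces
    [regex]::Matches($Text, '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') |
        ForEach-Object { $_.Value.ToUpper() } | Select-Object -Unique
}

function Test-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid, [Parameter(Mandatory=$true)][string]$Root)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # Needs an elevated session. ORs the bit in so other compatibility flags survive.
    param([Parameter(Mandatory=$true)][string]$Clsid, [Parameter(Mandatory=$true)][string]$Root)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

$clsids = Get-ClsidsFromTable -Text $TableText
foreach ($root in $Roots) {
    foreach ($c in $clsids) {
        $state = if (Test-KillBit -Clsid $c -Root $root) { 'killbit set' } else { 'MISSING' }
        '{0,-12} {1}  ({2})' -f $state, $c, $root
    }
}

# To apply them yourself, e.g. on a machine that cannot take the cumulative update:
# foreach ($root in $Roots) { foreach ($c in $clsids) { Set-KillBit -Clsid $c -Root $root } }
```

A CLSID reported as MISSING on a machine that has the latest cumulative killbit update applied means either the update did not land in that registry view or the control was never shipped for that platform; compare both views before assuming the patch failed.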


Horseshoes and Hand Grenades

Like the old saying goes, “Close only counts in horseshoes and hand grenades.”

I’ve developed a corollary this week, “The ‘number of flaws’ only matters to VA scanners and journalists.”

I’ve read many news releases this week talking about the record number of flaws/vulnerabilities that Microsoft fixed in the June ’09 Patch Tuesday release. For the record, I’m saying ‘Not Relevant’.

Let’s take MS09-019 as an example. MS09-019 is a cumulative update for Microsoft Internet Explorer. The Microsoft bulletin details eight individual flaws that were addressed by the patches referenced in the security bulletin. Each flaw can be exploited in the same manner – visit an evil website and the evil website can run code on your system. And the closely related ‘the evil code will run in the context of the currently logged on user’.

As a Systems Administrator, one thing is clear to me: if my users visit an evil website, their machines can be exploited. How do I rectify this? I can apply the suggested patch.

Do I care that there were eight different underlying flaws that would lead to the evil code execution? No.

Do I need to take eight different steps to protect myself from this vulnerability? No.

Can I patch my systems to protect them from only 7 of the 8 vulnerabilities? No.

What I do care about is the amount of effort required to protect my machines from this issue. That answer is ‘1’. 1 patch will protect me from these issues – whether there is only 1 listed flaw, or 17 listed flaws. One patch does the trick.

Microsoft issued ten security bulletins covering some much larger number of flaws (I won’t list that number here, because I can’t be bothered to count something that is irrelevant). As a Systems Administrator, I should look at my maximum effort as something up to ’10’. Some of the bulletins may be for products that don’t impact me; therefore, the number could be somewhat lower. Some months, Microsoft has released more than 10 bulletins. That tells me more work is required. Other months, Microsoft has only released one bulletin – therefore seemingly less effort is required to fix my systems than when 10 bulletins appear.

If Microsoft only released one bulletin in a month, and that bulletin addressed 52 issues, does that mean it’s almost twice as much effort to remediate my systems vs. a month that had 10 bulletins but a purported lower number of vulnerabilities? No.

Could Microsoft manipulate the way that they call out the flaws in their bulletins? Sure. Does Microsoft list out all of the additional variants that they found internally when researching the externally reported flaw? No sir. This could hike the flaw numbers much higher. Could Microsoft combine like flaws into single reported flaws? Yes – though they’d need to appease the individuals who reported the items to them, so they each get their day in the sun.

And how about those VA scanners?
Each of the flaws discussed above gets a unique CVE number. Vulnerability Scanner vendors input definitions to their products by CVE number. When I scan my system that is missing just one patch (MS09-019) I get 8 ‘vulnerabilities’ flagged on my machine – one for each of the ‘flaws’ in the 09-019 bulletin. Doesn’t help me remediate my system. Makes it look like a lot of work to get these items remediated, when in reality, it just needs one patch.

All of the above is irrelevant. I care about the number of patches.

To that end, how many patches were released on the June 2009 patch day? Have any journalists mentioned this? Not that I’ve seen. The number of patches released is, at the end of the day, a better reflection of the amount of effort required to make your company secure.

I frequently hear people ask “how many patches did Microsoft release today?” and the answer is something along the lines of “10 today”. No, this is the number of security bulletins released. The number of patches is something else entirely.

For June 2009, Microsoft released 64 unique security bulletin-related patches. This includes English x86 and x64 (but not ia64.) 362 meg, if you care to know. (multi-national organizations need to multiply the number of patches by the number of languages they manage)

Worst case, I have a subset of up to 64 different patches to apply to each of my systems. The tough part is figuring out which ones go to which systems. Those companies that do patch management by hand are in a world of hurt – there’s no way to manage each of these by hand. But I digress…
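
As an added example (my code, not the author’s), the PowerShell below does the collapsing this post argues for: it takes scanner findings reported one row per CVE, groups them into the patch that actually has to be deployed on each host, and drops the KBs a host already has. The findings are constructed sample data; the CVE values are placeholders, not real CVE IDs, and the only thing taken from the page is the pairing of bulletin and KB numbers (MS09-019/969897, MS09-021/969462, MS09-018/971055). Host names and the function name are assumed.

```powershell
# Added example, not from the original post. Turns per-CVE scanner output into a
# per-host, per-patch work list, which is the number the post says reflects effort.

# Constructed sample findings. CVE values are placeholders, not real CVE IDs;
# a real scanner exports comparable rows as CSV. KB is the bulletin's KB number.
$FindingsCsv = @'
Host,CVE,Bulletin,KB,Product
ws01,CVE-0000-0001,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0002,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0003,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0004,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0005,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0006,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0007,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0008,MS09-019,969897,Internet Explorer 7
ws01,CVE-0000-0009,MS09-021,969462,Excel 2003
dc01,CVE-0000-0010,MS09-018,971055,Windows Server 2003
dc01,CVE-0000-0011,MS09-018,971055,Windows Server 2003
'@

function Get-PatchWorklist {
    param(
        [Parameter(Mandatory=$true)][object[]]$Findings,
        # KBs already present; $null means ask Get-HotFix on this machine.
        # Get-HotFix lists Windows updates only, not Office ones, and in a real
        # run you would query each host rather than apply one list to all.
        [string[]]$InstalledKB = $null
    )
    if ($null -eq $InstalledKB) {
        $InstalledKB = @(Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' })
    }
    $Findings |
        Group-Object -Property Host, KB |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Host     = $first.Host
                KB       = $first.KB
                Bulletin = $first.Bulletin
                Product  = $first.Product
                CVEs     = @($_.Group | Select-Object -ExpandProperty CVE -Unique).Count
            }
        } |
        Where-Object { $InstalledKB -notcontains $_.KB } |
        Sort-Object Host, KB
}

$findings = ConvertFrom-Csv $FindingsCsv
# Pretend ws01 already took the Excel patch; pass @() to keep everything
$work = Get-PatchWorklist -Findings $findings -InstalledKB @('969462')

'{0} scanner findings collapse to {1} patch deployments:' -f @($findings).Count, @($work).Count
$work | Format-Table Host, Bulletin, KB, Product, CVEs -AutoSize
```

With the sample data the eleven findings become two deployments (969897 on ws01, 971055 on dc01); the eight IE rows disappear into one line, which is the point of the post.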

Let’s start a new trend – let’s talk about the true numbers on patch day – those that reflect the actual level of effort – not those that allow journalists to go for sensationalism or help Mozilla justify themselves vs. Microsoft.


Reflections on June 2009 Patch Day

Microsoft released 10 security bulletins this month. Eight of the ten were assigned exploitability indices of ‘1 – Consistent Exploit Code Likely’. This means hackers could have access to exploit code fairly soon – which means the patches should be installed sooner rather than later. Five of the ten security bulletins discuss ‘server-side’ vulnerabilities (vs. client-side vulnerabilities). More on server-side vs. client-side in a future post.

See the end of this post for recommendations on which to install first.

MS09-018: Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-018 is a Critical server-side vulnerability in the Active Directory services of Windows 2000 and Windows Server 2003 domain controllers (and in Active Directory Application Mode on XP and WS03). By submitting a specially formatted LDAP request to the AD server, the attacker can execute code of their choosing on Windows 2000 AD servers (what I call a true ‘remote code execution’ vulnerability). On Windows Server 2003, the attacker can cause a Denial of Service condition and otherwise make a mess of an ordinarily pleasant day.

For the attack to be successful against Windows 2000 DCs, the attacker simply needs to target their attack against LDAP ports (tcp 389, 636, 3268, or 3269). While these ports are traditionally blocked at Internet firewalls, they are wide open for attack on most internal networks. The attacker doesn’t need any special authentication to attack Windows 2000 servers. Once they launch the code, they can take any action they wish against the domain controller. If I were the attacker, I’d go after the Active Directory database (NTDS.dit) that contains all of the domain users’ password hashes (on a DC the local SAM holds only the Directory Services Restore Mode account, not the domain accounts).

For Windows Server 2003, the attack is somewhat mitigated in that the attacker must have some level of credentials to the domain controller. In most instances, this means the attacker must be a member of the domain which he or she is attacking. The vulnerability is rated Important in WS03 as it doesn’t allow code execution – it just jams up the server from doing what it should.

I’d recommend patching Windows 2000 AD servers as soon as possible. I’d also patch Windows Server 2003 systems quickly, as you don’t want disgruntled employees launching the tool of the week to down your domain controllers.
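
As an added example (my code, not the author’s), the PowerShell below checks, from whatever network position you run it, which of the four LDAP ports named above accept a TCP connection on each domain controller. It uses .NET sockets directly so it runs on PowerShell 2.0 without Test-NetConnection. The DC names are placeholders; the port list is the one from the text. An open port is exposure, not proof the host is unpatched.

```powershell
# Added example, not from the original post. Reports which LDAP ports on each
# DC answer a TCP connect from this machine. Filtered ports time out, refused
# ports throw from EndConnect; both count as closed.

$LdapPorts = @(
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog SSL' }
)

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 1500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-LdapExposure {
    param([Parameter(Mandatory=$true)][string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        foreach ($p in $LdapPorts) {
            New-Object PSObject -Property @{
                DC   = $dc
                Port = $p.Port
                Role = $p.Name
                Open = (Test-TcpPort -ComputerName $dc -Port $p.Port)
            }
        }
    }
}

# Placeholder DC names. On a domain-joined machine you can enumerate them with
# [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
$dcs = @('dc1.corp.example', 'dc2.corp.example')
Get-LdapExposure -DomainControllers $dcs | Format-Table DC, Port, Role, Open -AutoSize
```

Run it from a user VLAN, not from the server segment: the point of the post is that these ports are reachable from where the disgruntled employee sits.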

MS09-019: Cumulative Security Update for Internet Explorer (969897)
Another month, another Critical IE cumulative patch. This particular patch corrects a flaw uncovered at the recent CanSecWest conference that enabled someone to hack a Vista machine via IE8. It also corrects a handful of other issues identified in all versions of Internet Explorer.

The IE8 issue impacts Windows XP systems when browsing evil Internet websites. Vista and WS08 systems are protected against evil Internet sites because of DEP and ASLR built-in protections. Vista systems can be vulnerable to evil Intranet sites if other security configs on the Vista box have been weakened. In any event, it’s nice that this zero-day flaw in IE8 has been corrected. Go apply the patch.

The remaining issues addressed in the bulletin impact IE versions 5, 6 and 7. Exploitation can range from information disclosure to what Microsoft calls remote code execution (and I call local code execution). Workaround: don’t visit evil websites.

This is a client-side collection of vulnerabilities as they require someone at the target system to take an action on the machine in order to allow the vulnerabilities to execute. Therefore, this attack is more likely to impact your end-user workstations than your datacenter servers.

MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
Another patch for a zero-day vulnerability, this bulletin addresses the IIS WebDAV issue announced by Microsoft last month. This vulnerability allows remote attackers to bypass the WebDAV authentication settings on an IIS server, potentially allowing them to read files on the webserver. The issue is somewhat mitigated, however, because the file system ACLs are still observed.

While this vulnerability doesn’t allow the attacker to write files to or execute code on the server, it might allow them to read enough information from the server that they can exploit other services on the box (think SQL server). See my prior post, New Microsoft IIS Zero-Day Vulnerability, on this issue for more information.
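
As an added example (my code, not the author’s and not an exploit), the PowerShell below sends an HTTP OPTIONS request to a site and reports whether it advertises WebDAV, which is a DAV: response header or PROPFIND in the Allow/Public headers. A site that does not answer that way does not expose the WebDAV code path MS09-020 fixes, which is the first triage question for this bulletin. The URL and the function name are assumed.

```powershell
# Added example, not from the original post. Asks a web server what it supports
# and flags WebDAV. Does not attempt any bypass; it only reads the OPTIONS reply.

function Test-WebDav {
    param(
        [Parameter(Mandatory=$true)][string]$Url,
        [int]$TimeoutMs = 5000
    )
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method  = 'OPTIONS'
    $req.Timeout = $TimeoutMs
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403/405 replies still carry the headers we care about
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # no response at all (DNS, refused, timeout)
    }
    try {
        $dav      = $resp.Headers['DAV']
        $methods  = '{0} {1}' -f $resp.Headers['Allow'], $resp.Headers['Public']
        $propfind = [bool]($methods -match '\bPROPFIND\b')
        New-Object PSObject -Property @{
            Url      = $Url
            Status   = [int]$resp.StatusCode
            Server   = $resp.Headers['Server']
            DAV      = $dav
            PROPFIND = $propfind
            WebDAV   = (($null -ne $dav) -or $propfind)
        }
    } finally {
        $resp.Close()
    }
}

# Placeholder target; point it at each IIS host in scope
Test-WebDav -Url 'http://intranet.corp.example/' | Format-List Url, Status, Server, DAV, PROPFIND, WebDAV
```

Sites that report WebDAV and are not patched are the ones to prioritise; on those, remember that the bypass only yields what the anonymous web identity is allowed to read under NTFS, which is why the file system ACLs matter as much as the patch.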

MS09-021: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
In the fifth Excel patch we’ve seen since last August, Microsoft is hoping they’ve nailed the door shut on malicious file parsing bugs. Multiple vulnerabilities with Excel file parsing were addressed in the 09-021 patch.

The Excel 2000 platform is rated as Critical, whereas Excel 2002-2007, SharePoint, and Excel converters are rated Important. Excel 2000 is rated Critical because it lacks the open dialog confirmation window that exists in later releases. This means if you have Excel 2000 installed and you visit an evil web page, the web page can open Excel and launch the evil document without your knowledge. You’re hacked. In Excel 2002 and later, the evil document wouldn’t open automatically; rather, it would prompt you if you wish to open the file. If the evil file does execute, it runs under the context of the currently logged on user (typical of a client-side vulnerability).

MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-022 is a server-side vulnerability that can be exploited by sending RPC packets to the print spooler on the target system. RPC is the same mechanism that Blaster, Sasser and Conficker exploited (Blaster over tcp 135, Sasser and Conficker over tcp 445). The spooler’s RPC interface is reached over the spoolss named pipe, which rides on SMB: tcp ports 139 and/or 445.

In this instance, the attacker can execute code on Windows 2000 systems remotely; however, the attacker must first install a print server on their own machine, then send RPC packets to the target system, instructing the target to connect to the rogue print server. When the target system enumerates the sharename of the rogue server, the attacker’s code can execute on the remote system.

Windows XP and later systems aren’t vulnerable to this attack; however, they are vulnerable to several other attacks. In the first, a locally logged on user can read or print any file on the system, even if they don’t have access to the file. The local attacker can specify the file they want to read as a separator page – thus allowing it to be viewed. The second attack is a privilege escalation attack. The attacker can send RPC packets to the target system, convincing it to load an evil print driver DLL. Once this happens, the attacker can execute code on the system. In order for this to happen the attacker must have the ‘manage printers’ capability (which is granted to locally logged on users).

For Windows 2000, this is a Critical issue. For Vista and WS08, this is Important. For XP and WS03 systems, this is rated Moderate.

MS09-023: Vulnerability in Windows Search Could Allow Information Disclosure (963093)
If a user running Windows XP or Windows Server 2003 performs a Windows Search on their machine, the search results could cause malicious scripts to execute that would display information from the target system. This attack requires that the target system be running Windows Search. It also requires that the attacker place a specially crafted file on the target user’s computer.

If this evil file is indexed by the search engine (whether it be an email message, document, or data file) AND appears at the top of a search result (performed by the user), html script embedded in the evil file can execute on the target system. The attacker’s script could access data on the system and forward this back to the attacker. Alternatively, if the evil file is not returned as the top search result, the script will still execute if the user selects and previews the search result for the evil file.

The above scenario is seemingly complex – probably what helped to get it rated Moderate rather than Important. Also, Windows Search is not installed on these platforms by default. If you’re a hacker looking to read data on a system, I’d look to other exploits before attempting this one. Windows Search has had two prior security updates: MS09-015 and MS08-075.

MS09-024: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
This is a client-side vulnerability that could allow an attacker to execute code on a user’s computer should the user open a malformed Works document (.wps). As with other Office vulnerabilities, Office 2000 is rated Critical as the malformed document could open automatically and without warning when the user visits an evil website. For Office 2002, Office 2003, Office 2007 SP1, and users running Works 8.5 or 9, the malformed Works file wouldn’t open automatically, but would present an open confirmation dialog box before opening. The attacker could also email the malformed document to other users. When the unsuspecting users (and those not trained to not open unusual files from unknown individuals) open the Works document, it will execute code on their system.

The code will execute with the same level of permissions as the currently logged on user (administrator, in many cases) and can do anything the logged on user can do. This patch replaces MS08-072 for Works 8.5.

MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
Microsoft refers to MS09-025 as a local code execution vulnerability. In other words, the attacker must be logged on to the local machine and execute code locally in order for the vulnerability to be exploited. Once the attacker’s code has been initiated, it will run as LocalSystem and can grant the attacker administrative access.

While this exploit might be most beneficial to (the few) computer users who don’t have admin permissions to their local systems, the exploit can also be leveraged by folks who do terminal services to remote computers, and in some cases, to users who have code upload capabilities to hosted web servers.

Because it requires that the user have some level of access to execute code on the target system, Microsoft has rated this Important. Microsoft also says that proof of concept code has been released for several of the vulnerabilities addressed by this patch. This patch replaces MS09-006 (which was Critical).

MS09-026: Vulnerability in RPC Could Allow Elevation of Privilege (970238)
RPC vulnerabilities usually scare the pants off of me. In this instance though, it’s not so bad. Microsoft assures us that their Operating Systems are not vulnerable to this attack by default – none of their RPC services suffer from this issue. They mention that third party products could be vulnerable as they leverage an RPC runtime file that could be susceptible to this issue.

In order to pull off this attack, a remote attacker would need to send carefully constructed packets to a vulnerable RPC service on the target machine. Third party apps can choose any tcp or udp ports to use for their services – it’s not as easy as saying tcp 139 or 445. Third party services that implement tight authentication and security over their RPC services are less likely to be susceptible to exploitation. To be sure that you’re safe, install this patch and ask your vendors if they include any code that looks like the examples here: http://tinyurl.com/nsoqn6.

MS09-027: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
Same type of issue as MS09-021. Open a malformed Word document and it hacks your system. I’m tired of these. ‘Nuff said.

Recommended order of deployment:

First: MS09-018 (Win2K), MS09-019 (IE), MS09-020 (IIS)

After: all the rest

Disclaimer: adjust these recommendations for the assets on your network


Microsoft releases patch for Powerpoint 0-day flaw

Microsoft patched all Windows versions of Powerpoint today – addressing both a 0-day flaw and 13 other privately reported security vulnerabilities. The 0-day vulnerability enabled attackers to take over client machines if a user opened a malformed powerpoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions).

Microsoft has NOT released a patch at this time for Powerpoint on Mac. They said they weren’t seeing this flaw being executed against Macs and therefore didn’t want to hold up release of this patch for Windows machines while they finished the Mac patch. The patch for Powerpoint on Mac will be released at a later date.

Today’s patches also cover versions of Powerpoint that weren’t flagged as vulnerable to the zero-day, because Microsoft included fixes for 13 additional privately reported vulnerabilities, some of which impact the newer versions of Powerpoint that were not vulnerable to the 0-day. Included in today’s release are patches for the Powerpoint viewer as well as the full version of Powerpoint.

Security patches for items like Powerpoint are considered ‘client-side’ patches because the underlying vulnerabilities can only be used to attack a machine once a user has taken an action on their computer. Typical client-side actions might include opening malicious documents, reading an evil email, or viewing an evil web page. These types of attacks are usually constrained to systems where a user is interactively working on the desktop. Systems which don’t have a lot of user interaction at the desktop, like servers, are usually less susceptible to client-side attacks, though they are just as vulnerable if a user performs one of these actions at the desktop. In most cases, client side exploits only obtain the same level of access on the system as that of the currently logged on user.

Server-side attacks, on the other hand, don’t require user interaction to exploit vulnerabilities. Both workstations and servers are susceptible to server-side attacks. Server-side vulnerabilities leverage flaws in ‘services’ that are running on machines such as web services, file and print services, and networking services (such as TCP/IP or NetBIOS). Because these services are constantly running and are exposed externally on the system, no user interaction is required to interact with these services. This means the exploit can propagate from machine to machine very quickly. SQL Slammer, Nimda, Code Red, and Conficker are all examples of server-side exploitation. In many instances, server-side exploitation leads to administrative or ‘system’ level access on the target computer.

Viruses are a great example of a client-side vulnerability. Because they are client-side, viruses usually require user interaction in order to spread and are therefore slower to spread than a worm. Worms, on the other hand, are representative of server-side exploitation. Since a worm doesn’t require user intervention to spread, it can propagate to other systems very rapidly.

Based on these definitions, today’s Powerpoint release addresses a client-side vulnerability. Its attack vector is dependent upon a user performing an action. As a result, we won’t see rapid propagation of infected systems through this vector (though once a machine is infected, it could launch other attacks using worm-like server side attack mechanisms such as Conficker). Best to patch your client-side systems (where users interact with the desktop) for this issue first, then patch any servers where Powerpoint products may be installed.


April 2009 Patch Day – Spring Cleaning

A slew of Microsoft updates this month – Eight bulletins released: 5 Critical, 2 Important, and 1 Moderate. While eight patches is a larger number than in recent months, this month’s release includes fixes for a number of issues that Microsoft previously identified as too laborious\complex to fix. This includes fixes for the Safari Carpet Bombing and SearchPath issues, additional enhancements for credential reflection (ala SMBRelay fix in MS08-068), and Service Isolation issues as called out at a 2008 security conference.

Microsoft had previously stated that each of these issues was either too complex to solve or didn’t represent an actual vulnerability. It’s enlightening to see that they’ve taken a second look at each of these topics and have found solutions to address each. In probably their most ambitious patch to date, Microsoft even pulled developers off of Windows 7 to assist with the creation of the MS09-012 patch (discussed below). We can only hope that Microsoft continues in this vein and re-examines other parts of the Operating System that were thought too complex to fix. Gory details below…

Microsoft knocked off patches MS09-009 and MS09-010 for several outstanding 0-day issues, including fixes for Excel (advisory 968272 from February 09) and WordPad\Office (advisory 960906 from December 08). Users should install these patches right away because exploits for these issues have been circulating on the Internet for several months.

On to the good stuff:

1. Starting with the Carpet Bombing fixes: Microsoft has released two patches to deal with this issue – an IE patch and an OS patch. MS09-014 is a cumulative IE patch that addresses 6 vulnerabilities – one of these being the carpet bomb fix. In this scenario, an attacker would force an evil file down to a user’s desktop (through the initial release of the Apple Safari web browser). The evil file would be assigned a specific name – one that happened to match a normal Operating System file. When the user later opened Internet Explorer, IE would execute the evil ‘system’ file from the desktop rather than the similarly named (legitimate) file from system directory.

MS09-014 solves this issue by removing the current working directory (in this case, the desktop) from the search path. When IE is launched, it will now look in the system path for the proper file rather than loading the illegitimate file from the desktop.

The IE fix was accomplished by modifying two of the IE DLLs so that they don’t look in the current working directory first (when loading other app DLLs). While this fix only modifies Internet Explorer, Microsoft exposed a registry key that users can modify if they want to make all of their applications ignore the current working directory:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESEARCHPATH_KB963027]
"iexplore.exe"=dword:00000000
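As an added example (not code from the original post or from Microsoft), the following PowerShell audits that feature-control key for a list of executables and writes the documented dword 0 for each of them; it assumes MS09-014 (KB963027) is installed, and the executable names other than iexplore.exe are placeholders standing in for whatever applications an administrator chooses to cover.

```powershell
# Added example, not from the original post: audit and set the
# FEATURE_ENABLESEARCHPATH_KB963027 feature-control values described above.
# Assumes MS09-014 (KB963027) is installed; dword 0 is the value the post
# documents for iexplore.exe. Run from an elevated PowerShell prompt.
$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESEARCHPATH_KB963027'

function Get-SearchPathFeatureState {
    # Reports, per executable, whether a value is present under the key
    # and whether it holds the documented value 0.
    param([Parameter(Mandatory)][string[]]$Executable)

    foreach ($exe in $Executable) {
        $value = $null
        if (Test-Path -LiteralPath $FeatureKey) {
            $item = Get-ItemProperty -LiteralPath $FeatureKey -Name $exe -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$exe }
        }
        if ($null -eq $value)  { $state = 'NotConfigured' }
        elseif ($value -eq 0)  { $state = 'Configured (0)' }
        else                   { $state = 'Configured (non-zero)' }

        [pscustomobject]@{ Executable = $exe; Value = $value; State = $state }
    }
}

function Set-SearchPathFeatureState {
    # Creates the key if it is missing and writes dword 0 for each executable.
    # -WhatIf previews the registry changes without making them.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Executable)

    if (-not (Test-Path -LiteralPath $FeatureKey)) {
        if ($PSCmdlet.ShouldProcess($FeatureKey, 'Create feature-control key')) {
            New-Item -Path $FeatureKey -Force | Out-Null
        }
    }
    foreach ($exe in $Executable) {
        if ($PSCmdlet.ShouldProcess("$FeatureKey\$exe", 'Set dword 0')) {
            New-ItemProperty -LiteralPath $FeatureKey -Name $exe -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# iexplore.exe comes from the post; the other names are constructed
# placeholders for the applications an administrator decides to include.
$targets = 'iexplore.exe', 'example-app1.exe', 'example-app2.exe'
Get-SearchPathFeatureState -Executable $targets | Format-Table -AutoSize
Set-SearchPathFeatureState -Executable $targets -WhatIf   # drop -WhatIf to apply
```

Re-run Get-SearchPathFeatureState after applying the change to confirm each executable reports 'Configured (0)'.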

The second fix for the carpet bombing issue was released in MS09-015, an OS patch for XP and later systems. This patch does two things: 1. It modifies one system DLL (secur32.dll) that incorrectly searched for schannel.dll in the current working directory, and 2. It introduces a new API function that application developers can use in their code to use safe search functions. Those APIs are SetDllDirectory which removes current working directory from DLL loading, and SetSearchPathMode, which moves current working directory to the end of the directories searched by the SearchPath API.

2. The second issue addressed this month (and also requiring installation of two patches) addresses more avenues for credential reflection. Credential reflection was first addressed in MS08-068. That bulletin addressed a scenario where opening a malicious email or document, or viewing an evil website would send encrypted versions of your credentials (username and password) to the attacker. The attacker could then turn these around and ‘replay’ the encrypted credentials to gain access to your computer. The MS08-068 patch addressed this issue when the attack vector was using the SMB protocol. MS09-013 is an Operating System patch that solves the same problem but is specific for the winhttp connection engine (using http protocol). MS09-014 is the Internet Explorer patch (previously referenced re: the carpet bombing fix) that also includes a fix for the credentials reflection issue, but this time when using wininet (http protocol) as the underlying connection engine when IE is used for establishing authentication.

In both credential reflection attacks, the attacker needs to have SMB access to the target system. The SMB access enables them to mount the registry and file system. Since the SMB protocol (tcp 139 or tcp 445) is usually blocked at the Internet gateway/firewall, these attacks are more prone to execution on an internal corporate network. The MS09-014 wininet attack vector is worrisome in this environment, as Internet Explorer is configured by default to present credentials to remote systems when browsing in the Intranet zone.

To prevent your machine from being mounted via a credential reflection attack, install MS08-068, MS09-013, and MS09-014. (This will prevent attack when your system was the one that originally sent credentials to the attacker. This will NOT prevent exploitation if matching credentials gathered from another system are reflected from that system to your system.)

3. The last, and most interesting patch, that I’ll mention is MS09-012. This patch addresses ‘Token Kidnapping’. Essentially, it helps prevent applications running as NetworkService or LocalService from escaping their sandboxes and running as LocalSystem. In short, it means ‘better protection for your web and SQL servers’.

Token Kidnapping is detailed in a new whitepaper by Cesar Cerrudo (http://www.argeniss.com/research/TokenKidnapping.pdf) and presented at last year’s Hack in the Box conference (April 2008). By using impersonation functions, these services can execute code under a different context – where LocalSystem is the preferred context (as this has super-admin permissions). As a result, code can be executed with administrative rights.

Any application that uses NetworkService or LocalService (and SeImpersonate) is susceptible to this attack. The most common attack vectors include IIS servers and SQL Servers. IIS 6 and 7 servers run under the NetworkService context and enable FullTrust to .NET applications by default, making it an ideal candidate for this kind of attack.

This becomes a concern when we look at web servers where users are allowed to upload code to the server. The most common scenario is a multi-tenant webserver where an ISP is running websites for multiple customers on the same Server. Each customer is allowed to upload their web pages to their own website. If the customer uploads a specially crafted .aspx page, when that page is viewed – the .aspx page executes code as LocalSystem on the server. This can give the customer administrative access to the entire webserver – for example: allowing them access to all the websites on that server – not just their own site. From here, the customer (hacker) can access backend SQL databases or sensitive information, upload backdoors to the server, connect to other servers on the inside of the ISP network, etc. Not good.

Microsoft expended a great deal of effort in correcting this issue – even pulling developers off of Windows 7 to assist with this patch. Certain parts of the fix were backported from Vista and Windows Server 2008 (tokens) while brand new code had to be written for all Operating Systems (XP through 2008). As a result of the effort, the MS09-012 patch provides Service Isolation that mitigates the attacks identified by Cesar Cerrudo.

Shavlik’s recommended order of installation:
Client systems:

  1. MS09-009
  2. MS09-010
  3. MS09-014
  4. MS09-011
  5. MS09-013
  6. MS09-012 (if running IIS or SQL)
  7. MS09-015

Server Systems:

  1. Follow recommendations for client systems, plus
  2. if hosting SQL Services or IIS web services where users can upload code to these systems, install MS09-012 as soon as possible
  3. install MS09-016 as soon as possible for ISA servers


Reflections on March 2009 Patch Day

Three new security bulletins released today. All three of today’s bulletins apply to the Operating System, though some apply to a smaller subset of machines, and each has a completely different impact on the end user experience (or lack of experience if you aren’t exploited).

The most Critical of today’s patches is MS09-006 which could allow an attacker to take complete control of your computer if you view a website, email, or document that contains an evil graphic or picture. Also Critical (in my mind, though Microsoft rates it Important), is a set of patches for Windows DNS Servers. Attackers can leverage this flaw to redirect Internet traffic to look-alike websites in hopes of gathering sensitive user information. Lastly, Microsoft issued a patch to correct an issue where attackers can access restricted websites that require certificates, even though they don’t have this certificate.

I recommend installing MS09-006 and MS09-008 right away – and while you’re at it, go ahead and install MS09-007 – that way you can install patches for all three vulnerabilities at the same time and leverage the same system reboot to complete the patch installation. Being OS patches, they should all be relatively simple to install.

Microsoft did NOT release a patch for the Excel zero day vulnerability. Maybe we can expect this as an out of band patch later this month?

Also, Adobe has just released a new version of Adobe Reader 9 to correct a zero day vulnerability that was previously announced.

DETAILS
MS09-006 follows a long line of vulnerabilities that can be exploited when viewing maliciously created graphic images. This time, the flaw exists in the way that the Operating System parses and displays WMF and EMF formatted images. The flaw actually resides in the Windows kernel – but is only exploited when managing the malformed pictures. All that the attacker needs to do is encourage a victim to view a specially formatted image and the attacker can run code on the victim’s system. The evil code will execute with system privileges – even if the user wasn’t logged on as an administrator. With system privileges, the evil code can access, copy, or delete any files on the system, create or delete user accounts, change passwords, or install backdoors. IOW, nasty stuff.

While the common attack vector may be via images hosted on a website of questionable repute, the attack can also be spawned by viewing emails or documents with embedded images. Once again, don’t open documents or emails from people you don’t know. Don’t rule out hacks spawned from evil images hosted on Facebook.

This patch should be very safe to deploy and requires a reboot. Best to patch this first on machines where end-users exist – laptops, desktops, etc., then deploy to servers (where users are less likely to be reading emails, opening documents, or surfing the web.)

This patch applies to all Operating Systems and replaces MS08-061 (a kernel patch), which itself replaces MS08-025 (an earlier kernel patch).

MS09-007 is a seemingly innocuous spoofing vulnerability that can actually pose great concern for certain types of users. This vulnerability can be used to connect to a website or resource that requires certificate-based authentication. Usually, this means that only users with the required certificate can access the site. However, in this scenario, an attacker could access the restricted site even though they don’t have the necessary certificate. In order to pull this off, the attacker needs to have a copy of the site’s public authentication certificate – which is something that is most easily obtained if the attacker has full access to the victim’s computer (and if this is the case, far worse things can happen).

Many users don’t ever do anything with certificate-based authentication for secure sites. Those that do probably use an Active Directory based certificate store, which thwarts this attack. Those that do use local accounts and certificates are most at risk from this vulnerability and should install the patch right away. All others can roll it out as they see fit – though if you’re rolling out MS09-006, just go ahead and roll this out at the same time and leverage the shared reboot.

This vulnerability impacts all Operating Systems. The Patch supersedes the one released for MS07-031, which also addressed a schannel vulnerability.

MS09-008 addresses a vulnerability in DNS and WINS services that could allow an attacker to insert bad data into a DNS (or WINS) Server, thereby redirecting people’s traffic to potentially evil websites. The security bulletin doesn’t list any workarounds, nor does it imply any pre-requisites on the part of the attacker, meaning it could be possible for a remote, unauthenticated attacker to modify a vulnerable DNS Server and redirect their site’s users. Assuming this knowledge is correct, that would make this a Critical issue, rather than a severity of Important, in my eyes.

The sole purpose of a DNS Server is to direct individuals to the proper end-location. If an unauthenticated remote attacker can modify these instructions and redirect people to bogus websites then the DNS Server isn’t doing its job and should be considered compromised. That’s a pretty serious situation – attackers can set up look-alike websites hoping to entice users to enter sensitive information (though the redirection attack is thwarted by using SSL).

Any way I look at it, this should be a Critical patch to install on all DNS Servers right away. (Maybe Microsoft rated this Important as the level of effort to pull off this attack is so great that the likelihood of exploitation is minimal? However, exploit code was released for an earlier, similar exploit.) A similar patch was released for WINS servers to handle a similar type of attack, though limited to the internal WINS Server and its network.

This patch supersedes MS08-037 (a prior DNS Spoofing issue) and requires a reboot.
