Skip to main content
Tag

Patch Management

December Patch Tuesday updates from Microsoft

By Patch Management, Patch TuesdayNo Comments

The final Patch Tuesday of 2014 is upon us so with that in mind we thought we’d take a quick look at how the year stacks up. There were a total of 85 bulletins fixing 349 separate vulnerabilities in Microsoft’s products; 29 were rated as Critical, 53 as Important, and 3 rated Moderate. Internet Explorer featured heavily this year, with over 200 separate vulnerabilities being patched – January being the only month where Internet Explorer didn’t feature in any update.

Compared to last year there were 21 fewer patch updates yet there were more individual vulnerabilities patched in 2014 compared to 2013 (349 vs. 332).

This month there are three Critical and four Important updates fixing a total of 25 vulnerabilities, including the delayed MS14-075 update from November, which we’ll cover first.

MS14-075

Rated as Important, this is the delayed update that was originally due to be released in November’s Patch Tuesday that addresses four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of the four could allow elevation of privilege if a user views a specially crafted web page using…Internet Explorer unsurprisingly! Should an attacker successfully exploit the vulnerability they would be able to gain the same rights as the current user.

Critical Updates

MS14-080

The most severe of the 14 privately reported vulnerabilities in this bulletin could allow remote code execution, again, if the user visits a specially crafted web page using Internet Explorer. Successful exploitation would give the same rights to the attacker as the current user.

MS14-081

The second of three Critical updates resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow for remote code execution if an attacker is able to convince a user to open, or even just preview, a specially crafted Microsoft Word file within an affected version of Microsoft Office software. The affected versions include: all supported editions of Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010, Microsoft Word 2013, Microsoft Word 2013 RT, Microsoft Office for Mac 2011, Microsoft Word Viewer, Microsoft Office Compatibility Pack.

MS14-084

The final Critical update of 2014 is a security update that resolves a privately reported vulnerability in VBScript – the scripting engine in Microsoft Windows. If a user visits a specially crafted website the vulnerability could allow for remote code execution, which, if successfully exploited, will give the attacker the same rights as the current user. If the user is an administrator then the attacker could potentially take complete control of an affected system so it would be wise to prioritise this patch over the others.

Important Updates

The final three updates (unless an out-of-band patch is released) address three privately reported vulnerabilities across Microsoft Office and Microsoft Excel, as well as one publicly disclosed vulnerability in Microsoft Windows. All three of the privately reported vulnerabilities could allow for remote code execution if successfully exploited. Again, this could allow an attacker to gain the same rights as the current user.

The publicly disclosed vulnerability (MS14-085) could allow Information Disclosure should a user visit a website containing specially crafted JPEG content. Whilst this particular vulnerability doesn’t allow code execution, the information disclosed could reveal details about the system that could be used in conjunction with another vulnerability to bypass security features.

Next steps

As usual, we have included a breakdown of this month’s bulletin in the table below and have prioritised the patch updates by the independently rated CVSS score. We’d advise that you prioritise patches MS14-080, MS14-081, MS14-082, MS14-083 & MS14-084. For our customers, we will be analysing the binary code for each update and will be rolling out the patch updates using Verismic Syxsense, as per the agreed deployment process.

Update No.
CVSS Score
Microsoft Score
Affected Software
Details
MS14-080 9.3 Critical Microsoft Windows, Internet Explorer Cumulative Security Update for Internet Explorer (3008923)
MS14-081 9.3 Critical Microsoft Office Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
MS14-084 9.3 Critical Microsoft Windows Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
MS14-082 9.3 Important Microsoft Office Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
MS14-083 9.3 Important Microsoft Office Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
MS14-075 5.0 Important Microsoft Exchange Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
MS14-085 4.3 Important Microsoft Windows Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
patch management

Prioritising patches properly – don’t always listen to Microsoft

By Patch Management, Patch TuesdayNo Comments
[vc_single_image image=”1935″ img_size=”medium”]

It seems that it was only yesterday that patch/update Tuesday came and went, yet the next one is looming already.

As an IT guy I actually look forward to seeing the types of vulnerabilities that have been discovered in Microsoft’s products. Some are obviously more interesting than others, such as the vulnerability in Schannel, but what they all have in common is that they actually do pose a threat to your business.

We all know that patching is a vital process in keeping our businesses safe, but I do have some issues with Microsoft’s approach to patching. It’s very much a “fire and forget” exercise for them, whereby patch updates are released each month and your IT team is then expected to roll them out across the business.

Whilst this may be the most efficient way of releasing patches from Microsoft’s point of view, there are many instances where simply rolling them out is not an option. IT teams need to take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems such as the dreaded blue screen of death.

Case in point was November’s MS14-066 update – there were a lot of reported problems when implementing the update, with Microsoft having to reissue the patch. Imagine if every business had implemented that immediately!

Keep in mind that Microsoft self-certifies vulnerabilities, and have a fairly easy to follow rating system:
• Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
• Important – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
• Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
• Low – The impact is comprehensively mitigated by the characteristics of the component.

If we take a look at November’s Patch Tuesday, there were a total of 14 separate patches fixing almost 40 vulnerabilities as well as an out-of-band patch a week later, five of which were rated as critical. So how do you prioritise these five if they’re all rated the same? Which vulnerability do you patch first?

When rolling out patches, it’s all well and good to do so if your business is located in one or two premises, but what if your business has a number of remote locations? Retail, transportation and oil and gas are all good examples.

If you were to take a large retail store open 24 hours a day, there needs to be a window of time where the systems are taken offline so they can be updated. Microsoft’s approach would be to suggest patching the Critical vulnerabilities first, and then work through the rest.

At Verismic, we provide a service to our customers to ensure that their entire IT infrastructure remains as up-to-date as possible, which includes rolling out any patch updates from vendors. We do this by creating a baseline – what is going to be the most important update for the business, and then we work backwards. It’s important to do this because, as we said, many businesses simply don’t have the time or even the bandwidth to roll out all of the patch updates at once.

To create this baseline we use three different measurements; vendor severity (that would be Microsoft’s self-certified rating), the Common Vulnerability Scoring System (CVSS), and the total number of vulnerable systems in the customer’s environment. By measuring against three separate metrics we can get a much better understanding of the risk a vulnerability really poses.

My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as CVSS. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving you a much better understanding of the risk a particular vulnerability poses to your business.

Patching is invaluable to protecting your business. By taking a phased approach to updating systems and creating a baseline to understand the risk of each vulnerability, you can get a much better idea of which patches you should be prioritising first.

Robert Brown is Director of Services at Verismic

Originally published on IT Security Guru

|

Microsoft issues critical patches for Windows SSL/TLS and OLE flaws

By Patch Management, Patch TuesdayNo Comments

Microsoft has issued critical patches for flaws relating to SSL/TLS encryption on Windows systems, as well as the Windows Object Linking and Embedding (OLE) protocol.

Microsoft issues critical patches for Windows SSL/TLS and OLE flaws
On Tuesday morning, the Redmond technology giant issued a news bulletin announcing the release of 14 security patches, including four rated ‘critical’ and eight as ‘important’, as part of its Patch Tuesday programme.

Arguably the most important of all of these was a patch for a flaw in the Microsoft secure channel (Schannel) security component, which implements the Secure Sockets Layer (SSL) and transport layer security (TLS) protocols that are used to handle encryption and authentication in Windows – including on HTTP applications.

According to the Microsoft advisory, the flaw comes down to the “improper processing of specially crafted packets”, which could be exploited by attackers remotely executing attacks on targets by sending malicious traffic to a Windows-based server.

The advisory notes that the flaw (MS14-066) – which has no workaround – is ‘critical’ for servers (Windows Server 2003, 2008 and 2012) and desktop devices, with the latter potentially threatening users running Vista, windows 7, 8 , 8.1 and Windows RT.

Amol Sarwate, director of engineering at Qualys, told newswire Ars Technica that these would be particularly vulnerable if the user had installed software on their client devices to monitor internet ports.

Fortunately, Microsoft says that there is no evidence pointing to in-the-wild exploits being used against Windows users at this point, although observers will note that the flaw itself comes in a year where the TLS stack (including Apple’s Secure Transport, Open SSL, NSS, GNU TLS and now SChannel) have been found with varying vulnerabilities.

The update was one of 16 (two have been postponed) scheduled for the Patch Tuesday batch, which also discloses and issues fixes for two OLE bugs.

The latter affects all supported versions of Windows and is given an ‘exploitability’ rating of “0” as the zero-day (CVE-201406352) is being used in “limited, targeted attacks in the wild.” Specifically, the most severe of the vulnerabilities could allow for remote code execution if a user was directed to a spoofed webpage on Internet Explorer.

“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” reads the advisory. “If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Elsewhere, there are also fixes for bugs in XML Core Services (rated as critical for Vista, Windows 7, 8 and 8.1 devices), Office, Exchange and SharePoint. The full list can be seen here.

In an email to journalists, Ross Barrett, senior manager of security engineering at Rapid7, said that MS14-064 is the most critical flaw, as it relates to OLE which was exploited in the Sandworm exploit – which has been used to target Windows devices within critical infrastructure.

“The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE,” he said.

“After MS14-064, attention goes to MS14-065 and MS14-066, Internet Explorer and SChannel respectively. The SChannel issue is risky, since there is a very good chance that this service could be exposed or accessed via the perimeter. The IE patches are cumulative, as usual, and address 17 CVEs.

He added: “Perimeter systems are often mission critical and need the fastest attention.  Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”

Ethical hacker Gavin Millard, who is technical director EMEA at Tenable Security, added in an email to SCMagazineUK.com that MS14-064 and MS14-066 should be the highest priority– noting that the latter is the most concerning as it affects all supported versions of Windows.

“MS14-064, a vulnerability in the Windows Object Linking and Embedding (OLE) library, appears to be a continuation of vulnerabilities disclosed last month in MS14-060. Researchers have already identified this vulnerability being used in the wild for exploitation through the use of malicious PowerPoint files,” he told SC.

“The larger worry for many is MS14-066 though as it’s a remote code execution vulnerability affecting all supported versions of Windows including the server platforms. The bug was discovered in Schannel, a set of security protocols for communication and identification, and is of particular concern due to the possibility of an attacker utilising it without user interaction.

“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.”

Millard admitted it’s hard to say if the flaw could be potentially as dangerous as Shellshock (an open-source flaw which allowed an attacker to perform remote code execution attacks on any server using the Bash shell) and Heartbleed (OpenSSL bug exploited, with thousands of websites and web servers affected).

“Is MS14-066 as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”

Update: 

Robert Brown, director of services at cloud-based IT endpoint management solution provider Verismicsuggested however that Microsoft’s patches can be hard to manage for security teams with short maintenance windows.

And citing the US National Vulnerability Database where CVEs are scored independently by CERT,  he told SCMagazineUK.com: “They will probably look at the credibility and if there are any confirmed exploits. In my opinion, they will make these critical if there is active exploit.”

He went onto note that MS14-066 – already named Winshock in some quarters – would still require a user clicking on the link and using a device with administrator rights for an exploit to be effective, and suggested that MS14-065 is more pervasive as the Internet Explorer bug could be used to ‘actively infect a huge amount of the Windows estate’.

Citing the fact that it affects all versions of IE going back to version 6.0, he said: “One problem with Microsoft’s binary is that files remain behind it even if you don’t use [the application]…and lock it from your machine. The little seed is still there.” He added that hackers could remotely exploit the flaw by using a crafted instant messenger message promising Christmas pictures, for example, before delivering the payload.

Patch Tuesday: Time to Lose Your Marbles!

By Patch Management, Patch TuesdayNo Comments

Microsoft’s patches this month are few, but no less important. In fact, critical in one case!

We generally compare two sources of information to understand the impact of Microsoft’s patch updates – Microsoft’s own feed plus information from an independent source, such as US-CERT [United States-Computer Emergency Readiness Team] which uses the Common Vulnerability Scoring System (CVSS) to asses the potential impact of the IT vulnerabilities. By contrasting two sources of information we can get the real picture of how the vulnerabilities affect your business.

In this latest round, announced last week, we have four updates, MS14-052, MS14-053, MS14-054 and MS14-055. Full details for each below. Now, what’s interesting here is that Microsoft has listed the latter three as Important but by using the CVSS we can actually understand that MS14-055 has a score of 7.8 out of 10. That’s pretty high and, in our experience, anything with a CVSS score that high needs to be urgently prioritised along with the Critical update MS14-052.

What’s the risk?

MS14-055 resolves vulnerabilities, which could allow a denial of service attack against Microsoft Lync Server. This is rightfully a high-scoring ‘Important’ vulnerability that could allow someone to kill the server of a communications tool so vital to the operations of many, many businesses.

As an aside, I like to think of a denial of service attack as a marble in a bucket; the bucket is being used to remove water from a swimming pool. Every time, the bucket is used, another marble finds its way in. Before long, you’re carrying a lot of marbles and not shifting much water! This vulnerability needs resolving – its time to lose your marbles.

MS14-052 has a CVSS score of 9.3. It’s a ‘rollup’ of 36 privately reported vulnerabilities, which affect all versions of Microsoft Internet Explorer. The vulnerability could allow an attacker to execute remote code. Again, it needs to be resolved.

Next steps 

Right now, we’re looking at the binary code for each patch update and moving towards testing and piloting the updates before deployment to customers. As with all our customers, we’ll be working through our agreed deployment process using Verismic Syxsense for rollout.

Feel free to leave a comment below if you have any viewpoints on the patch updates.

Microsoft score
CVSS score
Update no.
Affected software:
Critical security bulletin 9.3 MS14-052 Windows Server 2003 Service Pack 2:
– Internet Explorer 6
– Internet Explorer 7
– Internet Explorer 8
Windows Server 2003 x64 Edition Service Pack 2:
– Internet Explorer 6
– Internet Explorer 7
– Internet Explorer 8
Windows Server 2003 with SP2 for Itanium-based Systems:
– Internet Explorer 6
– Internet Explorer 7
Windows Vista Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
Windows Vista x64 Edition Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
Windows Server 2008 for 32-bit Systems Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2:
– Internet Explorer 7
Windows 7 for 32-bit Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
Windows 7 for x64-based Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
Windows Server 2008 R2 for x64-based Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
(Windows Server 2008 R2 Server Core installation not affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
– Internet Explorer 8
– Windows 8 for 32-bit Systems:
– Internet Explorer 10
– Windows 8 for x64-based Systems:
– Internet Explorer 10
– Windows Server 2012:
– Internet Explorer 10
(Windows Server 2012 Server Core installation not affected)
– Windows RT:
– Internet Explorer 10
– Windows 8.1 for 32-bit Systems:
– Internet Explorer 11
– Windows 8.1 for x64-based Systems:
– Internet Explorer 11
– Windows Server 2012 R2:
– Internet Explorer 11
(Windows Server 2012 R2 Server Core installation not affected)
– Windows RT 8.1:
– Internet Explorer 11
Impact: Remote Code Execution
Version Number: 1.0
Important security bulletin 7.8 MS14-055 – Microsoft Lync Server 2010
– Microsoft Lync Server 2013
– Impact: Denial of Service
– Version Number: 1.0
Important security bulletin 6.8 MS14-054 – Windows 8 for 32-bit Systems
– Windows 8 for x64-based Systems
– Windows 8.1 for 32-bit Systems
– Windows 8.1 for x64-based Systems
– Windows Server 2012
– (Windows Server 2012 Server Core installation affected)
– Windows Server 2012 R2
– (Windows Server 2012 R2 Server Core installation affected)
– Windows RT
– Windows RT 8.1
– Impact: Elevation of Privilege
– Version Number: 1.0
Important security bulletin 4.3 MS14-053 Windows Server 2003 Service Pack 2
– Microsoft .NET Framework 1.1 Service Pack 1
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Server 2003 x64 Edition Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Server 2003 with SP2 for Itanium-based Systems
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Vista Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Vista x64 Edition Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Server 2008 for 32-bit Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows 7 for 32-bit Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 7 for x64-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 R2 Server Core installation affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
Windows 8 for 32-bit Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 8 for x64-based Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 8.1 for 32-bit Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
Windows 8.1 for x64-based Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
Windows Server 2012
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2012 Server Core installation affected)
Windows Server 2012 R2
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
(Windows Server 2012 R2 Server Core installation affected)
Windows RT
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows RT 8.1
– Microsoft .NET Framework 4.5.1/4.5.2
– Impact: Denial of Service
– Version Number: 1.0
Showing 1 to 4 of 4 entries