2016 was a big year for Syxsense. As a company, we are constantly growing, adding new features and always focused on our customers.
IT systems management is frequently changing and it’s crucial to keep up with the latest news, strategies and updates. Every month, we share the latest Microsoft and third-party patches, explaining which to prioritize and how to implement the most effective patch strategy.
With plenty of changes on the way for 2017, be sure to stay on top of patching and IT systems management in the new year. Even when other tasks fill up your to-do list and seem more important, prioritizing patching is the best New Year’s resolution for any IT manager. Explore the highlights and some of our favorite content from the past year.
Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.
IT Systems Management toolsets are becoming increasingly complex. Whether you have tried one single solution or are using multiple products for patching, remote control, software distribution and inventory, a great deal of work goes into just managing and maintaining these tools. We invite you to join industry expert Robert Brown, Head of Desktop Management Services at Verismic, for an informative webinar in which he will share the top six issues IT professionals are sick of dealing with and the best options for overcoming them.
Join us: Wednesday 29 April 2015
About the Presenter: Robert Brown is the head of Desktop Management Services at Verismic and is responsible for all software delivery services, which includes security updates and software distribution deployments. Rob Brown has 15+ years’ background in the IT industry and within the last 10 years has focused on the systems management space.
As we enter another year and another Patch Tuesday, we see that Microsoft has now made patch notifications that little bit harder for the average customer by stopping the Advance Notification Service (ANS). Along with the regular Patch Tuesday updates, Microsoft published an advance notification on the first Friday of each month, to give security teams a good idea of what to expect on Patch Tuesday.
They haven’t scrapped it altogether, though: they are still offering ANS to paying users. The reason, according to Microsoft, is that customers no longer use ANS, with many simply waiting until Patch Tuesday. However, it could be argued that for smaller businesses that can’t afford a service like this, it could have an impact on how they deploy patches.
Fear not, however: all of Verismic’s customers will still have all patches fully tested and rolled out as per agreed schedules via Verismic Syxsense.
A light patch update
We’ve all enjoyed our Christmas break and so, it would seem, have security researchers. This month’s Patch Tuesday is fairly light with only eight patch updates, with only one rated Critical. I’m in a good position to say that there appears to be nothing special or particularly significant about January’s updates – it’s especially rare to be in a position to say that as there are usually at least one or two updates that deserve special attention due to the seriousness or uniqueness of the vulnerability.
As ever, we have broken down the patch updates for you to give you a better understanding of what systems could be affected and have included the independently assessed Common Vulnerability Scoring System (CVSS) score from US-CERT.
The only Critical patch update this month, MS15-002, has a CVSS score of 9.3 [out of a possible 10]. This is a relatively serious patch and definitely one that needs to be the top priority. It’s a buffer overflow vulnerability that could allow remote code execution, caused by the Microsoft Telnet service improperly validating a memory location. Attackers can exploit this vulnerability by sending specially crafted telnet packets to a Windows server, which could then enable the attacker to run arbitrary code on the target server.
Amazingly, the other seven updates are all rated Critical by Microsoft’s standard, but if we take a look at the table below, US-CERT thinks that only three are actually quite serious (MS15-001, MS15-003, MS15-004), whereas the other four updates are rated 5.0 and below. Whilst these are vulnerabilities that need to be patched, US-CERT has identified that the chances of the vulnerability being exploited are probably quite low and, having assessed the potential impact (again likely to be low), has given the vulnerabilities a low risk score.
It’s such a light Patch Tuesday this month that working out which patches to prioritise is fairly straightforward. Get the Critical update done first, and then work through the list. If, like Verismic, you want to take into account the CVSS scores, then the table below is listed in order of most serious to least – use this to prioritise your patch roll-outs as we will for our customers.
Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)
Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421)
Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266)
Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674)
Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029)
Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777)
Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215)
Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365)
Questions need to be asked of Patch Tuesday and Microsoft’s approach to it, says Robert Brown.
SC Magazine | Dec 17, 2014
The next Patch Tuesday, Microsoft’s usual day to issue security updates for its software, is looming again. It will be the 13th of January 2015, then in February and so on. It’s so frequent it’s easy to treat it as a ‘business as usual’ exercise, so humdrum that it requires no second thought or intelligence.
However, it really does need that second thought. Patching is obviously essential, and companies do need to protect themselves from known software vulnerabilities, but there are problems with Microsoft’s approach to patching, and simply installing every patch with the quick click of a button could be costly; worse, you might just see the Blue Screen of Death (BSOD) across your device fleet.
Microsoft’s approach to patching is very much a ‘fire and forget’ exercise where it issues patch updates each month and expects businesses to roll out the patches as soon as possible. However, this is where your second thought is needed: as many IT managers will attest, they cannot, and should not, deploy them right away. IT must take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems.
Just take a look at MS14-066 – a lot of users reported problems when implementing the update, forcing Microsoft to reissue the patch. Imagine if every business had implemented that immediately! If there is a compatibility issue with a patch and systems need to be rolled back, this extends downtime and can impact the business’s bottom line.
Compatibility aside, my real issue with Patch Tuesday is Microsoft’s rating system. It is relatively simple to follow:
‘Critical’ – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
‘Important’ – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
‘Moderate’ – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
‘Low’ – The impact is comprehensively mitigated by the characteristics of the component.
Keep in mind that Microsoft self-certifies vulnerabilities for its products and November’s Patch Tuesday contained 14 separate patches fixing almost 40 vulnerabilities as well as an out-of-band patch a week later; five of the updates, including the out of band patch, were rated by Microsoft as Critical, eight Important and two Moderate.
Where to start? With the obvious, surely? Patch the Critical updates first and take the rest in turn. Better still, do them all at once! This couldn’t be more wrong. My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as the Common Vulnerability Scoring System (CVSS) to get a more informed view. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving a much better understanding of the risk a particular vulnerability poses to the business.
If we look again at November’s Patch Tuesday, US-CERT gave the out of band patch, rated as Critical by Microsoft, a score of 10.0 – that’s as serious as it can get and gives a good starting point for patching activities. It’s now top priority.
Three other Critical patches were scored 9.3 by US-CERT, which suggests Microsoft has got this right and they should be the next area of focus. Time to get to work.
But, the last remaining Critical patch only scored 6.8 by US-CERT. This is a really important discovery, because actually six other patches, some deemed only Moderate or Important by Microsoft, were rated higher than 6.8 by US-CERT. In other words, some of those Moderate and Important patches should be tackled before the last remaining Critical patch.
This isn’t a one-off slip from Microsoft either. In October’s Patch Tuesday, three Critical and two Important updates were all rated 9.3 equally by US-CERT. Those two Important updates might have been delayed by IT managers if relying on Microsoft’s rating only.
Microsoft is providing a great security service that everyone is thankful for, but it does need policing by a second source. Critical is not always critical, and sometimes the Moderate needs urgent attention too.
The final Patch Tuesday of 2014 is upon us so with that in mind we thought we’d take a quick look at how the year stacks up. There were a total of 85 bulletins fixing 349 separate vulnerabilities in Microsoft’s products; 29 were rated as Critical, 53 as Important, and 3 rated Moderate. Internet Explorer featured heavily this year, with over 200 separate vulnerabilities being patched – January being the only month where Internet Explorer didn’t feature in any update.
Compared to last year there were 21 fewer patch updates yet there were more individual vulnerabilities patched in 2014 compared to 2013 (349 vs. 332).
This month there are three Critical and four Important updates fixing a total of 25 vulnerabilities, including the delayed MS14-075 update from November, which we’ll cover first.
Rated as Important, this is the delayed update that was originally due to be released in November’s Patch Tuesday that addresses four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of the four could allow elevation of privilege if a user views a specially crafted web page using…Internet Explorer unsurprisingly! Should an attacker successfully exploit the vulnerability they would be able to gain the same rights as the current user.
The most severe of the 14 privately reported vulnerabilities in this bulletin could allow remote code execution, again, if the user visits a specially crafted web page using Internet Explorer. Successful exploitation would give the same rights to the attacker as the current user.
The second of three Critical updates resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow for remote code execution if an attacker is able to convince a user to open, or even just preview, a specially crafted Microsoft Word file within an affected version of Microsoft Office software. The affected versions include: all supported editions of Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010, Microsoft Word 2013, Microsoft Word 2013 RT, Microsoft Office for Mac 2011, Microsoft Word Viewer, Microsoft Office Compatibility Pack.
The final Critical update of 2014 is a security update that resolves a privately reported vulnerability in VBScript – the scripting engine in Microsoft Windows. If a user visits a specially crafted website the vulnerability could allow for remote code execution, which, if successfully exploited, will give the attacker the same rights as the current user. If the user is an administrator then the attacker could potentially take complete control of an affected system so it would be wise to prioritise this patch over the others.
The final three updates (unless an out-of-band patch is released) address three privately reported vulnerabilities across Microsoft Office and Microsoft Excel, as well as one publicly disclosed vulnerability in Microsoft Windows. All three of the privately reported vulnerabilities could allow for remote code execution if successfully exploited. Again, this could allow an attacker to gain the same rights as the current user.
The publicly disclosed vulnerability (MS14-085) could allow Information Disclosure should a user visit a website containing specially crafted JPEG content. Whilst this particular vulnerability doesn’t allow code execution, the information disclosed could reveal details about the system that could be used in conjunction with another vulnerability to bypass security features.
As usual, we have included a breakdown of this month’s bulletin in the table below and have prioritised the patch updates by the independently rated CVSS score. We’d advise that you prioritise patches MS14-080, MS14-081, MS14-082, MS14-083 & MS14-084. For our customers, we will be analysing the binary code for each update and will be rolling out the patch updates using Verismic Syxsense, as per the agreed deployment process.
Microsoft Windows, Internet Explorer
Cumulative Security Update for Internet Explorer (3008923)
Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
With 14 bulletins this month covering almost 40 individual Common Vulnerabilities and Exposures [CVEs], November’s Patch Tuesday is fairly significant in size, with one particular update considered fairly urgent: MS14-066, which fixes a vulnerability in Schannel, the component of Windows that implements SSL/TLS. Those of you with eagle eyes will have spotted that two bulletins are missing from the update (MS14-069 and MS14-075) – no release date has been confirmed by Microsoft as yet.
Microsoft’s advice is to apply all of the updates, which shouldn’t be an issue for home users, but for businesses that are geographically spread out, where there may be a slow internet connection, you’ll need to be very considered in the choice of patches you deploy first.
The Common Vulnerability Scoring System (CVSS) score, included in the table below, is provided independently by US-CERT and looks at the impact that certain vulnerabilities can have. Microsoft’s ‘Critical’ vulnerabilities are rated as such because there is a known active exploit, but using the CVSS score can give you a much better understanding of how easily your systems can be exploited and the potential impact each vulnerability could have. Looking at the table below we can see some disparities between Microsoft’s rating and the independently scored CVSS.
The first update of November’s Patch Tuesday resolves vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). With a CVSS of 9.3, this is one of five updates that you need to patch sooner rather than later. The more severe of the two vulnerabilities could allow remote code execution, enabling an attacker to run arbitrary code in the context of the current user. If that user has admin rights then the attacker could install programs; view, change, or delete data; or create new user accounts.
I’d argue that this is by far the most important update for you to pay attention to, as it affects the entire Microsoft estate from the operating system to Internet Explorer. The update resolves seventeen privately reported vulnerabilities in Internet Explorer. An attacker who exploits these vulnerabilities could gain the same user rights as the current user. The most severe of these vulnerabilities would allow for remote code execution if a user views a specially crafted web page using Internet Explorer. Once again, this update has a CVSS of 9.3.
This update has been the focus of most blogs and articles this month, with most suggesting that it is in fact the single most important update to implement, rather than MS14-065. It’s a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows Server. However, Schannel is not so easy to crack and the extent of the damage that can be caused is not as severe as for other Critical updates. With a CVSS score of 6.8, I’d argue that there are other updates you should be prioritising over this one.
This security update (CVSS of 9.3) resolves a vulnerability in Windows that could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke XML Core Services (MSXML) through Internet Explorer. However, in order for an attacker to take advantage of this vulnerability they would need to convince a user to visit a website using social engineering.
Other notable updates
There are, in fact, two other updates you should be paying close attention to: MS14-069 and MS14-072. Microsoft has rated both of these updates as ‘Important’ but they have each been given an independent CVSS score of 9.3, so US-CERT is saying that these two updates are just as severe as those noted above.
MS14-069 is a security update resolving three vulnerabilities in Microsoft Office that could allow remote code execution enabling an attacker to gain the same user access rights as the current user. It is exploited through a specially crafted file that is opened in an affected edition of Microsoft Office 2007.
MS14-072 resolves a vulnerability in the .NET framework, which could allow elevation of privilege. According to Microsoft, it is exploited through an attacker sending specially crafted data to an affected workstation that uses .NET Remoting. However, only custom applications that have been specifically designed to use .NET Remoting would expose a system to this vulnerability.
Below is the full breakdown of this month’s patch updates. We recommend patching MS14-064, MS14-065, MS14-067, MS14-069, and MS14-072 in the first instance, before working through the rest of the updates. For our customers, we will be analysing the binary code for each update and will be rolling out the patches to all of our customers through the agreed deployment process using Verismic Syxsense.
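The CVSS-first triage argued for in the SC Magazine piece above and applied to this month’s list, as an added example (not code from Verismic, Syxsense or SC Magazine): it takes the November 2014 bulletins with the Microsoft ratings, US-CERT CVSS scores and in-the-wild status quoted on this page, orders them the way the text recommends, and reports every case where Microsoft’s label and the CVSS score would disagree about what to patch first. The `urgent_cvss` threshold of 9.0 and the two-wave split are assumptions for illustration.

```python
"""Patch-priority triage that orders Microsoft bulletins by independent CVSS
score rather than by Microsoft's own severity label, as argued on this page."""
from dataclasses import dataclass

# Rank Microsoft's labels so they can break ties; the CVSS score decides first.
MS_RATING_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    component: str
    ms_rating: str          # Microsoft's self-assigned severity label
    cvss: float             # independent US-CERT CVSS base score (0-10)
    exploited_in_wild: bool = False


# Constructed sample: the November 2014 bulletins, Microsoft ratings and
# US-CERT CVSS scores quoted on this page (not the complete month).
NOVEMBER_2014 = [
    Bulletin("MS14-064", "Windows OLE", "Critical", 9.3, exploited_in_wild=True),
    Bulletin("MS14-065", "Internet Explorer", "Critical", 9.3),
    Bulletin("MS14-066", "Schannel", "Critical", 6.8),
    Bulletin("MS14-067", "XML Core Services", "Critical", 9.3),
    Bulletin("MS14-069", "Microsoft Office", "Important", 9.3),
    Bulletin("MS14-072", ".NET Framework", "Important", 9.3),
]


def prioritise(bulletins):
    """Roll-out order: known in-the-wild exploitation first, then CVSS
    descending, then Microsoft's label, then bulletin id for a stable order."""
    return sorted(
        bulletins,
        key=lambda b: (
            not b.exploited_in_wild,
            -b.cvss,
            -MS_RATING_RANK[b.ms_rating],
            b.bulletin_id,
        ),
    )


def rating_disagreements(bulletins):
    """Pairs (non-Critical id, Critical id) where the non-Critical bulletin has a
    higher CVSS score than the Critical one, i.e. where following Microsoft's
    label alone would patch the less severe issue first."""
    criticals = [b for b in bulletins if b.ms_rating == "Critical"]
    others = [b for b in bulletins if b.ms_rating != "Critical"]
    return sorted(
        (o.bulletin_id, c.bulletin_id)
        for o in others
        for c in criticals
        if o.cvss > c.cvss
    )


def rollout_waves(bulletins, urgent_cvss=9.0):
    """Phased plan (assumed policy): wave 1 is everything actively exploited or
    at/above the urgent CVSS threshold, wave 2 is the rest. Each wave would
    still go through a test ring before broad deployment."""
    ordered = prioritise(bulletins)
    wave1 = [b.bulletin_id for b in ordered
             if b.exploited_in_wild or b.cvss >= urgent_cvss]
    wave2 = [b.bulletin_id for b in ordered if b.bulletin_id not in wave1]
    return {"wave1": wave1, "wave2": wave2}


if __name__ == "__main__":
    for b in prioritise(NOVEMBER_2014):
        flag = " (exploited in the wild)" if b.exploited_in_wild else ""
        print(f"{b.bulletin_id}  CVSS {b.cvss:<4}  MS: {b.ms_rating:<9}  "
              f"{b.component}{flag}")
    print("label/CVSS disagreements:", rating_disagreements(NOVEMBER_2014))
    print("waves:", rollout_waves(NOVEMBER_2014))
```

Wave 1 comes out as MS14-064, MS14-065, MS14-067, MS14-069 and MS14-072, with the 6.8-scored MS14-066 left for wave 2, which is the order recommended above; the two disagreements are the Important bulletins that outrank the Critical Schannel fix.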
Microsoft has issued critical patches for flaws relating to SSL/TLS encryption on Windows systems, as well as the Windows Object Linking and Embedding (OLE) protocol.
On Tuesday morning, the Redmond technology giant issued a news bulletin announcing the release of 14 security patches, including four rated ‘critical’ and eight as ‘important’, as part of its Patch Tuesday programme.
Arguably the most important of all of these was a patch for a flaw in the Microsoft secure channel (Schannel) security component, which implements the Secure Sockets Layer (SSL) and transport layer security (TLS) protocols that are used to handle encryption and authentication in Windows – including on HTTP applications.
According to the Microsoft advisory, the flaw comes down to the “improper processing of specially crafted packets”, which could be exploited by attackers remotely executing attacks on targets by sending malicious traffic to a Windows-based server.
The advisory notes that the flaw (MS14-066) – which has no workaround – is ‘critical’ for servers (Windows Server 2003, 2008 and 2012) and desktop devices, with the latter potentially threatening users running Vista, Windows 7, 8, 8.1 and Windows RT.
Amol Sarwate, director of engineering at Qualys, told newswire Ars Technica that these would be particularly vulnerable if the user had installed software on their client devices to monitor internet ports.
Fortunately, Microsoft says that there is no evidence pointing to in-the-wild exploits being used against Windows users at this point, although observers will note that the flaw itself comes in a year in which TLS stacks (including Apple’s Secure Transport, OpenSSL, NSS, GnuTLS and now Schannel) have all been found to have vulnerabilities of varying severity.
The update was one of 16 (two have been postponed) scheduled for the Patch Tuesday batch, which also discloses and issues fixes for two OLE bugs.
The latter affects all supported versions of Windows and is given an ‘exploitability’ rating of “0” as the zero-day (CVE-2014-6352) is being used in “limited, targeted attacks in the wild.” Specifically, the most severe of the vulnerabilities could allow for remote code execution if a user was directed to a spoofed webpage in Internet Explorer.
“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” reads the advisory. “If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Elsewhere, there are also fixes for bugs in XML Core Services (rated as critical for Vista, Windows 7, 8 and 8.1 devices), Office, Exchange and SharePoint. The full list can be seen here.
In an email to journalists, Ross Barrett, senior manager of security engineering at Rapid7, said that MS14-064 is the most critical flaw, as it relates to OLE which was exploited in the Sandworm exploit – which has been used to target Windows devices within critical infrastructure.
“The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE,” he said.
“After MS14-064, attention goes to MS14-065 and MS14-066, Internet Explorer and SChannel respectively. The SChannel issue is risky, since there is a very good chance that this service could be exposed or accessed via the perimeter. The IE patches are cumulative, as usual, and address 17 CVEs.
He added: “Perimeter systems are often mission critical and need the fastest attention. Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”
Ethical hacker Gavin Millard, who is technical director EMEA at Tenable Security, added in an email to SCMagazineUK.com that MS14-064 and MS14-066 should be the highest priority, noting that the latter is the most concerning as it affects all supported versions of Windows.
“MS14-064, a vulnerability in the Windows Object Linking and Embedding (OLE) library, appears to be a continuation of vulnerabilities disclosed last month in MS14-060. Researchers have already identified this vulnerability being used in the wild for exploitation through the use of malicious PowerPoint files,” he told SC.
“The larger worry for many is MS14-066 though as it’s a remote code execution vulnerability affecting all supported versions of Windows including the server platforms. The bug was discovered in Schannel, a set of security protocols for communication and identification, and is of particular concern due to the possibility of an attacker utilising it without user interaction.
“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.”
Millard admitted it’s hard to say if the flaw could be potentially as dangerous as Shellshock (an open-source flaw which allowed an attacker to perform remote code execution attacks on any server using the Bash shell) and Heartbleed (OpenSSL bug exploited, with thousands of websites and web servers affected).
“Is MS14-066 as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”
Robert Brown, director of services at cloud-based IT endpoint management solution provider Verismic, suggested however that Microsoft’s patches can be hard to manage for security teams with short maintenance windows.
And citing the US National Vulnerability Database where CVEs are scored independently by CERT, he told SCMagazineUK.com: “They will probably look at the credibility and if there are any confirmed exploits. In my opinion, they will make these critical if there is active exploit.”
He went onto note that MS14-066 – already named Winshock in some quarters – would still require a user clicking on the link and using a device with administrator rights for an exploit to be effective, and suggested that MS14-065 is more pervasive as the Internet Explorer bug could be used to ‘actively infect a huge amount of the Windows estate’.
Citing the fact that it affects all versions of IE going back to version 6.0, he said: “One problem with Microsoft’s binary is that files remain behind it even if you don’t use [the application]…and lock it from your machine. The little seed is still there.” He added that hackers could remotely exploit the flaw by using a crafted instant messenger message promising Christmas pictures, for example, before delivering the payload.
After a relatively light Patch Tuesday last month, October’s security updates are back in full swing. With a total of eight security bulletins covering a total of 24 vulnerabilities discovered in Internet Explorer, Office, and the .Net framework, three of these are rated as critical – full details can be seen below.
Internet Explorer features heavily in this month’s update, with the first Critical update, MS14-056, addressing 14 privately reported vulnerabilities and scoring a CVSS of 9.3. The most severe of these could allow remote code execution, giving the attacker the same admin rights as the current user.
The second of the Critical updates, MS14-057, could also allow remote code execution if the attacker sends a specially crafted URI request containing international characters to a .NET web application. The three privately reported vulnerabilities score CVSS 9.3, so remediation should be done as soon as technically possible.
The final of this month’s Critical updates, MS14-058, resolves two privately reported vulnerabilities in Windows, again with a CVSS score of 9.3. Once again the more severe of the two could allow remote code execution. What is interesting here is that the attacker would have to rely on a phishing attack to exploit this vulnerability, as it requires the attacker to convince a user to open a specially crafted document or visit an untrusted website.
Important update – but no less critical
By far the most important patch in this month’s update is MS14-060, as there are already zero-day attacks taking advantage of this vulnerability, so remediation is recommended as soon as technically possible. While this security update is only rated Important by Microsoft, it has been independently scored CVSS 9.3 for all supported releases of Microsoft Windows, excluding Windows Server 2003.
The security update resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user opens an Office file containing a specially crafted OLE object. This would allow an attacker to execute any command in the context of the user, such as installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights.
As always it’s vital to update the Critical vulnerabilities at the earliest opportunity, so we will be analysing the binary code for each patch update and will be rolling out the updates to all of our customers through the agreed deployment process using Verismic Syxsense.
Microsoft Windows, Windows Explorer
Cumulative Security update for Internet Explorer (2987107)
Microsoft Windows, Microsoft .NET framework
Vulnerabilities in .NET framework could allow remote code execution (3000414)
Vulnerabilities in Kernel-Mode driver could allow remote code execution (3000061)
Vulnerability in Windows OLE could allow remote code execution (3000869)
Microsoft Office, Microsoft Office services, Microsoft Office web app
Vulnerability in Microsoft Word and Office web apps could allow remote code execution (3000434)
Vulnerability in FAT32 disk partition driver could allow elevation of privilege (2998579)
Vulnerability in message queuing service could allow elevation of privilege (2993254)
Microsoft Developer tools
Vulnerability in ASP.Net MVC could allow security feature bypass (2990942)