
Robert Brown


HTTP.sys vulnerability fixed in April’s Patch Tuesday

Filed under: News, Patch Management, Patch Tuesday

In this month’s patch updates from Microsoft there’s a total of 11 bulletins – four Critical and seven Important – covering 26 separate vulnerabilities. “We’re going to look at each of the four Critical updates in turn”, says Robert Brown, Director of Services at Verismic.

The first of the Critical updates from Microsoft, MS15-032, covers 10 separate vulnerabilities in Internet Explorer, nine of which are of the most severe kind and can allow remote code execution. However, there are two other Critical updates that you should be paying attention to: MS15-033 and MS15-034.

MS15-033 addresses five separate vulnerabilities in Microsoft Office, all of which could allow remote code execution. If that doesn’t encourage you to apply this patch, perhaps you should consider that one of the vulnerabilities within the update is currently being exploited in the wild. This is the only vulnerability in this month’s update that is known to be actively exploited.

The third Critical bulletin, MS15-034, has a CVSS of 10.0 from US-CERT, which is the highest rating possible. This patch should be your first priority above all others. Although the likelihood of this vulnerability being exploited is low, it is a credible threat to your business and the potential damage it could cause is massive. The vulnerability can be exploited if an attacker sends a specially crafted HTTP request to an affected Windows system. Unlike the other Critical patches this month, MS15-034 requires no user interaction whatsoever, which is what makes it so dangerous.

The final Critical bulletin for April, MS15-035, like the first two this month, has a CVSS of 9.3. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; the attacker would have to convince users to do so, typically by way of enticements in email or instant messenger messages.

The remaining Important bulletins address vulnerabilities that could allow elevation of privilege, bypassing security features, information disclosures, and denial of service vulnerabilities.

Once you’ve prioritised your patches, I would always advise staging your rollout by testing and piloting the updates before deploying widely. This will help identify any compatibility issues. This should be done as standard each month, and it is something we’ll always do for customers and MSPs through Syxsense.

Update no. | CVSS score | Microsoft rating | Affected software | Details
MS15-034 | 10.0 | Critical | Microsoft Windows | Vulnerability in HTTP.sys could allow remote code execution
MS15-032 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer
MS15-033 | 9.3 | Critical | Microsoft Office | Vulnerabilities in Microsoft Office could allow remote code execution
MS15-035 | 9.3 | Critical | Microsoft Windows | Vulnerability in Microsoft Graphics Component could allow remote code execution
MS15-038 | 7.2 | Important | Microsoft Windows | Vulnerabilities in Microsoft Windows could allow elevation of privilege
MS15-037 | 6.9 | Important | Microsoft Windows | Vulnerability in Windows Task Scheduler could allow elevation of privilege
MS15-036 | 4.3 | Important | Microsoft Server Software, Productivity Software | Vulnerability in Microsoft SharePoint Server could allow elevation of privilege
MS15-039 | 4.3 | Important | Microsoft Windows | Vulnerability in XML Core Services could allow security feature bypass
MS15-042 | 2.7 | Important | Microsoft Windows | Vulnerability in Hyper-V could allow denial of service
MS15-041 | 2.6 | Important | Microsoft Windows, Microsoft .NET Framework | Vulnerability in .NET Framework could allow information disclosure
MS15-040 | 1.9 | Important | Microsoft Windows | Vulnerability in Active Directory Federation Services could allow information disclosure


Microsoft Patch Tuesday insight: FREAK, Stuxnet and more

Filed under: Patch Management, Patch Tuesday

Each month I’ll be offering insight into Microsoft’s Patch Tuesday updates, giving advice on which are the most serious vulnerabilities and how to prioritize them. Microsoft rates its own vulnerabilities internally, so whilst the ratings can give a good idea of severity, the scoring system isn’t infallible.

We generally compare two sources of information to try and understand the full impact of the patch update – Microsoft’s own rating as well as ratings from US-CERT [United States-Computer Emergency Readiness Team], which uses the Common Vulnerability Scoring System (CVSS).

By taking US-CERT’s independent ratings alongside Microsoft’s, you get a much clearer picture of which vulnerabilities are going to pose the biggest risk to your customers.

This month’s Microsoft Patch Tuesday is a relatively hefty one, with a total of 14 separate updates, five rated Critical and the rest Important, according to Microsoft. One update that surprises me is MS15-031, which resolves a major well-known issue with Windows called FREAK. This vulnerability was serious enough that it was almost released as an out-of-band patch just last week, yet it has only been rated Important and not raised to Critical. Very odd!

The eagle-eyed will also notice that MS15-020 is included in this month’s update, fixing the vulnerability exploited by Stuxnet, a worm believed to have been developed by the US and Israel and used specifically to attack nuclear reprocessing plants in Iran. With a CVSS of 9.3 this should definitely be a priority for all businesses, whether you happen to be working at an Iranian nuclear plant or not.

Outlined below are the patches that you should actually consider rolling out first.

Critical patches
MS15-018 – CVSS: 9.3
This security update fixes a total of 13 separate vulnerabilities in Internet Explorer. The most serious flaw could allow remote code execution if a user were to view a specially crafted webpage. An attacker would be able to gain the same access rights as the current user, so if you’re logged in as an administrator, that attacker can essentially have full control of the system.

The update addresses the vulnerabilities by modifying the way Internet Explorer handles objects in memory, helping to ensure policies are properly enforced, and adding additional permission validations.

MS15-019 – CVSS: 9.3
This security update resolves a vulnerability in VBScript (a scripting language designed for interpretation by web browsers). Again, if a user visits a specially crafted webpage it could allow remote code execution. The update is rated Critical for the VBScript scripting engine in Microsoft Windows, but only Moderate for affected versions of VBScript on Windows Servers.

MS15-020 – CVSS: 9.3
This patch addresses the Stuxnet vulnerability; while there were previous patches, they didn’t completely fix all of the vulnerable code path. Even if you aren’t working at an Iranian nuclear reprocessing plant it’s still worth patching, as it can allow remote code execution if a user browses to a specially crafted web page, opens a specially crafted file, or browses to a working directory that contains a specially crafted DLL file. Let’s stop Stuxnet once and for all!

MS15-021 – CVSS: 9.3
This update resolves eight privately reported vulnerabilities within Adobe Font Driver. The most serious of the eight could allow an attacker to take complete control of an affected system if a user views a specially crafted file or website.

MS15-022 – CVSS: 9.3
The final Critical update from Microsoft addresses vulnerabilities in Microsoft Office 2007, 2010 and 2013. This update patches five privately reported vulnerabilities, three of which could allow remote code execution.

Important updates
A further nine updates came from Microsoft this month that were all rated as Important. There is some discrepancy over the severity of the Important updates this month compared to US-CERT’s rating, so I’d recommend patching MS15-025 and MS15-030 once you’ve dealt with the Critical updates, and then take the rest from there.

Three of the Important updates [MS15-023, MS15-025, MS15-026] could allow an elevation of privilege. That is to say, an attacker that successfully gains access to your system can elevate their privilege to an administrator. From there, they could install programs; view, change or delete data; or create new accounts with full user rights.

Two updates (MS15-028, MS15-031) could allow security feature bypass, so an attacker with limited privileges could use the vulnerabilities to execute files that they do not have permission to run. MS15-031 resolves the FREAK vulnerability, an industry-wide issue that’s not specific just to the Windows operating system.

The final three updates resolve issues in Microsoft Windows and NETLOGON that could allow spoofing, information disclosure, and a denial of service attack.

Next steps
There’s rarely a Patch Tuesday that goes by without an issue with one of the patches that can cause problems such as the dreaded blue screen of death. I’d advise that before you roll out patches to your customers, you look at the binary code for each update and move to testing and piloting the updates before deployment. This is what we do for both our customers and MSPs, and we then work through the rollout of the patches through Verismic Syxsense.

Update no. | CVSS score | Microsoft rating | Affected software | Details
MS15-018 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer
MS15-019 | 9.3 | Critical | Microsoft Windows | Vulnerability in VBScript scripting engine could allow remote code execution
MS15-020 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Microsoft Windows could allow remote code execution
MS15-021 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Adobe Font Driver could allow remote code execution
MS15-022 | 9.3 | Critical | Microsoft Office, Microsoft Server Software | Vulnerabilities in Microsoft Office could allow remote code execution
MS15-030 | 7.8 | Important | Microsoft Windows | Vulnerability in Remote Desktop Protocol could allow denial of service
MS15-025 | 7.2 | Important | Microsoft Windows | Vulnerabilities in Windows Kernel could allow elevation of privilege
MS15-023 | 5.6 | Important | Microsoft Windows | Vulnerabilities in Kernel-Mode Driver could allow elevation of privilege
MS15-024 | 4.3 | Important | Microsoft Windows | Vulnerability in PNG Processing could allow information disclosure
MS15-026 | 4.3 | Important | Microsoft Exchange | Vulnerabilities in Microsoft Exchange Server could allow elevation of privilege
MS15-027 | 4.3 | Important | Microsoft Windows | Vulnerability in NETLOGON could allow spoofing
MS15-029 | 4.3 | Important | Microsoft Windows | Vulnerability in Windows Photo Decoder Component could allow information disclosure
MS15-028 | 2.1 | Important | Microsoft Windows | Vulnerability in Windows Task Scheduler could allow security feature bypass
MS15-031 | 5.0 | Important | Microsoft Windows | Vulnerability in Schannel could allow security feature bypass

Our monthly blog post appears here.


Prioritising patches properly – don’t always listen to Microsoft

Filed under: Patch Management, Patch Tuesday

It seems that it was only yesterday that patch/update Tuesday came and went, yet the next one is looming already.

As an IT guy I actually look forward to seeing the types of vulnerabilities that have been discovered in Microsoft’s products. Some are obviously more interesting than others, such as the vulnerability in Schannel, but what they all have in common is that they actually do pose a threat to your business.

We all know that patching is a vital process in keeping our businesses safe, but I do have some issues with Microsoft’s approach to patching. It’s very much a “fire and forget” exercise for them, whereby patch updates are released each month and your IT team is then expected to roll them out across the business.

Whilst this may be the most efficient way of releasing patches from Microsoft’s point of view, there are many instances where simply rolling them out is not an option. IT teams need to take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems such as the dreaded blue screen of death.

Case in point was November’s MS14-066 update – there were a lot of reported problems when implementing the update, with Microsoft having to reissue the patch. Imagine if every business had implemented that immediately!

Keep in mind that Microsoft self-certifies vulnerabilities, and has a fairly easy-to-follow rating system:
• Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
• Important – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
• Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
• Low – The impact is comprehensively mitigated by the characteristics of the component.

If we take a look at November’s Patch Tuesday, there were a total of 14 separate patches, five of which were rated Critical, fixing almost 40 vulnerabilities, plus an out-of-band patch a week later. So how do you prioritise these five if they’re all rated the same? Which vulnerability do you patch first?

When rolling out patches, it’s all well and good to do so if your business is located in one or two premises, but what if your business has a number of remote locations? Retail, transportation and oil and gas are all good examples.

If you were to take a large retail store open 24 hours a day, there needs to be a window of time where the systems are taken offline so they can be updated. Microsoft’s approach would be to suggest patching the Critical vulnerabilities first, and then work through the rest.

At Verismic, we provide a service to our customers to ensure that their entire IT infrastructure remains as up-to-date as possible, which includes rolling out any patch updates from vendors. We do this by creating a baseline – what is going to be the most important update for the business, and then we work backwards. It’s important to do this because, as we said, many businesses simply don’t have the time or even the bandwidth to roll out all of the patch updates at once.

To create this baseline we use three different measurements: vendor severity (that would be Microsoft’s self-certified rating), the Common Vulnerability Scoring System (CVSS), and the total number of vulnerable systems in the customer’s environment. By measuring against three separate metrics we can get a much better understanding of the risk a vulnerability really poses.
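The three-metric baseline described above, as an added Python example that is not Verismic’s or Syxsense’s code: it normalises Microsoft’s rating, the US-CERT CVSS score and the share of the estate still missing the update, and combines them with weights chosen as an assumption for this example (CVSS 0.5, exposure 0.3, vendor rating 0.2). The bulletin IDs, ratings and CVSS scores come from the April 2015 table at the top of this page; the 500-host estate and the per-bulletin host counts are constructed.

```python
"""Patch prioritisation baseline.

Added example, not Verismic's or Syxsense's code.  It combines the three
measurements the post lists: vendor severity (Microsoft's rating), the
US-CERT CVSS score, and the number of vulnerable systems in the estate.
The weights and the host counts are assumptions made for this example.
"""
from dataclasses import dataclass

# Microsoft's four self-certified severity levels, highest first.
VENDOR_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}

# Assumed weights: CVSS carries the most, exposure next, vendor rating least,
# following the post's advice to take the vendor rating with a pinch of salt.
W_CVSS, W_EXPOSURE, W_VENDOR = 0.5, 0.3, 0.2


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    vendor_rating: str
    cvss: float            # US-CERT CVSS base score, 0.0 to 10.0
    vulnerable_hosts: int  # systems in the estate still missing this update


def risk_score(b: Bulletin, total_hosts: int) -> float:
    """Normalise each metric to the range 0..1 and combine them into one score."""
    if b.vendor_rating not in VENDOR_RANK:
        raise ValueError(f"unknown vendor rating: {b.vendor_rating!r}")
    if not 0.0 <= b.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {b.cvss}")
    if total_hosts <= 0 or b.vulnerable_hosts < 0:
        raise ValueError("total_hosts must be positive and vulnerable_hosts non-negative")
    vendor = VENDOR_RANK[b.vendor_rating] / max(VENDOR_RANK.values())
    cvss = b.cvss / 10.0
    exposure = min(b.vulnerable_hosts, total_hosts) / total_hosts
    return round(W_CVSS * cvss + W_EXPOSURE * exposure + W_VENDOR * vendor, 4)


def prioritise(bulletins, total_hosts):
    """Return (bulletin_id, score) pairs, highest risk first; CVSS breaks ties."""
    ordered = sorted(bulletins,
                     key=lambda b: (risk_score(b, total_hosts), b.cvss),
                     reverse=True)
    return [(b.bulletin_id, risk_score(b, total_hosts)) for b in ordered]


# Bulletins from the April 2015 table on this page; host counts are constructed
# for a hypothetical 500-host estate where Office, SharePoint and Hyper-V are
# only installed on a subset of machines.
TOTAL_HOSTS = 500
SAMPLE_BULLETINS = [
    Bulletin("MS15-034", "Critical", 10.0, 480),
    Bulletin("MS15-032", "Critical", 9.3, 450),
    Bulletin("MS15-033", "Critical", 9.3, 400),
    Bulletin("MS15-038", "Important", 7.2, 480),
    Bulletin("MS15-036", "Important", 4.3, 2),
    Bulletin("MS15-042", "Important", 2.7, 6),
]


def ranked_sample():
    """Rank the constructed sample estate."""
    return prioritise(SAMPLE_BULLETINS, TOTAL_HOSTS)


if __name__ == "__main__":
    for bulletin_id, score in ranked_sample():
        print(f"{bulletin_id}  {score:.4f}")
```

On the sample estate the ranking puts MS15-034 first, as the April post recommends, while MS15-036 (SharePoint) and MS15-042 (Hyper-V) fall to the bottom because almost nothing in the estate is exposed to them. Anything outside the three metrics, such as a bulletin known to be exploited in the wild, still has to be weighed as a judgment on top of the score.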

My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as CVSS. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving you a much better understanding of the risk a particular vulnerability poses to your business.

Patching is invaluable to protecting your business. By taking a phased approach to updating systems and creating a baseline to understand the risk of each vulnerability, you can get a much better idea of which patches you should be prioritising first.

Robert Brown is Director of Services at Verismic

Originally published on IT Security Guru

Patch Tuesday: Time to Lose Your Marbles!

Filed under: Patch Management, Patch Tuesday

Microsoft’s patches this month are few, but no less important. In fact, critical in one case!

We generally compare two sources of information to understand the impact of Microsoft’s patch updates – Microsoft’s own feed plus information from an independent source, such as US-CERT [United States-Computer Emergency Readiness Team], which uses the Common Vulnerability Scoring System (CVSS) to assess the potential impact of the IT vulnerabilities. By contrasting two sources of information we can get the real picture of how the vulnerabilities affect your business.

In this latest round, announced last week, we have four updates, MS14-052, MS14-053, MS14-054 and MS14-055. Full details for each below. Now, what’s interesting here is that Microsoft has listed the latter three as Important but by using the CVSS we can actually understand that MS14-055 has a score of 7.8 out of 10. That’s pretty high and, in our experience, anything with a CVSS score that high needs to be urgently prioritised along with the Critical update MS14-052.
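An added Python example (not the post’s or Verismic’s code) of the Microsoft-versus-CVSS comparison described above: it parses bulletin table rows of the kind used on this page, lists the bulletins Microsoft rated only Important whose CVSS score nonetheless sits at 7.0 or above (the lower bound of the CVSS v2 “High” band, used as the cut-off here by assumption), and orders them immediately behind the Critical bulletins. The sample rows are transcribed from the March 2015 table earlier on this page; the last row is written with “|” separators to exercise both row formats.

```python
"""Flag Microsoft-vs-CVSS rating discrepancies.

Added example, not the post's code.  It parses bulletin table rows such as
    MS15-030 7.8 Important Microsoft Windows Vulnerability in ... could allow ...
(or the same five fields separated by '|') and lists bulletins Microsoft rated
below Critical while the US-CERT CVSS score sits in the CVSS v2 "High" band
(7.0 to 10.0).  Using 7.0 as the cut-off is an assumption made for this example.
"""
import re
from typing import NamedTuple

RATINGS = ("Critical", "Important", "Moderate", "Low")
HIGH_CVSS = 7.0  # lower bound of the CVSS v2 "High" band

# Space-separated row: id, score, rating, affected software, details.  The
# details column always begins "Vulnerability in", "Vulnerabilities in" or
# "Cumulative", which is what lets us split it from the affected-software column.
ROW_RE = re.compile(
    r"^(?P<id>MS\d{2}-\d{3})\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<rating>Critical|Important|Moderate|Low)\s+"
    r"(?P<affected>.+?)\s+"
    r"(?P<details>(?:Vulnerabilit(?:y|ies) in|Cumulative) .+)$"
)


class Bulletin(NamedTuple):
    bulletin_id: str
    cvss: float
    vendor_rating: str
    affected: str
    details: str


def parse_row(line: str) -> Bulletin:
    """Parse one table row in either the space-separated or '|'-separated form."""
    line = line.strip()
    if "|" in line:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or parts[2] not in RATINGS:
            raise ValueError(f"unrecognised bulletin row: {line!r}")
        return Bulletin(parts[0], float(parts[1]), parts[2], parts[3], parts[4])
    m = ROW_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised bulletin row: {line!r}")
    return Bulletin(m["id"], float(m["cvss"]), m["rating"], m["affected"], m["details"])


def parse_table(text: str) -> list:
    """Parse every row, skipping blank lines and the column-header line."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Update no."):
            continue
        rows.append(parse_row(line))
    return rows


def underrated(bulletins, threshold=HIGH_CVSS):
    """IDs Microsoft rated below Critical whose CVSS is at or above the threshold."""
    return [b.bulletin_id for b in bulletins
            if b.vendor_rating != "Critical" and b.cvss >= threshold]


def patch_order(bulletins, threshold=HIGH_CVSS):
    """Critical first, then the underrated ones, then the rest; CVSS descending in each tier."""
    def tier(b):
        if b.vendor_rating == "Critical":
            return 0
        return 1 if b.cvss >= threshold else 2
    return [b.bulletin_id for b in sorted(bulletins, key=lambda b: (tier(b), -b.cvss))]


# Rows transcribed from the March 2015 table earlier on this page (a subset);
# the last one is written in the '|'-separated form to exercise both parsers.
SAMPLE_TABLE = """\
Update no. CVSS Score Microsoft rating Affected software Details
MS15-018 9.3 Critical Microsoft Windows, Internet Explorer Cumulative security update for Internet Explorer
MS15-022 9.3 Critical Microsoft Office, Microsoft Server Software Vulnerabilities in Microsoft Office could allow remote code execution
MS15-030 7.8 Important Microsoft Windows Vulnerability in Remote Desktop Protocol could allow denial of service
MS15-025 7.2 Important Microsoft Windows Vulnerabilities in Windows Kernel could allow elevation of privilege
MS15-023 5.6 Important Microsoft Windows Vulnerabilities in Kernel-Mode Driver could allow elevation of privilege
MS15-031 5.0 Important Microsoft Windows Vulnerability in Schannel could allow security feature bypass
MS15-024 | 4.3 | Important | Microsoft Windows | Vulnerability in PNG Processing could allow information disclosure
"""

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("underrated:", underrated(table))
    print("patch order:", patch_order(table))
```

On the March 2015 rows this flags MS15-030 and MS15-025, which is the same pair the post singles out to patch straight after the Critical updates; the parser raises rather than silently skipping a row it cannot split into five fields, so a malformed line is noticed instead of disappearing from the priority list.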

What’s the risk?

MS14-055 resolves vulnerabilities, which could allow a denial of service attack against Microsoft Lync Server. This is rightfully a high-scoring ‘Important’ vulnerability that could allow someone to kill the server of a communications tool so vital to the operations of many, many businesses.

As an aside, I like to think of a denial of service attack as a marble in a bucket; the bucket is being used to remove water from a swimming pool. Every time the bucket is used, another marble finds its way in. Before long, you’re carrying a lot of marbles and not shifting much water! This vulnerability needs resolving – it’s time to lose your marbles.

MS14-052 has a CVSS score of 9.3. It’s a ‘rollup’ of 36 privately reported vulnerabilities, which affect all versions of Microsoft Internet Explorer. The vulnerability could allow an attacker to execute remote code. Again, it needs to be resolved.

Next steps 

Right now, we’re looking at the binary code for each patch update and moving towards testing and piloting the updates before deployment to customers. As with all our customers, we’ll be working through our agreed deployment process using Verismic Syxsense for rollout.

Feel free to leave a comment below if you have any viewpoints on the patch updates.

Microsoft rating | CVSS score | Update no. | Impact | Version number

Critical security bulletin | 9.3 | MS14-052 | Remote Code Execution | 1.0
Affected software:
Windows Server 2003 Service Pack 2: Internet Explorer 6, 7, 8
Windows Server 2003 x64 Edition Service Pack 2: Internet Explorer 6, 7, 8
Windows Server 2003 with SP2 for Itanium-based Systems: Internet Explorer 6, 7
Windows Vista Service Pack 2: Internet Explorer 7, 8, 9
Windows Vista x64 Edition Service Pack 2: Internet Explorer 7, 8, 9
Windows Server 2008 for 32-bit Systems Service Pack 2: Internet Explorer 7, 8, 9 (Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2: Internet Explorer 7, 8, 9 (Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2: Internet Explorer 7
Windows 7 for 32-bit Systems Service Pack 1: Internet Explorer 8, 9, 10, 11
Windows 7 for x64-based Systems Service Pack 1: Internet Explorer 8, 9, 10, 11
Windows Server 2008 R2 for x64-based Systems Service Pack 1: Internet Explorer 8, 9, 10, 11 (Server Core installation not affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1: Internet Explorer 8
Windows 8 for 32-bit Systems: Internet Explorer 10
Windows 8 for x64-based Systems: Internet Explorer 10
Windows Server 2012: Internet Explorer 10 (Server Core installation not affected)
Windows RT: Internet Explorer 10
Windows 8.1 for 32-bit Systems: Internet Explorer 11
Windows 8.1 for x64-based Systems: Internet Explorer 11
Windows Server 2012 R2: Internet Explorer 11 (Server Core installation not affected)
Windows RT 8.1: Internet Explorer 11

Important security bulletin | 7.8 | MS14-055 | Denial of Service | 1.0
Affected software: Microsoft Lync Server 2010; Microsoft Lync Server 2013

Important security bulletin | 6.8 | MS14-054 | Elevation of Privilege | 1.0
Affected software: Windows 8 for 32-bit Systems; Windows 8 for x64-based Systems; Windows 8.1 for 32-bit Systems; Windows 8.1 for x64-based Systems; Windows Server 2012 (Server Core installation affected); Windows Server 2012 R2 (Server Core installation affected); Windows RT; Windows RT 8.1

Important security bulletin | 4.3 | MS14-053 | Denial of Service | 1.0
Affected software:
Windows Server 2003 Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.0 Service Pack 2, 4
Windows Server 2003 x64 Edition Service Pack 2: Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 4
Windows Server 2003 with SP2 for Itanium-based Systems: Microsoft .NET Framework 2.0 Service Pack 2, 4
Windows Vista Service Pack 2: Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 4, 4.5/4.5.1/4.5.2
Windows Vista x64 Edition Service Pack 2: Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 4, 4.5/4.5.1/4.5.2
Windows Server 2008 for 32-bit Systems Service Pack 2: Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 4, 4.5/4.5.1/4.5.2 (Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2: Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 4, 4.5/4.5.1/4.5.2 (Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2: Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 4
Windows 7 for 32-bit Systems Service Pack 1: Microsoft .NET Framework 3.5.1, 4, 4.5/4.5.1/4.5.2
Windows 7 for x64-based Systems Service Pack 1: Microsoft .NET Framework 3.5.1, 4, 4.5/4.5.1/4.5.2
Windows Server 2008 R2 for x64-based Systems Service Pack 1: Microsoft .NET Framework 3.5.1, 4, 4.5/4.5.1/4.5.2 (Server Core installation affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1: Microsoft .NET Framework 3.5.1, 4
Windows 8 for 32-bit Systems: Microsoft .NET Framework 3.5, 4.5/4.5.1/4.5.2
Windows 8 for x64-based Systems: Microsoft .NET Framework 3.5, 4.5/4.5.1/4.5.2
Windows 8.1 for 32-bit Systems: Microsoft .NET Framework 3.5, 4.5.1/4.5.2
Windows 8.1 for x64-based Systems: Microsoft .NET Framework 3.5, 4.5.1/4.5.2
Windows Server 2012: Microsoft .NET Framework 3.5, 4.5/4.5.1/4.5.2 (Server Core installation affected)
Windows Server 2012 R2: Microsoft .NET Framework 3.5, 4.5.1/4.5.2 (Server Core installation affected)
Windows RT: Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows RT 8.1: Microsoft .NET Framework 4.5.1/4.5.2