Skip to main content

SC Magazine


Who Polices the Security Service?

By Patch Management, Patch TuesdayNo Comments
[vc_single_image image=”1679″ img_size=”full” css=”.vc_custom_1486577956970{padding-top: 10px !important;padding-bottom: 50px !important;}”][vc_single_image image=”2115″ img_size=”full”]

Questions need to be asked of Patch Tuesday and Microsoft’s approach to it, says Robert Brown.

SC Magazine  |  Dec 17, 2014

The next Patch Tuesday, Microsoft’s usual day to issue security updates for its software, is looming again. It will be the 13th of January 2015, then in February and so on. It’s so frequent it’s easy to treat it as a’ business as usual’ exercise, so humdrum that it requires no second-thought or intelligence.

However, it really does need that a second-thought. Patching is obviously essential, companies do need to protect themselves from known software vulnerabilities, but there are problems with Microsoft’s approach to patching and simply installing every patch with the quick click of a button could be costly; worse, you might just see the Blue Screen of Death (BSOD) across your device fleet.

Microsoft’s approach to patching is very much a ‘fire and forget’ exercise where it issues patch updates each month and expects businesses to roll out the patches as soon as possible.  However, this is where your second thought is needed, as many IT managers will attest, they cannot and, should not, deploy them right away.  IT must take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems.

Just take a look at MS14-066 – a lot of users reported problems when implementing the update, forcing Microsoft to reissue the patch. Imagine if every business had implemented that immediately! If there is a compatibility issue with a patch and systems need to be rolled back, this extends downtime and can impact the business’s bottom line.

Compatibility aside, my real issue with Patch Tuesday is Microsoft’s rating system. It is relatively simple to follow:

  • ‘Critical’ – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
  • ‘Important’ – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.’
  • Moderate’ – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
  • ‘Low’ – The impact is comprehensively mitigated by the characteristics of the component.

Keep in mind that Microsoft self-certifies vulnerabilities for its products and November’s Patch Tuesday contained 14 separate patches fixing almost 40 vulnerabilities as well as an out-of-band patch a week later; five of the updates, including the out of band patch, were rated by Microsoft as Critical, eight Important and two Moderate.

Where to start? With the obvious, surely? Patch the Critical updates first and take the rest in turn. Better still, do them all at once! This couldn’t be more wrong. My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as the Common Vulnerability Scoring System (CVSS) to get a more informed view. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving a much better understanding of the risk a particular vulnerability poses to the business.

If we look again at November’s Patch Tuesday, US-CERT gave the out of band patch, rated as Critical by Microsoft, a score of 10.0 – that’s as serious as it can get and gives a good starting point for patching activities. It’s now top priority.

Three other Critical patches were scored 9.3 by US-CERT, which suggests Microsoft has got this right and they should be the next area of focus. Time to get to work.

But, the last remaining Critical patch only scored 6.8 by US-CERT. This is a really important discovery, because actually six other patches, some deemed only Moderate or Important by Microsoft, were rated higher than 6.8 by US-CERT. In other words, some of those Moderate and Important patches should be tackled before the last remaining Critical patch.

This isn’t a one-off slip from Microsoft either. In October’s Patch Tuesday, three Critical and two Important updates were all rated 9.3 equally by US-CERT. Those two Important updates might have been delayed by IT managers if relying on Microsoft’s rating only.

Microsoft is providing a great security service that everyone is thankful for, but it does need policing by a second source. The critical is not always critical and sometimes the Moderate needs urgent attention too.


Microsoft issues critical patches for Windows SSL/TLS and OLE flaws

By Patch Management, Patch TuesdayNo Comments

Microsoft has issued critical patches for flaws relating to SSL/TLS encryption on Windows systems, as well as the Windows Object Linking and Embedding (OLE) protocol.

Microsoft issues critical patches for Windows SSL/TLS and OLE flaws
On Tuesday morning, the Redmond technology giant issued a news bulletin announcing the release of 14 security patches, including four rated ‘critical’ and eight as ‘important’, as part of its Patch Tuesday programme.

Arguably the most important of all of these was a patch for a flaw in the Microsoft secure channel (Schannel) security component, which implements the Secure Sockets Layer (SSL) and transport layer security (TLS) protocols that are used to handle encryption and authentication in Windows – including on HTTP applications.

According to the Microsoft advisory, the flaw comes down to the “improper processing of specially crafted packets”, which could be exploited by attackers remotely executing attacks on targets by sending malicious traffic to a Windows-based server.

The advisory notes that the flaw (MS14-066) – which has no workaround – is ‘critical’ for servers (Windows Server 2003, 2008 and 2012) and desktop devices, with the latter potentially threatening users running Vista, windows 7, 8 , 8.1 and Windows RT.

Amol Sarwate, director of engineering at Qualys, told newswire Ars Technica that these would be particularly vulnerable if the user had installed software on their client devices to monitor internet ports.

Fortunately, Microsoft says that there is no evidence pointing to in-the-wild exploits being used against Windows users at this point, although observers will note that the flaw itself comes in a year where the TLS stack (including Apple’s Secure Transport, Open SSL, NSS, GNU TLS and now SChannel) have been found with varying vulnerabilities.

The update was one of 16 (two have been postponed) scheduled for the Patch Tuesday batch, which also discloses and issues fixes for two OLE bugs.

The latter affects all supported versions of Windows and is given an ‘exploitability’ rating of “0” as the zero-day (CVE-201406352) is being used in “limited, targeted attacks in the wild.” Specifically, the most severe of the vulnerabilities could allow for remote code execution if a user was directed to a spoofed webpage on Internet Explorer.

“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” reads the advisory. “If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Elsewhere, there are also fixes for bugs in XML Core Services (rated as critical for Vista, Windows 7, 8 and 8.1 devices), Office, Exchange and SharePoint. The full list can be seen here.

In an email to journalists, Ross Barrett, senior manager of security engineering at Rapid7, said that MS14-064 is the most critical flaw, as it relates to OLE which was exploited in the Sandworm exploit – which has been used to target Windows devices within critical infrastructure.

“The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE,” he said.

“After MS14-064, attention goes to MS14-065 and MS14-066, Internet Explorer and SChannel respectively. The SChannel issue is risky, since there is a very good chance that this service could be exposed or accessed via the perimeter. The IE patches are cumulative, as usual, and address 17 CVEs.

He added: “Perimeter systems are often mission critical and need the fastest attention.  Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”

Ethical hacker Gavin Millard, who is technical director EMEA at Tenable Security, added in an email to SCMagazineUK.com that MS14-064 and MS14-066 should be the highest priority– noting that the latter is the most concerning as it affects all supported versions of Windows.

“MS14-064, a vulnerability in the Windows Object Linking and Embedding (OLE) library, appears to be a continuation of vulnerabilities disclosed last month in MS14-060. Researchers have already identified this vulnerability being used in the wild for exploitation through the use of malicious PowerPoint files,” he told SC.

“The larger worry for many is MS14-066 though as it’s a remote code execution vulnerability affecting all supported versions of Windows including the server platforms. The bug was discovered in Schannel, a set of security protocols for communication and identification, and is of particular concern due to the possibility of an attacker utilising it without user interaction.

“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.”

Millard admitted it’s hard to say if the flaw could be potentially as dangerous as Shellshock (an open-source flaw which allowed an attacker to perform remote code execution attacks on any server using the Bash shell) and Heartbleed (OpenSSL bug exploited, with thousands of websites and web servers affected).

“Is MS14-066 as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”


Robert Brown, director of services at cloud-based IT endpoint management solution provider Verismicsuggested however that Microsoft’s patches can be hard to manage for security teams with short maintenance windows.

And citing the US National Vulnerability Database where CVEs are scored independently by CERT,  he told SCMagazineUK.com: “They will probably look at the credibility and if there are any confirmed exploits. In my opinion, they will make these critical if there is active exploit.”

He went onto note that MS14-066 – already named Winshock in some quarters – would still require a user clicking on the link and using a device with administrator rights for an exploit to be effective, and suggested that MS14-065 is more pervasive as the Internet Explorer bug could be used to ‘actively infect a huge amount of the Windows estate’.

Citing the fact that it affects all versions of IE going back to version 6.0, he said: “One problem with Microsoft’s binary is that files remain behind it even if you don’t use [the application]…and lock it from your machine. The little seed is still there.” He added that hackers could remotely exploit the flaw by using a crafted instant messenger message promising Christmas pictures, for example, before delivering the payload.