Wednesday, February 09, 2005
Oy, what a week.
Anyone who works in security or Windows system administration is having a crappy week, thanks to MS and Symantec. If you do, then you know what I'm talking about. If you don't, you'll be no more confused by this post than by anything else in this blog, so read on anyway. Maybe we'll both learn something, and by "both" I mean "you"!
So after careful analysis (read: drinking *not* to the point of incapacitation), here's our take on the MS vulnerabilities and patches made available this week: note that there are 12 patches announced, but they cover more than that number of vulnerabilities in MS' software. MS has a tendency to combine vulnerability fixes into patches, in part because 12 is the lower number of the two.
"We've only had one patch released this year!"
Yes, but it covered 158 vulnerabilities and was 7 terabytes in size, requires all workstations and servers to be rebooted two and a half billion times (give or take one), and your own distribution software gives us conflicting reports on whether the installation was successful or not.
"Only *one* patch!"
Let me clarify on the below: it's my opinion that ALL Windows-based systems that face the Internet should have *ALL* applicable patches installed ASAP. Whether you need to patch internal-only facing servers depends on how much you trust your users, which is something only you can gauge, you precocious little monkey.
05-004 – ASP.NET Path Validation: Requires a site using authentication and ASP.NET, allows an attacker to bypass authentication. If you have an Internet-facing server that hosts ASP.NET-based services, patch now. If you have non-Internet-facing servers and you trust your users, patch a little later.
05-005 – Office XP Code Execution: Permits code execution, requires user interaction, executes with user’s privileges. Eh. Patch as soon as you can test a little, but send a reminder to your users not to click on random crap. Stop laughing.
05-006 – SharePoint XSS: Permits cross-site-scripting, requires attacker to have an authenticated logon to the SharePoint site, permits code execution with privileges of user tricked into executing code (requires interaction to execute script. Not so terrible, but see Internet-facing disclaimer above. Test and patch in the next scheduled downtime.
05-007 – Windows Information Disclosure: Affects XP only, permits attacker to list user account names using an open shared resource, requires Computer Browser Service. This adds one more to the list of one kabillion ways you can find out the names of user accounts on a system. Forget it, install when you can. No self-respecting hacker is going to use this one, when there are far simpler ways to get the info.
05-008 – Windows Shell Code Execution: Permits code execution through flaw in drag-and-drop routines, executes with user privileges, requires user interaction. Stop laughing and tell your users not to visit porn sites at work. It's not an escalation of privileges issue, so not too bad.
05-009 – PNG Processing Vulnerability: Affects Windows/MSN Messenger and Windows Media Player only, requires user interaction (opening file), executes with user privileges, requires attacker to be on user’s contact list (MSN Messenger) or that user is receiving .NET alerts (Windows Messenger). We still don't know why WMP would be opening PNG files, but there you go. This one has the potential to be a nasty worm on IM... I would patch soon, but don't take your users down over it. Sometimes the denial-of-service you apply to yourself when patching *too* enthusiastically is not worth the potential risk. Remember, you're supporting a business that has work to do.
05-010 – License Logging Service: Affects servers only, permits code execution from remote attacker through flaw in license logging service, service disabled by default on 2003, service requires authentication on 2000SP3+ & 2003. Forget this one: disable the service, you don't need it. Didn't you learn that in Security 101? Disable all unused services. First thing on the agenda. Just make sure you're legal on your licenses without MS peering over your shoulder. You can do that, right? We're all adults here?
05-011 – Server Message Block (SMB) Code Execution: Affects all Windows versions, flaw in SMB permits potential remote attack through targeted or broadcast packets or through user-interactive vector (e.g. SMB URL or HTML coding). Oy. Oy. Oy. Nasty one. Patch now, there's a worm on this one coming out this weekend. No, I won't give you the code, I'm not writing it.
05-012 – OLE/COM Code Execution: Affects Windows (all)/Exchange/Office, permits privilege escalation (to Admin), requires attacker is logged on locally. We set this one as a critical patch for Exchange servers, a moderate one for everything else. Even though we're not terribly convinced that Exchange is that vulnerable, we can't find any proof.
05-013 – DHTML ActiveX Code Execution: Affects all Windows versions, requires user interaction (click on link), executes with user privileges. Yeah, ActiveX. So it's an IE vuln, basically. WHAT DID I JUST TELL YOU PEOPLE ABOUT THE PORN SURFING?!
05-014 – Cumulative IE Security Update: Affects IE 5.01/5.5/6.0, 4 vulnerabilities included, all vulnerabilities are either spoofing/phishing or code execution with user privileges requiring user interaction. Just install all of the IE-based ones pretty soon, at the same time. You know your users won't listen, especially when you shout at them like that. Do we have to send you to sensitivity training again?
05-015 – Hyperlink Object Library Flaw: Affects all Windows versions, requires user interaction (click on link), executes with user privileges. I love this one. It doesn't require a bad guy to host malware on a website, the flaw is triggered just because the link itself is formed in a way MS didn't expect. Don't click on that URL! Why, because it might take me someplace nasty? No, because the URL ITSELF is the code. THE URL ITSELF IS THE CODE! SOYLENT MICROSOFT IS CODE!
Re-release 04-035 (SMTP DNS Lookup Vulnerability) to incorporate fix for additional vector. Oooh, missed this one, didn't you? It's not a NEW vulnerability, no: that would make our pretty number go up! Only 12, remember? But you thought you were safe, and now you're NOT! As far as I can tell, if you don't configure your Exchange servers to do reverse DNS lookup on incoming SMTP messages, this shouldn't affect you. If you do, then patch it, and ignore the mitigation step that says you should enable only authenticated users: who forces authenticated users on their incoming SMTP? People who get no email, that's who!
Now go patch. You know you don't want to. But for the spam-spewing-zombie-hating love of God, you MUST. It's for the good of the Internet, like flossing. ¶ 2/09/2005 08:25:00 PM
So after careful analysis (read: drinking *not* to the point of incapacitation), here's our take on the MS vulnerabilities and patches made available this week: note that there are 12 patches announced, but they cover more than that number of vulnerabilities in MS' software. MS has a tendency to combine vulnerability fixes into patches, in part because 12 is the lower number of the two.
"We've only had one patch released this year!"
Yes, but it covered 158 vulnerabilities and was 7 terabytes in size, requires all workstations and servers to be rebooted two and a half billion times (give or take one), and your own distribution software gives us conflicting reports on whether the installation was successful or not.
"Only *one* patch!"
Let me clarify on the below: it's my opinion that ALL Windows-based systems that face the Internet should have *ALL* applicable patches installed ASAP. Whether you need to patch internal-only facing servers depends on how much you trust your users, which is something only you can gauge, you precocious little monkey.
05-004 – ASP.NET Path Validation: Requires a site using authentication and ASP.NET, allows an attacker to bypass authentication. If you have an Internet-facing server that hosts ASP.NET-based services, patch now. If you have non-Internet-facing servers and you trust your users, patch a little later.
05-005 – Office XP Code Execution: Permits code execution, requires user interaction, executes with user’s privileges. Eh. Patch as soon as you can test a little, but send a reminder to your users not to click on random crap. Stop laughing.
05-006 – SharePoint XSS: Permits cross-site-scripting, requires attacker to have an authenticated logon to the SharePoint site, permits code execution with privileges of user tricked into executing code (requires interaction to execute script. Not so terrible, but see Internet-facing disclaimer above. Test and patch in the next scheduled downtime.
05-007 – Windows Information Disclosure: Affects XP only, permits attacker to list user account names using an open shared resource, requires Computer Browser Service. This adds one more to the list of one kabillion ways you can find out the names of user accounts on a system. Forget it, install when you can. No self-respecting hacker is going to use this one, when there are far simpler ways to get the info.
05-008 – Windows Shell Code Execution: Permits code execution through flaw in drag-and-drop routines, executes with user privileges, requires user interaction. Stop laughing and tell your users not to visit porn sites at work. It's not an escalation of privileges issue, so not too bad.
05-009 – PNG Processing Vulnerability: Affects Windows/MSN Messenger and Windows Media Player only, requires user interaction (opening file), executes with user privileges, requires attacker to be on user’s contact list (MSN Messenger) or that user is receiving .NET alerts (Windows Messenger). We still don't know why WMP would be opening PNG files, but there you go. This one has the potential to be a nasty worm on IM... I would patch soon, but don't take your users down over it. Sometimes the denial-of-service you apply to yourself when patching *too* enthusiastically is not worth the potential risk. Remember, you're supporting a business that has work to do.
05-010 – License Logging Service: Affects servers only, permits code execution from remote attacker through flaw in license logging service, service disabled by default on 2003, service requires authentication on 2000SP3+ & 2003. Forget this one: disable the service, you don't need it. Didn't you learn that in Security 101? Disable all unused services. First thing on the agenda. Just make sure you're legal on your licenses without MS peering over your shoulder. You can do that, right? We're all adults here?
05-011 – Server Message Block (SMB) Code Execution: Affects all Windows versions, flaw in SMB permits potential remote attack through targeted or broadcast packets or through user-interactive vector (e.g. SMB URL or HTML coding). Oy. Oy. Oy. Nasty one. Patch now, there's a worm on this one coming out this weekend. No, I won't give you the code, I'm not writing it.
05-012 – OLE/COM Code Execution: Affects Windows (all)/Exchange/Office, permits privilege escalation (to Admin), requires attacker is logged on locally. We set this one as a critical patch for Exchange servers, a moderate one for everything else. Even though we're not terribly convinced that Exchange is that vulnerable, we can't find any proof.
05-013 – DHTML ActiveX Code Execution: Affects all Windows versions, requires user interaction (click on link), executes with user privileges. Yeah, ActiveX. So it's an IE vuln, basically. WHAT DID I JUST TELL YOU PEOPLE ABOUT THE PORN SURFING?!
05-014 – Cumulative IE Security Update: Affects IE 5.01/5.5/6.0, 4 vulnerabilities included, all vulnerabilities are either spoofing/phishing or code execution with user privileges requiring user interaction. Just install all of the IE-based ones pretty soon, at the same time. You know your users won't listen, especially when you shout at them like that. Do we have to send you to sensitivity training again?
05-015 – Hyperlink Object Library Flaw: Affects all Windows versions, requires user interaction (click on link), executes with user privileges. I love this one. It doesn't require a bad guy to host malware on a website, the flaw is triggered just because the link itself is formed in a way MS didn't expect. Don't click on that URL! Why, because it might take me someplace nasty? No, because the URL ITSELF is the code. THE URL ITSELF IS THE CODE! SOYLENT MICROSOFT IS CODE!
Re-release 04-035 (SMTP DNS Lookup Vulnerability) to incorporate fix for additional vector. Oooh, missed this one, didn't you? It's not a NEW vulnerability, no: that would make our pretty number go up! Only 12, remember? But you thought you were safe, and now you're NOT! As far as I can tell, if you don't configure your Exchange servers to do reverse DNS lookup on incoming SMTP messages, this shouldn't affect you. If you do, then patch it, and ignore the mitigation step that says you should enable only authenticated users: who forces authenticated users on their incoming SMTP? People who get no email, that's who!
Now go patch. You know you don't want to. But for the spam-spewing-zombie-hating love of God, you MUST. It's for the good of the Internet, like flossing. ¶ 2/09/2005 08:25:00 PM
