Patch Tuesday Analysis for October 2008
Everything and Everyone Impacted this Patch Tuesday (10/15/2008)
Wow, everything and everyone is affected by this month’s Patch Tuesday:
Domain controllers: 2 very important bulletins address vulnerabilities present in domain controllers. I recommend you immediately apply MS08-060 (Windows 2000 DCs only) and MS08-063 to your domain controllers after minimal or no testing.
Servers: In my chart below, note that 4 bulletins primarily impact servers and that there is also a patch specific to HIS (mainframe/AS400 connectivity). In particular, take note of MS08-062, which is already being exploited in attacks. If you use Internet Printing Protocol, patch such systems immediately.
SharePoint: This month’s Excel bulletin (MS08-057) impacts MOSS 2007 servers so make sure you patch them too.
Workstations and Terminal Servers: As usual, most (8 out of 11) bulletins are workstation centric. In particular, watch out for MS08-058, which addresses some nasty IE bugs, and MS08-061; exploit details for both are already public.
I’d also like to bring your attention to the point frequently made in MS security bulletins: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” Nice thought, but it’s hard to take admin authority away from end users on their workstations.
Yesterday's "Out of Band" Security Bulletin (10/24/2008)
As most of you know, MS released what they call an “out of band” security update for the Server Service that impacts all versions of Windows. Here are my quick thoughts on it.
Are you vulnerable?
If your Server Service is started (it is by default on both workstations and servers) and ports 139 or 445 are exposed to a network with possibly malicious agents, the answer is yes. Any network can potentially have malicious agents, especially if someone incorporates this exploit into a worm.
So unless you have isolated networks limited to highly trusted users I’d recommend protecting your systems as soon as possible.
Is it necessary to install the patch?
There are some good workarounds in the bulletin, but they won’t be practical for most servers since they disable or block access to the Server service. Functionality that could be impacted includes:
Server (File and Print Sharing)
Applications that use SMB (CIFS)
Applications that use mailslots or named pipes (RPC over SMB)
Group Policy
Net Logon
Distributed File System (DFS)
Terminal Server Licensing
Print Spooler
Computer Browser
Remote Procedure Call Locator
Fax Service
Indexing Service
Performance Logs and Alerts
Systems Management Server
License Logging Service
So most of you will need to install the patch.
How urgent is this?
Urgent. The vulnerability is being exploited while I write this. An unsecured system I keep on the net for this purpose has had the Server service repeatedly crashed for the last couple of days.
I hope this helps in your patch management efforts. Again I’ve updated the chart on my home page.
Thanks as always for reading and best wishes on security,
Randy Franklin Smith
MS08-067 could be Code Red 2008 (10/31/2008)
Since my first coverage of MS08-067 the situation has become more urgent, as I thought might happen. Proof-of-concept code has been released and malware is starting to show up that exploits this vulnerability. Jason Miller (security data team manager at Shavlik) and I talked this morning and we agree this could well be the Code Red of 2008.
Don’t wait till next Patch Tuesday to update your systems. A lot can happen between now and then. If a worm is released that exploits this vulnerability with the Server service the results will be really bad. Firewalls aren’t enough since there are many other ways for worms to get on your network. For most servers there is no comprehensive, practical workaround – although with workstations you should seriously consider disabling the Server service – or if required for remote systems management – lock access to it down with IPSec policies that limit connections to system management servers and not the rest of your network.
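As an added example (not code from the newsletter or from Microsoft), the following PowerShell script ties the "Are you vulnerable?" check above to the two mitigations just described: disabling the Server service on workstations, or an IPsec policy that admits TCP 139/445 only from named system management servers. The management server address, the policy and filter names, and the function names are placeholders I have assumed; the IPsec part uses the `netsh ipsec static` interface of Windows XP / Server 2003 and later (Windows 2000 does not have it) and must run from an elevated prompt.

```powershell
# Added example, not from the newsletter: check Server service exposure and
# apply one of the two mitigations described above. Run from an elevated
# PowerShell prompt. Policy/filter names and the management server addresses
# are placeholders (assumptions), not values from the bulletin.

function Test-ServerServiceExposure {
    # 'LanmanServer' is the service name behind "Server" (File and Print Sharing).
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')

    # TCP 139 (NetBIOS session) and 445 (direct-hosted SMB) are the ports the
    # newsletter names; list every local endpoint that is LISTENING on them.
    $endpoints = @(netstat -ano |
        Where-Object { $_ -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING' } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] })

    [pscustomobject]@{
        ServerServiceRunning = $running
        ListeningEndpoints   = $endpoints
        # "Exposed" means: treat as vulnerable until patched, because the
        # service is up and the ports are open to whatever network reaches them.
        Exposed              = ($running -and $endpoints.Count -gt 0)
    }
}

function Disable-ServerService {
    # Workstation option: stop the Server service and keep it from restarting.
    # Expect the file/print, Group Policy and other dependencies listed under
    # "Is it necessary to install the patch?" to stop working on that host.
    Stop-Service -Name LanmanServer -Force
    Set-Service  -Name LanmanServer -StartupType Disabled
}

function Set-SmbManagementOnlyPolicy {
    # Server option: an IPsec policy that blocks TCP 139/445 from any source and
    # permits them only from the listed management servers. A filter naming a
    # single source address is more specific than the 'any' filter and takes
    # precedence, which is what lets the permit rule win for those hosts.
    param(
        [Parameter(Mandatory)] [string[]] $ManagementServers,   # e.g. '10.0.0.5' (placeholder)
        [string] $PolicyName = 'RestrictSMB'                     # placeholder name
    )

    netsh ipsec static add policy name=$PolicyName description=LimitSMBToManagementServers
    netsh ipsec static add filteraction name=BlockSMB  action=block
    netsh ipsec static add filteraction name=PermitSMB action=permit
    netsh ipsec static add filterlist name=SMBFromAnywhere
    netsh ipsec static add filterlist name=SMBFromManagement

    foreach ($port in 139, 445) {
        # srcport=0 means any source port; dstaddr=me is this computer.
        netsh ipsec static add filter filterlist=SMBFromAnywhere srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=$port
        foreach ($ip in $ManagementServers) {
            netsh ipsec static add filter filterlist=SMBFromManagement srcaddr=$ip dstaddr=me protocol=tcp srcport=0 dstport=$port
        }
    }

    netsh ipsec static add rule name=BlockSMBRule  policy=$PolicyName filterlist=SMBFromAnywhere  filteraction=BlockSMB
    netsh ipsec static add rule name=PermitMgmtSMB policy=$PolicyName filterlist=SMBFromManagement filteraction=PermitSMB
    netsh ipsec static set policy name=$PolicyName assign=y
}

# Usage (review the exposure report before changing anything):
#   Test-ServerServiceExposure
#   Disable-ServerService                                        # workstations
#   Set-SmbManagementOnlyPolicy -ManagementServers '10.0.0.5'   # servers; placeholder address
```

Run the exposure check first on a representative host of each type; on a server where the report shows `Exposed = True`, the IPsec policy is the lockdown the paragraph above describes, and the patch itself remains the only complete fix.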
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS08-065 (KB 951071) | Arbitrary code / Windows | Workstations, Terminal Servers, Servers | No/No | Yes | Important | Win2000 | Restart Req’d | Disable Message Queue via Group Policy or patch ASAP after testing |
| MS08-062 (KB 953155) | Arbitrary code / Windows Internet Printing | Servers | No/Yes | Yes | Important | Win2000, XP, Vista, Win2008, Server 2003 | Vista not vulnerable at this time but patch will be offered | Immediately patch systems with IPP enabled |
| MS08-061 (KB 954211) | Privilege elevation / Windows | Workstations, Terminal Servers | Yes/No | No | Important | Win2000, XP, Vista, Win2008, Server 2003 | Restart Req’d | Patch after testing |
| MS08-064 (KB 956041) | Privilege elevation / Windows | Workstations, Terminal Servers, Servers | No/No | No | Important | XP, Vista, Win2008, Server 2003 | Restart Req’d | Patch after testing |
| MS08-058 (KB 956390) | Arbitrary code, Information disclosure / Internet Explorer | Workstations, Terminal Servers | Yes/No | No | Critical | Win2000, XP, Vista, Win2008, Server 2003 | Cumulative update addresses 6 vulnerabilities; Restart Req’d | Patch ASAP after testing |
| MS08-057 (KB 956416) | Arbitrary code / Office Excel | Workstations, Terminal Servers, SharePoint Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Office SharePoint Server 2007 | Viewers and compatibility packs also affected | Patch after testing |
| MS08-059 (KB 956695) | Arbitrary code / Host Integration Server | Servers | No/No | Yes | Critical | Host Integration Server 2000, Host Integration Server 2004, Host Integration Server 2006 | None | Apply workaround(s) or patch after testing |
| MS08-066 (KB 956803) | Privilege elevation / Windows | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003 | May have issue with ZoneAlarm; Restart Req’d | Patch after testing |
| MS08-063 (KB 957095) | Arbitrary code / Windows | Workstations, Servers, Domain Controllers | No/No | No | Important | Win2000, XP, Vista, Win2008, Server 2003 | Restart Req’d | Patch ASAP after testing |
| MS08-060 (KB 957280) | Arbitrary code, Denial of service / Active Directory | Domain Controllers | No/No | No | Critical | Server 2000 | Only domain controllers affected; Restart Req’d | Patch immediately |
| MS08-056 (KB 957699) | Information disclosure / Office | Workstations, Terminal Servers | No/No | No | Moderate | Office XP | None | Disable CDO or patch (does same thing) |
| MS08-067 (KB 958644) | Arbitrary code / Server Service | Workstations, Terminal Servers, Servers | Yes/Yes | No | Critical | Win2000, XP, Vista, Server 2003, Server 2000, Server 2008, Web Server 2008, Datacenter Server 2000, Advanced Server 2000 | Could well be the Code Red of 2008 | Patch ASAP |