Patch Tuesday Analysis for October 2008

Everything and Everyone Impacted this Patch Tuesday (10/15/2008)

Wow, everything and everyone is affected by this month’s Patch Tuesday:

Domain controllers:  2 very important bulletins address vulnerabilities present in domain controllers.  I recommend you immediately apply MS08-060 (Windows 2000 DCs only) and MS08-063 to your domain controllers after minimal or no testing.

Servers: In my chart below, note that 4 bulletins impact primarily servers and that there is also a patch specific to HIS (Host Integration Server, i.e. mainframe/AS400 connectivity).  In particular, take note of MS08-062, which is already being exploited in attacks.  If you use Internet Printing Protocol (IPP), patch such systems immediately.

SharePoint: This month’s Excel bulletin (MS08-057) impacts MOSS 2007 servers, so make sure you patch them too.

Workstations and Terminal Servers: As usual, most (8 out of 11) bulletins are workstation centric.  In particular, watch out for MS08-058, which addresses some nasty IE bugs, and MS08-061; exploit details for both are already public.

I’d also like to bring your attention to the point frequently made in MS security bulletins: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”  Nice thought, but it’s hard to take admin authority away from end-users on their workstations.

Yesterday's "Out of Band" Security Bulletin (10/24/2008)

As most of you know, MS released what they call an “out of band” security update (MS08-067) for the Server service that impacts all versions of Windows. Here are my quick thoughts on it.
 
Are you vulnerable? 

If your Server service is started (it is by default on both workstations and servers) and TCP ports 139 or 445 are exposed to a network that may contain malicious agents, the answer is yes.  Any network can potentially have malicious agents, especially if someone incorporates this exploit into a worm.

So unless you have isolated networks limited to highly trusted users I’d recommend protecting your systems as soon as possible.
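The three questions above (is the Server service running, is it listening on 139/445, and is the hotfix already on the box) can be answered from a PowerShell prompt. The script below is an added example, not part of Randy's post or of the bulletin; it assumes an elevated prompt on the host being checked, uses KB958644 as the hotfix ID (the article number the chart below lists for MS08-067), and the remote host name at the end is a placeholder.

```powershell
# Added example (not from the original article). Checks the facts that decide
# whether MS08-067 matters on this host: Server service state, SMB listeners,
# and whether KB958644 (the hotfix ID from the chart) is installed.
# Assumption: run in an elevated PowerShell prompt on the host itself.

function Get-ServerServiceState {
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
}

function Get-SmbListeners {
    # netstat -an prints one socket per line, e.g.
    #   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    # Parsing it works on every Windows version the bulletin covers.
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(139|445)\s+\S+\s+LISTENING') {
            '{0}:{1}' -f $matches[1], $matches[2]
        }
    }
}

function Test-HotfixInstalled {
    param([string]$Id)
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -eq $Id }
    return [bool]$fix
}

function Test-SmbPortOpen {
    # Run this from a machine on the untrusted side of any firewall: a local
    # listener alone does not prove the port is reachable. TcpClient keeps it
    # usable on PowerShell 1.0/2.0 era hosts.
    param([string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return [bool]($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

'Server service: {0}' -f (Get-ServerServiceState)
$listeners = @(Get-SmbListeners)
if ($listeners.Count) { 'Listening on: ' + ($listeners -join ', ') } else { 'No SMB listeners' }
if (Test-HotfixInstalled -Id 'KB958644') { 'KB958644 installed' } else { 'KB958644 MISSING: vulnerable if the service is reachable' }

# Remote probe against a placeholder host name (assumption):
# Test-SmbPortOpen -ComputerName 'fileserver01'
```

A host that reports Running, a listener on 445, and KB958644 missing is exactly the case the bulletin describes; a host where the service is stopped, or where the remote probe fails from every untrusted segment, is still worth patching but is not exposed to a network worm in the meantime.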

Is it necessary to install the patch?

There are some good workarounds in the bulletin, but they won’t be practical for most servers since they disable or block access to the Server service. Functionality that could be impacted includes:

Server (File and Print Sharing)
Applications that use SMB (CIFS)
Applications that use mailslots or named pipes (RPC over SMB)
Group Policy
Net Logon
Distributed File System (DFS)
Terminal Server Licensing
Print Spooler
Computer Browser
Remote Procedure Call Locator
Fax Service
Indexing Service
Performance Logs and Alerts
Systems Management Server
License Logging Service
So most of you will need to install the patch.

How urgent is this?

Urgent. The vulnerability is being exploited while I write this. An unsecured system I keep on the net for this purpose has had the Server service repeatedly crashed for the last couple of days.

I hope this helps in your patch management efforts. Again I’ve updated the chart on my home page.

Thanks as always for reading and best wishes on security,
Randy Franklin Smith

MS08-067 could be Code Red 2008 (10/31/2008)

Since my first coverage of MS08-067 the situation has become more urgent, as I thought it might.  Proof-of-concept code has been released and malware that exploits this vulnerability is starting to show up.  Jason Miller (security data team manager at Shavlik) and I talked this morning and we agree this could well be the Code Red of 2008.
 
Don’t wait till next Patch Tuesday to update your systems.  A lot can happen between now and then.  If a worm is released that exploits this vulnerability in the Server service, the results will be really bad.  Firewalls aren’t enough since there are many other ways for worms to get onto your network.  For most servers there is no comprehensive, practical workaround.  With workstations, though, you should seriously consider disabling the Server service, or, if it is required for remote systems management, lock access to it down with IPsec policies that limit connections on TCP 139/445 to your system management servers and not the rest of your network. 
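Both workstation workarounds just described can be scripted. The block below is an added example, not Randy's code or Microsoft's: option 1 stops and disables the Server service; option 2 keeps it running but assigns a local IPsec policy that blocks TCP 139/445 from any source except named management servers. It assumes an elevated prompt on XP/Server 2003 or later, where the netsh ipsec static context exists (Windows 2000 uses ipsecpol.exe instead), and the management server addresses and policy names are placeholders.

```powershell
# Added example (not from the original article). Two workstation-only
# mitigations for MS08-067 until the patch is deployed.
# Assumptions: elevated prompt; "netsh ipsec static" available (XP/2003+);
# the addresses below are placeholders for your management servers.

$ManagementServers = @('10.0.0.5', '10.0.0.6')   # placeholder addresses (assumption)
$PolicyName = 'MS08-067-SMB'                     # no spaces, so netsh needs no quoting

function Disable-ServerService {
    # Option 1: remove the attack surface. -Force also stops dependents such
    # as Computer Browser; everything in the bulletin's dependency list breaks.
    Stop-Service -Name LanmanServer -Force
    Set-Service  -Name LanmanServer -StartupType Disabled
    Get-Service  -Name LanmanServer | Select-Object Name, Status
}

function Restrict-ServerService {
    param([string[]]$AllowedSources)
    # Option 2: block SMB ports from "any", permit them from listed hosts.
    # Windows IPsec applies the most specific matching filter, so a filter
    # naming a single source address overrides the any-source block.
    netsh ipsec static add policy name=$PolicyName | Out-Null

    netsh ipsec static add filteraction name=SMB-Block  action=block  | Out-Null
    netsh ipsec static add filteraction name=SMB-Permit action=permit | Out-Null

    netsh ipsec static add filterlist name=SMB-From-Any | Out-Null
    foreach ($port in 139, 445) {
        netsh ipsec static add filter filterlist=SMB-From-Any srcaddr=any dstaddr=me protocol=TCP dstport=$port | Out-Null
    }

    netsh ipsec static add filterlist name=SMB-From-Mgmt | Out-Null
    foreach ($src in $AllowedSources) {
        foreach ($port in 139, 445) {
            netsh ipsec static add filter filterlist=SMB-From-Mgmt srcaddr=$src dstaddr=me protocol=TCP dstport=$port | Out-Null
        }
    }

    netsh ipsec static add rule name=Block-SMB  policy=$PolicyName filterlist=SMB-From-Any  filteraction=SMB-Block  | Out-Null
    netsh ipsec static add rule name=Permit-SMB policy=$PolicyName filterlist=SMB-From-Mgmt filteraction=SMB-Permit | Out-Null

    # Assigning activates the policy at once. Only one local policy can be
    # assigned at a time, so check "netsh ipsec static show policy all" first.
    netsh ipsec static set policy name=$PolicyName assign=y
}

function Remove-ServerServiceRestriction {
    # Back out once KB958644 is installed and verified.
    netsh ipsec static set policy name=$PolicyName assign=n | Out-Null
    netsh ipsec static delete policy name=$PolicyName | Out-Null
    netsh ipsec static delete filterlist name=SMB-From-Any  | Out-Null
    netsh ipsec static delete filterlist name=SMB-From-Mgmt | Out-Null
    netsh ipsec static delete filteraction name=SMB-Block   | Out-Null
    netsh ipsec static delete filteraction name=SMB-Permit  | Out-Null
}

# Pick one per workstation:
#   Disable-ServerService
#   Restrict-ServerService -AllowedSources $ManagementServers
```

Option 2 is the one to use where a management agent needs SMB back to the workstation; test it from a management server and from an ordinary client before rolling it out, because a mistyped management address silently locks the management server out as well. Neither option replaces the patch.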

Chart key: for each bulletin the chart gives the KB article number, exploit type(s) and technology affected, system types affected, whether exploit details are public and whether it is being exploited, whether a comprehensive, practical workaround is available, the MS severity rating, products affected, notes, and Randy's recommendation.

MS08-065 (KB 951071)
  Exploit type / technology: Arbitrary code / Windows
  System types affected: Workstations, Terminal Servers, Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: Yes
  MS severity rating: Important
  Products affected: Win2000
  Notes: Restart req’d
  Randy's recommendation: Disable Message Queue via Group Policy or patch ASAP after testing

MS08-062 (KB 953155)
  Exploit type / technology: Arbitrary code / Windows Internet Printing
  System types affected: Servers
  Exploit details public? / Being exploited?: No / Yes
  Comprehensive, practical workaround available?: Yes
  MS severity rating: Important
  Products affected: Win2000, XP, Vista, Win2008, Server 2003
  Notes: Vista not vulnerable at this time but patch will be offered
  Randy's recommendation: Immediately patch systems with IPP enabled

MS08-061 (KB 954211)
  Exploit type / technology: Privilege elevation / Windows
  System types affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: Yes / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Important
  Products affected: Win2000, XP, Vista, Win2008, Server 2003
  Notes: Restart req’d
  Randy's recommendation: Patch after testing

MS08-064 (KB 956041)
  Exploit type / technology: Privilege elevation / Windows
  System types affected: Workstations, Terminal Servers, Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Important
  Products affected: XP, Vista, Win2008, Server 2003
  Notes: Restart req’d
  Randy's recommendation: Patch after testing

MS08-058 (KB 956390)
  Exploit type / technology: Arbitrary code, Information disclosure / Internet Explorer
  System types affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: Yes / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Critical
  Products affected: Win2000, XP, Vista, Win2008, Server 2003
  Notes: Cumulative update addresses 6 vulnerabilities; restart req’d
  Randy's recommendation: Patch ASAP after testing

MS08-057 (KB 956416)
  Exploit type / technology: Arbitrary code / Office Excel
  System types affected: Workstations, Terminal Servers, SharePoint Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Critical
  Products affected: Office 2000, Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Office SharePoint Server 2007
  Notes: Viewers and compatibility packs also affected
  Randy's recommendation: Patch after testing

MS08-059 (KB 956695)
  Exploit type / technology: Arbitrary code / Host Integration Server
  System types affected: Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: Yes
  MS severity rating: Critical
  Products affected: Host Integration Server 2000, Host Integration Server 2004, Host Integration Server 2006
  Notes: None
  Randy's recommendation: Apply workaround(s) or patch after testing

MS08-066 (KB 956803)
  Exploit type / technology: Privilege elevation / Windows
  System types affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Important
  Products affected: XP, Server 2003
  Notes: May have issue with ZoneAlarm; restart req’d
  Randy's recommendation: Patch after testing

MS08-063 (KB 957095)
  Exploit type / technology: Arbitrary code / Windows
  System types affected: Workstations, Servers, Domain Controllers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Important
  Products affected: Win2000, XP, Vista, Win2008, Server 2003
  Notes: Restart req’d
  Randy's recommendation: Patch ASAP after testing

MS08-060 (KB 957280)
  Exploit type / technology: Arbitrary code, Denial of service / Active Directory
  System types affected: Domain Controllers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Critical
  Products affected: Server 2000
  Notes: Only domain controllers affected; restart req’d
  Randy's recommendation: Patch immediately

MS08-056 (KB 957699)
  Exploit type / technology: Information disclosure / Office
  System types affected: Workstations, Terminal Servers
  Exploit details public? / Being exploited?: No / No
  Comprehensive, practical workaround available?: No
  MS severity rating: Moderate
  Products affected: Office XP
  Notes: None
  Randy's recommendation: Disable CDO or patch (does the same thing)

MS08-067 (KB 958644)
  Exploit type / technology: Arbitrary code / Server service
  System types affected: Workstations, Terminal Servers, Servers
  Exploit details public? / Being exploited?: Yes / Yes
  Comprehensive, practical workaround available?: No
  MS severity rating: Critical
  Products affected: Win2000, XP, Vista, Server 2003, Server 2000, Server 2008, Web Server 2008, Datacenter Server 2000, Advanced Server 2000
  Notes: Could well be the Code Red of 2008
  Randy's recommendation: Patch ASAP


"Thank you. I am very glad I subscribed to this newsletter.  Relevant content clearly and concisely. Finally!!!"

- John K.

"I really like the Fast Facts on this Month's Microsoft Security Bulletins. Do you keep old copies? If yes, please let me know how I can access them?"

-Susan D.

"Thanks, Randy. Your regular updates have streamlined my monthly patching. Much appreciated,"

-  Steve T.

"Really appreciate your patch observer. In the corporate IT world, anything we can get our hands on that speeds the process of analyzing threats and how they may or may not apply to our environments is a God-send. Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable. "

- Tom C.

"I liked your high level overview of patches in the table. There are so many sources of patch information which can be very specific or surrounded by other stuff that it’s refreshing to get everything summarised like this. The “Randy’s Recommendation” comment is useful starting point too. Please keep up the good work."

- David A.

"Your Patch Tuesday Observer is a very good tool in making the decision whether to patch or not to patch. And also to patch asap or to wait a while before patching. Also I do think the use of the table is really improving the readability of the provided information."

- Gerard T.