Using WSUS is like playing a game of hot potato

One of the most important aspects of any IT administrator’s job these days is the ability to patch their network accurately and so avoid unnecessary risk. That said, many organizations today perform regularly scheduled patch updates…however, not without difficulty!

A majority of the world’s IT professionals today leverage Microsoft’s Windows Server Update Services (WSUS) patching technology. While it does a fairly decent job with Microsoft applications, it falls short in its ability to address the ever-expanding challenges with patching non-Microsoft applications.

The challenge is that many IT administrators, especially in small and medium-size businesses (SMBs), have so much on their plate that it’s hard just to research potential solutions to this issue, not to mention the ever-present budget challenges. Today many companies are running at unnecessary risk, not because they want to, but because they don’t have the time, tools or resources to address this growing problem. (See the ongoing discussion in the Spiceworks community: http://community.spiceworks.com/topic/144478-is-just-patching-microsoft-products-enough)

I equate this situation to a game of “hot potato,” where the need to address non-Microsoft patch-related risk is generally understood, but is difficult to prove because the proper tools are absent.

For those of you reading this who fall into this category, I have an idea for you. Here’s where the game of hot potato comes in. There are tools readily available today that will give you (with VERY little effort) a quick assessment of your current patch state – for FREE. To start our game, you’ll need to run a quick patch assessment of your environment. We have a great website that can help you with this. Go to https://labs.shavlik.com/securityadvisor/ to start your network scan. Once you have the results (the hot potato), send them to your supervisor with the appropriate commentary. If you do find your network at risk, strongly suggest to your supervisor that he or she needs to invest in something to address the existing risk; if not…you can’t be held accountable. You’ve now just passed the hot potato. Congratulations!

This approach is very powerful because you’re able to provide demonstrable evidence of the problem you only suspected you had, and turn that information into some form of action. Good luck!

Dave Eike

Unprecedented cooperation between hacking groups to pave the way for a new wave of cyber-attacks.

Well, this is new. Yesterday, Lulz Security and Anonymous, two of the premier hacking groups, announced that they are teaming up in an effort they are calling “Operation: Anti-Security,” or “AntiSec” for short. (For all of you that follow news on Twitter, the hashtag #AntiSec will be the one of note.)

To quote yesterday’s release by LulzSec (http://pastebin.com/9KyA0E5v):

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word “AntiSec” on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.

To the best of my knowledge this is one of the most, if not the most, high-profile alliances I have seen in the hacking community. Moreover, if estimates are correct, the two allies in AntiSec represent the largest global hacking consortium ever assembled. Beyond the sheer size of their organization, this new alliance, if successful, will test all anti-hacking and cyber security legislation and practices. In many instances, the law is unclear or simply fails to track down international attacks because of legislation or priorities. It will be fascinating to see whether their attacks are successfully repelled, or whether we find out that the hacking alliances can feed on machines worldwide with relative ease and free from repercussions.

So who should be worried about their security at this point? Well, LulzSec went on in their release to define their targets as:

Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments.

To the governments around the world, and to high-value targets such as financial institutions or multinational organizations with strong brands that could be badly damaged by failing to repel such attacks: keep your guard up… you are in the cross-hairs of a very well organized army.

For all of you out there reading this, I sincerely wish that there was a switch on the wall that I could flip to turn off the darkness on the Internet. — If there was, I’d flip it. Unfortunately, there is only one way to get rid of the darkness, and that’s to immunize the Internet against attacks. That reality, though, costs money and time. Hopefully in the years to come we’ll learn our lesson and re-focus the required resources to make that happen. Hopefully organizations that create software will bring security to the forefront and we’ll find ways to prevent such high-profile exposures. In the interim, I unfortunately have to stop at warning everyone that more attacks are on the way, and I hope that we don’t learn our lesson about the importance of security the hard way.

Update: Interestingly enough, since this blog entry was written, London police have announced the arrest of a 19-year-old in connection with the high-profile attack on the Sony PlayStation Network and are now investigating ties to LulzSec. — It’s good to see that international authorities did cooperate and treat that attack as seriously as they did. It’s a great sign that maybe we can have international cooperation to track down and prevent future attacks.

June 2011 Patch Tuesday Overview

Microsoft has released 16 new bulletins in the June 2011 edition of Patch Tuesday. These 16 bulletins address 34 vulnerabilities. This is quite a large patch day and, to top it off, Microsoft was late in releasing the bulletins.

The first batch of security bulletins that need immediate attention all share the same attack vector: a user browsing to a malicious website. As this is the number one way machines get exploited, these bulletins should be rolled out first.

The following five bulletins will be prime targets for attacks in the coming days and weeks.

First up is MS11-050.  This security bulletin is the bi-monthly cumulative security update for Internet Explorer.  This bulletin fixes multiple vulnerabilities and applies to all supported versions of Internet Explorer.

MS11-052 is the second Microsoft Internet Explorer security bulletin for this month.  This bulletin also fixes a vulnerability that can lead to remote code execution if a user browses to a malicious website with an unpatched machine.

MS11-039 is one of two updates affecting the Microsoft .NET Framework. This bulletin fixes a vulnerability that could lead to remote code execution if a user browses to a webpage containing malicious ASP.NET applications. In addition, malicious web pages hosting XBAP applications can also lead to remote code execution if browsed to with an unpatched .NET Framework. It is important to note that, to date, XBAP vulnerabilities have not commonly been used as attack vectors.

Note that the Internet Explorer and .NET Framework patches are separate; both need to be applied to a machine to fully fix all of these vulnerabilities this month.

MS11-038 addresses a vulnerability in OLE Automation that can lead to remote code execution.  The vulnerability can be exploited if a user navigates to a malicious website that contains a VBScript to load a WMF (Windows Metafile).  Viewing media via web browsers is extremely common and prevalent in the new social media age, which increases the urgency of patching this vulnerability.

On the non-browser front, MS11-043 addresses a vulnerability in the SMB client on all supported operating systems. If an attacker can convince a user to make an SMB connection to a malicious SMB server, the attacker can gain full control of the user’s machine. This attack is unauthenticated, meaning the attacker only needs to convince the user to make a connection to the malicious machine to gain full control of the target. Most home routers and firewalls block SMB connections outbound to the Internet. But on an internal corporate network, SMB is typically a business-critical service that is not blocked by the firewall on the local system.

With such a large number of bulletins and affected products this month, it is important to review each bulletin thoroughly and plan your patch attack. Every machine, whether server or workstation, will be affected this month. Also keep in mind that Adobe is planning to release their quarterly security update today. This update will address all supported versions of Adobe Acrobat and Reader. Some of these fixes have been a long wait for administrators. The vulnerabilities affecting Adobe Reader X (10) have remained unpatched, and the same vulnerabilities have been exploited in the wild against older versions of the Reader product. For the X (10) version of Adobe’s product, the vulnerabilities were left unpatched until the next scheduled quarterly security update because the latest version of the product runs in a sandbox mode, which prevents the vulnerabilities from being exploited.

Keep an eye out for other vendors releasing new bulletins/patches today and tomorrow. We have been here before with a massive patch day. Researching, planning and implementing your attack plan for patching this month is a must. If you are not responsible for patching your network, this would be an excellent time to take the IT admin in charge of patching out for lunch later this week, after they catch up on sleep!

I will be going over the June 2011 Patch Tuesday in depth in our monthly Patch Tuesday webinar. You can register to attend it here.

– Jason Miller

How do you secure what you don’t know is on the network?

When developing or revising a plan to protect your network, one of the first questions you need to answer is, “What exactly is on my network?” You can’t lock down what you don’t know about. Unfortunately, this is often difficult to do, especially in the SMB space. While every company is different, most SMBs don’t have dedicated security teams enforcing best practices and locking down users. Lacking the resources that enterprise IT organizations have, SMB administrators often spend what resources they do have on keeping the network running.

It’s easy to identify the software and services you deliberately configured in your environment. You probably know how many Exchange servers you have, but how many different browsers are running on your network? Do you have any old versions of Java running on your network, perhaps to support that critical Line of Business app that requires a specific old version? Maybe the Line of Business app requires all users to be administrators, and so all of your users are set up as such. Do you have any developers launching on-demand IIS and SQL servers that may only run, and show up in vulnerability scans, for a few days a month?

Regardless of how it happens, software gets installed on networks and is eventually forgotten.  When time is short and demand for your time is high, documentation often suffers.  This is especially dangerous when networks get passed down from admin to admin.  How can you be expected to defend against an attack vector you didn’t know was on your network?

A good first step in protecting your network is identifying the assets on it. This includes, for example, the crazy local printer software you installed on somebody’s system so they could use the scanner. Unfortunately, it also installed a web server for remote printer admin access. That web server is now vulnerable (hey – it’s been on the network for five years and never been patched) and it needs to be brought into the light. A good asset inventory/asset management program can identify these unknown machines and software and help you wrap your head around exactly what is out there on your network.
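The checks this post lists (unexpected browsers, old Java runtimes, everyone running as a local administrator, on-demand IIS and SQL Server instances, and forgotten listening services such as a printer driver’s embedded web server) can be gathered from a single host with a short script. The following is an added example written for this page, not Shavlik’s code or product; it assumes an elevated PowerShell 5 session on Windows 8/Server 2012 or later (Get-NetTCPConnection and the StartType property are not available on the XP-era systems the post mentions), and the name patterns it matches on are assumptions you would extend for your own environment.

```powershell
# Added example (not Shavlik's code): quick local asset inventory for one Windows host.
# Assumes an elevated PowerShell 5+ session on Windows 8 / Server 2012 or later.
# Run it from your patch-management or login script, export the object (Export-Clixml),
# and diff the results from month to month to catch software that "just appeared".

# 1. Installed software, from both the 64-bit and 32-bit (Wow6432Node) uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

# 2. The items the post calls out: third-party browsers and Java runtimes, with versions.
#    (Name patterns are assumptions; add whatever your environment uses.)
$browsers = $software | Where-Object { $_.DisplayName -match 'Firefox|Chrome|Opera|Safari' }
$java     = $software | Where-Object { $_.DisplayName -match '^Java|J2SE|JRE|JDK' }
# Internet Explorer is not in the uninstall list; read its version from the registry instead.
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue).Version

# 3. Who is a local administrator? The LoB app that "requires" admin rights shows up here.
$admins = ([ADSI]"WinNT://./Administrators,group").Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) }

# 4. Server roles that may only be present occasionally: IIS (W3SVC) and SQL Server instances.
$webAndDb = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'W3SVC' -or $_.Name -like 'MSSQL*' -or $_.Name -like 'SQLAgent*' } |
    Select-Object Name, DisplayName, Status, StartType

# 5. Anything listening on the network, such as a printer driver's embedded admin web server,
#    resolved to the owning process so you can tell what installed it.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Sort-Object LocalPort

# One object per host; nested collections keep the detail for later diffing.
[PSCustomObject]@{
    Host        = $env:COMPUTERNAME
    Collected   = Get-Date
    IEVersion   = $ieVersion
    Browsers    = $browsers
    Java        = $java
    LocalAdmins = $admins
    WebAndDb    = $webAndDb
    Listeners   = $listeners
    AllSoftware = $software
}
```

The value is in the comparison rather than any single run: pipe the object to Export-Clixml with the date in the file name, and next month’s Compare-Object against the previous file shows exactly which browser, Java runtime, admin account or listening port is new and needs to be folded into the patch plan.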

With Microsoft’s Patch Tuesday fast approaching, now is as good a time as any to get started.  If you are interested, every month we host a Patch Tuesday Webinar where Jason Miller and I go over the bulletins and point out, based on use cases, which affected software may be hiding on your network in order to simplify your patch management process.  The next webinar will be held on Wednesday, June 15th at 11:00am CT.  Register here.

Happy Patching!

Jace McLean
Senior Member of Technical Staff, Research and Development

June 2011 Patch Tuesday Advanced Notification

Microsoft has released their advance notification for the June 2011 edition of Patch Tuesday. Welcome back, very large Patch Tuesdays! This month marks a Microsoft “heavy” security bulletin release. As expected, we are also seeing Internet Explorer receive security updates through its bi-monthly update. It is interesting to note that there are two security bulletins for Internet Explorer; typically, Microsoft releases only one Internet Explorer bulletin.

For the June 2011 patch day, Microsoft is planning to release 16 bulletins addressing 34 vulnerabilities.

Security Bulletin Breakdown:

  • 9 bulletins are rated Critical
  • 7 bulletins are rated Important
  • 10 vulnerabilities can lead to Remote Code Execution
  • 2 vulnerabilities can lead to Information Disclosure
  • 2 vulnerabilities can lead to Denial of Service
  • 2 vulnerabilities can lead to Elevation of Privilege

Affected Products:

  • All supported Microsoft operating systems (XP, 2003, Vista, 2008, 7, 2008 R2)
  • All supported versions of Internet Explorer (7, 8, 9)
  • All supported versions of Microsoft Office Excel (XP, 2003, 2007, 2010)
  • Microsoft InfoPath 2007, 2010
  • Microsoft Excel Viewer
  • Microsoft Office Compatibility Pack 2007
  • SQL Server 2005, 2008, 2008 R2
  • Microsoft Silverlight
  • Microsoft Visual Studio 2005, 2008, 2010
  • Microsoft Forefront Threat Management Gateway 2010 Client

Yes, this will be another large Patch Day. We were hoping to see a new record number of security bulletins released, oh, say, something in the 20+ bulletin range. However, we welcome, accept and look forward to the challenge of supporting as many patches as possible.

Adobe has also just announced that they are planning to release updates for Adobe Reader and Acrobat. Next Tuesday will mark Adobe’s quarterly security update. This is an important date, as Adobe has some outstanding vulnerabilities they have been waiting to address until the next scheduled quarterly update. These vulnerabilities have been sitting idle because their newest products have a sandbox that protects against exploitation.

With this many bulletins, stay tuned next Tuesday, as there will be a lot of information to parse through. I will be holding our monthly webinar on Wednesday, June 15th to review the patches from Patch Tuesday. You can register for the event here.

– Jason Miller

Don't let your antivirus misbehave

One of the best front lines of defense for the computers on a corporate network (or for home users’ computers) is antivirus software. However, not all antivirus solutions are created equal, and antivirus vendors are challenged with keeping the operating footprint small while still catching viruses, threats and malware.

Another key thing to look for in an antivirus solution is the ability to detect based on behavior analytics. This can be referred to as “heuristics,” and it allows for additional detection beyond signature recognition. Signature recognition provides a very solid detection methodology, but if an exact match is required, literally thousands of signatures need to be constantly updated to accommodate the onslaught of new malware being propagated on the Internet.

Safe testing of AV software is important, and you can download the EICAR test file to accomplish this. The file carries no malicious payload, but it should trigger the AV software to remediate it when the file is executed or scanned.
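Rather than downloading the test file by hand on each machine, the check can be scripted so it runs the same way everywhere and reports a clear pass or fail. The following is an added example written for this page, not Shavlik’s code; it assumes a Windows host with real-time (on-access) antivirus protection enabled, uses the standard test string published by EICAR, and the optional Windows Defender check assumes the Defender PowerShell module is present.

```powershell
# Added example (not Shavlik's code): drop the EICAR test file and verify that the resident
# antivirus remediates it. Assumes a Windows host with real-time protection enabled.
# The string is the standard EICAR test signature: it is not malware, just a pattern every
# AV vendor agrees to detect. It is split in two here only so that this script itself is
# not quarantined while you edit or copy it.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

$path = Join-Path $env:TEMP 'eicar.com'
try {
    # Must be plain ASCII with no BOM and no trailing newline, or some scanners will not match it.
    [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
} catch {
    # An on-write block is itself a pass: the scanner refused to let the file land on disk.
    Write-Host "PASS: antivirus blocked the write ($($_.Exception.Message))"
    return
}

# Give on-access scanning a moment, then see whether the file survived.
Start-Sleep -Seconds 10
if (Test-Path $path) {
    Write-Host "FAIL: $path still exists; real-time protection did not remediate the EICAR test file."
    Remove-Item $path -Force -ErrorAction SilentlyContinue
} else {
    Write-Host "PASS: EICAR test file was removed or quarantined."
}

# On Windows Defender the detection should also appear in the threat history;
# skipped silently on hosts where the Defender module is not available.
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match 'eicar' } |
        Select-Object InitialDetectionTime, ActionSuccess, ThreatID
}
```

A FAIL here usually means real-time protection is off, the TEMP folder is excluded from scanning, or the signature service has stopped, which are exactly the misconfigurations that let an antivirus install look healthy while doing nothing; running the script from your monitoring tool turns that into something you find before the malware does.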

By detecting “behaviors” the malware patterns can be identified and remediated efficiently. This method will still require updating but provides a more generic approach to detection.

Top five detected malware on the Internet in May 2011:

The HTTPS Tidserv Request event is in first place this week. This event and the HTTP Tidserv Request 2 event (third place) signal attempts of the Backdoor.Tidserv malware to communicate with its control servers.

The Possible Conficker Infection event is in second place this week. The event corresponds to the ongoing use of the MS08-067 vulnerability as a propagation vector by various worms.

The Multiple Adobe Products Remote Code Execution Vulnerability event is in fourth place this week. The event is related to attacks against multiple Adobe products.

The fifth most common attack this week is the Windows RPC Denial of Service event. The event is related to attacks through the RPC protocol by exploiting vulnerabilities in Windows RPC services.

– Kim Fors