This Week in Patching – 9/28/2012

Here is a quick recap of the patch management activities this week.

Foxit released a new version of its Foxit Reader program on Wednesday.  Foxit Reader 5.4.3 fixes a vulnerability that could lead to remote code execution, so you should plan to patch this one soon.

A new version of CDBurnerXP was released on Saturday.  CDBurnerXP version 4.4.2.3442 is a non-security update addressing several bugs.

The biggest news this week is a security advisory released by Adobe on Thursday.  Adobe security advisory APSA12-01 informs the public about a leak of one of Adobe's code-signing certificates.  Sound familiar?  Microsoft had the same kind of issue just a few months ago.  Adobe will be releasing new builds carrying a brand new digital signature on October 4th.  The leak by itself should not affect companies directly; the work comes when the re-signed updates arrive.

I will be talking more in detail on how the new Adobe security advisory will affect your patching process next Monday.

Happy Patching,

– Jason Miller

Microsoft Releases Out-Of-Band Security Bulletin

Microsoft released one new security bulletin in its September 2012 out-of-band release.  Security bulletin MS12-063 addresses the Internet Explorer zero-day vulnerability discussed in recent days (Security Advisory 2757760).  It is important to note that this security bulletin is a cumulative update for Internet Explorer.  Four other vulnerabilities are also addressed in this bulletin; none of those four are publicly known at this time.

As this security bulletin contains a zero-day vulnerability that warranted an out-of-band release from Microsoft, administrators will want to apply this update as soon as possible.

While the security advisory for the zero-day was the only guidance available, administrators may have applied the Fix it workaround to help mitigate the risk.  This workaround does not need to be removed before patching.  Because the Fix it hardens the browser beyond what the patch changes, administrators will need to decide whether to leave it in place or remove it.

Happy Patching!

 

– Jason Miller

The Meaning of Out-of-band Patches and Their Microsoft History

Microsoft is planning to release an out-of-band patch for a zero-day vulnerability at noon CST today.

We can set our calendars to every second Tuesday of the month (known as Patch Tuesday) for new Microsoft security bulletins.  Microsoft Patch Tuesday has become a ritual for the IT security industry.  Today is a stark reminder that you must always be vigilant and informed about what is happening in the security industry.  At any time, a vendor may release a patch out-of-band to address a zero-day vulnerability.

When is an out-of-band patch warranted?

Only the software vendor can decide when a patch for a vulnerability should be released out-of-band from its normal release cycle.  Typically, a vendor will release a patch out-of-band when there are active exploits against the vulnerability, the vulnerability details have been released publicly, and the affected software is widely deployed enough that an outbreak could be major.  With today's release, all three of these criteria have been met.

Out-of-band patch releases are risky for the software vendor

When a patch is deemed necessary to be released out-of-band, the software vendor creating the patch is taking on risk.  In my post yesterday, I talked about the risk that IT administrators may take when implementing workarounds.  For the vendor, the compressed schedule greatly increases the risk of a faulty or under-tested patch.  The patch may fix the vulnerability, but there is always the possibility that it will break normal functionality of the program.  For example: a patch fixes a vulnerability, but the program now crashes when printing or saving.

Pay attention to all patches after applying, especially out-of-band patches

There is a chance with any patch that functionality could be broken.  With out-of-band patches, pay close attention to the patched product to ensure other functionality is not broken.  If you find some functionality is broken, do not simply remove the patch.  Contact the software vendor and determine whether restoring the functionality at the cost of re-introducing the vulnerability is worth the risk.

Out-of-band patch releases, not as common as we think

Since January 2010, Microsoft has released 269 security bulletins.  Only six of these bulletins (including today's release) have been released out-of-band.  In fact, the last out-of-band patch release from Microsoft came nine months ago.

Year   Total Bulletins   Out-of-Band   % Out-of-band
2010   106               4             ~4%
2011   100               1             ~1%
2012   63*               1             ~2%

(Note: 2012 includes today’s security bulletin release)

 

Security advisories do not mean out-of-band

Yesterday, I talked about zero-day vulnerabilities and security advisories.  Microsoft quite often releases security advisories throughout any given month.  The majority of these security advisories (the ones pertaining to zero-day vulnerabilities) are fixed on a scheduled Patch Tuesday.  Below, you can see all of the security advisories Microsoft has released since 2010 that ended in a security bulletin, the date of that bulletin, and how long the vulnerability sat unpatched in between.  As you can see, active exploits happen quite often and usually do not warrant an out-of-band patch.

Advisory Date   Advisory #   Vulnerable MS Product           Fixed In   Fixed Date   Out-of-band   Days Between Advisory/Release
1/14/2010       979352       Internet Explorer               MS10-002   1/21/2010    Yes           7
11/13/2009      977544       OS – SMB                        MS10-020   4/13/2010    No            151
1/20/2010       979682       OS – Kernel                     MS10-015   2/9/2010     No            20
2/3/2010        980088       Internet Explorer               MS10-035   6/8/2010     No            125
2/9/2010        977377       OS – SChannel                   MS10-049   8/10/2010    No            182
3/1/2010        981169       OS – VBScript                   MS10-022   4/13/2010    No            43
3/9/2010        981374       Internet Explorer               MS10-018   3/30/2010    Yes           21
4/29/2010       983438       SharePoint                      MS10-039   6/8/2010     No            40
5/18/2010       2028859      OS – Canonical Display Driver   MS10-043   7/13/2010    No            56
6/10/2010       2219475      OS – Help                       MS10-042   7/13/2010    No            33
7/16/2010       2286198      OS – Windows Shell              MS10-046   8/2/2010     Yes           17
9/17/2010       2416728      .NET Framework                  MS10-070   9/27/2010    Yes           10
11/3/2010       2458511      Internet Explorer               MS10-090   12/14/2010   No            41
12/22/2010      2488013      Internet Explorer               MS11-003   2/8/2011     No            48
1/4/2011        2490606      OS – Windows Shell Graphics     MS11-006   2/8/2011     No            35
1/28/2011       2501696      OS – MHTML                      MS11-026   4/12/2011    No            74
9/26/2011       2588513      OS – SSL/TLS                    MS12-006   1/10/2012    No            106
11/3/2011       2639658      OS – Kernel-Mode Drivers        MS11-087   12/13/2011   No            40
12/28/2011      2659883      .NET Framework                  MS11-100   12/29/2011   Yes           1
6/12/2012       2719615      MS XML Core Services            MS12-043   7/10/2012    No            28
7/24/2012       2737111      Exchange Server                 MS12-058   8/14/2012    No            21
9/17/2012       2757760      Internet Explorer               MS12-063   9/21/2012    Yes           4

(Note:  Not all security advisories from Microsoft have a security bulletin associated.  Some security advisories have workarounds, information only or non-security patches associated.  These security advisories are not included in this list.)
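To make the "Out-of-band" and "Days Between" columns reproducible, here is an added Python example (not part of the original post) that derives both from the dates alone: a bulletin is out-of-band when its release date is not the second Tuesday of its month, which is the definition of Patch Tuesday used throughout this post.  The rows are the advisory-linked bulletins from the table above, so the per-year tally counts fewer bulletins than the 106/100/63 totals earlier in the post, but the out-of-band counts come out the same.

```python
from datetime import date, timedelta


def patch_tuesday(year, month):
    """Second Tuesday of the month: Microsoft's scheduled bulletin day."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)


def is_out_of_band(fix_date):
    """A bulletin is out-of-band when it does not ship on that month's Patch Tuesday."""
    return fix_date != patch_tuesday(fix_date.year, fix_date.month)


def parse_us_date(text):
    """Parse the M/D/YYYY format used in the table."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


# Rows from the advisory table: (advisory number, bulletin, advisory date, bulletin date).
ADVISORIES = [
    ("979352",  "MS10-002", "1/14/2010",  "1/21/2010"),
    ("977544",  "MS10-020", "11/13/2009", "4/13/2010"),
    ("979682",  "MS10-015", "1/20/2010",  "2/9/2010"),
    ("980088",  "MS10-035", "2/3/2010",   "6/8/2010"),
    ("977377",  "MS10-049", "2/9/2010",   "8/10/2010"),
    ("981169",  "MS10-022", "3/1/2010",   "4/13/2010"),
    ("981374",  "MS10-018", "3/9/2010",   "3/30/2010"),
    ("983438",  "MS10-039", "4/29/2010",  "6/8/2010"),
    ("2028859", "MS10-043", "5/18/2010",  "7/13/2010"),
    ("2219475", "MS10-042", "6/10/2010",  "7/13/2010"),
    ("2286198", "MS10-046", "7/16/2010",  "8/2/2010"),
    ("2416728", "MS10-070", "9/17/2010",  "9/27/2010"),
    ("2458511", "MS10-090", "11/3/2010",  "12/14/2010"),
    ("2488013", "MS11-003", "12/22/2010", "2/8/2011"),
    ("2490606", "MS11-006", "1/4/2011",   "2/8/2011"),
    ("2501696", "MS11-026", "1/28/2011",  "4/12/2011"),
    ("2588513", "MS12-006", "9/26/2011",  "1/10/2012"),
    ("2639658", "MS11-087", "11/3/2011",  "12/13/2011"),
    ("2659883", "MS11-100", "12/28/2011", "12/29/2011"),
    ("2719615", "MS12-043", "6/12/2012",  "7/10/2012"),
    ("2737111", "MS12-058", "7/24/2012",  "8/14/2012"),
    ("2757760", "MS12-063", "9/17/2012",  "9/21/2012"),
]


def summarize(rows=ADVISORIES):
    """Per bulletin: the advisory it closed, days the issue sat unpatched, out-of-band flag."""
    result = {}
    for advisory, bulletin, advisory_date, fix_date in rows:
        opened, fixed = parse_us_date(advisory_date), parse_us_date(fix_date)
        result[bulletin] = {
            "advisory": advisory,
            "days_exposed": (fixed - opened).days,
            "out_of_band": is_out_of_band(fixed),
        }
    return result


def out_of_band_by_year(rows=ADVISORIES):
    """Map bulletin year -> (out-of-band bulletins, advisory-linked bulletins that year)."""
    tally = {}
    for _, _, _, fix_date in rows:
        fixed = parse_us_date(fix_date)
        oob, total = tally.get(fixed.year, (0, 0))
        tally[fixed.year] = (oob + int(is_out_of_band(fixed)), total + 1)
    return tally


if __name__ == "__main__":
    for bulletin, info in summarize().items():
        flag = "out-of-band" if info["out_of_band"] else "Patch Tuesday"
        print(f"{bulletin}: {info['days_exposed']:>3} days after advisory {info['advisory']} ({flag})")
    print(out_of_band_by_year())
```

The same `is_out_of_band` check works on any future bulletin date, so it can sit in a patch-tracking script to flag releases that need the expedited handling described above.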

Today’s scheduled security bulletin affects an Internet browser, so this should be high on your priority list for patch deployment today or this weekend.  With any out-of-band release, you should deploy the patch as soon as possible to prevent any attackers from taking advantage of the vulnerability on your network.

– Jason Miller

Zero-Day Vulnerabilities and What it Means to Your Organization

Note:  This is not an attack on Microsoft's security process or on vulnerabilities in its products.  Microsoft has one of the best information-sharing policies in the industry, which lets us look deeply into each security patch and software vulnerability.  In comparison, other vendors such as Apple and Oracle typically disclose only very basic information on their process, vulnerabilities and patches.

There are many factors that go into classifying a zero-day vulnerability as one that will require an out-of-band patch release.  A zero-day vulnerability is one that attackers are actively exploiting before the vendor has a patch available.  Understanding the types of vulnerabilities that may put your environment at risk will help you determine the level of protection that is needed across your environment.

 

Types of attacks
Two types of attack factor into how a zero-day exploit is assessed.  The first classification is a targeted attack.  A targeted attack is a scenario where an attacker is going after a specific company or type of organization.  These attacks are commonly described with terms such as 'limited' and 'targeted.'  A targeted attack does not affect the majority of users, and the victim company typically works closely with the software vendor on the investigation and a solution.

The second classification of attack is a widespread attack.  These attacks do not discriminate between specific companies or groups, as the attack is aimed at the general public.  Examples of this type of attack are a malicious website preying on unpatched browsers, or a worm exploiting operating system vulnerabilities to build a botnet.

Targeted attacks usually do not prompt a software vendor to offer an out-of-band fix, as the vendor will work directly with the victim company to provide a workaround just for that company until the fix is made public.  Widespread attacks usually do prompt a software vendor to offer an out-of-band fix, as the general population is at risk.

 

Understanding the type of zero-day vulnerability
Two words distinguish the severity of a zero-day vulnerability, and administrators should pay particular attention to them: authenticated versus unauthenticated.  An authenticated attack requires the attacker to already hold something about the target in order to exploit the vulnerability; an example is a valid password for an account on the target system.  An unauthenticated attack, on the other hand, requires no prior knowledge of or access to the target system; an example is a worm that exploits an operating system service without needing any credentials.  Unauthenticated vulnerabilities in services reachable over the network are the ones that become worms.

 

Is the vulnerability publicly disclosed?

A vulnerability can be disclosed, or become known, in two ways.  The first is a privately disclosed vulnerability (also known as responsible disclosure): a researcher finds a vulnerability in a software program and informs only the software vendor.  This type of vulnerability is not widely known, so attackers cannot research it and build attacks on it.

The second type is a publicly disclosed vulnerability.  This type of disclosure can happen through two routes.  First, a security researcher can release the research done on a zero-day vulnerability to the public.  Second, an attacker can release the research on a zero-day vulnerability to a hacker community to share resources.  A publicly disclosed vulnerability with no patch available is the most severe case.

 

Type of software or service
This is one of the most important factors in a zero-day vulnerability.  I like to compare typical attackers to sales people.  A sales person wants to reach the widest possible audience, because that sells more than concentrating on a single prospect.  A typical attacker is similar in that he or she wants to attack as many machines as possible to maximize results.  Today's attacks are typically aimed at gaining information for financial gain; in the past, attackers were more often looking for notoriety.

Internet browsers are the most commonly attacked software.  If an attacker can identify a zero-day vulnerability in any browser, Microsoft or non-Microsoft, the attacker can simply set up websites and try to entice (social engineer) a person running unpatched software into visiting the site, exploiting their machine.

Attackers will also target any commonly used service on an operating system to carry out an attack.  Any service that has an unauthenticated vulnerability is a prime candidate for an attack.

 

Dealing with zero-day vulnerabilities

Monitor Vendors
Microsoft has a good track record in the software industry in regards to disclosing information about its patches and vulnerabilities.  For a Microsoft zero-day vulnerability, Microsoft announces information when it becomes aware of a publicly disclosed vulnerability or one that is being actively exploited.  Microsoft will publish a security advisory listing the affected products, details on the effects of the vulnerability and any workarounds to help mitigate some of the risk.

 

Other Resources
With a zero-day vulnerability, the information is spreading through many channels.  Using a resource such as the patchmanagement.org mailing list will help keep an eye on all of these active channels.  These channels are independent groups from the affected software vendor and typically provide information on how to implement workarounds provided by IT administrators that are researching the vulnerability, and any information antivirus vendors publicly release on the vulnerabilities.

 

Implement workarounds
At times, software vendors will supply workarounds to help mitigate the risk with vulnerabilities.  It is important to read all documentation thoroughly.  Typically, workarounds will reduce functionality on systems.  The decision on whether to implement a workaround is a risk decision that each administrator must decide.  For example, is the risk great enough to implement the workaround?  If this workaround will reduce functionality on my systems, in turn increasing the volume of support calls, but preventing a vulnerability from being exploited, is it worth implementing?  This decision is a delicate balance and there is no one answer that applies to each organization.

 

Antivirus
Antivirus programs are a reactive security control.  This means an antivirus program reacts to malicious code that has already reached a system and then prevents it from running; by the time it triggers, the exploit has already been delivered.  Fully patching a system prevents an attacker from exploiting the vulnerability and running the malicious program in the first place.  With a zero-day vulnerability, a patch is not available from the vendor, so it is absolutely critical to have an antivirus program that is up to date with the latest definition files.  Vendors such as Microsoft work very closely with antivirus vendors to help combat the viruses and malware that target zero-day vulnerabilities.

 

Not all zero-day vulnerabilities have out-of-band patches
An out-of-band patch is quite rare when it comes to patching vulnerabilities.  Some of the vulnerabilities fixed on a given Patch Tuesday may already have active attacks against them.  The decision on whether or not to release an out-of-band patch is completely in the hands of the software vendor.  Some of the factors software vendors take into account when deciding whether to release an out-of-band patch include:
Is it close enough to our normal release cycle to wait for the scheduled release?
Are the attacks limited or targeted?
Are more and more malware samples being created each day?
Will the quality of an accelerated patch break functionality?

 

Microsoft Vulnerability History
Since January 2010 through this September's Patch Tuesday release, Microsoft has addressed 606 vulnerabilities in its products.

~15% of these vulnerabilities were publicly known
~4% of these vulnerabilities were actively exploited

As you can see below, the share of vulnerabilities that were publicly known or actively exploited has remained roughly constant since 2010.  (Note:  2012 is an incomplete year with only partial data)

Year   Total Vulnerabilities   Publicly Known   Actively Exploited   % Known   % Exploited
2010   93                      16               3                    ~17%      ~3%
2011   212                     35               7                    ~17%      ~3%
2012   125                     19               8                    ~15%      ~6%

 

 

Tomorrow, we will see an out-of-band patch release from Microsoft.  I will be talking in detail about Microsoft’s history of out-of-band patch releases as well as the new out-of-band patch and how it could protect your network environment.

– Jason Miller

8 new ITScripts now available in vCenter Protect

This week we released eight new ITScripts into VMware vCenter Protect Advanced.  Several were based on requests from our customers, so thank you as always for your feedback and requests, and enjoy the new scripts!  The new scripts are as follows:

  • Terminate Process – Using the ID or process name you can terminate a process running on a remote machine from the vCenter Protect console.  Practical applications include troublesome apps that need to have a process killed regularly or before certain maintenance can be performed.  You can create a template specific to your needs and run it ad hoc or on a scheduled basis to make life a little easier. (Available in Advanced/Essentials Plus editions.)
  • Get Running Processes – When troubleshooting issues you often need to see what is running.  This works well with the Terminate Process script above: find what you are looking for, then terminate it if necessary. (Available in all editions.)
  • Set Verbose Logging on Target Machine – A little assistance for our support team and customers who need to troubleshoot agentless deployments.  If you run into a deployment issue on an agentless machine and need to gather more information, this script will enable or disable verbose logging on the agentless target by updating config files for our deployment components. (Available in all editions.)
  • Set Power Plan – This script allows for configuration of the power plan on Windows 7 / 2008 R2 systems. (Available in Advanced/Essentials Plus editions.)
  • Get Statuses for Built-in Administrator and Guest Accounts – Want to verify that the Administrator and Guest accounts on your machines are disabled and/or renamed correctly?  This is a common audit issue for many of our customers who have regulatory requirements.  This script will allow you to validate the status of these accounts so you know where you stand. (Available in Advanced/Essentials Plus editions.)
  • Get Local Groups and Members – Another common regulatory issue.  This script will get the local groups on a machine and their members, allowing for quick and easy validation that you are in compliance with your regulatory requirements. (Available in Advanced/Essentials Plus editions.)
  • Get Registry Key Value – This script allows you to specify registry keys and values to read.  Another script with a variety of practical applications: set up a template to look for keys that are needed for a specific application, or to verify a setting is correct for compliance reasons. (Available in all editions.)
  • Get List of Files in a Directory – Another handy script that has a variety of uses.  Identify what files are in a folder that is growing out of control so you can send the list to the owner and ask if they are needed, or attach it to a ticket with instructions on what needs to be done with them. (Available in Advanced/Essentials Plus editions.)

You can view each of the scripts on our ITScripts Community for specific details.  vCenter Protect customers should already have the updated catalog on their consoles.  To enable these scripts in the product, go to Manage ITScripts and enable them so you can start using them today!  If you're not a customer, try the product for free for 60 days here.

Regards,

Chris Goettl
Product Owner
SMB Management Solutions
VMware

 

Microsoft Security Advisory 2757760 Released

There has been some chatter in the past few days regarding a zero-day vulnerability in Internet Explorer that is currently being exploited.  Microsoft released a new security advisory (2757760) for this vulnerability.  Internet Explorer versions 6, 7, 8 and 9 are affected by this vulnerability.  Internet Explorer 10, which is bundled with Microsoft Windows 8 and Server 2012, is not affected by this vulnerability.

Microsoft has a few suggested actions to mitigate attacks against the vulnerability.  First, administrators can deploy the Enhanced Mitigation Experience Toolkit (EMET).  This workaround cannot guarantee that an attacker will not succeed in exploiting this vulnerability, but EMET will make exploitation more difficult.

You can also set your Internet Explorer security zone settings to 'High' so that ActiveX Controls and Active Scripting are blocked.  This will help protect against attacks, but the setting will present many issues for users.  Many web pages will not display properly under the restricted security settings.

The next Patch Tuesday is still 21 days away, and I am expecting the usual every-other-month cumulative update for Internet Explorer during the October 2012 Patch Tuesday.  That is quite a bit of time between a zero-day vulnerability with active attacks and a potential security bulletin release.

In the meantime, there are a couple of other steps you can take to protect against exploitation on your network.  First, ensure you have an anti-virus program with up-to-date definition files on all of your servers and workstations.  Many anti-virus vendors already have the current threat in their detection logic.  Other malware using this vulnerability could appear in the near future, but anti-virus vendors are aware of the situation and keeping an eye on the threat landscape.

Another step you can take is to use a different browser in the meantime.  This is going to be very difficult for organizations.  First, administrators will need to deploy a non-Microsoft browser to all of their users.  Second, administrators must find a way to enforce the use of the non-Microsoft browser on all workstations.  This in itself is almost impossible.  Switching to a non-Microsoft browser in the meantime will be easier for home users.

Stay tuned to Microsoft and here for any new information coming forth on this newest threat.

– Jason Miller

RealPlayer (15.0.6.14) Security Bulletin Released

After a long delay, RealNetworks released their details for RealPlayer 15.0.6.14.  The installer for this version was released on August 2nd, but RealNetworks and the National Vulnerability Database just released the details surrounding the new version.

RealPlayer 15.0.6.14 addresses 9 vulnerabilities that could lead to remote code execution.  Our patch management products (vCenter Protect and vCenter Update Product Update Catalog) already contain this patch as a non-security patch.  We will be reclassifying it as a security patch, and the appropriate CVEs will be applied.

– Jason Miller

September 2012 Patch Tuesday Overview

Microsoft has released two security bulletins addressing two vulnerabilities for the September 2012 edition of Patch Tuesday, making this a light Patch Tuesday.  The last time Microsoft released this few security bulletins on a Patch Tuesday was May 2011.

This Patch Tuesday also marks the lowest number of vulnerabilities patched by Microsoft since the beginning of 2011.

 

Both Microsoft security bulletins apply to specific, and possibly rare, software on administrators' networks.  MS12-061 affects Visual Studio Team Foundation Server 2010 SP1 and MS12-062 affects Systems Management Server 2003 / 2007.  Both bulletins are rated Important, each fixes one privately reported vulnerability, and in both a cross-site scripting flaw could lead to elevation of privilege.

As for priority this month on which bulletin to apply, administrators should assess their servers and prioritize according to their software setup.

If administrators have not patched recently, or at least since last Patch Tuesday, they will want to deploy the latest version of Java to their systems.  Java 7 Update 7 addresses a critical zero-day vulnerability that has seen active exploits.

With the break administrators are getting this month, it presents the perfect opportunity to use the free time to test the Microsoft Security Advisory update KB2661254.  This non-security update was released last month to the Microsoft Download Center.  During the October 2012 Patch Tuesday, Microsoft will be moving this update to mainstream availability in Windows Update and WSUS.  This update has the potential to cripple business applications that rely on certificates whose RSA keys are shorter than 1024 bits, because Windows will stop trusting them.
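Before KB2661254 goes mainstream, the thing to find is any certificate in your environment whose RSA modulus is shorter than 1024 bits.  The following Python is an added example, not Microsoft's code or the update's logic: it parses a DER SubjectPublicKeyInfo (the "PUBLIC KEY" PEM that `openssl x509 -in cert.pem -pubkey -noout` prints for any certificate) with a small hand-written DER reader, so it needs no third-party library, and flags moduli under 1024 bits.  The sample keys are built from made-up moduli by a tiny encoder included in the block; they are not real keys and exist only so the check can be run offline.

```python
import base64

# What KB2661254 enforces: RSA keys with a modulus shorter than this are no longer trusted.
MIN_RSA_BITS = 1024


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value bytes, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def _sequence_items(value):
    """Return the (tag, value) pairs contained in a SEQUENCE's content bytes."""
    items, pos = [], 0
    while pos < len(value):
        tag, item, pos = _read_tlv(value, pos)
        items.append((tag, item))
    return items


def rsa_modulus_bits(spki_der):
    """Modulus length in bits of the RSA key inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    (_, _algorithm), (bit_tag, bit_string) = _sequence_items(spki)
    if bit_tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string[1:])   # skip the unused-bits octet of the BIT STRING
    (int_tag, modulus), _exponent = _sequence_items(rsa_key)
    if int_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()   # a leading 0x00 sign pad drops out here


def blocked_by_kb2661254(spki_der):
    """True when Windows with KB2661254 applied will refuse to trust this key."""
    return rsa_modulus_bits(spki_der) < MIN_RSA_BITS


def spki_from_pem(pem):
    """Decode the 'PUBLIC KEY' PEM block that openssl prints for a certificate."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample keys: a minimal DER encoder, used only to fabricate test input ---
def _der(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                         # DER INTEGERs are signed; pad to keep it positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)


def make_spki(modulus, exponent=65537):
    """Wrap a made-up modulus in a SubjectPublicKeyInfo; the number is not a real RSA key."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_key))


def to_pem(spki_der):
    b64 = base64.b64encode(spki_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        der = make_spki((1 << (bits - 1)) | 1)   # made-up odd number of exactly `bits` bits
        verdict = "BLOCKED by KB2661254" if blocked_by_kb2661254(der) else "ok"
        print(f"{bits}-bit modulus: {verdict}")
```

To run it against a real certificate, pipe the output of `openssl x509 -in cert.pem -pubkey -noout` into `spki_from_pem` and then `blocked_by_kb2661254`; a certificate with an RSA key of exactly 1024 bits still passes, since the update blocks only keys shorter than that.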

On the non-Microsoft front, it is turning out to be relatively quiet as well.  Adobe has released a security update for its ColdFusion product.  Adobe security bulletin APSB12-21 addresses one important vulnerability that could lead to Denial of Service.  Notepad++ has also released a new version of their product.  Notepad++ 6.1.7 is a non-security update that addresses multiple crash issues.

I will be going over the September Patch Tuesday in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our Monthly Patch Tuesday webinar.  As this is an extremely light month in terms of Microsoft security bulletins, I will be spending some time talking about non-security update KB2661254 and what to expect in October.  This webinar is scheduled for next Wednesday, September 12th at 11:00am CT.  You can register for this webinar here.

 

– Jason Miller

New Updates for Foxit Reader and Apache Tomcat

The Foxit Reader program is seeing its first security update since last May.  Foxit Reader 5.4.2.901 fixes one issue that could result in remote code execution.

This looks extremely similar to the DLL preload (search-order hijacking) issues that Microsoft Security Advisory 2269637 describes and that Microsoft has been fixing in its own products since August of 2010.  To date, Microsoft has released 26 security bulletins addressing a DLL preload issue.

From the Foxit security bulletin summary:

“Foxit Reader 5.4 fixed an issue where Foxit Reader may call and run malicious code in the Dynamic Link Library (DLL) file. Attackers could place the infected DLL file, whose name is the same as the system DLL in the Windows prior search path, and then enable Foxit Reader to call the malicious file.”
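What the Foxit summary describes is a DLL search-order problem: a program loads a DLL by bare file name, and Windows walks a fixed list of directories until it finds one.  The Python below is an added model of that walk, not Foxit's or Microsoft's code.  It shows which attacker-writable directories are searched before the legitimate copy, and how a DLL that is not present in the system directories at all (or any DLL, when SafeDllSearchMode is off) can be picked up from the directory the document was opened from.  The directory layout, the file share, and the DLL names winsys.dll and optional.dll are hypothetical, and the KnownDLLs set is abbreviated.

```python
# The three system locations Windows searches, in order, after the application directory.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# DLLs on the KnownDLLs list are always mapped from System32 regardless of search order.
# Abbreviated here; the real list is in the registry under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}


def _join(directory, name):
    return directory + "\\" + name


def search_order(app_dir, cwd, path_entries, safe_search=True):
    """Directories in the order LoadLibrary walks them for a bare DLL name.
    SafeDllSearchMode (on by default since XP SP2) pushes the current directory
    behind the system directories; with it off, the current directory is searched second."""
    if safe_search:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_entries]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_entries]


def resolve_dll(name, dirs, files):
    """Path Windows would load: the first directory in `dirs` that contains `name`.
    `files` maps a directory to the lowercase file names present in it."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return _join(SYSTEM_DIRS[0], name)
    for directory in dirs:
        if name in files.get(directory, set()):
            return _join(directory, name)
    return None            # load fails, or the program carries on without an optional DLL


def plantable_dirs(name, dirs, clean_files, attacker_writable):
    """Attacker-writable directories searched before the directory that legitimately
    supplies `name` (all of them if no legitimate copy exists). Non-empty means a
    planted copy with that name wins the search."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return []
    legit = resolve_dll(name, dirs, clean_files)
    result = []
    for directory in dirs:
        if legit == _join(directory, name):
            break
        if directory in attacker_writable:
            result.append(directory)
    return result


# Constructed scenario: a reader opened a document from a file share, so its current
# directory is the share, which the attacker can write to.
APP_DIR = r"C:\Program Files\Reader"
SHARE = r"\\fileserver\public\docs"
PATH_ENTRIES = [r"C:\Windows\System32", r"C:\Tools"]
CLEAN_FILES = {
    APP_DIR: {"reader.exe"},
    r"C:\Windows\System32": {"kernel32.dll", "winsys.dll"},   # winsys.dll: legitimate system DLL
    SHARE: {"invoice.pdf"},
}
PLANTED_FILES = {**CLEAN_FILES, SHARE: {"invoice.pdf", "winsys.dll", "optional.dll"}}
ATTACKER_WRITABLE = {SHARE, r"C:\Tools"}


def scenario(safe_search=True):
    """Per DLL: (what actually loads once the attacker has planted files, where planting works)."""
    dirs = search_order(APP_DIR, SHARE, PATH_ENTRIES, safe_search)
    return {
        dll: (resolve_dll(dll, dirs, PLANTED_FILES),
              plantable_dirs(dll, dirs, CLEAN_FILES, ATTACKER_WRITABLE))
        for dll in ("kernel32.dll", "winsys.dll", "optional.dll")
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("SafeDllSearchMode", "on" if mode else "off")
        for dll, (loaded, plantable) in scenario(mode).items():
            print(f"  {dll:<13} loads {loaded}   plantable in: {plantable or '-'}")
```

With SafeDllSearchMode on, the planted winsys.dll on the share loses to the System32 copy, but optional.dll, which no system directory provides, is loaded from the share; with it off, even winsys.dll is taken from the share.  That is why the fix on the application side is to load DLLs by full path (or call SetDllDirectory / use LOAD_LIBRARY_SEARCH_* flags), and why KnownDLLs are immune.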

Apache also released a new version of Tomcat for Windows.  Apache Tomcat 7.0.30 is a non-security update.

 

– Jason Miller