There seems to be a lot of discussion regarding the 7 years it took for Microsoft to patch against SMBRelay (the name of a tool published in 2001.) There’s some speculation that Microsoft is only now addressing the issue because a Metasploit module was added in 2007 to exploit the vulnerability. Here’s our take.

Should Microsoft have patched SMB sooner? Why? Who has been adversely affected by the vulnerability? We’ve never had an Incident Response case that involved abuse of it. Given the fact that we now know there was a solution to the puzzle, chances are that solution was stumbled upon by accident in one of those “Eureka” moments. Once that idea was finally conceived, of course, it made sense for them to produce a patch, but do try to appreciate just what was at stake as they attempted to implement it and test it. Thousands, if not hundreds of thousands of 3rd party applications are based on SMB working just the way it does. Break it while patching the vulnerability and you’d have a lot of upset people.

(more…)

Today Microsoft released a patch for the “click-jacking” vulnerability announced by Robert Hanson in September. The issue, as you may remember, was that exploiting this vulnerability (in all versions of XMLHTTP but 3.0) allowed him to cause your click on a web page to be directed at anything he wanted. So you might have thought you were clicking a URL to http://securityblog.verizonbusiness.com, but you’d visit http://Ive_Got_You_Now_Sucker.com.

(more…)

From January to July 2008 Microsoft’s technologies disinfected just over 8 million more computers than it did in the previous six month period according to their just released 5th Security Intelligence Report.

Such a statement will make many jump to the conclusion that the state of crimeware is getting worse. But such a conclusion may not be accurate. For example, the increase in distinct computers cleansed in this latest period is just under 50%, whereas in the 2H07 report the increase was just over 79%. The increase in 1H07 was 95%. So the percentage increase this time around is smaller than it has been previously. The same can be said for the number of distinct infections cleansed. 1H08 was 47% higher than 2H07, but 2H07 was 219% higher than 1H07 and 1H07 was 80% higher than 2H06.

(more…)

Microsoft rarely releases these out of cycle patches, but when they do lots of people get excited. It should come as no surprise that we aren’t.

If you want to get an idea of what could happen as a result of this vulnerability, think MS06-040/Graweg/Mocbot/SDBot/August-September 2006. MS06-040 was a similar vulnerability which allowed criminals to gain control of systems they could reach via Server Message Block (SMB). Of course if you can get to someone’s machine via SMB, there’s a lot of harm that could possibly be done.

(more…)

by Russ Cooper

This month gives us numerous Microsoft Office patches (MS08-042, MS08-043, MS08-044 and MS08-051), including at least one (MS08-042) that addresses a vulnerability which has reportedly been used in another highly targeted attack.

We’ve also been given a patch (MS08-041) to address the Access Snapshot Viewer ActiveX control that is being actively targeted by criminals. Luckily, this control is rarely deployed so the actual number of victims is believed to be quite low.

Meanwhile, our concern is with the Cumulative Internet Explorer Update (MS08-045) and the IPsec Policy issue (MS08-047.) In the IE patch is a vulnerability involving memory allocation. This vulnerability cannot be mitigated by disabling Active Scripting, and also affects IE systems configured to run in the Enhanced Security mode. Details of how to exploit this vulnerability have not yet, however, been publicly disclosed so we can only hope that exploits do not arise before the patch can be installed.

As for the IPsec Policy issue, networks that use IPsec and believe they are encrypting their traffic may not in fact be encrypting. The problem is likely to be very rare at this point, given that a requirement is that the client system gets its IPsec policy information from a Windows Server 2008 system. Never-the-less, verifying that traffic you expect to be encrypted is actually encrypted is a good idea.

We have two patches (MS08-044 and MS08-046) pertaining to image format file parsing again. Even with numerous image vulnerabilities in the past we still do not see any exploits of this type, leading us to believe that the risk of attacks against these new ones is low.

Patches for Outlook Express and Windows Mail (MS08-048) normally don’t concern us very much because they’re rarely used in a corporate environment, but this one does cause some concern due to the fact that it involves MIME HTML (MHTML), which can be invoked via IE.

A vulnerability in COM+ Event System (MS08-049) and a Windows Messenger ActiveX control (MS08-050) round out the month’s offerings. Neither is terribly worrisome.

All in all, a busy month, but not really that much to worry about.

Symantec’s Hon Lau recently published a blog post titled “Patch Management – Speed is of the Essence.” You may know that we also recently published a blog post titled “Patching Conundrum”, in which we discussed how our studies had convinced us that patching too fast can be a “bad thing™.”

Hon Lau said, “It is this gap between the availability of patches and their application that is creating a window of opportunity for would-be attackers.”

Well, really, it isn’t. The “window of opportunity” begins when the vulnerable version of whatever is actually installed and/or implemented, and lasts until a non-vulnerable version is installed, or until the product stops being used. Nothing terribly significant occurs once a patch is released, unless you fear “Automatic Patch-Based Exploit Generation” (APEG). Hon Lau seems to.

(more…)

How much better is it to have a world-class patching process compared to an average one? Could it ever be detrimental to patch too fast? And what does patching have to do with cholera? Two earlier Verizon Business Risk Team Studies shed more light on this subject.

The recently published “Verizon Business 2008 Data Breach Investigations Report” describes characteristics of more than 500 computer crime investigations performed over the past four years. Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a “patchable” vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six months in age or older! Significantly, patching more frequently than monthly would have mitigated no additional cases.

(more…)