In Life There are Two Certainties – Taxes and Patches
Paul Henry - April 10th, 2012
As we approach April 15, we get to deal with both filing our income taxes and a taxing bunch of patches from Microsoft and others. While the overall number of patches from Microsoft is light, we have 4 critical patches along with two important ones. They impact a wide array of platforms and applications including Microsoft Windows, IE, .NET Microsoft Office, SQL Server, Windows Server, Developer Tools and Forefront. Most concerning is that some critical issues seem to impact Windows from the older legacy XP platform. Lately we have come to expect current Windows 7 and Windows 2008 platform issues.
Let’s look at the details from Microsoft:
MS12-023 Rated Critical – Cumulative Security Update for Internet Explorer
Requires a restart. It impacts IE across family of platforms, corrects 5 privately reported issues and addresses a remote code issue.
MS12-024 Rated Critical – Vulnerability in Windows
Requires a restart. This vulnerability impacts third party signed code and could be used in a man-in-the-middle attack.
MS12-025 Rated Critical – Vulnerability in .NET Framework
May require a restart. This is a .NET developer issue that could allow remote code execution.
MS12-027 Rated Critical – Vulnerability in Windows Common Controls Code
May require a restart. This is an Active X issue that impacts numerous applications; it could allow remote code execution.
MS12-026 Rated Important – Impacts ForeFront UAG
May require a restart. This vulnerability takes advantage of a UAG Direct Access issue and is an information disclosure issue.
MS12-028 Rated Important – Vulnerability in Microsoft Office
May require a restart. This is a Microsoft Office write access vulnerability that could allow remote code execution.
It is important to remember that as of April, only two years remain before the end of Windows XP support. In terms of Security updates, there is a measurable benefit (Figure 1) in moving off of Windows XP:
When considering malware infection rates, Windows XP SP3 machines had an infection rate 6 times higher than Windows 7 SP1 32-bit machines, and almost 10 times higher than Windows 7 SP1 64-bit machines. Obviously there is also a significant benefit in Windows 7 vs. Windows XP (Figure 2) when considering the respective risk / exposure infection rate:
Also worth noting that April 10, 2012 is also the end of full support for the black sheep of the Redmond family, Windows Vista – extended support will continue until 2017.
Perhaps the bigger story this Patch Tuesday is Apple (and their lack of a formal Patch Tuesday like program):
Anyone with Internet access has been reading the stories of Apple products being impacted with yet more malware. This time around it is already impacting an estimated 600,000 Macs after snubbing the researchers that found the botnet. Apple eventually released a patch that, as always, plays down any sense of urgency to empower users to make their own informed decision. If you just so happened to have checked for updates on your Mac today you would have seen a note that a Java patch is available:
"Java for OS X 2012-001 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_31."
The original patch from Apple was released on April 3rd and then quickly followed up with another patch on April 6th – it is assumed that a glitch in the original patch necessitated a second patch be released by Apple.
No mention from Apple that 600,000 users were infected or that the exploit is clearly being used in the wild. If Apple wants to be taken seriously as an enterprise player they have to stop trying to hide behind their issues and take a lesson from Microsoft. They need to own up to the vulnerabilities they are exposing their users with enough information that users can make educated decisions regarding urgency in flaw remediation. Interesting to also note that it was about 7 weeks after Oracle released a patch for an eerily similar Java issue that Apple addressed the issue (albeit quietly).
Several vendors including Kaspersky along with many others have provided analysis on the size of the botnet. It is also disappointing that no automated tool that determines infection has been provided by Apple so far. One was developed by Juan Leon from GPS device manufacturer, Garmin called Flashback Checker (Figure 4). A link to the free tool on the github source code repository was originally featured in an article by Ars Technica and later by Computer World.
Other noteworthy Patch Tuesday news:
Another recent patch worth mentioning this Patch Tuesday comes from Adobe that fixes two critical vulnerabilities in Flash Player across Solaris, Linux, Mac OS X and Windows platforms. Read more on the Adobe Flash Player patch here in the respective Adobe Security Bulletin.
Google released multiple patches for Chrome this Patch Tuesday period. The latest patch on April 9th addressed 12 security issues and followed the previous patch released just 8 days earlier.
Mozilla added vulnerable Java Plug-ins to its black list in efforts to protect users in its latest patch.