Looks like IT administrators will be busy, busy, busy this week applying a total of eight bulletins, six of which are rated critical and two important.  This brings the total for 2008 to 77, far below the record of 100 set in 2000 but more than last year's 69 and nearly on par with the 78 released back in 2006.

The patches released today by Microsoft block remote code execution in Windows, Office, Internet Explorer, and Visual Basic.  Specifically, they correct vulnerabilities identified in the following software:

    * Windows 2000 Service Pack 4
    * Windows XP Service Pack 2 and 3
    * Windows Server 2003 Service Pack 1 and 2
    * Windows Server 2008
    * Windows Vista and Windows Vista Service Pack 1
    * Microsoft Office 2003 with Service Pack 3
    * Microsoft Office 2007

Two of the eight patches are for Windows, another two are for Office, and the remaining four are for:

  • Internet Explorer (IE)
  • SharePoint
  • Windows Media Player
  • Visual Basic and Visual Studio

Of the bulletins released today, six are labeled critical and two important. Remember that Microsoft rates a bulletin 'critical' when the flaw could be exploited to run code without any user interaction, the kind of vulnerability an Internet worm uses, so you do not have to click, open, or view an attachment or website to be hit. An 'important' bulletin covers flaws whose exploitation could compromise the confidentiality, integrity, or availability of user data or system resources, for example by letting a local user or a less-privileged account escalate privileges.

All of the patches are marked "May Require Restart", which can be very disruptive to your network and productivity since it means rebooting workstations and servers.  Most of these patches are client side.

As far as prioritization goes, there is no single patch you can push to the front of the line; they are all critically important, including the "important" bulletin for SharePoint, since it affords a privilege escalation.

The only saving grace is that most of these are client side and so may not hit major e-commerce vendors as hard. Otherwise this will consume a large amount of time for patching during an already busy time of year.

While this is an exceptionally busy Patch Tuesday, there are other exploits in the wild that IT administrators need to watch out for, hence the importance of applying all the critical and important patches as soon as business conditions permit so you can have a restful and secure holiday season.

There is a zero-day exploit for IE7 in the wild that is being used to deliver web-borne malware.  The patches Microsoft released today fix other issues in IE but not this particular vulnerability.

The Chinese security research outfit KnownSec reports on its blog seeing a new zero-day for IE7 in the wild.  The exploit seen so far targets IE7 running on Windows XP as well as Windows Server 2003. When a user visits a malicious web page containing the JavaScript that triggers the attack, which abuses a flaw in IE's XML handling, code is dropped on the user's PC. The dropped code then connects to the Internet and downloads additional malware.

IMPACT:  As with other web-borne malware threats, the downloaded malware can easily turn the user's PC into a spam-sending bot or install a keylogger to harvest the user's banking credentials.

If you are not yet using whitelisting Application Control, one of the few mitigations available is to enable Data Execution Prevention (DEP), a feature introduced in Windows XP SP2, to reduce the risk while waiting for a patch from Microsoft. Note that on XP the default DEP policy is "OptIn", which covers only Windows system programs, so Internet Explorer is not protected unless you switch the policy to "OptOut" (the /noexecute=OptOut switch in boot.ini) or add iexplore.exe to the protected programs explicitly; hardware DEP also requires an NX-capable processor.

A few other items to watch:

Firefox
Firefox is being targeted with malware. There is a rare piece of malware in the wild, detected as Trojan.PWS.ChromeInject.A, that installs itself in the Firefox add-on folder and watches for any of roughly 100 different financial web sites to be brought up. It then collects user names and passwords and sends them along to a server in Russia.

Your best defense is comprehensive patch management.

VoIP is actively under attack
The FBI is reporting that the bad guys are exploiting a vulnerability in Asterisk to take over VoIP servers and steal minutes, using the hijacked systems to call potential victims directly. The compromised servers are also being used in vishing (voice phishing) scams: the bad guys send out an email to trick the user into calling the compromised VoIP server, which presents a fake "call center" that gets the caller to divulge account information.

Your best defense is comprehensive patch management to prevent the bad guys from gaining a foothold in your network that would allow them to use your VoIP server.

Facebook worm
The worm that has been luring Facebook users into clicking on a fake video codec since July has come back with a vengeance. The latest variant actually uses Facebook's feature that redirects users to a website outside of Facebook. Unfortunately, this lets it bypass Facebook's own filtering software, because the malware resides on the external site you are redirected to, outside the protection the filtering affords.

Is it realistic in this environment to expect your users to know whether what appears to be a legitimate update is malicious or not? Application Control is your best defense, as it would prevent the fake video codec from running in the first place.

A Change in Tactics for SSH Brute Forcing
It appears the bad guys have recently changed tactics in how they run SSH brute-force attacks. Instead of simply pounding away as fast as possible from the same IP address over and over again, they try only one or two logins from each IP address and then move on to a different source address. Many administrators have configured alerts that fire when they see multiple failed login attempts from a single IP address; this new tactic effectively sidesteps those alerts. Detection has to aggregate across sources instead, for example by counting failures per target account or per time window regardless of the source IP.
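The detection gap described above, shown as an added example (this is not code from the original post): a short Python script that parses constructed OpenSSH "Failed password" syslog lines and compares the classic per-source-IP rule against a source-agnostic rule that counts failures in a sliding time window across all IPs and also tallies the targeted accounts. The log lines, the thresholds, the five-minute window and the year used to complete the syslog timestamps are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd (OpenSSH, syslog format) lines for illustration; not a real capture.
# Sources come from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
# Thirteen failures from twelve distinct IPs in just over four minutes; no IP tries more than twice.
SAMPLE_LOG = """\
Dec  9 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.10 port 51000 ssh2
Dec  9 10:00:19 host sshd[2002]: Failed password for root from 203.0.113.11 port 51001 ssh2
Dec  9 10:00:40 host sshd[2003]: Failed password for invalid user admin from 203.0.113.12 port 51002 ssh2
Dec  9 10:01:02 host sshd[2004]: Failed password for root from 198.51.100.5 port 40010 ssh2
Dec  9 10:01:05 host sshd[2004]: Failed password for root from 198.51.100.5 port 40010 ssh2
Dec  9 10:01:30 host sshd[2005]: Failed password for invalid user oracle from 198.51.100.6 port 40011 ssh2
Dec  9 10:01:55 host sshd[2006]: Failed password for root from 198.51.100.7 port 40012 ssh2
Dec  9 10:02:11 host sshd[2007]: Accepted publickey for alice from 192.0.2.50 port 60001 ssh2
Dec  9 10:02:20 host sshd[2008]: Failed password for root from 203.0.113.13 port 51003 ssh2
Dec  9 10:02:44 host sshd[2009]: Failed password for invalid user test from 203.0.113.14 port 51004 ssh2
Dec  9 10:03:07 host sshd[2010]: Failed password for root from 198.51.100.8 port 40013 ssh2
Dec  9 10:03:31 host sshd[2011]: Failed password for root from 198.51.100.9 port 40014 ssh2
Dec  9 10:03:58 host sshd[2012]: Failed password for invalid user admin from 203.0.113.15 port 51005 ssh2
Dec  9 10:04:20 host sshd[2013]: Failed password for root from 203.0.113.16 port 51006 ssh2
"""

# Matches OpenSSH's "Failed password for [invalid user ]<user> from <ip> port <n>" message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2008):
    """Return a time-sorted list of (timestamp, username, source_ip) for failed password attempts.
    syslog timestamps carry no year, so the caller supplies one (assumed 2008 here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Dec  9" -> "Dec 9")
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def per_ip_alerts(events, threshold=5):
    """Classic rule: alert on any single source IP with at least `threshold` failures.
    Returns {ip: failure_count} for the offenders; empty when nothing trips."""
    counts = Counter(ip for _, _, ip in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_alert(events, window=timedelta(minutes=5), threshold=10, min_sources=5):
    """Source-agnostic rule: slide a window over all failures regardless of source IP and
    alert when it holds at least `threshold` failures from at least `min_sources` distinct IPs.
    Returns a summary of the first window that trips, or None."""
    for i, (start, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] < start + window]
        sources = {ip for _, _, ip in in_window}
        if len(in_window) >= threshold and len(sources) >= min_sources:
            return {
                "window_start": start,
                "failures": len(in_window),
                "distinct_sources": len(sources),
                "targeted_users": Counter(u for _, u, _ in in_window),
            }
    return None


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    print("failed logins parsed:", len(evts))
    print("per-IP rule (threshold 5):", per_ip_alerts(evts) or "no alert")
    print("distributed rule:", distributed_alert(evts) or "no alert")
```

Run as-is, the per-IP rule stays silent because no single address exceeds two attempts, while the windowed rule reports thirteen failures from twelve sources with "root" the most targeted account. Tune the window, threshold and minimum source count to the normal background of failed logins on your own hosts before wiring this into an alert.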

In light of the continuously changing tactics, a multi-level defense is necessary: patch management to prevent any escalation of privilege if a bad guy gets in via SSH with a normal user's level of privilege, and Application Control, which can go a long way toward mitigating the risk of a bad guy bringing in software and trying to run it after getting in via SSH.

The issues noted above, as well as those we are focusing on today with Microsoft's Patch Tuesday, again highlight the need for comprehensive patch management, patching both fast and wide across multiple vendor platforms, as well as the need for Application Control to mitigate the risks that are not being addressed by today's seemingly overwhelmed AV solutions.