threat

Microsoft does not patch vulnerability for supported version of Windows

Last week was the September issue of Microsoft “patch Tuesday”. The September 2009 Microsoft Security Bulletin lists a number of vulnerabilities. Microsoft held the bulletin webcast on Wednesday, September 9, to discuss the vulnerabilities and customer concerns.

One particular bulletin is creating some concerns for Microsoft Windows 2000 users. MS09-048 is a bulletin for a vulnerability to the TCP/IP stack in all current supported versions of Windows. The bulletin describes the vulnerability:

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Even though the bulletin here describes it as potential remote code execution, the webcast focused more on the denial of service threat due to this vulnerability. Unfortunately, Microsoft has chosen to not issue a patch for Windows 2000, even though Windows 2000 is a supported version of Windows with regards to patches and security fixes. ComputerWorld gives a good amount of detail in the article: Microsoft: Patching Windows 2000 ‘infeasible’ Dark Reading published Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack and The Register published Microsoft, Cisco issue patches for newfangled DoS exploit.

I know that there is a reasonable population of Windows 2000 machines in operation at my organization. So, this choice by Microsoft to not issue a patch for this vulnerability raises some concerns. Fortunately the vulnerable population is not publicly exposed and does not have mobile users. The layered defenses we have in place should help mitigate the risks to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.

Thanks for reading & let’s continue to be good network citizens.

Red alert - automated SHIELDS Up - malware becomes smarter!

If you haven’t recently kept up to date on the malware front, a recent article at DarkReading may come as a surprise to you. ALERT: Malware has become intelligent!

Rare Malware A Hint Of Threats To Come shows that malware has come a long way and has gained some significant intelligence to avoid detection. The article mentions that some attacks are more directed than broad. These attacks go at specific organizations and even specific data at those organizations. Once the data is collected, the malware can clean up after itself and disappear.

Other “intelligent” behavior seen by researchers includes command and control systems that can determine if a device is actually an owned bot or a researcher imitating a bot. In these types of cases, the command and control system can actually blacklist the researcher’s network range so it cannot intrude on the malware environment.

Quite intriguing stuff and this is what is really happening today! You should be familiar with this stuff if you manage a computer network and are responsible for security. Remember in secURITy - U R IT (you are IT).

Thanks for reading & let’s continue to be good network citizens!