<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Security Detail &#187; Patch Tuesday</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/security-detail/tag/patch-tuesday/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/security-detail</link>
	<description>Tony Bradley's take on the latest vital IT security news.</description>
	<lastBuildDate>Mon, 29 Apr 2013 17:39:02 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Microsoft has massive Patch Tuesday planned for next week</title>
		<link>http://itknowledgeexchange.techtarget.com/security-detail/microsoft-has-massive-patch-tuesday-planned-for-next-week/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-detail/microsoft-has-massive-patch-tuesday-planned-for-next-week/#comments</comments>
		<pubDate>Fri, 08 Feb 2013 14:15:36 +0000</pubDate>
		<dc:creator>Tony Bradley</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[Patch Tuesday]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[CORE Security]]></category>
		<category><![CDATA[nCircle]]></category>
		<category><![CDATA[Qualys]]></category>
		<category><![CDATA[Rapid7]]></category>
		<category><![CDATA[security bulletin]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-detail/?p=149</guid>
		<description><![CDATA[Get ready. Microsoft is unleashing 12 security bulletins next Tuesday to address a whopping 57 separate vulnerabilities. Andrew Storms, director of security operations for nCircle, explains, &#8220;The dirty dozen affects a wide range of operating system versions and includes Exchange Server, a critical business application.  Over the past few months Microsoft has released a number [...]]]></description>
				<content:encoded><![CDATA[<p>Get ready. Microsoft is <a href="http://www.computerworld.com/s/article/9236599/Microsoft_preps_monster_security_update_for_next_week?utm_source=dlvr.it&amp;utm_medium=twitter">unleashing 12 security bulletins</a> next Tuesday to address a whopping 57 separate vulnerabilities.</p>
<p>Andrew Storms, director of security operations for <a href="http://www.ncircle.com">nCircle</a>, explains, &#8220;The dirty dozen affects a wide range of operating system versions and includes Exchange Server, a critical business application.  Over the past few months Microsoft has released a number of bug fixes for Oracle’s Outside In technology used by Exchange Server, but none of the bugs fixed represented severe threats. Exchange server bugs make a lot of people nervous; let’s hope this month’s Exchange patch is as dull as ditch water.&#8221;</p>
<p><a href="http://itknowledgeexchange.techtarget.com/security-detail/files/2013/02/brokenwindow.jpg"><img class="aligncenter size-full wp-image-151" src="http://itknowledgeexchange.techtarget.com/security-detail/files/2013/02/brokenwindow.jpg" alt="" width="300" height="199" /></a></p>
<p>According to the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-feb">Microsoft Advance Notification</a>, five of the 12 security bulletins are rated as Critical, while the remaining seven are Important.</p>
<p>Alex Horan, senior product manager, <a href="http://www.coresecurity.com">CORE Security</a>, says, “This month we see some significant vulnerabilities with the potential to create a formidable one-two punch, which could be key to hackers unleashing the most powerful attacks in their arsenals. When these exploits are used in the right combination, the effects can be deadly for system administrators.&#8221;</p>
<p><a href="http://www.rapid7.com">Rapid7</a>’s Senior Manager of Security Engineering, Ross Barrett, tries to find some silver lining, &#8220;It&#8217;s both good and bad news that the patches are mostly clustered on Windows Operating System, without dipping too much into Office or more esoteric specialty Microsoft products.  It&#8217;s good because administrators probably don&#8217;t have to worry about applying multiple patches for the same advisory to a single host.  It&#8217;s bad because an organization with even the simplest deployment of Microsoft products will probably be hit by all of these advisories, meaning their desktop and server teams will be extra busy.&#8221;</p>
<p>Storms has some concerns about Internet Explorer. &#8220;Internet Explorer patches are always a top priority and this month we’re going to get two Internet Explorer bulletins. That’s unusual because generally, when Microsoft patches IE, the patch is delivered as a single bulletin. The planned delivery of two separate IE bulletins has my ‘Spidey’ senses on alert. I’m sure other IT security teams are wondering exactly what kind of IE valentine we’re going to get.”</p>
<p><a href="http://www.qualys.com">Qualys</a> CTO Wolfgang Kandek points out that Microsoft is not the only vendor issuing patches. &#8220;Adobe released <a href="http://www.adobe.com/support/security/bulletins/apsb13-04.html">out-of-band a new version</a> of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild. Update your Flash installations as quickly as possible &#8211; Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.&#8221;</p>
<p>I hope you didn&#8217;t have anything going on for Valentine&#8217;s Day, because you might be busy.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-detail/microsoft-has-massive-patch-tuesday-planned-for-next-week/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Year In Security: A Look Back at 2011 and Trends for 2012</title>
		<link>http://itknowledgeexchange.techtarget.com/security-detail/the-year-in-security-a-look-back-at-2011-and-trends-for-2012/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-detail/the-year-in-security-a-look-back-at-2011-and-trends-for-2012/#comments</comments>
		<pubDate>Thu, 05 Jan 2012 04:20:43 +0000</pubDate>
		<dc:creator>Tony Bradley</dc:creator>
				<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Patch Tuesday]]></category>
		<category><![CDATA[Qualys]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Wolfgang Kandek]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-detail/the-year-in-security-a-look-back-at-2011-and-trends-for-2012/</guid>
		<description><![CDATA[Sir Winston Churchill once said, “Those who fail to learn from history are doomed to repeat it.” Those are wise words, and a sentiment that applies nicely to information security. As we begin 2012, it is a great time to reflect on the significant security events that occurred over the last year, and identify trends [...]]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal">Sir Winston Churchill once said, “Those who fail to learn from history are doomed to repeat it.” Those are wise words, and a sentiment that applies nicely to information security.</p>
<p class="MsoNormal">As we begin 2012, it is a great time to reflect on the significant security events that occurred over the last year, and identify trends that can help you prepare for the threats to come this year. With that in mind, let’s take a look at what 2011 served up.</p>
<p class="MsoNormal"><strong>The Low-Hanging Fruit</strong></p>
<p class="MsoNormal">Attacks have traditionally targeted flaws related to specific operating systems – mainly Microsoft Windows. But, malware developers prefer the path of least resistance. They want the simplest means of developing an attack with the largest potential pool of victims and odds of success.</p>
<p class="MsoNormal">Adobe products and Web browsers are just the sort of low-hanging fruit malware developers love. Products like Adobe Reader, Adobe Flash, and Adobe Air, and browsers like Firefox, Chrome, and Internet Explorer are virtually ubiquitous across all platforms.</p>
<p class="MsoNormal">In April, Adobe Flash was hit with back to back zero day attacks – the first using a malicious file <a href="http://laws.qualys.com/2011/03/0-day-for-adobe-flash-and-read.html">embedded in an Excel spreadsheet</a>, and the second relying on a file attachment embedded in a Microsoft Word document. In either case, opening the malicious attachment would infect the PC.</p>
<p class="MsoNormal">Qualys CTO, Wolfgang Kandek noted in his <a href="http://laws.qualys.com/2011/04/adobe-patch-for-flash-0-day.html">Laws of Vulnerabilities blog</a>, “<span>This all happens so fast that a normal user would not notice the attack.”</span></p>
<p class="MsoNormal"><span>That was just the beginning for Adobe, though. Flaws in Adobe products are believed to have played a key role in high-profile attacks targeting RSA Security, Pacific Northwest National Laboratories and numerous other victims. There are rumors that the attack used against RSA was also used against 760 other organizations, including many global marquee organizations.</span></p>
<p class="MsoNormal"><span>Damages from cyber attacks have been hard to estimate up to now. But 2011 saw the shutdown of a company due to a cyber attack. Digital certificate authority Diginotar was attacked in August. Soon Microsoft, Mozilla, Opera, Apple, and others </span><a href="http://laws.qualys.com/2011/09/september-2011-patch-tuesday.html"><span>revoked trust in certificates</span></a><span> issued from Diginotar, and this eventually resulted in Diginotar closing down for good. </span></p>
<p class="MsoNormal">Web browsers are another attack vector that is present on virtually every PC and mobile device. Many users also install a variety of third-party plugins and add-ons – complicating the effort involved in keeping it all up to date. An extensive <a href="http://laws.qualys.com/2011/02/rsa-usa-2011-presentation-on-b.html">review of browser security</a> by Qualys found that a majority are running out-of-date versions of commonly targeted tools – like Adobe Flash.</p>
<p class="MsoNormal"><strong>No Such Thing As Perfect</strong></p>
<p class="MsoNormal">While there are many applications that seem to be full of holes and provide an easy target for malware developers, it is equally important to realize there is no impervious application. Most software is comprised of tens of thousands, or even millions of lines of code. Even with secure coding practices, and diligence on the part of developers, it is virtually inevitable that a flaw (or many flaws) exist somewhere just waiting to be discovered.</p>
<p class="MsoNormal">For evidence of the frailty of operating systems and software applications, you don’t need to look any farther than the information security conferences that occur throughout the year. One shining example is the <a href="http://laws.qualys.com/2011/03/cansecwest-results---day-1.html">annual Pwn2Own contest</a> at the CanSecWest conference. Security researchers compromise fully patched and updated systems in a matter of seconds – demonstrating that someone with sufficient time and skill can always succeed in finding an exploit.</p>
<p class="MsoNormal"><strong>Don’t Believe the Hype</strong></p>
<p class="MsoNormal">Zero day exploits are like the bogeyman of information security. They are scary – in theory – and make for sensational headlines, but the reality is that they aren’t really that insidious.</p>
<p class="MsoNormal">A recent <a href="http://laws.qualys.com/2011/10/microsoft-sir-2011---zeroing-i.html">Microsoft Security Intelligence Report (SIR)</a> drilled down to analyze the flaws and vulnerabilities responsible for the most infections and compromised PCs, and found that zero day exploits barely come into play at all. Kandek stressed in a blog post, “<span>This is not really a surprise as zero days are a much too expensive a component to be included in mass-malware, which tend to use older, well understood vulnerabilities for propagation.”</span></p>
<p class="MsoNormal"><span>Of course, the “never say never” principle also comes into play. Soon after Microsoft released that report, </span><a href="http://laws.qualys.com/2011/12/december-2011-patch-tuesday.html"><span>two threats equipped with zero-day exploits</span></a><span> – Duqu and Beast – were discovered targeting previously unknown vulnerabilities in Microsoft products. The moral is that zero day flaws pose a </span><a href="http://laws.qualys.com/2011/11/more-on-the-microsoft-duqu-adv.html"><span>very real, and credible threat</span></a><span> for precision, targeted attacks, but that history illustrates there is little chance of any malware pandemic starting from a zero day.</span></p>
<p class="MsoNormal"><strong>Batten Down the Hatches</strong></p>
<p class="MsoNormal">There is no silver bullet for security, and there is no impervious software, but that doesn’t mean that there aren’t things that can be done to improve security and thwart attacks. Microsoft was vigilant in 2011 when it came to taking proactive steps to strengthen security.</p>
<p class="MsoNormal">With the <a href="http://laws.qualys.com/2011/02/patch-tuesday-bottomline---feb-1.html">February Patch Tuesday</a>, Microsoft pushed out an update that changes the behavior of the “AutoRun” feature in Windows to prevent malware infections through USB or network drives. The update was available as an option prior to that, but Microsoft forced the update to mitigate a common attack vector.</p>
<p class="MsoNormal">Microsoft also built on what it started with the <a href="http://laws.qualys.com/2011/04/microsoft-cvd-and-efforts-for.html">Coordinated Vulnerability Disclosure</a> (CVD) program, and made changes to its vulnerability exploitability index to provide more valuable information. Microsoft separated out the exploitability index for the current version of software like the Windows operating system, and the Internet Explorer Web browser because legacy software is generally less secure and presents a greater risk for organizations.</p>
<p class="MsoNormal">In December, Microsoft unveiled plans to start silently updating Internet Explorer to the most current version. The move follows in the footsteps of rivals like Google and Mozilla, and will help make the Internet at large more secure by creating an environment where more users have the most up to date, most secure browsers possible.</p>
<p class="MsoNormal">Qualys’ <a href="http://laws.qualys.com/2011/12/silent-updating-for-internet-e.html">Kandek noted</a>, “<span>Being on the newest possible Internet Explorer (IE8 on Windows XP, IE9 on Vista/Win7) brings a significant increase in security and robustness to malware infections due to better architecture, sandboxing and the included URL filtering feature.”</span></p>
<p class="MsoNormal"><span>2011 was a busy year in information security, and 2012 will most likely continue the trend. What is important is for organizations to understand the risks, stay aware of emerging threats and vulnerabilities, and take proactive steps to avoid attacks.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-detail/the-year-in-security-a-look-back-at-2011-and-trends-for-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>All Software Needs a &#8220;Patch Tuesday&#8221;</title>
		<link>http://itknowledgeexchange.techtarget.com/security-detail/all-software-needs-a-patch-tuesday/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-detail/all-software-needs-a-patch-tuesday/#comments</comments>
		<pubDate>Wed, 13 Apr 2011 12:47:51 +0000</pubDate>
		<dc:creator>Tony Bradley</dc:creator>
				<category><![CDATA[Lumension]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Norman]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[Patch Tuesday]]></category>
		<category><![CDATA[security bulletin]]></category>
		<category><![CDATA[update]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-detail/all-software-needs-a-patch-tuesday/</guid>
		<description><![CDATA[Microsoft often takes a fair amount of heat and ridicule for its Patch Tuesday&#8211;especially ones like this month where Microsoft published 17 new security bulletins and patched 64 separate vulnerabilities. However, instead of focusing on the volume of flaws addressed by Microsoft, IT admins should be considering how many vulnerabilities remain unpatched on other software [...]]]></description>
				<content:encoded><![CDATA[<p>Microsoft often takes a fair amount of heat and ridicule for its Patch Tuesday&#8211;especially ones like this month where <a href="http://www.pcworld.com/businesscenter/article/224962/tackling_the_massive_microsoft_patch_tuesday.html" target="_blank">Microsoft published 17 new security bulletins </a>and patched 64 separate vulnerabilities. However, instead of focusing on the volume of flaws addressed by Microsoft, IT admins should be considering how many vulnerabilities remain unpatched on other software applications that don&#8217;t have a dedicated patch management program and regular cycle of updates.</p>
<p>Microsoft used to release security bulletins and patches ad hoc as they arose, but switched to the Patch Tuesday monthly release cycle to make it easier for IT admins. The regular, predictable release of updates enables IT departments to be prepared and have the appropriate resources allocated to analyze and deploy the batch of patches.</p>
<p>Most software doesn&#8217;t have any such patch management framework, though&#8211;putting the burden on IT admins to try to keep up with vulnerability details and patch releases. The lack of a consistent patch release and deployment schedule results in vulnerabilities that fall through the cracks and remain unpatched.</p>
<p>Some attacks leverage previously unknown <a href="http://www.pcworld.com/businesscenter/article/224916/deja_vu_all_over_again_adobe_reveals_new_flash_zero_day.html" target="_blank">zero-day vulnerabilities</a>, but many viruses, worms, and other types of malware often attack vulnerabilities which are already known, and for which patches have already been published. <a href="http://www.norman.com/" target="_blank">Norman</a>&#8211;a security and patch management company&#8211;claims that nearly two dozen new vulnerabilities are discovered on average each day. </p>
<p>Paul Henry, Forensic &amp; Security Analyst at <a href="http://www.lumension.com/" target="_blank">Lumension</a>, points out, &#8220;Time and time again, we’re finding that spear phishing exploits are taking advantage of the weaknesses in third party applications,&#8221; adding, &#8220;While the rest of the world is focusing on Windows, the bad guys are taking advantage of the applications we aren’t patching with free patch software that Microsoft makes available.&#8221;</p>
<p>&#8220;IT departments should make patch and remediation a priority,&#8221; said Audun Lodemel, vice president, Norman Marketing, &#8220;Remember to look into all your OS platform and applications vulnerabilities, not just focus on Microsoft issues around Patch Tuesday.&#8221;</p>
<p>Bottom line: Microsoft makes it easy because Patch Tuesday is reliable, and predictable, and Microsoft provides the tools to download and implement the latest updates for both consumer and business systems. But, don&#8217;t get lazy and forget that you have a wide variety of software installed on those systems, and that those applications are just as likely to contain exploitable flaws.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-detail/all-software-needs-a-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three Security Bulletins Planned for March Patch Tuesday</title>
		<link>http://itknowledgeexchange.techtarget.com/security-detail/three-security-bulletins-planned-for-march-patch-tuesday/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-detail/three-security-bulletins-planned-for-march-patch-tuesday/#comments</comments>
		<pubDate>Sat, 05 Mar 2011 02:54:36 +0000</pubDate>
		<dc:creator>Tony Bradley</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Office]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[Patch Tuesday]]></category>
		<category><![CDATA[security bulletins]]></category>
		<category><![CDATA[update]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-detail/three-security-bulletins-planned-for-march-patch-tuesday/</guid>
		<description><![CDATA[Next Tuesday is a big day for more reason than one. It is Fat Tuesday&#8211;a day to consume decadent paczkis and kick off Mardi Gras. It is also Microsoft&#8217;s Patch Tuesday for March. Patch Tuesday comes quick when the first day of the month is a Tuesday. Microsoft has only three security bulletins planned this [...]]]></description>
				<content:encoded><![CDATA[<p>Next Tuesday is a big day for more reasons than one. It is Fat Tuesday&#8211;a day to consume decadent paczkis and kick off Mardi Gras. It is also Microsoft&#8217;s Patch Tuesday for March. Patch Tuesday comes quickly when the first day of the month is a Tuesday.</p>
<p>Microsoft has only <a href="http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx" target="_blank">three security bulletins planned this month</a>. Two affect Windows, and one addresses issues with Microsoft Office. One of the two slated for Windows is Critical, while the second is rated Important. The Microsoft Office bulletin is ranked as Important as well, and all three may require a system reboot for the update to complete.</p>
<p>Amol Sarwate, manager of the Vulnerability Research Lab for <a href="http://www.qualys.com/" target="_blank">Qualys</a>, passed on this analysis of the Patch Tuesday advance notification.</p>
<blockquote><p>&#8220;<span style="font-family: &quot;Segoe UI&quot;,&quot;sans-serif&quot;font-size;font-weight: normal">The critical update affects Windows XP, Vista and Windows 7 while Windows Server 2003 and Server 2008 are not affected. One of the important updates affects all Windows operating systems and we expect it to be for the MHTML Information Disclosure issue which was left un-patched in last month’s patch cycle (<a href="http://www.microsoft.com/technet/security/advisory/2501696.mspx" target="_blank"><span style="color: #0000ff">2501696</span></a>). The other important update patches the little known Office Groove 2007 software.&#8221;</span></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-detail/three-security-bulletins-planned-for-march-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
