Windows Enterprise Desktop:

Patch Tuesday

Jun 10 2009   4:43PM GMT

Patch Tuesday June09: A Real Whopper!



Posted by: Ed Tittel
Enterprise Vista, enterprise Vista desktop, Patch Tuesday, MS09-018, MS09-019, MS09-020, MS09-021, MS09-022, MS09-023, MS09-024, MS09-025, MS09-026, MS09-027

OK, so yesterday’s Patch Tuesday does the deed for June. It’s a monster: 10 security bulletins addressing 31 vulnerabilities across most versions of Windows itself, IE, and various MS Office and related elements (Works, Word, and Excel). Even the Windows Print Spooler and OS kernel get in on the act!

Of the 10 bulletins issued, 6 are rated Critical (see the table below), and together they fill some gaping, widely known holes in MS security. Chief among the holes closed: the dual WebDAV gotchas for IIS publicized in May (explained in this Ryan Naraine blog from 5/19) and the infamous Pwn2Own vulnerability discovered in March at the CanSecWest conference in Vancouver.

I downloaded mine for Vista yesterday and they appear to have installed and taken without a hitch. You’ll probably want to start testing these right away, if you don’t plan to deploy them as-is.

Bulletin ID   Rating      Target                               Remarks
MS09-018      Critical    Active Directory, Server 2000/2003   2 remote code execution items
MS09-019      Critical    IE 5.01 through 8                    8 vulnerabilities, including remote code execution items
MS09-020      Important   IIS                                  2 vulnerabilities allowing elevation of privilege
MS09-021      Critical    MS Excel                             7 vulnerabilities, including remote code execution
MS09-022      Critical    Windows Print Spooler                3 vulnerabilities, including remote code execution (Windows
MS09-023      Moderate    Windows Search                       Single vulnerability could allow information disclosure
MS09-024      Critical    Microsoft Works converters           Could allow remote code execution
MS09-025      Important   Windows kernel                       4 vulnerabilities that could allow elevation of privilege
MS09-026      Important   RPC                                  Could allow execution of arbitrary code or system takeover
MS09-027      Critical    MS Word                              2 vulnerabilities that could allow remote code execution

Apr 10 2009   4:34PM GMT

Patch Tuesday Preview for April 09



Posted by: Ed Tittel
Windows Update, Patch Tuesday, Windows Vista security updates, Windows Vista critical security updates, Windows Vista Important security updates, Windows Vista Moderate security updates

Next Tuesday, April 14, is Patch Tuesday for this month. As usual, Microsoft e-mailed its Advance Notification yesterday to let us all know what’s coming (there is also a Web version). Here’s what to expect, Windows Vista-wise, from the 8 bulletins (5 of which are Critical) to be released that day:

  • Windows (which often involves Vista): 3 Critical, 1 Important, 1 Moderate. All 3 Critical bulletins pose potential remote code execution vulnerabilities, while the Important one involves an elevation of privilege for attackers. The Moderate item involves a potential elevation of privilege as well.
  • Internet Explorer and Excel: Two more critical bulletins, both of the remote code execution variety.
  • Internet Security & Acceleration Server (ISA): One important bulletin that could involve Denial of Service for Microsoft Forefront Edge Security software.
  • 6 of the 8 items require a system restart, while the other two may require a restart, depending on local conditions on patched PCs.
  • Of the 5 Windows bulletins, 3 of them involve Vista (Windows 2, 4, and 5); the IE patch also affects IE7 on Vista as well.

Looks like we’ve got some patching in our future. Stay tuned for details next Wednesday, April 15.


Mar 13 2009   4:38PM GMT

Patch Tuesday March 2009



Posted by: Ed Tittel
Patch Tuesday, MS09-006, MS09-007, MS09-008, KB958690, KB960225, Windows Update

Tuesday, March 10, was the second Tuesday of the month, the day colloquially known to MS system administrators and security mavens as “Patch Tuesday.” Here’s a smorgasbord of the items that showed up in the list of 3/10/2009 items with relevance for Windows Vista:

  • MS09-006 Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (KB958690). This is the first kernel vulnerability to come along for a while, and it affects all supported versions of Windows back to Windows 2000. Most fixes go to the Win32k.sys file, which ranks right up there with ntoskrnl.exe at the heart of Windows OSes everywhere. Update this one quick!
  • MS09-007 Vulnerability in SChannel Could Allow Spoofing (KB960225). This privately reported item, if exploited, could allow an attacker who has obtained only the public key component of a user’s authentication certificate (no private key required) to impersonate (spoof) that user against a server that relies on certificate-based client authentication. This affects all supported versions of Windows as well. If you use end-user certificates as part of your authentication mechanisms, you’ll want to apply this update quickly as well.
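
The gap MS09-007 closes is easier to see in code. What follows is an added PowerShell example, not from the bulletin or this post: a toy "server" that accepts a client because its public key is on a trust list (which anyone holding the user’s certificate can satisfy) beside one that first demands a signature over a fresh nonce, which only the holder of the private key can produce. The trust list as a set of hashed RSA moduli, the 32-byte nonce, and the function names are choices made for the example. The attacker, who holds only the public half of Alice’s key, passes the first check and fails the second.

```powershell
# Added example (not from the post or the MS09-007 bulletin): why certificate-based
# client authentication must verify proof of possession of the private key.
# Trust-list layout, nonce size and function names are choices made here.

function New-RsaKey([int]$Bits = 2048) {
    # Fresh, non-persisted key; the default CSP on Vista and later supports SHA-256.
    New-Object System.Security.Cryptography.RSACryptoServiceProvider $Bits
}

function Get-PublicOnlyCopy($Rsa) {
    # Modulus and exponent only: what a certificate carries and all that an
    # attacker in the MS09-007 scenario has obtained.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($Rsa.ExportParameters($false))
    $pub
}

function Get-PublicKeyId($Rsa) {
    # Trust-list entry: SHA-256 over the RSA modulus, hex encoded.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [BitConverter]::ToString($sha.ComputeHash($Rsa.ExportParameters($false).Modulus)) -replace '-', ''
}

# VULNERABLE: accepts anyone whose presented public key is on the list.
function Test-ClientByPublicKeyOnly([string[]]$Trusted, $Presented) {
    $Trusted -contains (Get-PublicKeyId $Presented)
}

# HARDENED: same list check, then a signature over a server-chosen nonce must
# verify under the presented key (proof of possession of the private key).
function New-Nonce {
    $b = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    ,$b
}

function Invoke-ClientSign($ClientKey, [byte[]]$Nonce) {
    # A key object without the private half throws here, so the "signature" is $null.
    try { ,($ClientKey.SignData($Nonce, 'SHA256')) } catch { $null }
}

function Test-ClientWithProofOfPossession([string[]]$Trusted, $Presented, [byte[]]$Nonce, $Signature) {
    if (-not ($Trusted -contains (Get-PublicKeyId $Presented))) { return $false }
    if ($null -eq $Signature) { return $false }
    $Presented.VerifyData($Nonce, 'SHA256', $Signature)
}

# Walk-through: Alice's key pair, and what an attacker holds after obtaining her certificate.
$alice    = New-RsaKey
$attacker = Get-PublicOnlyCopy $alice
$trusted  = @(Get-PublicKeyId $alice)
$nonce    = New-Nonce

"public-key-only check, attacker:      " + (Test-ClientByPublicKeyOnly $trusted $attacker)
"proof of possession, legitimate user: " + (Test-ClientWithProofOfPossession $trusted $alice $nonce (Invoke-ClientSign $alice $nonce))
"proof of possession, attacker:        " + (Test-ClientWithProofOfPossession $trusted $attacker $nonce (Invoke-ClientSign $attacker $nonce))
```

The nonce must be fresh per handshake; a fixed or predictable challenge would let an attacker replay a signature captured from a legitimate session, which is a different failure from the one MS09-007 describes but the same class of mistake.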

Another bulletin (MS09-008) was also released with fixes for vulnerabilities in DNS and WINS Server code that could permit address spoofing for potential man-in-the-middle or site impersonation attacks. But you can leave these fixes for the server gang, unless you happen to take care of your organization’s servers as well.

For the record, only MS09-006 is rated Critical, while both MS09-007 and MS09-008 are rated Important. Given the nature of the related vulnerabilities, anyone who’s affected by either Important item should probably expedite pushing this update out as quickly as possible anyway. And of course any Critical item needs to make its way onto Vista (and other Windows) machines as soon as circumstances and testing/deployment requirements permit.


Feb 9 2009   4:40PM GMT

Preview of Patch Tuesday Attractions



Posted by: Ed Tittel
Patch Tuesday, Windows Update, Enterprise desktop, Enterprise Vista, KB890830, KB905866, KB950644, KB958653, KB960715, KB894199

Tomorrow, February 10, is the second Tuesday in February–hence, “Patch Tuesday” is once again at hand. Microsoft publishes advance notification for security bulletins each month on the preceding Thursday, so I can tell you what to expect in tomorrow’s updates. There are four items that should be included (though last-minute additions and deletions have been known to occur):

  • Critical: Internet Explorer 7 versions remote code execution fix. XP, Vista, Windows Server 2003 and 2008, 32- and 64-bit versions.
  • Critical: Exchange Server versions remote code execution fix. Exchange 2000 Server SP3 with 8/04 update rollup, Exchange Server 2003 SP2, Exchange Server 2007 SP1 (32- and 64-bit versions).
  • Important: SQL Server remote code execution. Too many versions to enumerate here (check the advance notification link in the first paragraph for details).
  • Important: Visio remote code execution. MS Office Visio 2002 SP2, MS Office Visio 2003 SP3, MS Office Visio 2007 SP1.

As usual, there will also be an updated version of the Microsoft Malicious Software Removal tool (KB890830) and the Windows Junk E-mail Filter (KB905866) for February, 2009, included as well. There will also be cumulative updates for Media Center for Windows Vista (KB950644) and Media Center TVPack for Windows Vista (KB958653), plus an update rollup for ActiveX Killbits for Windows (KB960715). These are described in more detail in KB894199 and also in the other KB articles cited for each item.

Given that all the major updates relate to remote code execution and the system compromises such vulnerabilities can produce, it’s probably time to start testing and/or deploying these patches to your clients and servers on an ASAP basis.


Jan 16 2009   6:27PM GMT

Patch Tuesday Brings SMB Relief



Posted by: Ed Tittel
Patch Tuesday, Windows Update, MS09-001, KB959141, KB905866, KB890830, Realtek RTL8168B/8111B GbE Ethernet driver update

Microsoft kicked off 2009 with a very interesting critical security update on the first “Patch Tuesday” of this year: MS09-001 Vulnerabilities in SMB Could Allow Remote Code Execution addresses issues with the Server Message Block (SMB) protocol that go all the way back to Windows 2000 (and would go further except that’s where the Microsoft “update horizon” kicks in). This update addresses three vulnerabilities in all:

  1. SMB Buffer Overflow Remote Code Execution Vulnerability (CVE-2008-4834)
  2. SMB Validation Remote Code Execution Vulnerability (CVE-2008-4835)
  3. SMB Validation Denial of Service Vulnerability (CVE-2008-4114)

Of those three, the first is the scariest because it allows forged SMB packets to compromise a machine at the SYSTEM level on any Windows PC running the Server service (except for Vista and Server 2008). That said, this is a “theoretically possible” exploit rather than a known or demonstrated one. Number 2 is similar to number 1, except that it could affect Vista and Server 2008, though not in their default configurations. It’s more likely, in fact, that 1 and 2 will produce the same effect as number 3, a denial of service for SMB hosts (again, except for default Vista and Server 2008 configurations), than actual remote code execution. But whether you’re ducking a system takeover or just a DoS, this patch is definitely worth applying to your Vista systems anyway.

Other items from this Patch Tuesday include:

  • Updates for the various MS email (Outlook and MS Mail on most Vista machines) Junk Email Filters (KB959141 and KB905866)
  • Malicious Software Removal Tool for January, ‘09 (KB890830)

These are entirely routine, and while worth grabbing, don’t really cry out for much attention or coverage. I also found a Realtek RTL8168B/8111B GbE Interface update in my queue, for several of my Vista machines including both notebooks and desktops, so I suspect others will see and welcome this driver update as well (installed without a glitch on all affected machines).


Dec 10 2008   5:27PM GMT

Patch Tuesday Posts a Plethora of Critical Items



Posted by: Ed Tittel
Security, Desktops, Enterprise desktop, Windows Vista, Windows Update, Patch Tuesday, MS08-070, MS08-071, MS08-072, MS08-073, MS08-074, MS08-075, MS08-076, MS08-077

The second Tuesday in each month is when Microsoft schedules its patches, fixes, and security updates. Recently, Microsoft has begun to offer Advance Notification for its Security Bulletins, which makes it a lot easier to tell what’s coming down the pike. For December, 8 updates have been pushed to the Windows Update servers.

Of the 8 items for Vista that appeared on December 9, 6 are rated Critical and 2 Important. Here’s a brief summary of what you’ll find:

MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution
Could allow remote code execution at the system level if a user opens a specially crafted WMF image file.
MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution
Blocks vulnerabilities that could be triggered if a user opens and saves a specially crafted saved-search file in Windows Explorer or clicks a similar search URL.
MS08-073: Cumulative Security Update for IE
Resolves 4 privately reported vulnerabilities, including remote code execution.
MS08-070: Vulnerabilities in Visual Basic 6 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution
Resolves 5 privately reported and 1 publicly disclosed vulnerability in ActiveX controls for VB 6.0 Runtime Extended files.
MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution
Resolves 8 privately reported MS Office and Outlook vulnerabilities related to Word or RTF file contents that deliver access at the system level.
MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
Resolves 3 privately reported vulnerabilities triggered by specially crafted Excel files that provide system-level access.
MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege
Resolves a privately reported item that allows elevation of privilege when authentication is bypassed by browsing to an admin URL on a SharePoint site (might result in DoS or unauthorized access).
MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution
Resolves 2 privately reported vulnerabilities in Windows Media Player, Windows Media Format Runtime, and Windows Media Services that could allow remote code execution at system-level privilege.

The first six are rated Critical, the last two Important. Vista admins will probably want to start working with all of these that apply to their environments (including SharePoint and Windows Media, where applicable) because all come with potentially dire consequences if they remain unpatched. Hopefully, none of them will cause too many compatibility problems. Nonetheless I advise you to get testing underway ASAP.

I just saw an interesting story from Ryan Naraine on ZDNet that puts these Vista updates into a different context. He calls this Patch Tuesday a “whopper” because 28 vulnerabilities in Windows, IE, and Office are addressed, of which 23 are rated Critical. He counts each of the individual items addressed in the preceding list of security bulletins to come up with these numbers, which certainly adds to the drama. I guess it’s all in how you play out and drum up those numbers! He also mentions that security experts at Shavlik agree it’s wise to start planning a roll-out of these patches ASAP, given the severity of the vulnerabilities they close.


Oct 30 2008   3:16PM GMT

More out-of-cycle Vista patches on Windows Update!



Posted by: Ed Tittel
Desktops, Windows Vista, Windows Vista troubleshooting, Windows Update, Microsoft e-Learning, Microsoft e-courses, KB957200, KB953155, Patch Tuesday

On Tuesday, October 28, as I was knocking off for the day, after 11 PM, I noticed that the autoupdate function in Windows Update had posted two more items to my primary production Vista PC. Both look interesting, but so far I’ve had some trouble trying to ferret out more details about one of these two patches.

Here’s what I know so far:

  • One of the items is a security update, labeled MS08-062 and entitled “Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution.” Interestingly, the security bulletin is dated October 14, and it documents a serious vulnerability in the seldom-used Internet Printing Service–or rather, the IPP protocol and the Internet Printing Client that this service uses–that Vista installs by default (see this vulnerability report dated October 14 for more info on the vulnerability details; this MS White paper describes how Internet Printing works inside Vista; note further that this vulnerability applies to Windows 2000, Windows Server 2003 and 2008, and Windows XP as well). Basically an integer overflow in this service lets attackers run arbitrary code at system-level privilege: a proof-of-concept exploit is known, and several “active, in-the-wild exploit attempts of this type have been detected.” If you don’t use Internet Printing, you can follow the instructions in the MS White paper to turn off the Internet Printing Client in Vista instead (Control Panel, Programs and Features, Turn Windows features on or off, Print Services, Internet Printing Client).
  • More interesting, and more mysterious, is the other item: a “reliability update” for Windows Vista described in a currently unavailable Knowledge Base article (KB957200). All I can find on this update so far is the standalone download page entitled Update for Windows Vista (KB957200). Of course, I’m dying to know what’s been tweaked in this particular update, and why MS decided to push it out the door before November 11 (next Patch Tuesday). The Web is abuzz with the word that the KB article is missing in action, and as of this morning (10/30/2008) it still is, so I posted a query to the TechNet Windows Vista Announcements forum in hopes it might provoke some kind of official response (or better yet, the promised KB article).

My advice on MS08-062 is to download and install it, unless you never use the Internet Printing Service, in which case you can simply turn it off on your PCs, or set a GPO to do it globally. Files affected are detailed in KB953155, and include three Vista DLLs: Msw3prt.dll, Win32spl.dll, and Printcom.dll. As far as the reliability update documented in KB957200 goes, stay tuned: I’ll provide more information about this update as soon as it becomes available.
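
To make the advice above repeatable across a fleet, here is an added PowerShell example, not from the post or from Microsoft: it reports whether the Internet Printing Client feature is enabled, whether KB953155 is installed, and the versions of the three DLLs named above, and it can remove the feature. Assumptions: the optional-feature name Printing-Foundation-InternetPrinting-Client (taken from the DISM feature list on Windows 7), Win32_OptionalFeature being available (Vista and later), and dism.exe being present (Windows 7 and later; on Vista substitute ocsetup).

```powershell
# Added example (not from the post or from Microsoft): audit and, optionally,
# remove the Internet Printing Client that MS08-062 patches. Assumptions:
# feature name as listed by DISM on Windows 7, Win32_OptionalFeature present
# (Vista and later), dism.exe present (Windows 7 and later).

$FeatureName = 'Printing-Foundation-InternetPrinting-Client'
$FixKb       = 'KB953155'   # MS08-062

function Get-InternetPrintingState {
    $f = Get-WmiObject -Class Win32_OptionalFeature -Filter "Name='$FeatureName'"
    if (-not $f) { return 'Absent' }
    # InstallState: 1 = enabled, 2 = disabled, 3 = absent
    switch ([int]$f.InstallState) { 1 { 'Enabled' } 2 { 'Disabled' } 3 { 'Absent' } default { 'Unknown' } }
}

function Test-FixInstalled([string]$Kb = $FixKb) {
    # Get-HotFix reads Win32_QuickFixEngineering, the same data as "Installed Updates".
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-IppFileVersions {
    # The three Vista DLLs the KB lists; expected versions differ per service pack,
    # so compare the output against the KB's file table rather than a fixed value.
    foreach ($name in 'msw3prt.dll', 'win32spl.dll', 'printcom.dll') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path $path) { "$name  $((Get-Item $path).VersionInfo.FileVersion)" }
        else                 { "$name  (not present)" }
    }
}

function Disable-InternetPrintingClient([switch]$Apply) {
    # Dry run unless -Apply is given. On Vista the equivalent is: ocsetup $FeatureName /uninstall
    if ($Apply) { dism.exe /online /Disable-Feature "/FeatureName:$FeatureName" /NoRestart }
    else        { "Would run: dism.exe /online /Disable-Feature /FeatureName:$FeatureName /NoRestart" }
}

"Internet Printing Client: $(Get-InternetPrintingState)"
"$FixKb installed:         $(Test-FixInstalled)"
Get-IppFileVersions
if ((Get-InternetPrintingState) -eq 'Enabled' -and -not (Test-FixInstalled)) {
    Write-Warning "Unpatched and enabled: install $FixKb or run Disable-InternetPrintingClient -Apply"
}
Disable-InternetPrintingClient    # dry run; add -Apply to remove the feature
```

Removing the client only shrinks the attack surface on machines that never print over IPP; the update still belongs on every box, because the vulnerable code can come back with a later feature change or re-image.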

Wow! Two out-of-cycle update postings for Windows in the same month, after 18 months with no updates except for Patch Tuesday releases. What does it all mean?


Oct 24 2008   10:29PM GMT

Out-of-schedule Security Patch Posts to Windows Update



Posted by: Ed Tittel
Desktops, Windows Vista, Windows Vista troubleshooting, Windows Vista Upgrade Advisor, Windows Update, Patch Tuesday, KB958644, MS08-067, Windows Server service

Normally, Microsoft reserves its security patches, fixes, updates, and other software tweaks and maneuvers for the second Tuesday in each month, aka “Patch Tuesday.” Yesterday afternoon I was somewhat surprised to see various sources trumpeting the release of an out-of-schedule security patch through Windows Update on the fourth Thursday in October.

As described in Knowledge Base article 958644 and MS Security Bulletin MS08-067, this update addresses a vulnerability in the Windows Server service. The Server service is a critical component of any modern Windows OS: it answers incoming file- and print-sharing requests over SMB, and it has been part of Windows networking since the LAN Manager days. In fact, this service is called the LAN Manager Server in the “Server service configuration and tuning” article (KB 128167). It’s also managed via a Registry key named LanmanServer in the HKLM\SYSTEM\CurrentControlSet\Services sub-tree.

In short, the Server service is so entrenched in Windows operating systems that even Windows Server 2008 installations that lack a GUI–the so-called “Server Core” minimalist version–can fall prey to this vulnerability. That explains why every Windows OS from Server 2008 and Vista, to Windows XP, Windows Server 2003, and Windows 2000, in 64- and 32-bit flavors, and server and workstation versions, where applicable, is included in this security update.

Why all this hoopla? According to Brian Livingston’s Windows Secrets Newsletter, “this is the first time in 1-1/2 years that Microsoft has released an emergency fix outside of its monthly Patch Tuesday cycle.” The reason is that Microsoft discovered attacks exploiting the flaw through a specially crafted RPC (remote procedure call) request, which needs no user action and so could propagate around internal networks and the Internet on its own. Versions of Windows that predate User Account Control (UAC), such as XP, Windows Server 2003, and all flavors of Windows 2000, are especially susceptible: Microsoft rates the bulletin Critical for them and only Important for Vista and Server 2008, where the attack requires authenticated access by default. At the same time, most AV vendors have also released updates to defend against this kind of attack, but Livingston’s newsletter reports “there are already nine different strains of viruses” that seek to exploit this vulnerability.

As with other patches that replace kernel files, Windows will request you to restart your PC after the patch is installed. In writing the story on this RPC vulnerability for the Windows Secrets Newsletter, writer Susan Bradley also urges administrators and users to reboot their PCs before installing the patch, just to make doubly darn sure the machine will reboot properly once the patch has been installed (the update process requires a successful restart/reboot for the patch to be completely and properly applied). Then when you reboot the machine after installation, you can be reasonably sure it will complete the installation process following a second successful restart.

If you haven’t already installed this patch, please do so now. It only replaces a single Windows file–namely Netapi32.dll–and is therefore unlikely to cause any incompatibility problems, either for server or desktop machines.
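
An added PowerShell example, not from the post or from Microsoft, that serves both this post and the MS09-001 item of Jan 16 2009 above: an exposure check for the Server service. It confirms KB958644 is installed, reports the netapi32.dll version and the LanmanServer service and registry state the post mentions, lists SMB listeners, and checks whether the active Windows Firewall profile is on. Assumptions: English-language netsh advfirewall output on Vista or later, and a fix list that holds only the KB this post names (add the KB number from the MS09-001 bulletin to cover that one too).

```powershell
# Added example (not from the post or from Microsoft): Server service exposure
# check for MS08-067 (KB958644) and, with its KB added, MS09-001.
# Assumes English netsh advfirewall output on Vista or later.

$SmbFixes = @('KB958644')   # add the KB number from the MS09-001 bulletin here

function Get-MissingFixes([string[]]$Kbs = $SmbFixes) {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    @($Kbs | Where-Object { $installed -notcontains $_ })
}

function Get-NetapiVersion {
    # The single file MS08-067 replaces; compare against the KB's file table.
    (Get-Item (Join-Path $env:SystemRoot 'System32\netapi32.dll')).VersionInfo.FileVersion
}

function Get-ServerServiceState {
    # Service status plus the LanmanServer key; Start: 2 = automatic, 3 = manual, 4 = disabled.
    $svc = Get-Service -Name LanmanServer
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
    New-Object PSObject -Property @{ Status = $svc.Status; Start = $reg.Start; ImagePath = $reg.ImagePath }
}

function Get-SmbListeners {
    # TCP sockets for SMB direct (445) and the NetBIOS session service (139).
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    @($ip.GetActiveTcpListeners() | Where-Object { 139, 445 -contains $_.Port })
}

function Test-FirewallOn {
    # Looks for the "State  ON" line of the current profile (output format assumed).
    [bool]((netsh advfirewall show currentprofile) -match '^State\s+ON')
}

$missing   = @(Get-MissingFixes)
$listeners = @(Get-SmbListeners)
"Missing fixes : " + $(if ($missing.Count) { $missing -join ', ' } else { 'none' })
"netapi32.dll  : " + (Get-NetapiVersion)
"SMB listeners : " + $(if ($listeners.Count) { ($listeners | ForEach-Object { "$($_.Address):$($_.Port)" }) -join ' ' } else { 'none' })
"Firewall on   : " + (Test-FirewallOn)
Get-ServerServiceState | Format-List Status, Start, ImagePath
if ($missing.Count -and $listeners.Count -and -not (Test-FirewallOn)) {
    Write-Warning 'Unpatched Server service reachable on TCP 139/445: install the fix or block the ports now.'
}
```

A listener plus an unpatched netapi32.dll is the condition the worms described above look for; the firewall check is a coarse proxy, since an exception for file and printer sharing leaves 445 reachable even with the profile on.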

–Ed–