Tuesday, March 9, 2010

Microsoft Patch Tuesday - March 2010

Eight vulnerabilities are addressed in Microsoft's Patch Tuesday for March 2010, in two security bulletins for remote code execution in Windows and Office. Both are rated Important and affect x86 and x64 versions of Vista and Windows 7, and all supported versions of the Microsoft Office suites for both Windows and Mac OS X.

The IE/Windows Help VBScript vulnerability that can allow remote code execution, published March 1, 2010 as Microsoft Security Advisory (981169), affects Windows 2000, XP and Server 2003. This vulnerability is not yet patched. More information can be found in the advisory. Microsoft is encouraging customers to review the advisory and apply the workarounds where possible until further notice. Machines running Vista, Server 2008, Windows 7, or Server 2008 R2 are not affected.

Microsoft Security Bulletins below with patch information:
Bulletin  | Description                                                                  | Severity  | Software Affected | Impact                | CVE
MS10-016  | Vulnerability in Windows Movie Maker Could Allow Remote Code Execution       | Important | Microsoft Windows | Remote Code Execution | Movie Maker: CVE-2010-0265
MS10-017  | Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution  | Important | Microsoft Office  | Remote Code Execution | Seven CVEs, including CVE-2010-0263 and CVE-2010-0243 (see below)

MS10-016 - The Windows Movie Maker vulnerability is triggered when a user opens a Movie Maker project file. Many organizations probably do not have this software deployed or in use; however, Movie Maker is built in to some versions of Windows Vista, which makes uninstalling it difficult. So even if you are not using Movie Maker, you still need to apply the patch; please search your systems to confirm whether it is installed. What is interesting is that an attacker can simply Google for Windows Movie Maker together with a query such as "running version" and find hosted forums where users post topics asking for help and mentioning the specific (vulnerable) version of Movie Maker they run. An attacker only needs to associate the forum user ID or email address with a target, and a potentially successful attack could then be carried out.

As said before, the more software and services running on a machine, the more opportunity there is for it to be exploited through known and unknown vulnerabilities. If your organization is not using certain software or services, turn them off, uninstall them, and verify that they are not running.

MS10-017 - Seven vulnerabilities in Microsoft Excel are being fixed. It is interesting to see that CVE-2010-0263 was disclosed to Microsoft on July 14, 2009 and is only now being fixed, almost 8 months later. Core Security reported CVE-2010-0243 on September 4, 2009, just over 6 months ago, and it is also being addressed now. The vulnerability itself cannot be exploited against a remotely accessible network service; a user has to open a malicious spreadsheet. However, thinking outside the box, an attacker can produce specifically targeted attacks with the help of the following Google query:

filetype:xls inurl:xls site:.gov

The chart below shows the number of search results, as of March 11, 2010, for Excel spreadsheets hosted under various top-level domains. Spreadsheets can be downloaded by attackers and their metadata analysed (information contained within a document that can reveal the software type, version and platform it was created on, in addition to the user who created it). With this information an attacker can build automated attacks that read document metadata from a target's website and launch targeted email attacks, sending a malicious Microsoft Excel spreadsheet to the target knowing that the host machine has a vulnerable version of Excel, and continue from there.

March 11, 2010:

3,540,000 - .gov
2,280,000 - .com
1,960,000 - .org
1,250,000 - .edu
478,000 - .net
56,800 - .mil
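The metadata exposure described above can be audited from the defender's side before a spreadsheet is published. The following is an added example (not from the original post) that reads the application, version, company and author fields from an OOXML .xlsx (a zip with docProps/app.xml and docProps/core.xml), and blanks them so the published copy reveals nothing about the workstation that produced it. The sample workbook is constructed inline; the older binary .xls format stores the same fields in an OLE2 SummaryInformation stream and is not handled here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the document-properties parts (real, published URIs).
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"

# Parts and element names that identify the producing software and user.
SENSITIVE = {
    "docProps/app.xml": ("Application", "AppVersion", "Company"),
    "docProps/core.xml": ("creator", "lastModifiedBy"),
}

def build_sample() -> bytes:
    """Constructed stand-in for a published .xlsx; only the docProps parts matter here."""
    app = (f'<Properties xmlns="{NS_APP}"><Application>Microsoft Excel</Application>'
           '<AppVersion>12.0000</AppVersion><Company>Example Agency</Company></Properties>')
    core = (f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
            '<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>jdoe</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml", app)
        z.writestr("docProps/core.xml", core)
        z.writestr("xl/workbook.xml", "<workbook/>")   # placeholder workbook body
    return buf.getvalue()

def read_metadata(data: bytes) -> dict:
    """Return the identifying fields an .xlsx exposes in its docProps parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, tags in SENSITIVE.items():
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                local = el.tag.split("}")[-1]          # strip the namespace prefix
                if local in tags and el.text:
                    found[local] = el.text
    return found

def scrub(data: bytes) -> bytes:
    """Copy the zip, blanking the identifying elements before the file is published."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if info.filename in SENSITIVE:
                root = ET.fromstring(payload)
                for el in root.iter():
                    if el.tag.split("}")[-1] in SENSITIVE[info.filename]:
                        el.text = ""               # keep the element, drop its value
                payload = ET.tostring(root)
            dst.writestr(info, payload)
    return out.getvalue()
```

Run read_metadata over every Office document in your web root to see what your own site discloses; the same check also flags documents created with an Office version that is behind your patch baseline.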

Recently, attackers have been using malicious PDF documents that take advantage of the many vulnerabilities found in Adobe Reader and Acrobat in 2009 and so far in 2010. Organizations are now more aware of these malicious PDF attacks; however, precisely because organizations are expecting PDF attacks, the attack vector may shift towards Microsoft Office documents alongside the traditional PDF attacks.

Many people think "why would someone want to attack us?" and "I haven't been attacked before, so why should I worry now?". Attackers have many motives to compromise your network and systems, along with the data stored on them: intellectual property, political reasons, and financial motivations (credit cards stored on your network, bank information, etc.). Attackers are able to do what they do by exploiting vulnerabilities in software. We fix these vulnerabilities through the testing, implementation, and review of patches rolled out to our systems. So the question "why would someone want to attack us?" should be transformed into "why would someone need to attack us?". Usually, people are not targeted because of who they are (although it does happen), but because of what they have.

There is not much you can control about the threat itself, the reasons why you are going to be attacked, so adopt the mindset that you will be attacked, and secure your network and patch accordingly. The patch management process is just one small part of IT security. Security can be seen as insurance (loss avoidance). Sometimes it is required, for example as part of regulatory compliance audits such as PCI, HIPAA, GLBA, etc., but at other times you are left to secure your network as your organization sees fit. Yes, there are enterprise security best practices, but many people do not follow them or forget something. When an attack does happen and you are without security, you are in trouble. A lack of patching and security measures also makes it much easier for the bad guys to get in, and when they do, what is the cost of your data loss: stolen intellectual property, credit card numbers, social security numbers, other personally identifiable information, etc.? Could the data loss or stolen data put you out of business? What about identity theft?

Stephen Geldersma, 
Digital Designs, LLC

Last Updated: 03/11/2010