Risk of the nasty April patching

On April 15, 2011, in Security, by

I thought I’d share my ‘risk of the nasty April’ comments. I wrote these notes up to share with folks on a list, but they are also my cheat sheet notes for the comments I made in the Patch Watch articles I wrote over on www.windowssecrets.com.  Given that some of you guys might wait until the weekend to patch, I figured I’d post these on the blog as well:

I find the MSRC blog and the SRD blog the best resources for today over and above the specific bulletins:

Some facts:

1. You are rebooting.
2. There are extra patches, including one that is an “anti root kit”.
3. What I’m going to focus on is how much we can NOT patch this week.
4. I review the SANS chart — April 2011 Microsoft Black Tuesday Summary:
http://isc.sans.edu/diary.html?n&storyid=10693

So I start out and read that and disagree with them.

IE on a server is not a critical update for me.
SMB client and server: in this space I’m not seeing the immediate risk.
ActiveX kill bits – I prefer to wait.
.NET – no way am I rushing .NET – especially on a server.
GDI and DNS – down here in this space I’m disagreeing with them.

So in conclusion

IE – yes on workstations / no on servers
.NET – no on key machines, no on servers

Mind you, when I say this I will ultimately get all patches installed on servers and on workstations.  I try to never be missing updates, but it’s not always the same week as Patch Tuesday.  Being “fully patched”, in my mind, isn’t the same as making smart decisions about patching and acknowledging that the risk of the patch is sometimes greater than the risk of the vulnerability.

Let’s dig a little deeper and see if I can change my mind on any other updates:

=====================

April 2011 Security Bulletin Release – MSRC – Site Home – TechNet Blogs:
http://blogs.technet.com/b/msrc/archive/2011/04/12/april-2011-security-bulletin-release.aspx

Assessing the risk of the April security updates – Security Research & Defense – Site Home – TechNet Blogs:
http://blogs.technet.com/b/srd/archive/2011/04/12/assessing-the-risk-of-the-april-security-updates.aspx

I will refer to the updates by their security bulletin designations (11-0##), not by KB number (KBblahblah), as that’s how I look at them; translate accordingly.

My lovely friend .NET, 11-028

MS11-028 (.NET)
Attack vector: the victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.NET application to bypass CAS restrictions.
Severity: Critical. Exploitability Index: 1.
Notes: the vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this. Silverlight not affected.

Do not get this NEAR a QuickBooks workstation in a CPA firm prior to 4/19.

The patch I’m most worried about on an SBS box is .NET – that may be a ‘critical patch’, but the attacker gets on your system via browsing.  We do not browse on a server.  This can WAIT.  See also how they say ‘we do not see XBAP exploits in the wild’.  Just because it’s a real critical vulnerability doesn’t mean that someone can build working exploit code.  If they cannot build it, they can’t get you.

We also know now that Win2k8’s .NET patch is causing issues with Exchange 2010 – http://blogs.technet.com/b/exchange/archive/2011/04/15/exchange-2010-management-tools-do-not-start-after-the-installation-of-net-hotfix-kb-2449742.aspx – note that this is Win2k8, not Win2k8R2.  I’ve personally tested the 2k8R2 version of .NET and it did not have issues, but that doesn’t mean we should be rolling this out.

11-018 – IE critical on workstations – not critical on servers (in my opinion).  I will ultimately get this on all machines, just not this week.  Maybe not until next week.

11-019  SMB client – you have to make an outbound connection to a malicious SMB server – more critical on workstations, less so on servers.

11-020  SMB server – if your ports 139 and 445 are exposed to the web, you have bigger problems.  Internal attacker only.  Okay, so maybe a Conficker-ish thing down the road, but nothing for a small firm to worry about at this point in time (in my opinion).

11-027  ActiveX killbits – watch LOB impact – I usually hold back on these to see any old LOB app interaction.

11-028  .NET – little sucker is a pain to install.

Known Issues. Microsoft Knowledge Base Article 2484015 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
The known issue KB is not yet live – translation: the same .NET installation issues we’re used to, we’ll see here.
We’re patching 2/3.5 AND 4, so we’re going to see one, possibly two .NET updates on many of your systems.  Skip them ALL for now; let the dust settle before deploying.

11-031 VBScript/JScript – browsing to a web page.  Again, we don’t surf at the server; more important on workstations.  32-bit platforms unlikely to be exploited for code execution unless running with the /3GB boot option.  << woohoo, another reason to hold back. What /3GB switches do we have around here?
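One way to answer that question across your boxes, as an added example and not code from the original post: it assumes PowerShell 2.0 or later and relies on Win32_Processor.AddressWidth reporting the running OS bitness (it does, even on XP/2003 where OSArchitecture is not available).

```powershell
# Added example, not from the original post: does this box boot with the /3GB
# (increaseuserva) option that the MS11-031 notes call out for 32-bit platforms?
function Test-LargeUserVa {
    # Win32_Processor.AddressWidth reports the running OS bitness (32 or 64),
    # so it works on XP/2003 where Win32_OperatingSystem.OSArchitecture is missing.
    $width = (Get-WmiObject -Class Win32_Processor | Select-Object -First 1).AddressWidth
    $result = New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        Is32BitOS   = ($width -eq 32)
        Source      = 'n/a'
        LargeUserVa = $false
    }
    # On 64-bit Windows the /3GB caveat does not apply, so stop here.
    if (-not $result.Is32BitOS) { return $result }

    $bootIni = Join-Path $env:SystemDrive 'boot.ini'
    if (Test-Path $bootIni) {
        # XP / Server 2003 keep the switch on the OS entry line in boot.ini
        $result.Source = $bootIni
        $result.LargeUserVa = [bool](Select-String -Path $bootIni -Pattern '/3GB' -SimpleMatch -Quiet)
    } else {
        # Vista / 2008 / 7 store it in the BCD as 'increaseuserva <MB>' (bcdedit needs an elevated prompt)
        $result.Source = 'bcdedit /enum'
        $bcd = & bcdedit /enum 2>$null
        $result.LargeUserVa = [bool]($bcd | Select-String -Pattern '^\s*increaseuserva\s+\d+' -Quiet)
    }
    return $result
}

# Run it and flag the hosts where the 32-bit code-execution caveat for MS11-031 actually applies.
$r = Test-LargeUserVa
if ($r.Is32BitOS -and $r.LargeUserVa) {
    Write-Output "$($r.Computer): 32-bit with /3GB (large user VA) enabled via $($r.Source) - move MS11-031 up the list"
} else {
    Write-Output "$($r.Computer): /3GB not in play (32-bit OS: $($r.Is32BitOS), checked: $($r.Source))"
}
```

Run it from an elevated prompt on Vista and later, since bcdedit returns nothing otherwise and the check will report /3GB as not set.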

11-030  DNS link name – attacker sends a malicious link on the same local link – honey, that attacker is going to be hit by my 2×4 first.  I’ll see what sort of mood I’m in as to whether I deploy this one; otherwise I’m not seeing a huge risk this week just yet.

11-032 OpenType font driver – victim using explorer.exe browses to a folder containing a malicious OTF file – which means they have to get ON my network first – Windows XP and Windows Server 2003 are not vulnerable to the shell preview attack vector.

11-026 – victim browses to a website that steals a browser cookie — I don’t surf from a server; more important for workstations.

11-021 Excel – ain’t patching any Excel in the office until 4/19.
Known Issues. Microsoft Knowledge Base Article 2489279 documents the currently known issues that customers may experience when installing this security update.
Points to — Known issue in security update 2466169:

  • After you install this security update, you may have to accept the Microsoft Software License Terms when you start a Microsoft Office XP program. If you do not accept the Microsoft Software License Terms, the Office XP program may not start.

Normal Office patching issues that have been documented before; no biggie.

11-022 – PowerPoint – victim opens a malicious PowerPoint – I’ll put this on a high priority for my Dad; he opens ANYTHING.
Known Issues. Microsoft Knowledge Base Article 2489283 documents the currently known issues that customers may experience when installing this security update. — which points to
Known issues in security update 2464588 — watch your PowerPoint 2003 people:

  • Presentations that are created by using newer versions of PowerPoint and that contain layouts that have background images may cause an error when the presentations are opened in PowerPoint 2003. A message box notifies you that some contents (text, images, or objects) are corrupted. The specific content that is lost is specified in the layout. The lost content is not specified in the actual slide content itself. Items that were removed are displayed as a blank box or as a box that contains the word “cleansed.”

Lovely, huh?  Yeah, good marketing for those selling managed services to showcase why automatic updates should be turned off, huh?

11-023 Excel – again?  Victim opens a malicious spreadsheet – again, not in my office until 4/19.
Known Issues. Microsoft Knowledge Base Article 2489293 documents the currently known issues that customers may experience when installing this security update.
Which points to — Known issues in security update 2509461:

  • After you install this security update, you may have to accept the Microsoft Software License Terms when you start a Microsoft Office XP program. If you do not accept the Microsoft Software License Terms, the Office XP program may not start.

That’s normal Office – not a biggie.

11-029 GDI+ – victim opens a Word doc — Office 2003 and later versions of Office are not affected. Windows Vista and later versions of Windows are not affected.  We run Office 2007, so I’m in “who cares” mode for my Office 2007 as I run Win7 here, but if you run earlier versions decide accordingly.

11-033 WordPad – Windows Vista and later versions of Windows are not affected.

11-034 Win32k – wow, hit the jackpot on this one – 30 of this month’s 64 vulnerabilities are being addressed in this bulletin. More information about the high vulnerability count is in this month’s SRD blog post:
http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx

Obviously this is an enterprise concern here, as an attacker can use a blended vulnerability to wiggle in, walk up the stack and take over the PC without you knowing about it.  Watch the kernel updates — a/v sometimes has issues with them and with rootkitted machines, and I’ve seen cases where kernel updates get offered over and over again.  Older, not-up-to-date a/v will sometimes have issues, so make sure your a/v is up to date BEFORE applying this one… even then you might want to hold back just to make sure there are no bodies.

11-025 DLL preloading on WebDAV … still?  Man, didn’t we just patch that?  Later versions of QuickBooks install that Visual C++ redistributable; if you have multiple versions you may see more than one.  Probably going to see this offered up on our SBS 2011s.  On the server I don’t go to an external WebDAV share and I don’t randomly click, so hold back.
On a workstation with later versions of QuickBooks I’d also hold back a bit just to be sure.

11-024 – fax cover sheet – you should see this on SBS boxes with faxing – they’d have to get on the system first.

Now add to that: we have two security advisories, one of which is a rootkit preventer.
Rootkit preventers = kernel updates = go slow and careful.

http://blogs.technet.com/b/msrc/archive/2011/04/12/april-2011-security-bulletin-release.aspx

Update for the Windows Operating System Loader to help prevent rootkit evasion. In the words of Dustin Childs, senior security program manager, MSRC:

“For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won’t remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit.”

===========

Office File Validation: blocks malware disguised as Office documents. Originally announced in December 2010, Microsoft Office File Validation is now available to Office 2003 and Office 2007 users via Security Advisory 2489299. According to Modesto Estrada, Office program manager:

“This feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats), verifies the contents of the file as it is being read and if it detects an issue, opens the file in Protected View.” For further information visit the Microsoft Office blog.   This one hasn’t come out yet, but the current 2003 and 2007 Office updates lay the foundation for this future file validation feature.  You might want to read up on this one.

——————-

Next up is an additional patch in KB2509470 (like we didn’t have enough already?!) that adds extended authentication to Outlook.  It’s also causing print preview issues.  Another marketing plug for managed services and for having you control updates.

And don’t forget, if you have Win7, SP1 is up there being offered up, as well as IE9.

Of all the patches I’d probably rush only the IE patch; run tests on the rest, and certainly don’t deploy that .NET one yet.
