Within hours of Microsoft's critical patch release Tuesday, security experts were banging the alarm bell with a...
Marc Maiffret, chief hacking officer of Aliso Viejo, Calif.-based eEye Digital Security, sent this message to the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies: "All in all… it's a nasty time in IT between the two very critical remote SYSTEM Microsoft flaws released… and the Cisco IOS shellcode exploits floating around. You better be paying attention to your security."
Then Glendale, Calif.-based Panda Software sent out this statement: "In recent years, the month of August has seen a series of alerts caused by the propagation of malicious code, which have in some cases caused serious damage to IT systems." Panda offered up these examples: the Sircam and CodeRed attacks of August 2001, the Mimail, Blaster and Sobig-F attacks of August 2003; and the Bagle-AH, Mydoom-N and Bagle-AM worms that came along during the "black period" of August 2004.
Are these warnings simply hype to sell the latest security products? Or are they a prudent response to cyberthreats that have clearly gotten grimmer this past year? Users asked for their opinions seemed to lean toward hype. But in the end, a little FUD may be necessary to save IT professionals from complacency.
Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain, said in an e-mail interview that it should surprise no one that some security vendors "may use the media frenzy to their business advantage."
But, he added, "In today's security world, every possible attack angle must be taken into account and researched. Security professionals have to be right 100% of the time while the attackers only have to be right once. Companies hope for the best-case scenario, yet must prepare for the worst. Each company must examine its current security posture and then set the alarm bell threshold accordingly."
One reason IT shops may want to set the threshold high this month is that exploit code is already circulating for flaws outlined in four of the six bulletins Microsoft released Tuesday.
"The vulnerabilities addressed in MS005-038, MS005-039, MS05-040 and MS05-043, all covered in this month's Fat Tuesday festivities… have fallen victim already to publicly released exploits," George Bakos, a handler for the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote in his shift diary Friday. "I haven't built or tested any of it, so I can't personally vouch for the effectiveness [of] any of it, but if it isn't working as intended you can bet it will be shortly. Patch up, folks."
Some of that exploit code was outlined Friday in several advisories from the French Security Incident Response team (FrSIRT).
As far as Maiffret is concerned, the two most critical patches to install are MS05-039,which fixes flaws in the Plug and Play program, and MS05-043, which fixes an unchecked buffer in the Printer Spooler service. Both programs are embedded in Windows and attackers could exploit the vulnerabilities to take complete control of affected systems.
"MS05-039 is a remote RPC vulnerability that can lead, in some configurations, to remote SYSTEM compromise or at least local SYSTEM privilege escalation," he said in the posting to Shavlik's patch management forum. "This is a very easy-to-exploit vulnerability. The time to reverse engineer this patch and find the vulnerability to exploit should only be a few hours (it took us an hour, as we didn't report the bug). There is a good chance you will see exploits for this within the next few days and if someone is bent out of shape this would be easy for them to base a worm on." The risks are similar with MS05-043, he said.
That assessment, made Tuesday, proved correct, and Microsoft has since issued an advisory acknowledging the exploit code for the Plug and Play flaw.
Nobody's panicking -- yet
Asked what he makes of all this, Eric Case, support systems analyst for the University of Arizona's Department of Chemical and Environmental Engineering, said in an e-mail exchange that he's "a little worried about the holes that now have exploits in the wild," but isn't about to panic. Of course, that may change when students return soon.
"As a university, we're a big target and the students come back next week and classes start on the 22nd," he said. "So I'm more worried about the infected/exploited laptop[s] that are about to descend on campus. I can patch all the faculty, staff, lab machines but I won't see the students' laptops until after they're on the wire."
John Gehrke, a systems administrator for the U.S. Geological Survey's Denver, Colo.-based Branch of Quality Systems, expressed confidence in an e-mail interview that the right tools are in place to protect his department.
"I myself do certain things like run IE through Freedom Websecure's proxy, so that tends to filter out some potential crud," he said. "And, of course, we have current antispyware, antivirus, port monitoring, system file integrity checks and so on, so normally I have some idea of what could slip in to a local network -- hopefully!"
Towles said he's keeping a wary watch on the Internet Explorer flaws that were patched Tuesday, but he isn't panicking, either. After all, he said, any experienced IT administrator knows what it takes to minimize the threat.
"The vulnerabilities were serious and the quick release of exploit code only drove home that point," he said. "However, by utilizing proxy servers and advanced Web content filtering software, the threat of those vulnerabilities can be reduced. This is a perfect example of the 'defense-in-depth' security approach."
Indeed, the Plug and Play vulnerability could potentially be crafted into a Sasser-type worm in the near future, he said. But if that happens, he added, "The global impact will most likely not reach Sasser's epidemic proportions. Patch administrators learned a hard but valuable lesson from the CodeRed and Sasser worms. Patch management is no longer viewed as a luxury. It is now viewed as a necessity."