Never underestimate the power and effectiveness of simplicity when it comes to protecting your computing systems.
Criminals love simplicity -- they attack what is not protected. Why break a locked window when one can walk through an unlocked door? A system lacking security updates is like walking through the front door.
For this month's column, I will provide guidance on a straightforward method of deploying security updates to help you protect your systems. In addition, I will share information about two new programs. The first is the Exploitability Index, an additional aid for your risk assessment. The second is the Microsoft Active Protections Program (MAPP), in which we have collaborated with industry partners to help you protect systems from evolving security threats. First, however, I will review each of the bulletins in this month's release to help you understand them for your risk assessment and deployment strategies.
The October 2008 bulletin release has eleven new security bulletins: four rated as critical, six rated as important and one rated as moderate.
This bulletin, which is rated moderate, addresses a vulnerability in Microsoft Office that could allow for information disclosure. This vulnerability only affects Microsoft Office XP Service Pack 3. The information disclosure would occur if a user clicks on a specially crafted Collaboration Data Objects (CDO) URL. The security update addresses the vulnerability by unregistering the CDO protocol.
This bulletin addresses a remote code execution vulnerability in Microsoft Excel that is triggered when a user opens a specially crafted Excel file. It is rated critical, but only for Excel 2000 Service Pack 3; for the other affected versions the vulnerability is rated important. In addition, users who have installed the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save or Cancel before a document is opened.
This bulletin addresses several remote code execution vulnerabilities in Internet Explorer and is rated critical. A few points will help with your risk assessment. First, two of the vulnerabilities do not affect Internet Explorer 7. Second, best practice is to browse the Internet from servers minimally, if at all; where that is not feasible, there are protections that can mitigate exploitation of these vulnerabilities on a server. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. The benefits of Enhanced Security Configuration are best described directly from MSDN online: "Automatic detection of intranet sites is disabled. ActiveX controls, script, and the Microsoft virtual machine (Microsoft VM) cannot be used from any Internet website. Additionally, files cannot be downloaded from these sites. If a crucial website requires this functionality, the site can be added to the Trusted sites zone or the Intranet zone to increase privileges." Lastly, there are many other mitigations to consider, which are detailed in the bulletin.
This bulletin addresses a remote code execution vulnerability in the SNA Remote Procedure Call (RPC) service for Host Integration Server. While it is rated critical and should be applied as soon as is feasible, there are mitigating factors to note. The initial installation of Host Integration Server prompts the administrator to designate a default account; if the administrator follows best practice and configures a low-privileged account, the impact of the vulnerability is reduced. In addition, disabling the SNA RPC service is an effective workaround. Please see the bulletin for additional mitigations and workarounds.
This bulletin addresses a remote code execution vulnerability rated critical for Windows 2000 servers configured as domain controllers. On a domain controller, Active Directory is enabled and accepts Lightweight Directory Access Protocol (LDAP) requests; a specially crafted LDAP request could result in remote code execution. The same specially crafted messages also apply to LDAP over SSL (LDAPS). As you have probably already gathered, only Windows 2000 is affected by this vulnerability.
This bulletin, which is rated important, addresses elevation-of-privilege (EoP) vulnerabilities in the Windows kernel. They can only be exploited locally with valid logon credentials; that is, an attacker would first have to log on to the system with a username and password. The vulnerabilities cannot be exploited remotely.
The Microsoft Internet Printing Protocol (IPP) implementation on Windows servers running IIS has a remote code execution vulnerability, which is rated important. It can only be exploited by an authenticated user, and in some default configurations you may not be vulnerable: installations of IIS on Windows Server 2003 and Windows Server 2008 are not vulnerable in their default configuration. The systems would be exposed, however, if Internet Printing is configured at a later date.
A vulnerability in the Server Message Block (SMB) protocol could allow remote code execution and is rated important. The first step in understanding this vulnerability is realizing that it can only be exploited by someone who already holds credentials to log on to the system. Secondly, the attacker must know the target host's IP address, NetBIOS computer name and port number in order to send the malicious traffic. Lastly, to minimize your exposure, the SMB ports (TCP 139 and 445) should be blocked at the perimeter from the Internet and from any network traffic originating outside the enterprise.
This bulletin addresses a vulnerability in the Virtual Address Descriptor (VAD) that could allow an elevation of privilege and is rated important. A person must be authenticated with logon credentials in order to exploit this vulnerability. VAD, by the way, gives applications their own private address space and is managed by the memory manager.
MS08-065 addresses a remote code execution vulnerability in Microsoft Message Queuing (MSMQ) on Windows 2000 systems; the bulletin is rated important. The MSMQ service does not correctly parse specially crafted RPC requests. There are two things to keep in mind for your deployment. First, the Message Queuing component is not installed by default and can only be enabled by a user with administrative privileges. Second, MSMQ is a store-and-forward technology, and you may have solutions in which it sits between a front-end client and a back-end server. Therefore, applying this update without testing it first could impact applications in your environment that depend on MSMQ.
As you probably have gathered up until this point, a good number of these vulnerabilities are elevation-of-privilege vulnerabilities. MS08-066 follows suit. This bulletin addresses an elevation-of-privilege vulnerability in the Microsoft Ancillary Function Driver and is rated as important. A person must have valid logon credentials and be able to log on locally to exploit a vulnerable system.
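The bulletin review above names several configuration-level mitigations: Internet Explorer Enhanced Security Configuration on servers, disabling the Host Integration Server SNA RPC service, whether Internet Printing is configured in IIS, blocking the SMB ports at the perimeter, and whether Message Queuing is installed at all. The script below is an added example, not code from this column or from Microsoft, that audits one server for those items so you know which bulletins matter before you deploy. The SNA RPC service name and the IIS WMI class and path pattern are assumptions made for the example; the Active Setup GUIDs for IE ESC and the SMB port numbers are standard.

```powershell
# Added example, not code from the column. Audits the local server for the
# mitigations and workarounds called out in the bulletin review above:
# IE Enhanced Security Configuration, the Host Integration Server SNA RPC
# service, Internet Printing in IIS, SMB exposure, and Message Queuing.
# Run in an elevated PowerShell session on the server being assessed.
# Items marked "assumed" are assumptions for this example, not facts from the column.

function Get-IeEscState {
    # IE ESC is registered as two Active Setup components: ...A7... governs
    # Administrators and ...A8... governs Users. IsInstalled = 1 means enabled.
    $base  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components"
    $admin = Get-ItemProperty "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue
    $users = Get-ItemProperty "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue
    $a = "DISABLED"; if ($admin -and $admin.IsInstalled -eq 1) { $a = "enabled" }
    $u = "DISABLED"; if ($users -and $users.IsInstalled -eq 1) { $u = "enabled" }
    "IE Enhanced Security Configuration: Administrators=$a Users=$u"
}

function Get-ServiceState {
    param([string]$Name, [string]$Label)
    # WMI reports both the run state and the start mode; Get-Service alone does not.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($svc) { "$Label [$Name]: State=$($svc.State) StartMode=$($svc.StartMode)" }
    else      { "$Label [$Name]: not installed" }
}

function Get-InternetPrintingState {
    # Internet Printing publishes a /Printers virtual directory in IIS. This asks the
    # IIS 6 WMI provider (assumed present: native on IIS 6, needs IIS 6 management
    # compatibility on IIS 7); the class and the path pattern are assumptions here.
    $vdirs = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebVirtualDirSetting -ErrorAction SilentlyContinue
    $printers = @($vdirs | Where-Object { $_.Name -like "*/ROOT/Printers" })
    if ($printers.Count -gt 0) { "Internet Printing: ENABLED (" + $printers[0].Name + ")" }
    else { "Internet Printing: not configured in IIS (or IIS WMI provider unavailable)" }
}

function Get-SmbListeners {
    # SMB uses TCP 445 (direct hosting) and TCP 139 (NetBIOS session service).
    # A listener is normal for a file server; the bulletin's mitigation is to block
    # these ports at the Internet perimeter, which a host-local check cannot confirm.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $ports = @($props.GetActiveTcpListeners() | ForEach-Object { $_.Port } |
              Where-Object { $_ -eq 139 -or $_ -eq 445 } | Sort-Object -Unique)
    if ($ports.Count -gt 0) {
        "SMB: listening on TCP " + [string]::Join(", ", [string[]]$ports) + " - confirm 139/445 are blocked at the perimeter"
    } else { "SMB: no listener on TCP 139/445" }
}

function Get-MitigationReport {
    "Mitigation audit for $env:COMPUTERNAME"
    Get-IeEscState
    Get-ServiceState -Name "SnaRpcService" -Label "HIS SNA RPC service (service name assumed)"
    Get-ServiceState -Name "MSMQ" -Label "Message Queuing"
    Get-InternetPrintingState
    Get-SmbListeners
}

Get-MitigationReport
```

Read the output against the bulletins: a server with ESC disabled for Administrators is the one where the Internet Explorer update should go first; a host where SnaRpcService or MSMQ is "not installed" is not exposed to those bulletins; and "Internet Printing: ENABLED" on a 2003 or 2008 server means the default-configuration mitigation for the IPP bulletin no longer applies.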
While there are 11 security updates being released this month, update management for 100 systems can be the same as for 1,000 systems through a one-to-many strategy. Microsoft offers a free management system, along with prescriptive guidance, to deploy security updates in your computing environment: Microsoft Windows Server Update Services (WSUS). With WSUS, depending on the hardware, tens of thousands of machines can be managed by one WSUS server. An administrator can target specific computers and groups of computers, and can audit compliance information for a specific update. Finally, WSUS can update a wide array of products such as Windows, SQL Server and Exchange Server, to name a few. I have barely scratched the surface, so I encourage you to find out more about Windows Server Update Services to help you simplify your deployment of security updates.
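The target-group and compliance-audit workflow just described can be driven from the WSUS 3.0 administration API. The script below is an added example, not code from this column or from Microsoft, that approves the month's security updates for a pilot computer target group and then tallies that group's installation state per update. It requires the WSUS administration console on the machine running it (the console installs the Microsoft.UpdateServices.Administration assembly). The server name, port, target-group name and dates are assumptions chosen for the example.

```powershell
# Added example, not code from the column. Approves security updates that arrived
# after the October release for a pilot WSUS target group, then tallies the group's
# installation state per update. Server, port, group and dates are assumptions.
param(
    [string]$WsusServer     = "wsus01",          # assumed WSUS server name
    [bool]$UseSsl           = $false,
    [int]$Port              = 80,                # 80 on the default web site, 8530 on a custom WSUS site
    [string]$TargetGroup    = "Pilot Servers",   # assumed computer target group
    [datetime]$ArrivedAfter = "2008-10-13",      # the day before the October 14, 2008 release
    [switch]$ReportOnly                          # tally compliance without approving anything
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup }
if (-not $group) { throw "Computer target group '$TargetGroup' not found on $WsusServer" }

# Scope the query to unapproved Security Updates that synchronized after the release.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates  = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$scope.FromArrivalDate = $ArrivedAfter
$securityClass = $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq "Security Updates" }
if (-not $securityClass) { throw "The Security Updates classification is not synchronized on $WsusServer" }
[void]$scope.Classifications.Add($securityClass)

# Computer target IDs in the pilot group, used to filter per-computer state below.
$members = @{}
foreach ($target in $group.GetComputerTargets()) { $members[$target.Id] = $target.FullDomainName }

foreach ($update in $wsus.GetUpdates($scope)) {
    $bulletins = [string]::Join(",", [string[]]@($update.SecurityBulletins))

    if (-not $ReportOnly) {
        # Some updates carry an EULA that must be accepted before approval succeeds.
        if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
        [void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
    }

    # Tally installation state (Installed, NotInstalled, Failed, ...) for pilot-group members only.
    $tally = @{}
    foreach ($info in $update.GetUpdateInstallationInfoPerComputerTarget()) {
        if ($members.ContainsKey($info.ComputerTargetId)) {
            $state = $info.UpdateInstallationState.ToString()
            $tally[$state] = 1 + $tally[$state]
        }
    }
    $parts = @($tally.Keys | Sort-Object | ForEach-Object { "$_=" + $tally[$_] })
    "{0,-9} {1,-9} {2}" -f $bulletins, $update.MsrcSeverity, $update.Title
    "          " + [string]::Join(" ", [string[]]$parts)
}
```

Run it first with -ReportOnly to see what would be approved and how the pilot group currently stands, then without it to approve; re-run with -ReportOnly after the clients' next detection cycle to watch the Installed count climb and Failed stay at zero before approving the same updates for the production groups.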
There are two new programs that have been released to help you protect your computing environment from emerging security and privacy threats. These are the Microsoft Exploitability Index and the Microsoft Active Protections Program (MAPP).
The Microsoft Exploitability Index provides additional information to help you with your risk assessment: guidance on the likelihood that functional exploits will be developed for the vulnerabilities addressed by Microsoft security updates. The index is part of the security bulletin summary, and each vulnerability receives one of three ratings: 1, consistent exploit code likely; 2, inconsistent exploit code likely; 3, functioning exploit code unlikely. Microsoft has provided further information about the Exploitability Index.
The Microsoft Active Protections Program (MAPP) is a new program that will provide vulnerability information to third-party security software providers that offer security protection, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or security software signatures. Microsoft has provided detailed information about MAPP.
I have covered the straightforward method by reviewing Microsoft Windows Server Update Services (WSUS) to help you simplify your deployment of security updates. In addition, I have offered insights into each bulletin to help you focus on the important mitigations. Finally, I was excited to offer information about the new programs we just released.
In closing, please take a moment and register for our regular monthly security bulletin webcast, which will be held on Wednesday, Oct. 15, at 11 a.m. PDT.
Christopher Budd and Adrian Stone will review information about each bulletin to further aid in your planning and deployment. Immediately following their review session, they will answer questions with information from our assembled panel of experts. If you are not able to view the live webcast, it will also be available on demand.
In addition, please take a moment and mark your calendars for the November 2008 monthly bulletin. The release is scheduled for Tuesday, Nov. 11 and the advance notification is scheduled for Thursday, Nov. 6. Look for the November edition of this column on release day with information to help you plan and deploy the most recent security bulletins.