
Install Microsoft IE, RPC patches first, experts say

By Bill Brenner, Senior News Writer
10 Oct 2007 | SearchSecurity.com

Security Wire Daily News

For IT administrators still trying to determine which of Microsoft's October 2007 security updates to deploy first, patch management experts have this suggestion: Worry about the Internet Explorer (IE) and RPC flaws first, then deal with the rest.


Since the IE Web browser is used by just about everyone on the planet, attackers are most likely to go after the flaws outlined Tuesday in Microsoft's MS07-057 bulletin, which fixes four different flaws, the most serious of which could allow remote code execution if a user views a specially crafted Web page using IE. Microsoft rated the security update as moderate for Internet Explorer 6 and 7 on Windows Server 2003 and critical for all other supported releases of IE.

"Given that IE is so prevalent in the workplace, every time there's a critical issue we recommend people put that high up the list," said Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based Lumension Security. "Employees can be on what they think is a secure page when they are not [and] hackers can spoof trusted information. Some interesting hacks could come out of this."

In addition to deploying the MS07-057 fixes, he suggested that as a best practice IT administrators ensure their users are set up in trusted zones within IE, so that scripting is disabled if they end up on an untrusted Web site.

Amol Sarwate, research manager of the vulnerability research lab at Redwood Shores, Calif.-based Qualys, said the IE fix should be top priority because it addresses two zero-day issues. He said the spoofing flaw can be used for phishing attacks.

"[The flaw] enables an attacker to write malicious code that leads a victim to a Web site that looks legitimate, from the content all the way down to the address bar URL address," he said in an email. "Instead, it's a landing page where the hacker can phish for information that can be used to compromise their machine and, more specifically, their identity."


Eric Schultze, chief security architect at Shavlik Technologies LLC in Roseville, Minn., thinks attackers are more likely to launch exploit code for one of the two flaws Microsoft rated "important." MS07-058 fixes a denial-of-service flaw in the remote procedure call (RPC) facility due to a glitch in how the program communicates with the NTLM security provider when performing authentication of RPC requests. This affects all supported editions of Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

"The RPC denial-of-service is the one I think corporate administrators should install first, because I expect we'll see exploit code for this shortly," he said in an email.

Microsoft security updates are typically followed by reports of deployment trouble in some IT shops. After the May patch release, for example, various blogs and discussion boards were full of reports about everything from DNS service failures to Windows Server Update Services (WSUS) malfunctions.

Some minor problems with the October updates have been reported so far.

Schultze noted that Microsoft forgot to digitally sign its Malicious Software Removal Tool for x64 systems. "This is the first month they've offered an x64 version of this tool," he said. "Forgetting to sign it is a very bad move on Microsoft's part."

Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., said she's proceeding with caution on MS07-059, which fixes a flaw in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. Microsoft said attackers could exploit the flaw to run a malicious script and gain elevated privileges within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. The vulnerability could also allow an attacker to run arbitrary script to modify a user's cache, resulting in information disclosure at the workstation.

Asked if she was running into any patching issues, Bradley said in an email, "The Sharepoint 3.0 patch has a list of watch-outs a mile long. I wouldn't be rushing to get that sucker out but would be backing up my Sharepoint first."

Edward Ziots, a Rhode Island-based network engineer, reported smooth patching so far, though his department is still in the testing phase.


