Thursday, July 10, 2008

July Patch Cycle Elicits Some 'Critical' Opinions

On its face, today's July patch release from Microsoft seems to be a light one. There are no "critical" or "moderate" ratings this time. All four items are deemed "important."

But the rollout is not without controversy among some IT pros who think some of these hotfix designations may be off the mark. It's possible that some of the nine identified vulnerabilities may be a lot more "critical" than Redmond lets on, they say.

"The biggest beef I have with this month's group of patch releases is the classification of vulnerabilities that Microsoft has chosen to use. In some cases, it's rather absurd," opined Eric Schultze, chief technology officer of Minnesota-based Shavlik Technologies. "In the case of [SQL Server], Microsoft calls this 'Important,' but the attacker can 'execute code of the attacker's choice.' Microsoft doesn't label this as 'code execution', but rather as 'escalation of privilege', because the attacker must be an 'authenticated' attacker."

Referring to the first patch on the rollout slate pertaining to SQL, Schultze jokingly says it's as if the security staff at Microsoft is saying, "Raise your hands, who's an 'authenticated' hacker?"

"It sure seems like Microsoft is rewriting their definitions this month," he added. "They've downgraded 'code execution' attacks if the attacks happen to come from 'authenticated users.' And it's no longer called 'code execution,' it's called 'privilege escalation.' I can see where Microsoft is coming from, and it's a very rosy side of Redmond."

This month's patch addresses an assortment of exploit risks, with two elevation-of-privilege vulnerabilities, one spoofing vulnerability and one relating to remote code execution (RCE) threats. The RCE exploits were a major issue last year, and continue to be so six months into this year as well.

The first important fix is timely, security experts agree, as it deals with SQL Server. With an elevation-of-privilege attack, hackers can gain back-door access into the database and change fields to configure user access parameters, giving themselves unlimited access.

Tuesday's SQL patch affects the following releases of the database and server software program: SQL Server 7.0 Service Pack 4, SQL Server 2000 for Itanium systems and all versions of SQL Server 2005 SP2.

Other applications fixed with this SQL patch include the following: Microsoft Data Engine 1.0 SP4, SQL Server 2000 Desktop Engine SP4, SQL Server 2005 Express Edition SP2 and SQL Server 2005 Express Edition with Advanced Services SP2.

On the operating system side, the SQL patch affects Windows 2000 Service Pack 4 and Windows Server 2003 SP1 and SP2, including both 64-bit editions. Also affected is Windows Internal Database (WYukon) for all versions of Windows Server 2008, except for Itanium processor-based systems.

The second important fix is designed to resolve a publicly reported vulnerability in Windows Explorer. The vulnerability could allow a hacker to remotely take complete control of an enterprise system via a corrupt saved-search file in Windows Explorer. However, some security pros were puzzled by the "important" rating it received.

"I'm surprised that Microsoft labeled the Saved Searches in Windows Explorer vulnerability as remote code execution and gave it an 'Important' rating," said Tyler Reguly, a security engineer at San Francisco-based nCircle. "As far as I'm concerned, this is a minor issue and is likely to affect very few people. Not many people browse the 'net looking for Saved Searches. I wonder if they increased the risk slightly because this vulnerability only applies to their newest operating systems, Vista and (Windows Server) 2K8."

This update blocks potential RCE exploits in all versions of Windows Vista and Windows Server 2008.

Fix No. 3, according to Redmond, is meant to stave off spoofing, in which an attacker masks Internet Protocol configurations under false pretenses to gain illegal entry into a secure system. The patch is being released in response to two privately reported vulnerabilities in the Windows Domain Name System that could allow spoofing. This patch affects the following infrastructure: client- and server-side updates for Windows 2000 SP4; client updates for multiple versions of Windows XP; client- and server-side updates for Windows Server 2003; and server-side updates for all versions of Windows Server 2008 except those running on an Itanium-based system.

The final fix is one that network and systems administrators will definitely need to look at, according to security pros. It involves Exchange Server, supporting e-mail, task scheduling, instant messaging and Web traffic flow. The update addresses "two newly discovered and privately reported vulnerabilities" in the Outlook Web Access component of Microsoft Exchange Server, according to Redmond. Those holes could give hackers control of user session data, among other things.

In this case, elevation of privilege is the relevant exploit. A hacker could do damage by shutting down Exchange Server, redirecting traffic or stealing large e-mail lists.

"Both SQL Server and Exchange can be high-value targets and these vulnerabilities could be considered Critical depending on the organization," said Don Leatham, director of solutions and strategy at Lumension Security in Scottsdale, Ariz. "Many corporations hold not only their basic business information, but also their customer/patient data and critical intellectual property in Microsoft SQL Server databases, or transmit these types of data via Microsoft Exchange Servers."

Security experts say companies that depend heavily on SQL and Exchange Servers to manage and store customer/patient data and intellectual property should evaluate the criticality of these updates and even possibly address them as if they were a "critical"-level security update.

All four fixes will require a restart to take effect.

In addition, Redmond is pointing users to this knowledgebase article for a list of all of the Windows Server Update Services and Windows Update upgrades that will come out this month. Such items will include an update to the dynamic installer function in Internet Explorer, the Windows Mail Junk E-mail feature and a nonsecurity update for Windows Server 2008.
