Guest blog from Amol Sarwate, Manager of Vulnerability Labs for Qualys.
Microsoft released today fixes for a total of eight security bulletins, out of which two are marked as critical and the rest are marked as important.
The highest priority should be given to MS11-081 which patches a code execution vulnerability in Internet Explorer. The exploit occurs when a victim uses IE to browse a malicious website. High priority should also be given to MS11-078 which fixes a vulnerability in Microsoft Silverlight and the .NET framework. This vulnerability is also exploited when a victim browses a malicious website with a Silverlight enabled browser.
The rest of the six bulletins are classified below. In our opinion they can be scheduled after the critical bulletins are patched:
Two DLL preloading issues were fixed by MS11-075 and MS11-076. More information about DLL preloading and workarounds can be found in advisory 2269637 from last year. Two local EoP issues were fixed in win32k.sys and AFD.sys by MS11-077 and MS11-080. To exploit these issues, attackers already need to have access to the target systems to gain higher privileges. Two patches were released for less pervasive technologies, namely Forefront Unified Access Gateway and Host Integration Server. In our opinion, the exposure for this is very low, but if your corporation uses these technologies, then patching is recommended.
Although eight bulletins were released, we do not expect this month's release to generate a heavy load on administrators who are responsible for patching.
Today at the RSA Europe 2011 conference Microsoft released their new Security Intelligence Report (SIR) report covering January to June 2011. As in previous editions it analyzes massive amounts of data form both the consumer and enterprise edition of Microsoft security tools such as the MSRT, MMPC, Security Essentials and Forefront.
Interestingly this edition contains a new section "Zeroing in on Malware", an analysis on the ways malware propagates between machines. This section, based on the MSRT data, is a welcome addition, as we security professionals frequently focus on the clever evasion techniques and sophisticated communication structures of the latest malware, rather than on the fundamental question: How does the malware get on the machine and how can we reduce the occurrences of these infections?
Microsoft lists the top 3 scenarios as:
User Interaction - the user actively participates in the infection process, by opening an e-mail, or browsing to a malicious site or even installing a program that has a malware part embedded (Fake Anti-Virus, Games, Media, Productivity software come to mind)
Autorun Infections - the user inserts an infected USB drive (memory stick, SD card, picture frame, etc) into the computer and the Operating system automatically installs the included "AUTORUN" program which contains malware. Similar behaviour can be triggered by infected network shares.
Drive-by-Downloads - the user browses a web site that contains code that attacks a weakness in the browser or in the installed plug-ins and installs malware on visitor's PC
The good news is that there are stable and mature technologies that address the above scenarios that we can deploy to make the life of an malware significantly harder. At Qualys, we call this "Software Hygiene", practices and configuration settings that prevent a large percentage of common attacks, the US DoD calls it "Cyber Hygiene", and the Australian Government calls it more prosaic "Mitigation Strategies" :
User Interaction: the most straightforward solution seems to be user education, but there is a technology solution as well: not allowing your users to run as "admin" on the workstation will prevent them from installing the majority of malware. Pair this restriction with an "AppStore" approach to software installation where users can find approved and verified software packages for their professional and personal needs and you have a solution that addresses most users' needs.
Autorun infections: install the Microsoft provided patches for Windows that disable AUTORUN for non-CD-ROMs or disable them through the registry. Microsoft included these patches in their February 2011 patch release and are pointing to some significant drops of the propagation of "autorun" malware, in some cases over 65%.
Drive-by-downloads: The first level of defense against Drive-bys is to be fully patched as the attacks mostly target vulnerabilities that have a patch available already. Using the latest version of the software attacked usually means additional robustness against attacks - IE9 is better than IE6, Adobe Reader X is better than Adobe Reader 9 (or 8, which is as of this month unsupported) and Office 2010 is much more robust than Office 2007 or 2003. BTW, the most attacked plug-ins in H1 2011 has been Java, followed by Adobe Flash, making them the top 3rd party software to update on your workstations, if you need them at all.
0-day vulnerabilities play only a very small role in the propagation of the malware families Microsoft analyzed. This is not really a surprise as 0-days are a much too expensive component to be included in mass-malware, which tend to use older, well understood vulnerabilities for propagation.
It would be interesting to analyze how initial malware infections (i.e. the patient Zero) in a company occur. Unfortunately that requires extensive forensic analysis of the affected targets, something that is not within Microsoft's reach and was thus not the focus of this report. However, we can still reason that the "autorun" vector will lose of its effectiveness and that exploitation through web browsing (i.e. ExploitKits) and through e-mail conatinign attachments and links will become major sources.
I often hear that companies cannot update software due to their internal polices and business applications that require using older software versions, particularly IE6 (still in use at over 45% of our customers) and Java. With the growth of recent attacks and associated data breaches, this is the right time to bring this discussion to the forefront and invest new resources into an automated and comprehensive patching program. Let me know your thoughts on how you have managed to implement your program or what are the challenges you faced when embarking on such a mission within your organization.
BTW, we will talk about a similar subject later this week at RSAC Europe: "SPO-209 Enterprise Patching - Best Ways to Proactively Protect Against Threats". If you are in London, please come by and discuss with us, either during/after the talk or later over a beer at the pub across the street.
Next week's October Patch Tuesday looks to be a light to medium sized release, with eight bulletins, two of which are critical. Top priority should be given to the remote code execution patch for all versions of Internet Explorer (including 9, the most modern version of IE on Windows 7). The other critical higher priority remote code execution patch affects the Microsoft .NET Framework and Microsoft Silverlight.
The remaining six bulletins are for Windows itself and a number of less pervasive Microsoft technologies, such as Forefront and the Host Integration server. They are all rated as important and not all of them apply to all configurations. IT administrators will have to evaluate to what degree they affect their networks, servers and workstations.