Microsoft Black Tuesday Overview October 2011

Published: 2011-10-11,
Last Updated: 2011-10-11 18:20:21 UTC
by Swa Frantzen (Version: 2)

Overview of the October 2011 Microsoft patches and their status.

Each bulletin below lists the affected component, a summary, the CVE(s), the KB article, known exploits, the Microsoft rating (severity and worst exploitability index, see **) and the ISC rating for clients and for servers (see *).

MS11-075 - Active Accessibility
  A vulnerability allows arbitrary code execution with full system rights through loading a hostile library from a WebDAV network share. Related to SA 2269637.
  CVE: CVE-2011-1247
  KB: 2623699
  Known exploits: none publicly known
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Critical, servers Important

MS11-076 - Media Center
  A vulnerability allows arbitrary code execution with full system rights through loading a hostile library from a network location. Related to SA 2269637.
  CVE: CVE-2011-2009
  KB: 2604926
  Known exploits: exploits are trivial to find on the Internet
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Critical, servers Less Urgent

MS11-077 - Windows drivers
  Multiple vulnerabilities in Windows kernel-mode drivers allow denial of service, privilege escalation and arbitrary code execution. Replaces MS11-054.
  CVE: CVE-2011-1985, CVE-2011-2002, CVE-2011-2003, CVE-2011-2011
  KB: 2567053
  Known exploits: none publicly known
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Critical, servers Important

MS11-078 - .NET Framework, Silverlight
  A vulnerability in .NET (XAML browser applications) and Silverlight allows arbitrary code execution with the rights of the logged-on user. Also affects IIS servers configured to process ASP.NET pages. Replaces MS09-061, MS10-060 and MS10-070.
  CVE: CVE-2011-1253
  KB: 2604930
  Known exploits: none publicly known
  Microsoft rating: Severity Critical, Exploitability 1
  ISC rating: clients Critical, servers Critical

MS11-079 - Forefront Unified Access Gateway (UAG)
  Multiple vulnerabilities in Forefront Unified Access Gateway allow denial of service, privilege escalation and arbitrary code execution with the rights of the logged-on user. Both the client and the server components are affected; the impact is greater on the clients.
  CVE: CVE-2011-1895, CVE-2011-1896, CVE-2011-1897, CVE-2011-1969, CVE-2011-2012
  KB: 2544641
  Known exploits: none publicly known
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Critical, servers Important

MS11-080 - Ancillary Function Driver (AFD)
  An input validation vulnerability in the afd.sys driver allows privilege escalation. Replaces MS11-046.
  CVE: CVE-2011-2005
  KB: 2592799
  Known exploits: none publicly known
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Important, servers Less Urgent

MS11-081 - Internet Explorer
  The usual monthly collection of vulnerabilities in Internet Explorer. Cumulative patch; all versions from IE6 to IE9 are affected. Replaces MS11-057.
  CVE: CVE-2011-1993, CVE-2011-1995, CVE-2011-1996, CVE-2011-1997, CVE-2011-1998, CVE-2011-1999, CVE-2011-2000, CVE-2011-2001
  KB: 2586448
  Known exploits: none publicly known
  Microsoft rating: Severity Critical, Exploitability 1
  ISC rating: clients Critical, servers Important

MS11-082 - Host Integration Server
  Vulnerabilities in Host Integration Server allow denial of service. The Host Integration Server listens on udp/1478, tcp/1477 and tcp/1478.
  CVE: CVE-2011-2007, CVE-2011-2008
  KB: 2607679
  Known exploits: both vulnerabilities are publicly known
  Microsoft rating: Severity Important, Exploitability N/A
  ISC rating: clients Less Urgent, servers Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst (lowest index) of all the ratings Microsoft assigns to a bulletin, as some bulletins get too many individual ratings to list.

--
Swa Frantzen -- Section 66

Diginotar declared bankrupt

Published: 2011-09-20,
Last Updated: 2011-09-20 11:16:50 UTC
by Swa Frantzen (Version: 1)

In the latest installment of this seemingly never-ending saga, a Dutch court in Haarlem (NL) declared DigiNotar bankrupt.

The CA business is all about selling trust. After all, a CA is supposed to be a trusted third party. Let's hope all the remaining ones get the right message: it's not about not getting caught being hacked. On the contrary: it's about doing the right thing once you have been hacked. Let's hope it leads to more transparency and public scrutiny of the CAs we trust, explicitly or implicitly, through the choices of some of our vendors.

--
Swa Frantzen -- Section 66

More DigiNotar intermediate certificates blacklisted at Microsoft

Published: 2011-09-13,
Last Updated: 2011-09-13 19:42:58 UTC
by Swa Frantzen (Version: 1)

Microsoft issued yet another update to remove trust in the cross signed intermediate certificates of DigiNotar.

Early Patch Tuesday Today: Microsoft September 2011 Patches

Published: 2011-09-09,
Last Updated: 2011-09-09 23:43:32 UTC
by Johannes Ullrich (Version: 1)

Looks like Microsoft made the bulletins live that were supposed to be released this coming Tuesday. The bulletins are dated September 13th 2011. While the links below work as I type this diary, they may not work later today. Some of the related links may not have any information yet (like CVE). All bulletins appear to be live right now, and we will add them to the list below as we get to it.

This information may of course change as the final bulletins will be released on Tuesday. Some readers report that the bulletins are no longer available.

Each bulletin below lists the affected component, a summary, the CVE(s), the KB article, known exploits, the Microsoft rating (severity and worst exploitability index, see **) and the ISC rating for clients and for servers (see *).

MS11-070 - WINS
  Vulnerability in WINS could allow elevation of privilege. Replaces MS11-035.
  CVE: CVE-2011-1984
  KB: 2571621
  Known exploits: none
  Microsoft rating: Severity Important, Exploitability ?
  ISC rating: clients Important, servers Important

MS11-071 - Windows
  Vulnerability in Windows could allow remote code execution (DLL linking vulnerability).
  CVE: CVE-2011-1991
  KB: 2570947
  Known exploits: yes
  Microsoft rating: Severity Important, Exploitability ?
  ISC rating: clients Critical, servers Important

MS11-072 - Excel
  Arbitrary code execution vulnerabilities in Excel. Replaces MS11-045.
  CVE: CVE-2011-1986, CVE-2011-1987, CVE-2011-1988, CVE-2011-1989, CVE-2011-1990
  KB: 2587505
  Known exploits: none
  Microsoft rating: Severity Important, Exploitability ?
  ISC rating: clients Critical, servers Important

MS11-073 - Office
  Code execution vulnerabilities in Microsoft Office. Replaces MS11-023 and MS10-087.
  CVE: CVE-2011-1980, CVE-2011-1982
  KB: 2587634
  Known exploits: none
  Microsoft rating: Severity Important, Exploitability ?
  ISC rating: clients Critical, servers Important

MS11-074 - SharePoint
  Microsoft SharePoint elevation of privilege vulnerabilities. Replaces MS11-016.
  CVE: CVE-2011-0653, CVE-2011-1252, CVE-2011-1890, CVE-2011-1891, CVE-2011-1892, CVE-2011-1893
  KB: 2581858
  Known exploits: CVE-2011-1252 is publicly disclosed. Some of the others are not disclosed but are likely simple to exploit XSS flaws.
  Microsoft rating: Severity Important, Exploitability ?
  ISC rating: clients N/A, servers Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*) ISC rating and (**) exploitability rating: see the notes under the October 2011 overview above.

--
Johannes B. Ullrich

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 6, 2011
********************************************************************

Security Advisories Updated or Released Today
==============================================

 * Microsoft Security Advisory (2607712)
  - Title: Fraudulent Digital Certificates Could Allow Spoofing
  - http://www.microsoft.com/technet/security/advisory/2607712.mspx
  - Revision Note: V3.0 (September 6, 2011): Revised to
    announce the release of an update that addresses this issue. 


DigiNotar breach - the story so far

Published: 2011-09-01,
Last Updated: 2011-09-01 14:26:50 UTC
by Swa Frantzen (Version: 3)

I've been following the DigiNotar story as it evolved for a few days now with growing concern and increasing alarm.

I am far from privy to the inside information needed to really assess and audit the situation, so this is purely based on what is publicly known. Being a Dutch native speaker I have access to what the press in the Netherlands writes about it, with the subtle nuances that an automated translation will not capture. I do lack the resources to independently verify everything, so some errors might remain; consider this a best effort at creating an overview and leading up to conclusions with the limited information that is available.

If we do attract the attention of DigiNotar and/or Vasco: please do contact us, we'd love to talk to you and get more information!

So who is DigiNotar and what do they do when all is normal?

DigiNotar is a CA. They sell SSL certificates, also the EV kind.

But there is more that's mostly of interest to those in the EU or the Netherlands only:

They are also (I'm simplifying a bit, I know) an accredited provider in the EU and provide qualified certificates and approved SSCDs to customers to create digital signatures that, by law, in the EU are automatically considered to be qualified digital signatures and as such are automatically equivalent to handwritten signatures. This status forces regular third-party audits against the relevant Dutch law and standards such as ETSI TS 101 456.

They also provide certificate services under the PKIOverheid umbrella in the Netherlands. This has even more and stricter rules, e.g. things that are suggested in the ETSI standards, but not mandatory, can become mandatory for PKIOverheid.

DigiNotar is a wholly owned subsidiary of Vasco (since Jan 2011), so if you see Vasco doing things like press releases regarding the incident, that's why.

So what do we know in a chronological order ?

  • Dating back as far as May 2009, the portal of DigiNotar had been defaced; these hacks remained in place until this week, after F-Secure exposed them in their blog.
    Source: f-secure blog
  • On July 10th 2011 a certificate was issued with a CN of *.google.com by DigiNotar
    Source: pasted certificate
  • In July 2011 "dozens" of fake certificates were issued by intruders, most likely Iranian, but that remains to be proven.
    Source: Jan Valcke, Operational director at Vasco in an interview with "webwereld" [in Dutch]
    The list of fake certificates appears to include certificates for mozilla, tor, yahoo, wordpress and baladin.com, but does not include any financial institutes.
    Source: nu.nl article [in Dutch] would love a second or more authoritative source for this.
  • On July 18th 2011, 6 fraudulent certificates were created with a CN of *.torproject.org
    Source: torproject
  • On July 19th 2011, DigiNotar detected the incident and supposedly the majority of these certificates were revoked. At least one, possibly more certificates were missed in this process.
    Source: Jan Valcke, Operational director at Vasco in an interview with "webwereld" [in Dutch]
    There's a bit of a bad feeling with this claim, see further.
  • On July 20th 2011, (at 06:56, unspecified timezone) a second batch of 6 fraudulent certificates were created with a CN of *.torproject.org
    Source: torproject
    Note we lack timezone info from both the claim above and these certificates, don't jump to conclusions just yet.
  • On an unknown date, an unknown external auditor did not catch the fraudulent certificate for *.google.com, nor any others that might have been missed as well.
  • On Aug 28th 2011 (some sources claim the 27th), a user in Iran posted on a forum that Chrome had warned him the certificate was not to be trusted.
    Source: Forum post
    Chrome has had additional protections (public key pinning) for Google sites since Chromium 13, which is why it rejected a certificate that chained to a still-trusted root.
  • On Aug 29th 2011, the *.google.com certificate was revoked by DigiNotar
    This can be seen in the CRL at http://service.diginotar.nl/crl/public2025/latestCRL.crl [do not click on this URL, most browsers "understand" CRLs], see further.
  • On Aug 29th 2011, the response from Google and the other browser makers came: Basically the "sh*t hit the fan" as the browser vendors are pulling the plug on DigiNotar and not trusting their processes anymore.
  • On Aug 30th 2011, Vasco issued a press release reporting the incident.
  • On Aug 30th 2011, various claims of both Vasco, and the Dutch government try to stress that the activities of DigiNotar under the PKIOverheid root were not affected. Some arguments used in the press such as that the root certificate of PKIOverheid is not at DigiNotar (they have an intermediate) are obvious and irrelevant.
  • On Aug 30th 2011, DigiNotar released information for users of Diginotar certificates [in Dutch]. This includes a very painful statement: (my translation): "Users of SSL certificates can depending on the browser vendor be confronted with a statement that the certificate is not trusted. This is in 99,9% of the cases incorrect, the certificate can be trusted". I've got nothing positive to say about that statement. They also offer a free upgrade to the PKIOverheid realm for those holding a SSL or EVSSL certificate.
  • On Aug 31st 2011, it is confirmed that security company Fox-IT is performing a forensic audit of the systems of DigiNotar. Results are expected next week at the earliest.
    Source: webwereld article [in Dutch]

Analysis of the CRLs

DigiNotar claims all breaches were under the "Public 2025 Root" ref [in Dutch]. What "root" does in there is somewhat unclear to the technically inclined mind, and "public 2025" just seems to be some sort of internal name. Let's assume they mean the fraudulent certificates were all signed by the same intermediate.

The CRL indicated in the fraudulent *.google.com certificate does indeed point in the same "public 2025" direction, so let's get that CRL:

$ wget http://service.diginotar.nl/crl/public2025/latestCRL.crl

Let's make this file human readable:

$ openssl crl -text -inform DER -in latestCRL.crl >/tmp/t

And let's verify there is indeed the Serial Number in there of the *.google.com fake certificate we found on pastebin:

$ grep -i "05e2e6a4cd09ea54d665b075fe22a256" /tmp/t
    Serial Number: 05E2E6A4CD09EA54D665B075FE22A256

So yes, it's revoked. Getting the other relevant lines (it means first figuring out how many, but I skip the boring part).

$ grep -i -A4 "05e2e6a4cd09ea54d665b075fe22a256" /tmp/t
    Serial Number: 05E2E6A4CD09EA54D665B075FE22A256
        Revocation Date: Aug 29 16:59:03 2011 GMT
        CRL entry extensions:
            Invalidity Date:
                Aug 29 16:58:47 2011 GMT

So that checks out nicely. [One should of course check that all signatures are valid everywhere: openssl crl accepts a -CAfile option pointing at the issuing intermediate's certificate and reports "verify OK" only when the CRL signature checks out, and the same verification applies to the certificate chain itself.]

Unfortunately a CRL only carries the Serial Number of each revoked certificate, not the juicier fields like the CN that would allow one to see what and when other (fake) certificates were revoked.

But since we have the revocation date, maybe we can see the peak where they revoked the fraudulent certificates. I know the nature of revocation and any other work in a CA/RA can be highly cyclic with huge peaks in it, and I know not to worry about any revocation as such: users losing control over a certificate happens all the time.

So let's see revocation activity in July 2011 split out per day:

$ grep "Revocation Date:" /tmp/t | sed 's/^.*Date: //' | sed 's/..:..:.. //' \
  | sed 's/GMT//' | sort -n | uniq -c | grep 'Jul .* 2011'
   1 Jul  1 2011
   3 Jul  4 2011
   3 Jul  5 2011
   6 Jul  6 2011
   6 Jul  7 2011
   1 Jul  8 2011
   2 Jul 11 2011
   6 Jul 14 2011
   1 Jul 15 2011
   1 Jul 18 2011
   2 Jul 19 2011
   1 Jul 20 2011
   1 Jul 21 2011
   3 Jul 22 2011
   3 Jul 26 2011
   7 Jul 28 2011
   5 Jul 29 2011

Uhmm, where are the "dozens" on July 19th?

Since the *.google.com one was issued on Jul 10th, there are no dozens either shortly before or shortly after the 19th.

They might have been added to another CRL; hard to say, as DigiNotar does not allow directory listing and doesn't have an easy to find list of the CRLs they publish either.

Still, even if we look at the "normal" workload in 2011:

$ grep "Revocation Date:" /tmp/t | sed 's/^.*Date: //' | sed 's/..:..:.. //' \
  | sed 's/GMT//' | grep 2011 | sed 's/ .. 2011//' | sort -n | uniq -c
  93 Apr
  34 Aug
 112 Feb
 144 Jan
  52 Jul
  18 Jun
 118 Mar
 118 May

We see that the Jun, Jul and Aug months are very light on revocations. [Note that August was not yet complete in GMT time when I downloaded the CRL file, and that the counts above are not sorted by month: sort -n on month names only groups identical lines for uniq.]

I know my sed, grep commands could be optimized to save a few CPU cycles, but this isn't a unix lesson.

I'd love to see the "dozens" of revocations around July 19th in a DigiNotar CRL, but I simply cannot find them.

The torproject was in touch with DigiNotar and got a spreadsheet with validity dates, SN and some more fields of the certificate (CN, L, O, ST, C) of 12 fraudulent certificates.

The spreadsheet (linked from the torproject post) lists 12 certificates, all expiring on Aug 17th 2011 or Aug 19th 2011. Checking each of their serial numbers against the CRL:

$ grep -i -A4 "899AE120CD44FCEC0FFCD62F6FC4BB81" /tmp/t
$ grep -i -A4 "7DD16C03DF0438B2BE5FC1D3E19F138B" /tmp/t
$ grep -i -A4 "5432FC98141883F780897BC829EB9080" /tmp/t
$ grep -i -A4 "73024E7C998B3DDD244CFD313D5E43B6" /tmp/t
$ grep -i -A4 "B01D8C6F2D5373EABF0C00319E92AE95" /tmp/t
$ grep -i -A4 "FF789632B8D4AECD94A0AAB33074A058" /tmp/t
$ grep -i -A4 "86633B957280BC65A5ADFD1D153BDE52" /tmp/t
$ grep -i -A4 "E7F58683066112DC5EB244FCF208E850" /tmp/t
$ grep -i -A4 "1A07D8D6DDC7E623E71205074A05CEA2" /tmp/t
$ grep -i -A4 "79C8E8B7DE36539FFC4B2B5825305324" /tmp/t
$ grep -i -A4 "06CBB1CC51156C6D465F14829453DD68" /tmp/t
$ grep -i -A4 "ED1A1008190A5D1654D138EB8FD1154A" /tmp/t
$

These were clearly not revoked in this CRL. And we can confirm what the torproject concluded about that themselves: we simply can't find proof of revocation.
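The serial-number lookups above and the per-day and per-month tallies before them are the same two questions asked of one file: the text dump produced by openssl crl -text. The following script is an added example (not part of the original diary, and not DigiNotar's or the torproject's code) that parses that text format, answers "is this serial revoked, since when, and with what invalidity date?" for a list of serials taken from a spreadsheet, and tallies revocations per day and per month. It normalises serial numbers before comparing, so a spreadsheet value with or without leading zeros, in either case, still matches the CRL entry. The sample dump is constructed for the example: only the *.google.com serial and the one torproject serial are quoted from the diary; the other serials, dates and the issuer name are made up.

```python
"""Parse the text that `openssl crl -text` prints, look up serials and tally
revocations per day and per month. Added example, not code from the diary."""
from collections import Counter
from datetime import datetime

# Quoted from the diary: the fraudulent *.google.com serial and one of the
# twelve torproject serials (the latter is absent from the sample below).
GOOGLE_SERIAL = "05e2e6a4cd09ea54d665b075fe22a256"
TOR_SERIAL = "899AE120CD44FCEC0FFCD62F6FC4BB81"

# Constructed excerpt in the layout `openssl crl -text` uses; every value
# other than the *.google.com entry is made up for this example.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, O=Example CA BV, CN=Example Intermediate CA
        Last Update: Aug 31 10:00:00 2011 GMT
        Next Update: Sep  7 10:00:00 2011 GMT
Revoked Certificates:
    Serial Number: 0A1B2C3D
        Revocation Date: Jul 19 08:12:45 2011 GMT
    Serial Number: 05E2E6A4CD09EA54D665B075FE22A256
        Revocation Date: Aug 29 16:59:03 2011 GMT
        CRL entry extensions:
            Invalidity Date:
                Aug 29 16:58:47 2011 GMT
    Serial Number: 1F2E3D4C
        Revocation Date: Jul 19 09:30:00 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 7777
        Revocation Date: Aug  1 00:00:00 2011 GMT
"""


def normalize_serial(serial):
    """Upper-case hex without leading zeros, so '05E2...' equals '5e2...'."""
    return format(int(serial.strip(), 16), "X")


def parse_date(text):
    """Parse 'Aug 29 16:59:03 2011 GMT' as printed by openssl (GMT only)."""
    parts = text.split()
    if parts and parts[-1] == "GMT":
        parts = parts[:-1]
    return datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")


def parse_revocations(text):
    """Return {normalized serial: (revocation date, invalidity date or None)}."""
    entries = {}
    current = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            current = normalize_serial(s.split(":", 1)[1])
            entries[current] = [None, None]
        elif current is None:
            continue  # still in the CRL header
        elif s.startswith("Revocation Date:"):
            entries[current][0] = parse_date(s.split(":", 1)[1])
        elif s == "Invalidity Date:" and i + 1 < len(lines):
            # openssl prints the invalidity date on the following line
            entries[current][1] = parse_date(lines[i + 1])
    return {k: tuple(v) for k, v in entries.items()}


def revocation_status(entries, serials):
    """Map each queried serial (as given) to its CRL entry, or None if absent."""
    return {s: entries.get(normalize_serial(s)) for s in serials}


def revocations_per_day(entries, year, month):
    """Count revocations per calendar day of one month, keyed 'YYYY-MM-DD'."""
    counts = Counter(
        rev.strftime("%Y-%m-%d")
        for rev, _ in entries.values()
        if rev is not None and rev.year == year and rev.month == month
    )
    return dict(sorted(counts.items()))


def revocations_per_month(entries, year):
    """Count revocations per month of one year, keyed 'YYYY-MM'."""
    counts = Counter(
        rev.strftime("%Y-%m")
        for rev, _ in entries.values()
        if rev is not None and rev.year == year
    )
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    crl = parse_revocations(SAMPLE_CRL_TEXT)
    for serial, entry in revocation_status(crl, [GOOGLE_SERIAL, TOR_SERIAL]).items():
        if entry is None:
            print(serial, "not in this CRL")
        else:
            print(serial, "revoked", entry[0], "invalid since", entry[1])
    print("July 2011 per day:", revocations_per_day(crl, 2011, 7))
    print("2011 per month:", revocations_per_month(crl, 2011))
```

To run it against a real CRL, replace SAMPLE_CRL_TEXT with the contents of the file written by openssl crl -text -inform DER -in latestCRL.crl; the month keys come out sorted chronologically, which the sort -n pipeline above does not give.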

So what's the known impact right now:

  • If you're a general Internet user: you're unlikely to see much impact, maybe you'll run into a website with a DigiNotar certificate somewhere that will now warn the certificate is not trusted anymore.
    Keep your browser up to date!
    The longer term impact will still have to manifest itself, and for sure breaches such as these will prompt thinking of other solutions.
    If the add-ons of Mozilla were indeed attacked using a MitM approach, impact might be more widespread, but that becomes somewhat less likely.
    If you really need to access a website that is using a DigiNotar SSL certificate that your browser is not trusting anymore, I'd encourage you not to ignore the warning of the browser, certainly not to add the yanked DigiNotar root certificate back in. Instead the safe procedure is to go examine the certificate and contact the website operator out of band (e.g. by phone). Make them tell you what the fingerprint is of their certificate, verify that with what you see and only then accept the certificate. If you want to be sure you're talking to the right website, you need to perform the work the 3rd party used to do for you, not blindly click OK.
  • If you're a user in Iran, and had something to hide from your government, odds are you're in trouble with your government.
  • Tor users: the torproject confirms the tor network itself is not reliant on SSL certificates. Downloading their client should be done with great care, but the fraudulent certificates that DigiNotar informed them about have by now all expired on their own - revocation can't be confirmed yet.
  • If you're a stakeholder in the Dutch PKIOverheid, well then I'd be careful with the preliminary "all is well" messages, I know PKIOverheid a little bit and I know it's one of the strictest things to get a certificate from, but never say never till it's proven. I do understand the need to keep confidence in the system, but that is also achieved by first investigating before saying there is no problem based on false logic and/or irrelevant data.
  • You're a customer of DigiNotar: DigiNotar lost the trust from the browser makers, how permanent that is is too soon to say, but it's a big unprecedented dent.
    If you're a PKIOverheid customer that leaves you a bit more breathing room, and there are 6 more providers to migrate to, and apparently no urgent need to do so.
    Other customers seem to have been offered to migrate to PKIOverheid, but the stringent requirements there might be too much for some, so your best option might be to seek another provider, if you have not done so already.
  • If you're a CA or RA, this is yet another big wake-up call. If you're a 3rd party auditor of said, it's the exact same thing. CAs are now a target.

What is the biggest thing we all lack to better see what impact there is/was ?

  • Full list of fraudulent certificates (CN, SN fields at the very least)
  • Clarity on when each certificate was created and when it was revoked
  • I for one would love to know who that external auditor was that missed defaced pages on a CA's portal and missed at least one fraudulent certificate issued to an entity that's not a customer, and what other CAs and/or RAs they audit, as those would all lose my trust to some varying degree. This is not intended to publicly humiliate the auditor, but much more a matter of getting confidence back into the system. So a compromise, that an unnamed auditor working for well known audit company X is now not an auditor anymore due to this incident, is maybe a good start.
  • Clarity over what was affected by the hackers, a full report would be really nice to read. Special attention should be given to explain how it is sure PKIOverheid, the qualified certificates etc. are for sure not affected and how privacy of other customers e.g. was affected. Similarly the defacements should be covered in detail as well as how they could be missed for so long.

Obviously it's unlikely we'll get all those details publicly, but the more we get the easier it will be to keep the trust in the SSL "system" in general and more specifically in DigiNotar.

Glossary

  • CA: Certificate Authority
  • CN: Common Name, in case of a SSL certificate for a web server this contains the name of the website, can be a wildcard as well in that case.
  • CRL: Certificate Revocation List a machine readable list of revoked certificates, typically published over http. Contains the Serial Numbers (SN) of the revoked certificates along with some minimal supporting data.
  • "dozens" used in my text above is a somewhat free translation of the Dutch "tientallen", literally "multiple tens"
  • ETSI TS 101 456: A technical specification on "policy requirements for certification authorities issuing qualified certificates"; used as a norm in audits of said providers.
    Can be freely downloaded from ETSI: version 1.4.3.
  • EV: extended validation: essentially the same SSL certificate, but with a slightly stricter set of rules on issuing. Most browsers render something like the URL in the address bar in a green color when they see such a certificate
  • PKIOverheid: a PKI system run under very strict requirements by and for the Dutch Government. There are 7 providers recognized to deliver certificates under a root certificate held by the Dutch government. This PKI not only issues certificates to (web) servers, but also to companies and individuals to do client authentication against government websites as well as provide means to create qualified digital signatures.
  • RA: Registration Authority
  • SN: Serial Number
  • SSCD: Secure Signature Creation Device. Mostly a smartcard or smart USB token that holds key pairs used for signing and protects the secret keys

Update History

  • version 1: initial release
  • version 2: updated with more information from the torproject, thanks for the pointer Gary!
  • version 3: update to include the DigiNotar press release of Aug 30th.

--
Swa Frantzen -- Section 66

Internet Worm in the Wild
Published: 2011-08-29,
Last Updated: 2011-08-29 12:53:18 UTC
by Kevin Shortt (Version: 1)

Well, the word is out. Morto, the latest Internet worm, has arrived and clearly has been working its way around for a while.

After reading the write ups available, it would appear for now, that the network flood is the most substantial consequence for any network with infected hosts.

Prevention looks to be easy. I would not expect any of our readers to fall victim to this worm, as it appears to take advantage of systems not complying with best practices. That is not a proven fact yet though, so stay vigilant.

The Microsoft Malware Protection Center (MMPC) has a detailed write-up on Morto. [1] Check it out and feel free to send us any samples via the contact form.

As always give us your comments and provide feedback on what is happening out there.

UPDATE:

Thanks to Don for keeping us up to date. MMPC has a new Morto variant write up. Check it out here. [2]

Keep the intel coming folks. I'll continue to update as more info becomes available.

[1] http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A
[2] http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.gen!A

-Kevin
--
ISC Handler on Duty

Adobe August 2011 Black Tuesday Overview

Published: 2011-08-09,
Last Updated: 2011-08-10 11:57:37 UTC
by Swa Frantzen (Version: 2)

Although none of us seems to have seen any warning, Adobe has released 5 bulletins today.

These update Adobe products to the following versions:

  • Adobe Shockwave Player 11.6.1.629
  • Flash Media Server 4.0.3 (or 3.5.7 if you are using 3.x)
  • Adobe Flash Player
    • Android 10.3.186.3
    • Windows, OS X, Solaris, Linux 10.3.183.5
  • Adobe Air 2.7.1
  • Photoshop version is not changed by the update.
  • Robohelp version is not changed, but version 9.0.1.262 is not vulnerable.

Overview of the August 9th 2011 Adobe Patches.

Each bulletin below lists the affected product, a summary, the CVE(s), known exploits and the Adobe rating.

APSB11-19 - Shockwave Player
  Multiple memory corruption vulnerabilities in the Shockwave Player allow arbitrary code execution.
  CVE: CVE-2010-4308, CVE-2010-4309, CVE-2011-2419, CVE-2011-2420, CVE-2011-2421, CVE-2011-2422, CVE-2011-2423
  Known exploits: TBD
  Adobe rating: Critical

APSB11-20 - Flash Media Server (FMS)
  A memory corruption vulnerability in the Flash Media Server (FMS) allows a denial of service.
  CVE: CVE-2011-2132
  Known exploits: TBD
  Adobe rating: Critical

APSB11-21 - Flash Player, Adobe AIR
  Multiple vulnerabilities in Flash Player allow arbitrary code execution.
  CVE: CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2425
  Known exploits: Adobe claims not to be aware of any exploits in the wild against the vulnerabilities patched in Flash Player
  Adobe rating: Critical

APSB11-22 - Photoshop
  A memory corruption vulnerability in Photoshop CS5, CS5.1 and earlier allows arbitrary code execution.
  CVE: CVE-2011-2131
  Known exploits: TBD
  Adobe rating: Critical

APSB11-23 - RoboHelp
  A cross site scripting (XSS) vulnerability in RoboHelp installations.
  CVE: CVE-2011-2133
  Known exploits: TBD
  Adobe rating: Important

Please note that Adobe is, at the time of writing, inconsistent in the CVE names of what they fixed (CVE-2010-XXXX vs CVE-2011-XXXX). I've tried to guess the right ones, but we won't know for sure until the CVE databases are up to date.

This is an effort to structure the non-Microsoft patches more or less in a familiar format on Black Tuesday; depending on the amount of available information we can have more or fewer columns. Do let us know what you think of it!

--
Swa Frantzen -- Section 66

Microsoft August 2011 Black Tuesday Overview

Published: 2011-08-09,
Last Updated: 2011-08-09 19:35:25 UTC
by Swa Frantzen (Version: 1)

Overview of the August 2011 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS11-057 Multiple vulnerabilities in Internet Explorer allow random code execution with the rights of the logged on user and information leaks. Replaces MS11-050.
MSIE

CVE-2011-1257
CVE-2011-1960
CVE-2011-1961
CVE-2011-1962
CVE-2011-1963
CVE-2011-1964
CVE-2011-2383
CVE-2011-1347
KB 2559049 A for-pay exploit for CVE-2011-1347 is available (the fix for this vulnerability is classified by Microsoft as a functionality upgrade)
Public disclosure against CVE-2011-1962 and CVE-2011-2383 are also reported.
Severity:Critical
Exploitability:1
Critical Important
MS11-058 Multiple vulnerabilities in the DNS server allow random code execution through NAPTR (Naming Authority Pointer) queries against recursive servers and denial of service.
Replaces MS09-008 and MS11-046.
DNS server

CVE-2011-1966
CVE-2011-1970
KB 2562485

No publicly known exploits

Severity:Critical
Exploitability:3
N/A Critical
MS11-059 Windows DAC (Data Access Components) can incorrectly restrict the path used for loading libraries, allowing random code execution (e.g. by opening an Excel file on a network share).
Windows DAC, exposed through e.g. Excel

CVE-2011-1975
KB 2560656

No publicly known exploits

Severity:Important
Exploitability:1
Important Less Urgent
MS11-060 Multiple vulnerabilities in Visio allow random code execution with the rights of the logged on user.
Replaces MS11-008.
Visio

CVE-2011-1972
CVE-2011-1979
KB 2560978 No publicly known exploits Severity:Important
Exploitability:1
Critical Important
MS11-061 A cross site scripting (XSS) vulnerability in Remote Desktop Web Access.
Remote Desktop Web Access

CVE-2011-1263
KB 2546250 No publicly known exploits Severity:Important
Exploitability:1
Less Urgent Important
MS11-062 An input validation vulnerability in the way the NDISTAPI driver validates user mode input before sending it to the Windows kernel allows privilege escalation.
Remote Access Service (RAS)

CVE-2011-1974
KB 2566454 No publicly known exploits Severity:Important
Exploitability:1
Important Less Urgent
MS11-063 An input validation vulnerability in the Client/Server Runtime SubSystem allows privilege escalation by running arbitrary code in the context of another process.
Replaces MS10-069 and MS11-056.
CSRSS

CVE-2011-1967
KB 2567680 No publicly known exploits Severity:Important
Exploitability:1
Important Less Urgent
MS11-064 Vulnerabilities in how Windows kernels handle crafted ICMP messages and how Quality of Service (QoS) based on URLs on web hosts handles crafted URLs allow denial of service.
Replaces MS10-058.
TCP/IP stack

CVE-2011-1871
CVE-2011-1965
KB 2563894 No publicly known exploits Severity:Important
Exploitability:3
Important Important
MS11-065 A vulnerability in the RDP implementation allows denial of service of the exposed machine.
Remote Desktop Protocol (RDP)

CVE-2011-1968
KB 2570222 Microsoft reports it is used in targeted exploits. Severity:Important
Exploitability:3
Less Urgent Important
MS11-066 An input validation vulnerability in the Chart Control allows retrieval of any file within the ASP.NET application.
ASP.NET Chart Control

CVE-2011-1977
KB 2567943 No publicly known exploits Severity:Important
Exploitability:3
N/A Important
MS11-067 A cross site scripting (XSS) vulnerability in the Microsoft report viewer control.
Replaces MS09-062.
Report Viewer

CVE-2011-1976
KB 2578230 No publicly known exploits Severity:Important
Exploitability:3
Important Less Urgent
MS11-068 Access to meta-data of files (which can be through the web or file sharing) can cause a reboot of the Windows kernel.
Replaces MS10-047.
Windows Kernel

CVE-2011-1971
KB 2556532 No publicly known exploits Severity:Moderate
Exploitability:?
Less Urgent Less Urgent
MS11-069 Lack of restricted access to the System.Net.Sockets namespace in the .NET framework allows information leaks and control over network traffic causing Denial of Service or portscanning.
Replaces MS11-039.
.NET framework

CVE-2011-1978
KB 2567951 No publicly known exploits Severity:Moderate
Exploitability:?
Important Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all those assigned, because Microsoft assigns too many separate ratings to some of the patches.

--
Swa Frantzen -- Section 66


Microsoft July 2011 Black Tuesday Overview

Published: 2011-07-12,
Last Updated: 2011-07-12 18:26:38 UTC
by Swa Frantzen (Version: 1)

Overview of the July 2011 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS11-053 Memory handling problems in the Bluetooth driver allow remote attackers to control the affected systems.
Bluetooth

CVE-2011-1265
KB 2566220 No known exploits Severity:Critical
Exploitability:2
Critical Important
MS11-054 Multiple vulnerabilities in kernel mode drivers allow privilege escalations.
Replaces MS11-034 and MS11-041.
Kernel mode drivers

CVE-2011-1874
CVE-2011-1875
CVE-2011-1876
CVE-2011-1877
CVE-2011-1878
CVE-2011-1879
CVE-2011-1880
CVE-2011-1881
CVE-2011-1882
CVE-2011-1883
CVE-2011-1884
CVE-2011-1885
CVE-2011-1886
CVE-2011-1887
CVE-2011-1888
KB 2555917 No known exploits Severity:Important
Exploitability:1
Important Less Urgent
MS11-055 The search path for libraries allows random code execution (e.g. by opening a Visio file on a network share).
Visio

CVE-2010-3148
KB 2560847 Exploit code publicly available since August 2010 Severity:Important
Exploitability:1
Important Less Urgent
MS11-056 Multiple vulnerabilities in the Client/Server Run-time SubSystem allow privilege escalation and denial of service on affected systems.
Replaces MS11-010 and MS10-069.
CSRSS

CVE-2011-1281
CVE-2011-1282
CVE-2011-1283
CVE-2011-1284
CVE-2011-1870
KB 2507938 No known exploits Severity:Important
Exploitability:1
Important Less Urgent

--
Swa Frantzen -- Section 66

Microsoft June 2011 Black Tuesday Overview

Published: 2011-06-14,
Last Updated: 2011-06-14 21:04:02 UTC
by Swa Frantzen (Version: 2)

Overview of the June 2011 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating ISC rating(*)
clients servers
MS11-037 The MHTML (MIME encapsulated HTML) protocol handler is vulnerable to information disclosure through an XSS-like problem.
Replaces MS11-026.
MHTML

CVE-2011-1894
KB 2544893 Publicly known vulnerability. Severity:Important
Exploitability:3
Important Low
MS11-038 WMF processing by OLE allows for arbitrary code execution with the rights of the logged on user.
Replaces MS08-008.
OLE - WMF

CVE-2011-0658
KB 2476490 No known exploits Severity:Critical
Exploitability:1
Critical Important
MS11-039 Input validation vulnerabilities in the .NET framework and the Silverlight implementations allow for arbitrary code execution with the rights of the logged on user.
.NET - silverlight

CVE-2011-0664
KB 2514842 No known exploits Severity:Critical
Exploitability:1
Critical Important
MS11-040 Improper bounds checking in Microsoft Forefront Threat Management Gateway 2010 Client allows for arbitrary code execution in the context of the service.
Forefront TMG

CVE-2011-1889
KB 2520426 No known exploits Severity:Critical
Exploitability:1
Critical Important
MS11-041 An input validation problem in the parsing of OTF (OpenType Font) fonts in 64-bit kernels allows for arbitrary code execution in kernel mode. This is remotely exploitable through file sharing, WebDAV, websites, email and more.
Replaces MS11-034.
OTF

CVE-2011-1873
KB 2525694 No known exploits Severity:Critical
Exploitability:2
Critical Important
MS11-042 Input validation problems in the Distributed File System (DFS) implementation allow for arbitrary code execution in the context of the service or denial of service (DoS) conditions.
DFS (Distributed File System)

CVE-2011-1868
CVE-2011-1869
KB 2535512 No known exploits Severity:Critical
Exploitability:1-3
Critical Critical
MS11-043 An input validation problem in the parsing of the responses to SMB requests allows for arbitrary code execution in the context of the service.
Replaces MS11-019 and MS10-020.
SMB

CVE-2011-1268
KB 2536276 No known exploits Severity:Critical
Exploitability:1
Critical Important
MS11-044 An input validation problem in the JIT optimization of the .NET framework allows for arbitrary code execution in the context of the logged on user, and bypassing of security measures such as the CAS (Code Access Security) restrictions.
Replaces MS11-028 and MS10-060.
.NET

CVE-2011-1271
KB 2538814 Publicly disclosed vulnerability. Severity:Critical
Exploitability:2
Critical Critical
MS11-045 Multiple vulnerabilities in Excel allow for arbitrary code execution in the context of the logged on user.
Office for Mac versions are also affected.
Replaces MS11-021 and MS11-022.
Excel

CVE-2011-1272
CVE-2011-1273
CVE-2011-1274
CVE-2011-1275
CVE-2011-1276
CVE-2011-1277
CVE-2011-1278
CVE-2011-1279
KB 2537146 No known exploits Severity:Important
Exploitability:1-3
Critical Important
MS11-046 An input validation vulnerability in AFD (Ancillary Function Driver) allows for privilege escalation and arbitrary code execution in kernel mode for logged on users.
Replaces MS10-066.
AFD

CVE-2011-1249
KB 2503665 Publicly disclosed vulnerability, Microsoft claims "limited, targeted attacks attempting to exploit the vulnerability" Severity:Important
Exploitability:1
Critical Critical
MS11-047 An authenticated user of a guest system can cause a Denial of Service (DoS) condition on the host system.
Replaces MS10-102.
Hyper-V

CVE-2011-1872
KB 2525835 No known exploits. Severity:Important
Exploitability:3
Low Important
MS11-048 A parsing error in the SMB server can be used to cause a Denial of Service (DoS) condition.
Replaces MS09-050.
SMB server

CVE-2011-1267
KB 2525835 No known exploits. Severity:Important
Exploitability:3
Low Important
MS11-049 The XML editor can leak file content through nested XML external entities. The XML editor is part of InfoPath, SQL Server, and Visual Studio.
Replaces MS10-039 and MS09-062.
XML editor

CVE-2011-1280
KB 2543893 No known exploits. Severity:Important
Exploitability:3
Important Important
MS11-050 A multitude of vulnerabilities in MSIE.
Replaces MS11-018.
MSIE

CVE-2011-1246
CVE-2011-1250
CVE-2011-1251
CVE-2011-1252
CVE-2011-1254
CVE-2011-1255
CVE-2011-1256
CVE-2011-1258
CVE-2011-1260
CVE-2011-1261
CVE-2011-1262
KB 2543893 No known exploits. Severity:Critical
Exploitability:1-3
Critical Important
MS11-051 Active Directory Certificate Services Web Enrollment allows for a reflected XSS issue.
Active Directory Certificate Services Web Enrollment

CVE-2011-1264
KB 2518295 No known exploits. Severity:Important
Exploitability:1
N/A Important
MS11-052 A VML memory corruption allows arbitrary code execution in MSIE with the rights of the logged on user. IE9 is not affected.
VML - MSIE

CVE-2011-1266
KB 2544521 No known exploits. Severity:Critical
Exploitability:1
Critical Important

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 17, 2011
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS11-036 - Important

Bulletin Information:
=====================

* MS11-036 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms11-036.mspx
  - Reason for Revision: V1.1 (May 17, 2011): Removed an erroneous
    note from the Affected Software table pertaining to security
    updates KB2535818 and KB2540162 for Microsoft PowerPoint 2007
    Service Pack 2. 
  - Originally posted: May 10, 2011
  - Updated: May 17, 2011
  - Bulletin Severity Rating: Important
  - Version: 1.1

********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: May 16, 2011
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS11-018 - Critical

Bulletin Information:
=====================

* MS11-018 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms11-018.mspx
  - Reason for Revision: V2.0 (May 16, 2011): Bulletin rereleased to
    reoffer the update for Internet Explorer 7 on supported
    editions of Windows XP and Windows Server 2003. This is a
    detection change only. There were no changes to the binaries.
    Only affected customers will be offered the update. Customers
    who have installed the update manually and customers running
    configurations not targeted by the change to detection logic
    do not need to take any action.
  - Originally posted: April 12, 2011
  - Updated: May 16, 2011
  - Bulletin Severity Rating: Critical
  - Version: 2.0

Microsoft May 2011 Black Tuesday Overview

Published: 2011-05-10,
Last Updated: 2011-05-10 16:58:08 UTC
by Swa Frantzen (Version: 1)

Overview of the May 2011 Microsoft patches and their status.

# Affected Contra Indications Known Exploits Microsoft rating ISC rating(*)
clients servers
MS11-035 An input validation vulnerability in WINS allows arbitrary code execution with the rights of the WINS system.
Note: WINS is not installed by default.
Replaces MS09-039.
WINS

CVE-2011-1248
KB 2524426 No known exploits Severity:Critical
Exploitability:2
N/A Critical
MS11-036 Memory corruption and buffer overflow vulnerabilities allow for arbitrary code execution with the rights of the logged on user.
Note: Microsoft confirms in the bulletin that PowerPoint in Office for Mac 2004 and 2008 is vulnerable, but no patch is available at this point in time, nor is there an indication of a time commitment.
Note: Windows Office 2010 and Office for Mac 2011 are not affected.
Replaces MS11-022.
PowerPoint

CVE-2011-1269
CVE-2011-1270
KB 2545814 No known exploits Severity:Important
Exploitability:1,3
Critical Important

--
Swa Frantzen -- Section 66
