The ghosts of Microsoft: Patch, present and future
Alex Horan, senior product manager, CORE Security
When you consider how many stakeholders are invested in Microsoft's Patch Tuesday, it's no wonder the monthly affair stirs up so much energy in the cyber world. Security researchers are eager to understand the issue being patched; administrators want to get a feel for how many reboots they will have to schedule in the coming week, and security vendors are looking to produce signatures or code telling you which patches appear to be missing. Meanwhile, our Exploit Writing Team looks forward to identifying what is being patched and determining if it can be exploited. If it can, they will code it, QA it and turn it into one of the hundreds of commercial grade exploits we release each year.
Based on my count, there were 83 advisories announced by Microsoft over the past year. This averages out to a little more than six per month, a reasonable number of patches (and reboots) to apply to your systems over the course of a year. While I think the Microsoft severity rating system of critical/important, etc., is quite effective, I try to avoid biases. Any vulnerability that helps me learn more about a target network or gain a foothold I can leverage is a serious one. What I considered was how these vulnerabilities could have been leveraged by the bad guys. Again and again, we see targeted emails and drive-by downloads giving attackers initial access. Privilege escalation exploits give them full control over a system and a great beach-head to further explore the internal networks of the target environment. Those are the desired abilities of a professional bad guy, and reported vulnerabilities that allow for that are their bread and butter.
So, first we need that initial entry point – some juicy client-side attacks. We might only get one shot at these, so we want our attack to work in as many environments as possible. When you look at the bulletins for the last 12 months, there are a few standouts:
April, MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution
A vulnerability in Office 2003, 2007 and 2010. That is a great spread of MS Office versions, making virtually everyone who runs MS Office a possible target. A classic email claiming the attachment contains information about changes to the company benefits plan could have many employees opening a word document with this vulnerability built in.
June, MS12-037: Cumulative Security Update for Internet Explorer
Who doesn't love waking up to the smell of unpatched IE in the morning? This update covered a multitude of issues, including one that was publically known. It was rated as critical for IE 6, 7, 8 and 9 on Windows clients, otherwise known as “every machine in your userland.” I no longer need you to open a file (on the off-chance that your users have learned not to open attachments), I can access your machine just by getting you to click a link. You're one fake Amazon gift certificate away from handing over control.
[A previous version of this story said Microsoft issued 83 "vulnerabilities" last year, when it should have said "advisories]."