When you consider how many stakeholders are invested in Microsoft’s Patch Tuesday, it’s no wonder the monthly affair stirs up so much energy in the cyber world. Security researchers are eager to understand the issue being patched; administrators want to get a feel for how many reboots they will have to schedule in the coming week, and security vendors are looking to produce signatures or code telling you which patches appear to be missing. Meanwhile, our Exploit Writing Team looks forward to identifying what is being patched and determining if it can be exploited. If it can, they will code it, QA it and turn it into one of the hundreds of commercial grade exploits we release each year.
Based on my count, there were 83 advisories announced by Microsoft over the past year. This averages out to a little more than six per month, a reasonable number of patches (and reboots) to apply to your systems over the course of a year. While I think the Microsoft severity rating system of critical/important, etc., is quite effective, I try to avoid biases. Any vulnerability that helps me learn more about a target network or gain a foothold I can leverage is a serious one. What I considered was how these vulnerabilities could have been leveraged by the bad guys. Again and again, we see targeted emails and drive-by downloads giving attackers initial access. Privilege escalation exploits give them full control over a system and a great beach-head to further explore the internal networks of the target environment. Those are the desired abilities of a professional bad guy, and reported vulnerabilities that allow for that are their bread and butter.
So, first we need that initial entry point – some juicy client-side attacks. We might only get one shot at these, so we want our attack to work in as many environments as possible. When you look at the bulletins for the last 12 months, there are a few standouts:
April, MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution
A vulnerability in Office 2003, 2007 and 2010. That is a great spread of MS Office versions, making virtually everyone who runs MS Office a possible target. A classic email claiming the attachment contains information about changes to the company benefits plan could have many employees opening a word document with this vulnerability built in.
June, MS12-037: Cumulative Security Update for Internet Explorer
Who doesn’t love waking up to the smell of unpatched IE in the morning? This update covered a multitude of issues, including one that was publically known. It was rated as critical for IE 6, 7, 8 and 9 on Windows clients, otherwise known as “every machine in your userland.” I no longer need you to open a file (on the off-chance that your users have learned not to open attachments), I can access your machine just by getting you to click a link. You’re one fake Amazon gift certificate away from handing over control.
[A previous version of this story said Microsoft issued 83 “vulnerabilities” last year, when it should have said “advisories].”
July, MS12-047: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
I am not sure about the word ‘could’ in the vulnerability title, they definitively do allow for elevation of privilege, as we demonstrated when we responsibly disclosed this issue to Microsoft and again when we released a module to our customers.
August, MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution
It’s déjà vu all over again. A vulnerability in Office 2003, 2007 and 2010 (32-bit) allows an attacker to execute code remotely. If you think your target organization has patched for MS12-027, recycle that attachment with this brand new exploit!
So now I’m on the machine, but it’s just some user down in the basement with no access to anything. I need to take full control of the machine (and maybe the stapler) as the first step in trying getting full control of the network. We need to leverage some local vulnerabilities on the machine to get system-level access.
There is one vulnerability that did not make the list, which in my mind produced the biggest reaction (not to mention speculation, tweets and conspiracy theories of leaked code).
March, MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
This vulnerability initiated the big race – who could produce a working remote code execution vulnerability first? Multiple members of our professional in-house Exploit Writing Team focused on this bug and we saw others without our level of in-house expertise offering cash bounties for exploits. The Twittersphere blew up with speculation that the POC provided to Microsoft made its way overseas. We were the first to release a Denial of Server attack for this vulnerability, but we weren’t able to control the crash and execute our code on the system.
What does this mean for vulnerabilities present and future? The Exchange (another internet-facing service)-related vulnerability will generate a lot of interest. Could we get a MS08-067 this year after all? It also means any vulnerability of the future looking like it might become a network exploit will make exploit writers feel like every day is Christmas.