Microsoft pushes monthly update while experts doubt Exploitability Index rankings
On Tuesday, Microsoft released four updates that addressed eight vulnerabilities in Internet Explorer, Exchange Server, SQL Server and Microsoft Office. One of them, MS09-003 for Microsoft Exchange, has earned the ire of one security expert because of the Exploitability Index (EI) rating assigned to the critical patch.
The Internet Explorer update fixes flaws that let an attacker run arbitrary code on a system whose browser is exploited. Paul Zimski, VP of market strategy for Lumension, calls the critical IE patch the most important of the four.
“The remote-code-execution vulnerabilities exist in IE 7 on both Windows XP and Windows Vista – probably the most prevalent Windows configurations in use today. This update addresses two separate vulnerabilities that are rated a ‘1’ on Microsoft’s Exploitability Index (consistent exploit code can be crafted easily),” Zimski explained.
“Although there is no known exploit code available today, we expect it to be available soon. Browser vulnerabilities are especially popular with the [criminal] community to deliver blended attacks where a compromised browser is used to introduce additional malware onto the computer.”
Discussing the Exchange Server patch, Zimski added, “The Exchange bulletin is a remote code execution, and as far as sensitive information and critical data are concerned, this has proven to be the easiest target for hackers to infiltrate. If the bad guys are able to compromise an organization’s Exchange Server, then they will be able to intercept every email coming and going, essentially making it open to every corporation across the globe. Given the proximity of the Exchange Server to external data entering the network, organizations will want to deploy this update immediately.”
Some businesses will give the Exchange patch a lower priority because of the rating it received on the Exploitability Index. Both flaws it fixes, a denial of service triggered by a specially crafted MAPI command sent to an Exchange Server and a complete compromise of an Exchange Server through a specially crafted TNEF message, are rated “2” on the Exploitability Index (inconsistent exploit code likely).
“While Microsoft labels the Exchange bulletin as ‘Inconsistent exploit code likely,’ and there are no known public exploits yet, attackers are going to latch onto this like flies to honey,” Andrew Storms, Director of Security Operations for nCircle, said in a statement to various press outlets.
“Don’t be surprised if we begin to see early exploit code within a week.”
Whether or not exploit code appears within a week, the odds are high that it will be written, and organizations that deferred the patch on the strength of Microsoft’s EI rating will still be exposed when it does.
Another issue experts have taken with this month’s release centers on MS09-004, which addresses flaws in SQL Server, including the zero-day reported by Bernhard Mueller of SEC Consult Vulnerability Lab.
The complaint is that the bulletin is rated Important rather than Critical. The patch fixes a flaw that gives an attacker complete control of the server once they are authenticated to a database, and reports say the need for prior authentication is the reason for the lower severity. In practice, however, most SQL Servers sit behind web applications that connect with their own database credentials, so that authentication already exists: a SQL injection flaw in the web application hands an attacker an authenticated session without a password ever being guessed. Moreover, while rated Important, MS09-004 carries the highest EI rating, level 1, meaning consistent exploit code is likely.
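As an added example (not from the article, and not Microsoft’s bulletin text), the T-SQL below shows the check a DBA would run to see whether a web application’s database login can already reach the extended stored procedure that MS09-004 patches, followed by the interim hardening Microsoft documented for that bulletin: denying EXECUTE on the procedure to public. The login name webapp is an assumed placeholder. The article does not name the procedure; the MS09-004 bulletin identifies it as sp_replwritetovarbin (CVE-2008-5416). The impersonation and permission functions used here exist on SQL Server 2005 and later, not on SQL Server 2000, which the bulletin also covered.

```sql
-- Added example, not from the article. Run in master as a sysadmin on a
-- SQL Server 2005+ instance before the MS09-004 patch is applied.
-- 'webapp' is an assumed placeholder for the login a web application uses.
USE master;
GO

-- 1. Impersonate the web application's login and ask whether it can execute
--    the extended stored procedure MS09-004 fixes. By default any login in
--    the public role could, so a SQL injection bug in the web tier is an
--    authenticated path straight to the vulnerable code.
EXECUTE AS LOGIN = 'webapp';
SELECT SUSER_SNAME() AS running_as,
       HAS_PERMS_BY_NAME('master.dbo.sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
           AS can_execute;   -- 1 = reachable, 0 = blocked
REVERT;
GO

-- 2. Interim hardening documented in the MS09-004 bulletin: remove EXECUTE
--    from public. Members of sysadmin bypass permission checks and can still
--    call the procedure; an injected web session can no longer reach it.
--    Test on a replication-enabled instance before applying in production.
DENY EXECUTE ON dbo.sp_replwritetovarbin TO public;
GO

-- 3. Re-run the check; the web login should now report 0.
EXECUTE AS LOGIN = 'webapp';
SELECT HAS_PERMS_BY_NAME('master.dbo.sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
           AS can_execute_after_deny;
REVERT;
GO

-- 4. Least-privilege audit: list the server-level permissions the web login
--    holds. It should not be a member of sysadmin; ideally it holds only
--    CONNECT SQL, so that a compromised web tier is not a compromised server.
EXECUTE AS LOGIN = 'webapp';
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');
REVERT;
GO
```

The DENY is a stopgap, not a substitute for the patch: it closes the default path from an authenticated low-privilege session to the flaw, which is exactly the path the Important rating assumes an attacker will not have.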
Related to this month’s patches is a new report from BeyondTrust, which examined the 2008 bulletins and drew some interesting conclusions about user privilege levels.
“An examination of all vulnerabilities documented by Microsoft in Security Bulletins issued in 2008 reveals that configuring users to operate without administrator rights enables organizations to mitigate the effects of 92% of Critical Microsoft vulnerabilities. Furthermore, by removing administrator rights companies will harden their endpoint security against the exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities. Of the total published vulnerabilities, 69% are mitigated by removing administrator rights.”