Reaction to MS08-067

Last week Microsoft published Security Bulletin MS08-067. This bulletin describes a vulnerability in the Windows Server service, affecting Windows 2000, XP, Vista, Server 2003 and Server 2008. The flaw is triggered by a specially crafted RPC request that arrives over SMB (TCP 139/445), and on Windows 2000, XP and Server 2003 it can be exploited without any authentication at all, which is what makes it so dangerous on a flat internal network (on Vista and Server 2008 an attacker needs valid credentials by default, so Microsoft rates it Important there rather than Critical).

Microsoft have also released a corresponding “out-of-band” (i.e., not contained in the monthly batch of updates) update in the shape of KB958644. The update is available from Microsoft Update.

Novosco are actively encouraging all of our customers to deploy the update as soon as possible, on all Windows hosts, clients and servers alike. You can do so by visiting the Microsoft Update website, by deploying it with Windows Server Update Services, or with some other 3rd party deployment tool. If a host genuinely can't be patched yet, the workarounds Microsoft list in the bulletin are to block TCP 139 and 445 at the firewall or to disable the Server and Computer Browser services, but neither is a substitute for the update and both will break file and print sharing on that host.
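Before you push the update, and again afterwards, it's worth knowing exactly which hosts still need it. The following PowerShell sweep is an added example of mine, not part of the original post or anything Microsoft ship. It checks each host three ways: whether KB958644 appears in the installed-hotfix list, the actual file version of netapi32.dll (the DLL the update replaces), and when Automatic Updates last installed anything, which is what catches the "hasn't been updated in 8 months" laptop. It assumes you are a local administrator on the targets and that WMI and the C$ admin share are reachable; the host names are placeholders, and the minimum netapi32.dll versions are my reading of the file information table in KB958644 and should be verified against the KB before you rely on them.

```powershell
# Added example, not from the original post: sweep Windows hosts for MS08-067 / KB958644 status.
# Assumptions: you are a local administrator on each target; WMI (RPC) and the C$ admin share
# are reachable. Note that the admin share uses the same TCP 445 path the vulnerability does,
# so a host you have firewalled as a workaround will show up here as "Unreachable".
# Host names are placeholders; replace them with your own list or read them from a file.

$targets = @('LAPTOP-01', 'FILESRV-01', 'DC-01')

# Minimum fixed netapi32.dll version per servicing branch, as read from the file information
# table in KB958644. Verify against the KB before relying on them. Hotfix (LDR) branch builds
# are not distinguished here, so the KB958644 hotfix entry is treated as the authoritative check.
function Get-FixedNetapiVersion([Version]$v) {
    switch ("$($v.Major).$($v.Minor).$($v.Build)") {
        '5.0.2195' { [Version]'5.0.2195.7203' }                                   # Windows 2000 SP4
        '5.1.2600' { if ($v.Revision -lt 5000) { [Version]'5.1.2600.3462' }       # XP SP2
                     else                      { [Version]'5.1.2600.5694' } }     # XP SP3
        '5.2.3790' { if ($v.Revision -lt 4000) { [Version]'5.2.3790.3229' }       # Server 2003 SP1
                     else                      { [Version]'5.2.3790.4392' } }     # Server 2003 SP2
        '6.0.6001' { [Version]'6.0.6001.18157' }                                  # Vista SP1 / Server 2008
        default    { $null }
    }
}

function Test-MS08067([string]$computer) {
    $result = "" | Select-Object Computer, KB958644, NetapiVersion, FixedVersion, LastWUInstall, Verdict
    $result.Computer = $computer
    try {
        # 1. Does the host list the hotfix? QFE can lag or miss entries on 2000/XP,
        #    so on its own this is not enough to declare a host patched.
        $qfe = Get-WmiObject Win32_QuickFixEngineering -ComputerName $computer -Filter "HotFixID='KB958644'"
        $result.KB958644 = [bool]$qfe

        # 2. Version of the vulnerable DLL, read over the admin share. Windows 2000 uses \WINNT,
        #    so take the system directory from WMI rather than assuming \WINDOWS.
        $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $computer
        $dll = "\\$computer\" + $os.SystemDirectory.Replace(':', '$') + '\netapi32.dll'
        $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll)
        $ver = [Version]"$($fvi.FileMajorPart).$($fvi.FileMinorPart).$($fvi.FileBuildPart).$($fvi.FilePrivatePart)"
        $result.NetapiVersion = $ver
        $result.FixedVersion  = Get-FixedNetapiVersion $ver

        # 3. When did Automatic Updates last install anything? Read via the remote registry
        #    provider; 2147483650 is HKEY_LOCAL_MACHINE.
        $hklm = [uint32]2147483650
        $reg  = [WmiClass]"\\$computer\root\default:StdRegProv"
        $key  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
        $result.LastWUInstall = ($reg.GetStringValue($hklm, $key, 'LastSuccessTime')).sValue

        if ($result.KB958644 -or ($result.FixedVersion -and $ver -ge $result.FixedVersion)) {
            $result.Verdict = 'Patched'
        } elseif ($result.FixedVersion) {
            $result.Verdict = 'VULNERABLE'
        } else {
            $result.Verdict = 'Unknown build - check manually'
        }
    } catch {
        $result.Verdict = "Unreachable: $($_.Exception.Message)"
    }
    $result
}

$report = $targets | ForEach-Object { Test-MS08067 $_ }
$report | Format-Table -AutoSize
# Hand the stragglers to whoever owns them; anything not "Patched" needs a follow-up.
$report | Where-Object { $_.Verdict -ne 'Patched' } | Export-Csv ms08-067-todo.csv -NoTypeInformation
```

A host that reports "Unreachable" is not good news either: it is either off the network (the laptop at home) or has its firewall up, and in both cases you still don't know whether it's patched, so treat it as vulnerable until it checks in. The DLL version is the check I trust; the hotfix list is there because it is cheap and catches hosts where the file check can't run.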

But why all the fuss? Well, this particular vulnerability is wormable - meaning that potentially (more on “potentially” later) it can be exploited by a worm, i.e., self-replicating malicious code that seeks out vulnerable hosts over the network and infects them without any help from the user, from your laptop while you’re writing your blog post…

Talking about worms in this way takes me back to those bygone halcyon days when Windows anti-virus was “optional”, host-based firewalls were unheard of and the only reason to use a firewall in the enterprise was to take advantage of its NAT capabilities rather than fork out for expensive publicly routable IP addresses for your network. It was also the time before we had all deployed WSUS or some other automatic update solution. Right?

Wrong! Even though we now have written policies requiring that laptops have host-based firewalls and AV, and we have fancy UTM devices at the network perimeter, all too often we still have the problem that updates are being ignored. Consider this situation: a user goes home with their company laptop (which hasn’t been updated in the last 8 months) and browses the web for a while from their home internet connection. Because Internet Explorer hasn’t been patched they get burned by some browser exploit which drops a Trojan containing code that in turn exploits the MS08-067 vulnerability on any host it can reach over SMB. The user didn’t really do anything wrong, wasn’t a local administrator (which doesn’t help much here: the Trojan only needs to send network traffic, and the code it runs inside each victim’s Server service runs as SYSTEM) and knows nothing of the infection. Next day they plug their laptop into the corporate network and, while they’re at the coffee machine ten minutes later, they see the IT admins running past on their way to the server room because the “whole network’s down!!!!”.

Update management would have saved that company on two counts. The first is by patching the user’s laptop: with the browser hole closed, the malicious code wouldn’t have got onto it in the first place. The second: even if the laptop hadn’t been patched (say the user was off work for a while and got infected anyway), the servers would have been patched and wouldn’t have been vulnerable, so you’d have had one infected laptop to clean up rather than a network-wide outage.

That example’s a bit simplified; certainly a layered security solution of best practices, AV and UTM would have helped too. But I think it serves to get the message across: the fuss surrounding this update is symptomatic of a bigger problem.

Now I put “potentially” in quotes above for a reason: there is no worm exploiting this vulnerability (that we know of, yet). Right now there is, however, a recognisable Trojan which is being used in targeted attacks, and there’s publicly available exploit code in the wild, which means you can bet that VXers (virus writers) are beavering away trying to develop a suitable worm. So you have a choice: patch now or don’t. You can choose not to and give me the old excuses about the risks of deploying patches (breaking applications etc.), but that’s why Microsoft genuinely recommend that you test their updates against your applications, and if you’re really that worried you should seriously think about a test environment. If (maybe when) the worm hits and you get burned, I’ll try not to say “I told you so”.

Remember folks - “Proactive patching is better than reactive repair”.