Wednesday, September 9, 2009

Critical Patch Tuesday Misses Serious Hole in FTP

Microsoft has confirmed an active FTP attack against Windows servers that is not included in the five critical advisories issued on Patch Tuesday. Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2 are vulnerable. Microsoft's patches focus on eight Windows vulnerabilities, some requiring a restart.


Before the dust even settled on Patch Tuesday, Microsoft confirmed a bug in several versions of its Windows operating system that could leave the door open to malicious hackers. Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2 are vulnerable.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory said. "Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

Microsoft confirmed that hackers are actively using exploits of the FTP bug to attack Web servers. Until a patch is available, Microsoft recommends users disable SMB 2 by editing the Windows Registry or blocking TCP ports 139 and 445 at the firewall. However, this workaround disables the browser and several other applications.

Patch Tuesday Review

Beyond the unexpected Patch Tuesday drama, Microsoft released five critical advisories to address eight vulnerabilities. The focus is on the Windows operating system family, and all versions are affected except Windows 7. There are critical vulnerabilities in the JavaScript engine, the wireless LAN autoconfig service, Windows Media, Windows TCP/IP, and the DHTML ActiveX editing component.

Of the five critical patches, two will require mandatory restarts, causing some level of disruption within the enterprise, according to Paul Henry, Lumension security and forensic analyst. Leading the pack this month, however, is Microsoft Vista with four critical vulnerabilities.

"This brings up an interesting situation, as Windows 7 and Windows 2008 R2 were released to manufacturing (RTM) early last month, which means many Microsoft partners and corporate customers will have started using and evaluating these two new platforms," Henry said. "These early adopters are covered this month as Microsoft has identified these new platforms as non-affected for all five September updates."

Shaking Consumer Confidence

Microsoft hasn't seen a serious bug in its TCP/IP stack in a long time, so it's pretty likely this is the exploit most people will focus on, according to Andrew Storms, director of security operations at nCircle. Because it follows on the heels of the new zero-day vulnerability, he said, it will shake consumer confidence in the integrity of Microsoft's networking stack.

"The bugs to focus on this month are the three critical Internet Explorer flaws," Storms said. "All three are critical and two of the three carry an exploit index of one -- indicating reliable exploit code is probable within 30 days. All of these bugs are especially dangerous because they lend themselves to drive-by exploits where an unsuspecting user only has to visit a Web site to be infected."

Again this month there is a mix of client-side attacks, including a couple of drive-by attacks, noted Tyler Reguly, a senior security engineer at nCircle, and these will most likely be used as ammo in the "IE6 Must Die" campaign.

"IE8 appears to include several mitigations that older versions of IE don't have, so it would be recommended that anyone who hasn't yet moved to it upgrade as soon as possible," Reguly said. "Companies with many road warriors using corporate laptops should review their policies to ensure proper security and encryption is in place on files stored on the laptops. MS09-049 is going to introduce serious risk for these road warriors, especially if they are away for extended periods of time without regular patching."

Sci Tech Today