Every "Microsoft Tuesday" the RISK Team reviews the Security Bulletins released by Microsoft and the vulnerabilities addressed by each of them. The goal is to provide recommendations on patch strategies and target dates for each bulletin. We strive to reduce the pressure and stress caused by updates by offering feasible and achievable timelines. The majority of the patches receive a recommendation of 90 days, which we believe falls within most enterprises' scheduled patch cycle.
Our targets may differ from Microsoft's recommendations, and frequently do. The major reason for a lower sense of urgency on our side is the luxury of understanding our customers' environments and knowing that baseline security practices are in place. For example, when a vulnerability in Remote Desktop Protocol (RDP) is discovered and then addressed by Microsoft, their recommendation must be written with the assumption that RDP is present in a given environment, open to the Internet, and has no other compensating controls in place to reduce the risk of exploitation. We base our recommendations on the assumption that basic security practices are in place, such as firewalls protecting the Internet perimeter and the elimination of non-essential Internet-facing services.
I thought it would be interesting to look at all of the bulletins released in 2012 and compare them to the prior year. We can begin by simply comparing the number of security bulletins released per year and the number of vulnerabilities addressed.
In 2011, 100 Security Bulletins were released, addressing 212 vulnerabilities. 2012 was similar (which will be a recurring theme in this post) with 83 bulletins and 191 vulnerabilities. Looking at monthly patch counts is a little more interesting, with 2011 having a couple of "hot" months and 2012 showing more consistency in the number of patches released month to month.
Our time-to-patch recommendations fall into one of these categories: 7 days, 30 days, 90 days, or next Service Pack / major OS upgrade. The breakdowns for 2011 and 2012 are remarkably close.
Continuing my quest to find something dissimilar between the two years, each bulletin was labeled with the potential impact(s) of the underlying vulnerabilities. The potential impacts were broken out into the following groups:
- Remote Code Execution with user privileges (RCE-U)
- Remote Code Execution with SYSTEM privileges (RCE-P)
- Denial of Service (DoS)
- Privilege Escalation (PrivEsc)
- Information Disclosure (Info Dis)
Again we see very similar percentages in the two data sets, with a reduction in the number and percentage of vulnerabilities that would result in privileged code execution as the only significant change.
It should be noted that there is not a one-to-one correlation between Security Bulletins and impacts; a single patch can address numerous issues with differing impacts. Also, exploitation attempts of Remote Code Execution vulnerabilities could result in a Denial of Service condition if the device crashes. Only vulnerabilities that specifically cited DoS as a likely result were counted.
The final set of metrics collected focused on the types of vulnerabilities addressed in 2011 and 2012. Month to month there are some categories of vulnerabilities that are consistently present. Cumulative Internet Explorer patches can be expected about every other month and were actually a bit more prevalent in 2012. Microsoft Office file-parsing vulnerabilities, which could be exploited via a malicious Excel, Word, PowerPoint, or other file type, have also been mainstays in the monthly patch releases. In both 2011 and 2012, sixteen percent of bulletins included one or more Office file-parsing vulnerabilities.
The chart below shows the percent of bulletins that addressed vulnerabilities in each of the categories; again, a single bulletin can have several of these associated with it. I also included a category of "browser", which captures any vulnerability that could use the web browser as the attack vector. We typically treat these very carefully, and browser-exploitable issues are responsible for most of the accelerated (30 days and less) patch recommendations. There are several more specific categories shown that collectively make up a large percentage of all browser-exploitable vulnerabilities. Cumulative and XAML issues, as well as others, are double counted in this chart, once for the more specific issue and again in the browser-exploitable category. A quarter of bulletins in both 2011 and 2012 could be exploited via a malicious page visit.
- Office File Parse: Vulnerabilities exploited by tricking or enticing the victim into opening a malicious Office document.
- Image Parse: Vulnerabilities exploited by viewing crafted, malicious images.
- DLL Preload: Triggered if a user opens a particular file located in the same directory as a malicious .dll that is loaded in place of the legitimate library. First discovered in 2000, yet no known widespread exploitation has been associated with this type of issue.
- Cumulative: Internet Explorer-specific bulletin; will typically have one or more memory corruption weaknesses that could result in code execution.
- Browser exploit: Bulletin features vulnerabilities that could be exploited via a web browser if a malicious page is viewed. No additional user interaction would be necessary.
- FontParse: Vulnerabilities that can be triggered by parsing a malicious font. Many of these
- J/VB: script (JavaScript or Visual Basic) vulnerabilities.
- Kernel: Vulnerabilities associated with the kernel or kernel drivers.
- XAML: Vulnerabilities exploitable by launching a malicious XAML browser application; these are browser exploitable by definition.
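The tally described above, as an added example that is not part of the original post: a short Python script that computes the percent of bulletins per impact and per category from a constructed set of bulletin records, counting a bulletin once for each label it carries and adding the "Browser" category whenever a Cumulative or XAML category is present, so the overlap and the double counting described above show up in the numbers rather than being explained away in prose. The bulletin IDs and their labels are made up for illustration, and treating only Cumulative and XAML as browser-implying is taken from the post; anything beyond that would be an assumption.

```python
"""Tally Patch Tuesday bulletins by impact and vulnerability category.

Added example, not from the original post. The bulletin records below are
constructed for illustration; the IDs are not real Microsoft bulletin
numbers.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Categories the post says are browser exploitable by definition. A bulletin
# carrying one of these is also counted under "Browser" (double counting).
BROWSER_IMPLYING: Set[str] = {"Cumulative", "XAML"}

# Constructed sample data: one record per bulletin, each with one or more
# impacts (RCE-U, RCE-P, DoS, PrivEsc, Info Dis) and one or more categories.
SAMPLE_BULLETINS: List[Dict] = [
    {"id": "B-01", "impacts": {"RCE-U"}, "categories": {"Cumulative"}},
    {"id": "B-02", "impacts": {"RCE-U"}, "categories": {"Office File Parse"}},
    {"id": "B-03", "impacts": {"RCE-P", "DoS"}, "categories": {"Kernel", "FontParse", "Browser"}},
    {"id": "B-04", "impacts": {"PrivEsc"}, "categories": {"Kernel"}},
    {"id": "B-05", "impacts": {"RCE-U"}, "categories": {"XAML"}},
    {"id": "B-06", "impacts": {"Info Dis"}, "categories": {"J/VB", "Browser"}},
    {"id": "B-07", "impacts": {"RCE-U"}, "categories": {"DLL Preload"}},
    {"id": "B-08", "impacts": {"RCE-U"}, "categories": {"Image Parse", "Browser"}},
]


def normalize_categories(bulletin: Dict) -> Set[str]:
    """Return the bulletin's categories, adding 'Browser' when a
    browser-implying category (Cumulative, XAML) is present."""
    cats = set(bulletin["categories"])
    if cats & BROWSER_IMPLYING:
        cats.add("Browser")
    return cats


def percent_of_bulletins(bulletins: Iterable[Dict], key: str) -> Dict[str, float]:
    """Percent of bulletins carrying each label under `key` ('impacts' or
    'categories'). A bulletin with several labels is counted once per label,
    so the percentages deliberately sum to more than 100 when labels overlap.
    """
    bulletins = list(bulletins)
    total = len(bulletins)
    counts: Counter = Counter()
    for b in bulletins:
        labels = normalize_categories(b) if key == "categories" else set(b[key])
        counts.update(labels)
    return {label: round(100.0 * n / total, 1) for label, n in counts.items()}


def browser_exploitable_share(bulletins: Iterable[Dict]) -> float:
    """Percent of bulletins that could be exploited via a malicious page visit."""
    return percent_of_bulletins(bulletins, "categories").get("Browser", 0.0)


def accelerated_candidates(bulletins: Iterable[Dict]) -> List[str]:
    """IDs of browser-exploitable bulletins: the set that, per the post, gets a
    closer look for an accelerated (30 days or less) recommendation. Which of
    them actually receive it is an analyst decision, not computed here."""
    return [b["id"] for b in bulletins if "Browser" in normalize_categories(b)]


if __name__ == "__main__":
    for key in ("impacts", "categories"):
        print(f"Percent of bulletins per {key}:")
        for label, pct in sorted(percent_of_bulletins(SAMPLE_BULLETINS, key).items()):
            print(f"  {label:18s} {pct:5.1f}%")
    print("Browser-exploitable share:", browser_exploitable_share(SAMPLE_BULLETINS))
    print("Accelerated-review candidates:", accelerated_candidates(SAMPLE_BULLETINS))
```

Because a bulletin is counted once per label, the impact percentages for the sample sum to 112.5 rather than 100 (B-03 carries both RCE-P and DoS), which is the same effect the post warns about when it notes there is no one-to-one correlation between bulletins and impacts.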
All in all, there were no show-stoppers to report after looking into the last two years of "Microsoft Tuesday" patches. The absence of the pattern of an easy month followed by a hard month (in terms of patches to address) was a notable and welcome change in 2012. I will continue to track vulnerability categories and other metrics this year, and while I would not expect any major changes in 2013, it will be interesting to see if the first full year of significant implementation of Windows 8 produces anything noteworthy.