Regular readers of our Update Tuesday Wrap-ups, along with regular listeners to the Chet Chat podcast, will know that we don’t like zooming in too keenly on any one security bulletin.
Our reason is that if you become too focused on one vulnerability, you are likely to lose sight of (or to put off until another day) all the other monthly fixes.
So you might end up with a false sense of security because you’ve patched the big hole, but left all the other nearly-but-not-quite-so-big holes wide open.
Also, there’s the problem that exploits can often be abused in pairs, for example by combining a critical hole such as remote code execution with an escalation of privilege hole that sounds much less serious if you consider it on its own.
That sort of exploit combination can be deadly, because a crook can get in, albeit only with limited access rights, and then go up, finishing off his attack with SYSTEM privileges.
That is as good as taking over your computer entirely.
→ In the recent PWN2OWN competition in Vancouver, 11 attacks against the Big Four browsers plus Adobe’s plugins produced 10 succesful compromises. In 4 of those, the attackers ended up with SYSTEM powers. In a nice demonstration of comparative value, promoting yourself to SYSTEM meant an immediate bonus prize of $25,000.
Having said all that, this month’s we’re breaking with our own tradition.
Do this one first
We’ll start off short and straight: if you only apply one patch, or are keen to find one to lead off with, make it MS15-034.
That bug is described rather blandly by Microsoft as:
Vulnerability in HTTP.sys Could Allow Remote Code Execution.
But the big parts of the story are:
• 1 This isn’t an IIS bug, so it doesn’t apply only to IIS servers.
As far as we can see, the bug affects pretty much any Windows software that uses Microsoft’s HTTP stack to respond to HTTP requests, whether that software runs on desktops, laptops or servers.
All sorts of software could fall into that category: custom company messaging systems; data loggers; configuration agents; peer-to peer-tools; heck, even an existing malware infection!
• 2 The bug allows remote code execution.
• 3 The bug can be triggered with an innocent-looking HTTP request from outside your network.
That means that the bug could, in theory, be turned into a true network worm like the Morris Internet Worm or SQL Slammer.
Those worms spread without having to wait for users to do anything such as clicking a web link or opening an attachment.
• 4 The bug is in a kernel component, and a successful exploit gives the attacker SYSTEM privileges.
As explained above, that is as good as taking over your computer entirely.
• 5 Even Server Core is affected.
• 6 Proof of Concept (PoC) exploit code can already be found on the internet.
The proof of concept we’ve seen doesn’t actively attempt to exploit the bug and do anything deliberately malicious.
But reports say that a probe by the PoC does actually trigger a buffer overflow, which could be distracting and time-consuming when you review your logs.
(You do review your logs regularly. Don’t you?)
Special mitigation for IIS
If you have an IIS server, you can shield it from harm even before you apply the M15-034 update, using a workaround published by Microsoft:
Disable IIS kernel caching. This workaround is specific to IIS and can cause performance issues.
Note that kernel caching is enabled by default in IIS 7 and later.
What about the rest?
There are 10 other security updates from Microsoft this month, including the usual Cumulative Security Update for Internet Explorer; two of those fixes, including the IE update, close other remotely exploitable holes.
There’s also a new version of Flash from Adobe, fixing 22 CVE-numbered security bugs, including remote code execution holes.
So we think you should apply all those updates as well.
But if you are searching for one patch to lead off with, make it MS15-034.
If nothing else, you can expect a sea of probes over the next few days, as inquisitive “researchers” find the PoC and set it loose to see what happens.
In short: patch early, patch often; but in the case of MS15-034, patch NOW.
Matt Pardo
Seems like this one would have been an out-of-band patch. Thanks for the info!
LindaB
It was included in the critical updates notified on Wednesday in the UK.
Akos
Can Sophos UTM Webserver Protection already protect against this?
alex
Install today new updates on standalone 2012 server with ISCSI connection to SAN storages, server running AppAssure backup software.
After installing and rebooting server, ISCSI drive became readonly and backup software stop working.
Fix this problem using diskpart command.
Check with dell support and they did not find any problems with hardware or software.
Please let me know if anyone else get the same problems.
I run this updates on 2003, 2008 and 2012 server without any problems, but backup server is only one that had ISCI connection.
loadtest
Why is SYSTEM such a big deal? If you can manage to get out of the sandbox or virtualization environment, you’re already sitting on an administrator account in Admin Approval Mode. All you need from there is the Debug privilege and an NTLM token for SYSTEM, which more than a handful of Windows services use.
As though that’s not bad enough, Microsoft’s implementation of Kerberos ensures continued access to any account on the machine even if all the passwords are changed.