BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Patch Tuesday – November 2011

Posted November 8, 2011    Chris Silva

This month Microsoft released four security bulletins, patching a total of four vulnerabilities. Included in this month’s bulletins is a particularly ugly vulnerability in tcpip.sys (MS11-083). This vulnerability involves sending a large amount of UDP packets to a closed port. While the amount of work to exploit seems great and Microsoft feels that exploitation will prove unreliable, the reward is high – remote unauthenticated code execution within the kernel. To prevent exploitation, firewall all unused UDP ports at the perimeter, and install the patch as soon as possible.

Not patched this month is the zero-day vulnerability leveraged by Duqu. Last Thursday, Microsoft released a security advisory (2639658) outlining the vulnerability and providing a workaround. Microsoft is already working on a fix, but they did state in advance it would not be ready in time for this patch Tuesday. Given the amount of press that Duqu has received, we’ll see if Microsoft waits until December to patch this or if they release an out-of-band fix sometime this month.

Join us tomorrow for another edition of the Vulnerability Expert Forum (VEF). Marc Maiffret and the eEye Research Team will be talking about today’s security bulletins as well as other security related topics and issues.

Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

Here are this month’s recommendations from the eEye Research Team:

Deploy Immediately

MS11-083 – Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, any unused UDP ports should be blocked at the external firewall.

Deploy As Soon As Possible

MS11-085 – Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-086 – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, remove the user account that is associated with the revoked certificate. Also, use LDAPS along with IPsec-based connections that are in “Always check CRL” mode.

Deploy At Earliest Convenience

MS11-084 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
Recommendation: Deploy patches at the earliest convenience. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and disable both the Preview and Details Pane in Windows Explorer.

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,