BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Patch Tuesday – November 2011

Posted November 8, 2011    Chris Silva

This month Microsoft released four security bulletins, patching a total of four vulnerabilities. Included in this month’s bulletins is a particularly ugly vulnerability in tcpip.sys (MS11-083). This vulnerability involves sending a large amount of UDP packets to a closed port. While the amount of work to exploit seems great and Microsoft feels that exploitation will prove unreliable, the reward is high – remote unauthenticated code execution within the kernel. To prevent exploitation, firewall all unused UDP ports at the perimeter, and install the patch as soon as possible.

Not patched this month is the zero-day vulnerability leveraged by Duqu. Last Thursday, Microsoft released a security advisory (2639658) outlining the vulnerability and providing a workaround. Microsoft is already working on a fix, but they did state in advance it would not be ready in time for this patch Tuesday. Given the amount of press that Duqu has received, we’ll see if Microsoft waits until December to patch this or if they release an out-of-band fix sometime this month.

Join us tomorrow for another edition of the Vulnerability Expert Forum (VEF). Marc Maiffret and the eEye Research Team will be talking about today’s security bulletins as well as other security related topics and issues.

Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

Here are this month’s recommendations from the eEye Research Team:

Deploy Immediately

MS11-083 – Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, any unused UDP ports should be blocked at the external firewall.

Deploy As Soon As Possible

MS11-085 – Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-086 – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, remove the user account that is associated with the revoked certificate. Also, use LDAPS along with IPsec-based connections that are in “Always check CRL” mode.

Deploy At Earliest Convenience

MS11-084 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
Recommendation: Deploy patches at the earliest convenience. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and disable both the Preview and Details Pane in Windows Explorer.

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,