BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Patch Tuesday – November 2011

Posted November 8, 2011    Chris Silva

This month Microsoft released four security bulletins, patching a total of four vulnerabilities. Included in this month’s bulletins is a particularly ugly vulnerability in tcpip.sys (MS11-083). This vulnerability involves sending a large amount of UDP packets to a closed port. While the amount of work to exploit seems great and Microsoft feels that exploitation will prove unreliable, the reward is high – remote unauthenticated code execution within the kernel. To prevent exploitation, firewall all unused UDP ports at the perimeter, and install the patch as soon as possible.

Not patched this month is the zero-day vulnerability leveraged by Duqu. Last Thursday, Microsoft released a security advisory (2639658) outlining the vulnerability and providing a workaround. Microsoft is already working on a fix, but they did state in advance it would not be ready in time for this patch Tuesday. Given the amount of press that Duqu has received, we’ll see if Microsoft waits until December to patch this or if they release an out-of-band fix sometime this month.

Join us tomorrow for another edition of the Vulnerability Expert Forum (VEF). Marc Maiffret and the eEye Research Team will be talking about today’s security bulletins as well as other security related topics and issues.

Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

Here are this month’s recommendations from the eEye Research Team:

Deploy Immediately

MS11-083 – Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, any unused UDP ports should be blocked at the external firewall.

Deploy As Soon As Possible

MS11-085 – Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-086 – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, remove the user account that is associated with the revoked certificate. Also, use LDAPS along with IPsec-based connections that are in “Always check CRL” mode.

Deploy At Earliest Convenience

MS11-084 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
Recommendation: Deploy patches at the earliest convenience. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and disable both the Preview and Details Pane in Windows Explorer.

Leave a Reply

Additional articles

VMware Hardening Guidelines-img3

How to Audit VMware ESX and ESXi Servers Against the VMware Hardening Guidelines with Retina CS

Posted February 27, 2015    BeyondTrust Research Team

Retina CS Enterprise Vulnerability Management has included advanced VMware auditing capabilities for some time, including virtual machine discovery and scanning through a cloud connection, plus the ability to scan ESX and ESXi hosts using SSH. However, in response to recent security concerns associated with SSH, VMware has disabled SSH by default in its more recent…

Tags:
, , , ,
dave-shackleford-headshot

Privileged Passwords: The Bane of Security Professionals Everywhere

Posted February 19, 2015    Dave Shackleford

Passwords have been with us since ancient times. Known as “watchwords”, ancient Roman military guards would pass a wooden tablet with a daily secret word engraved from one shift to the next, with each guard position marking the tablet to indicate it had been received. The military has been using passwords, counter-passwords, and even sound…

Tags:
, , ,
Privileged Account Management Process

In Vulnerability Management, Process is King

Posted February 18, 2015    Morey Haber

You have a vulnerability scanner, but where’s your process? Most organizations are rightly concerned about possible vulnerabilities in their systems, applications, networked devices, and other digital assets and infrastructure components. Identifying vulnerabilities is indeed important, and most security professionals have some kind of scanning solution in place. But what is most essential to understand is…

Tags:
, , , , ,