Security in Context: The BeyondTrust Blog

Microsoft Patch Tuesday – November 2011

Posted November 8, 2011    Chris Silva

This month Microsoft released four security bulletins, patching a total of four vulnerabilities. Included in this month’s bulletins is a particularly ugly vulnerability in tcpip.sys (MS11-083). This vulnerability involves sending a large number of UDP packets to a closed port. While the amount of work required to exploit it seems great and Microsoft feels that exploitation will prove unreliable, the reward is high – remote, unauthenticated code execution within the kernel. To prevent exploitation, firewall all unused UDP ports at the perimeter and install the patch as soon as possible.

Not patched this month is the zero-day vulnerability leveraged by Duqu. Last Thursday, Microsoft released a security advisory (2639658) outlining the vulnerability and providing a workaround. Microsoft is already working on a fix, but they did state in advance that it would not be ready in time for this Patch Tuesday. Given the amount of press that Duqu has received, we’ll see if Microsoft waits until December to patch this or if they release an out-of-band fix sometime this month.

Join us tomorrow for another edition of the Vulnerability Expert Forum (VEF). Marc Maiffret and the eEye Research Team will be talking about today’s security bulletins as well as other security-related topics and issues.

Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

Here are this month’s recommendations from the eEye Research Team:

Deploy Immediately

MS11-083 – Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, any unused UDP ports should be blocked at the external firewall.

Deploy As Soon As Possible

MS11-085 – Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-086 – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, remove the user account that is associated with the revoked certificate. Also, use LDAPS along with IPsec-based connections that are in “Always check CRL” mode.

Deploy At Earliest Convenience

MS11-084 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
Recommendation: Deploy patches at the earliest convenience. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and disable both the Preview and Details Pane in Windows Explorer.
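The following PowerShell script is an added example, not code from the BeyondTrust post or the eEye Research Team. It checks whether the four KBs listed above are installed and, only while a patch is missing, reports (or with -Apply puts in place) the host-level counterparts of the interim workarounds the post gives: an explicit inbound block rule for every UDP port the host does not serve (MS11-083, the perimeter advice above applied on the host), an inbound block on TCP 139 and 445, and disabling the WebClient service (MS11-084/085). The KB numbers come from the post; the firewall rule names, the sample allowed-UDP-port list, and the assumption that netsh exits non-zero when no rule matches a name are this example's own.

```powershell
# Added example (not from the BeyondTrust post). Report-only by default; -Apply makes changes.
# Assumes Windows 7 / Server 2008 R2 era tooling: PowerShell 2.0, netsh advfirewall, WMI.
# Run from an elevated prompt.
param(
    [switch]$Apply,
    # UDP ports this host legitimately serves; every other UDP port gets an explicit inbound
    # block rule. Constructed sample list (DNS, DHCP client); set it per host role.
    [int[]]$AllowedUdpPorts = @(53, 68)
)

# Bulletin -> KB number, as given in the post.
$Bulletins = @{
    'MS11-083' = 'KB2588516'
    'MS11-084' = 'KB2617657'
    'MS11-085' = 'KB2620704'
    'MS11-086' = 'KB2630837'
}

function Test-PatchInstalled([string]$Kb) {
    # Get-HotFix reads Win32_QuickFixEngineering; an absent KB yields nothing, so cast to bool.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-BlockedUdpRanges([int[]]$Allowed) {
    # Complement of the allow-list in the form netsh localport accepts, e.g. "1-52,54-67,69-65535".
    $ranges = @()
    $start = 1
    foreach ($p in ($Allowed | Sort-Object -Unique)) {
        if ($p -gt $start) {
            $ranges += $(if (($p - 1) -eq $start) { "$start" } else { "$start-$($p - 1)" })
        }
        $start = $p + 1
    }
    if ($start -le 65535) {
        $ranges += $(if ($start -eq 65535) { '65535' } else { "$start-65535" })
    }
    return ($ranges -join ',')
}

function Set-BlockRule([string]$Name, [string]$Protocol, [string]$Ports) {
    # Idempotent: assumes netsh exits non-zero when no rule matches the given name.
    $null = netsh advfirewall firewall show rule name="$Name" 2>$null
    if ($LASTEXITCODE -eq 0) { return "present: $Name" }
    if (-not $Apply) { return "would add: $Name (inbound $Protocol $Ports)" }
    $null = netsh advfirewall firewall add rule name="$Name" dir=in action=block protocol=$Protocol localport="$Ports"
    return "added: $Name"
}

function Disable-WebClientService {
    # WMI rather than Get-Service because PowerShell 2.0 service objects expose no start mode.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { return 'WebClient: service not present' }
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') { return 'WebClient: already disabled' }
    if (-not $Apply) { return "WebClient: would disable (currently $($svc.StartMode)/$($svc.State))" }
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
    return 'WebClient: disabled and stopped'
}

function Invoke-NovemberBulletinChecks {
    $lines = @()
    $missing = @()
    foreach ($b in ($Bulletins.Keys | Sort-Object)) {
        $ok = Test-PatchInstalled $Bulletins[$b]
        if (-not $ok) { $missing += $b }
        $lines += ('{0} ({1}): {2}' -f $b, $Bulletins[$b], $(if ($ok) { 'installed' } else { 'MISSING' }))
    }
    # Workarounds from the post, considered only while the corresponding patch is absent.
    if ($missing -contains 'MS11-083') {
        $lines += Set-BlockRule 'BT-MS11-083-unused-udp' 'UDP' (Get-BlockedUdpRanges $AllowedUdpPorts)
    }
    if (($missing -contains 'MS11-084') -or ($missing -contains 'MS11-085')) {
        $lines += Set-BlockRule 'BT-MS11-084-085-smb' 'TCP' '139,445'
        $lines += Disable-WebClientService
        # The remaining MS11-084/085 steps (Explorer Preview/Details panes, DLL loads from WebDAV
        # and remote shares) and the MS11-086 directory changes are left to the operator.
    }
    return $lines
}

Invoke-NovemberBulletinChecks | ForEach-Object { Write-Output $_ }
```

Windows Firewall evaluates block rules ahead of allow rules, so the explicit UDP block rule overrides any existing allow rule for those ports even when the default inbound policy is already restrictive. The script adds rules but never removes them; once Get-HotFix reports the KB as installed, delete the BT-MS11-* rules and re-enable WebClient where it is needed, since the post presents all of these only as stopgaps until the patches are deployed.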
