Microsoft has issued its routine advance notification for the coming week’s Patch Tuesday.
As usual, the “pre-announcement” is a bit like a bikini: interesting more for what it conceals than what it reveals.
Nevertheless, there’s enough to make sure you’re ready for Tuesday 09 April 2013 (or Wednesday, of course, if you live at the longitude of about Thailand or further east).
This month’s nine updates don’t sound too onerous, with just two at critical level and the remaining seven important, but the critical ones affect Internet Explorer (IE) and Windows itself, and the IE fix will require a reboot.
Just so you know.
Importantly, the IE update applies to all supported versions of the browser, from IE 6 to IE 10, on all supported versions of Windows, from XP and Server 2003 to Eight and Server 2012, in both 32-bit and 64-bit flavours.
Server Core installs, happily, aren’t affected by either of the two critical flaws.
→ Internet Explorer isn’t part of a Core install, which doesn’t support GUI applications for safety’s sake. This reduces your attack surface area tremendously and you should go for a Server Core installation whenever you can.
As you may have seen, there has been plenty of speculation that the critical updates will include patches for the IE vulnerabilities exploited in the recent PWN2OWN competition.
Mozilla and Google triumphantly rushed out patches to the holes in Firefox and Chrome that were found at PWN2OWN, closing down the vulnerabilities within 24 hours.
As we remarked at the time, this certainly threw down the patching gauntlet to Microsoft, though we also pointed out that:
Redmond, to be fair, has many more products with much more complex inter-relationships to juggle than Mozilla, and even Google.
With the PWN2OWN rules this year requiring responsible disclosure, meaning that winners had to reveal their attacks to the affected vendors and allow time for a considered and tested fix, it wasn’t actually necessary for Microsoft to rush.
If Redmond’s security team does fix IE’s PWN2OWN bugs on its official April patch day, it will in my opinion have done a timely job, but until Tuesday, Microsoft is keeping the details up its sleeve.
Note that five of the non-critical patches fix what’s known as elevation of privilege, a trick that allows untrusted software to do things beyond its official authority.
Usually, that means a program running as a regular user can complete operations that would normally require administrator privileges, such as modifying system settings or altering critical files.
As you can imagine, attackers often combine RCE, or remote code execution, with EoP, or elevation of privilege.
They use the RCE to escape from the strictures of your browser, or some other interactive application, and then the EoP to escape from the limitations of your regular login account.
Either sort of exploit is dangerous on its own, but together they are much more harmful.
So plan to patch all the holes, not just the critical ones, and watch out on Naked Security and the SophosLabs Vulnerabilities page for our analysis and assessment of the updates once we’re clear to publish.
(We have to wait until Microsoft has made the updates live before we give away any details.)
Bonne chance!
But I don't and won't use IE so I won't patch something I don't use.
I used to be the guy that tested every one of those patches for a university.
I tend to refrain from patching stuff that #1 I don't use and #2 don't need.
If you have IE installed, and I'm guessing you do, then you almost certainly load and run parts of it – various DLLs, for example – as components of other software you do use, both from third-parties and from Microsoft.
Until you know precisely what IE components have been updated (and we'll have a bit more clarity on Tuesday), I suggest that deciding in advance not to update it might be a bit risky.
Notice also that the patch is declared as covering IE *and* Windows, suggesting strongly that the patches include fixes for holes that aren't entirely contained within IE. Perhaps it's just that the only way to exploit them so far known is via IE?
In short, if you have IE installed, I'd strongly suggest you apply the patches. Even if you don't/won't use IE, you have to admit there is something technically unappealing about knowingly leaving known-exploitable software components lying around…
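As an added illustration of the point above (not code from the article or from Sophos), this PowerShell snippet lists which running processes have loaded the well-known IE component DLLs, so you can see for yourself how much IE code runs even when iexplore.exe is closed. It assumes an elevated PowerShell session on Windows; the DLL list is my own choice of commonly shipped IE components.

```powershell
# Added example: enumerate processes that have loaded Internet Explorer
# components. Assumes an elevated PowerShell session on Windows; the module
# list below is an assumption (well-known IE-shipped DLLs), not from the page.
$ieModules = 'mshtml.dll', 'ieframe.dll', 'urlmon.dll',
             'wininet.dll', 'jscript.dll', 'vbscript.dll'

$hits = foreach ($proc in Get-Process) {
    try {
        # Reading .Modules can throw for protected or cross-bitness processes.
        $loaded = $proc.Modules |
            Where-Object { $ieModules -contains $_.ModuleName.ToLower() }
    } catch {
        continue   # skip processes we cannot inspect
    }
    foreach ($m in $loaded) {
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $proc.Id
            Module  = $m.ModuleName
            Version = $m.FileVersionInfo.FileVersion
            Path    = $m.FileName
        }
    }
}

# Full table: which process loaded which IE DLL, and at what file version.
$hits | Sort-Object Module, Process | Format-Table -AutoSize

# Everything here other than iexplore itself is "IE code you never use"
# that is nevertheless mapped into processes you do use.
$nonIe = $hits |
    Where-Object { $_.Process -ne 'iexplore' } |
    Select-Object -ExpandProperty Process -Unique
"Processes (other than iexplore) running IE components: $($nonIe -join ', ')"
```

Comparing the Version column against the file versions listed in the IE bulletin is a quick way to confirm, after patching, that the in-use copies were actually replaced.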
Don’t patches only apply to what is on the system, and if it doesn’t need a patch, it isn’t offered? I noticed after I started using .NET Framework, because an app I installed needed it to run, I got patches for it but never before.
As Paul says, patch ALL windows installations. Even if you don't use IE, it is still there in all Windows installations and can be the 'back door' entry point.
You cannot install windows, except the Server Core versions, without having at least some parts of IE present in your system. And you cannot uninstall IE either – if you are apparently successful it will leave several parts behind as they are needed by Windows and several applications. If they were not there, Windows would not load!
So please patch for your own system's health and security.
BTW, we in the UK generally don't see the updates till we log on Wednesday morning, so we get a delayed update merely as we are not on Pacific time but BST (changed last weekend from GMT)!
"With the PWN2OWN rules this year requiring responsible disclosure, meaning that winners had to reveal their attacks to the affected vendors and allow time for a considered and tested fix, it wasn't actually necessary for Microsoft to rush."
Aren't you assuming that no-one other than the competition winner knew of, or has been able to discover, the flaw? The software companies should be working hard to correct any serious defect, as soon as they are aware of its existence.
Hi njorl,
I don’t think that Paul is making an unreasonable assumption. Since the flaw discovered by Vupen has not been publicly disclosed, users of IE are at no more risk than they were before Pwn2Own.
Yes, attackers will know that a flaw exists but when you consider that it took weeks before Vupen found the flaw and weeks to make it reliably exploitable, it will take any attackers a huge amount of effort to find and exploit this. The financial cost to Vupen was very high and the prize money barely covered that cost. Here is a quote from Vupen CEO, Chaouki Bekrar describing this:
"We thought a lot about whether to participate this year because the cost to create a reliable exploit is getting very high. We spent several weeks finding the vulnerability in IE 10 and several more weeks writing a reliable exploit," said Bekrar. "Even the prizes at Pwn2Own don't cover that cost. But we have other techniques."
Source: http://threatpost.com/en_us/blogs/pwn2own-browser…
Copyright © 2013 threatpost.com
Apologies for linking to an external source.
It is unlikely that any attacker would spend almost $100,000 in time and resources in an effort to find a flaw which they may not be able to reliably exploit.
It is extremely likely that Microsoft is working hard on fixing the flaw in IE especially since Vupen provided the full details of the flaw to them. We should know more by the end of today when the security updates from Microsoft are released. If Microsoft don’t fix this flaw this month, they will likely provide some kind of workaround or other mitigation for it if they feel the risk of not doing so is too great.
Thank you.
Hi njorl,
Microsoft did not patch the Pwn2Own flaw with its IE security update:
http://technet.microsoft.com/en-us/security/bulle…
It did however fix 2 use after free security flaws. If you would like any advice on hardening IE and/or Windows from attack, please let me know.
I installed all applicable security updates about 30 minutes ago and my computers continue to work perfectly.
I hope this helps. Thank you.
A lot of good the patches do, if the patches blew up back in February making changes to the system configuration and preventing new patches from installing. Early in February the Security Patches blew up and now are preventing any new security patches from installing. I went through all the FAQs and while Microsoft is aware of the situation, none of their solutions corrects the situation. You look at the update history and it shows failure after failure of the patches to install even though you have done their solutions multiple times. The only way you can get the system to restart is to go back to the last known good configuration which is sometime in early February.
Bob, are those failures consistent in your environment? Do you patch many PCs, or is this a single machine? Do you use a standard software imaging system, or just install from MS media?
We have not seen such problems with the MS patches the last several months, and I'm not aware of such failures being widely reported.
You might have other problems you were not aware of that the patching process is simply exposing.
Hi Bob,
Fubar is right. I have not encountered any reports of major issues with recent Microsoft security updates.
I would suggest using System Restore to restore your PC back to a working state:
Windows XP:
http://technet.microsoft.com/en-us/library/bb4570…
Windows Vista:
http://windows.microsoft.com/en-US/windows-vista/…
http://windows.microsoft.com/en-US/windows-vista/…
Windows 7:
http://windows.microsoft.com/en-US/windows7/produ…
Windows 8:
http://windows.microsoft.com/en-US/windows-8/rest…
If you have installed any programs after the security updates or have made other settings changes, you should undo those changes or uninstall those programs.
If you believe that the Microsoft Security Updates are causing the start-up issues for you, you can contact Microsoft Technical Support. You SHOULD not be charged for technical support. Microsoft provides free support for issues caused by security updates.
If they determine the issue was caused by something else they will charge between US $70 to US $100 to resolve it.
You can contact Microsoft Support from the following link:
http://support.microsoft.com/select/?target=assis…
Alternatively you could take your computer to a local repair shop for them to begin troubleshooting the issue.
If I can provide any further assistance, please let me know. Thank you.