Update Tuesday wrap-up, March 2015 – FREAK fixed fast, and lots more from Microsoft

Microsoft and Adobe just had Update Tuesday, when they thrust the month’s important security patches on us.

Confusingly, Adobe’s Security Bulletins page lists the “Bulletins and Advisories from this month” as follows:

Only messages from February 2015 are shown, which reinforces the wisdom of taking care with terms like “today,” “this month” and “in summer” (which is still going strong for some of us) on security notification web pages.

Nevetheless, it looks as though Adobe’s security updates for 10 March 2015 numbered zero.

So it’s all about Microsoft here.

The elevator pitch

The elevator pitch is perhaps bulkier than average:

Update Tuesday – Microsoft – March 2015

  • 14 bulletins
  • 4 Remote Code Execution (RCE) holes
  • 4 Elevation of Privilege (EoP) bugs
  • 1 Information Disclosure
  • Server Core installs affected by RCE
  • All Internet Explorer versions for all Windows flavours affected.
  • The FREAK fix made it

FREAK is the TLS security downgrade flaw that only made it big in the news just over a week ago.

At first, it looked as though Microsoft’s own TLS implementation, known by the nickname Schannel, was unaffected.

But on 05 March 2015, the company (perhaps rather sheepishly, considering that three of its own researchers co-authored the FREAK paper) was forced to admit that Schannel could be FREAKed, and a patch would be needed.

So, well done to Microsoft for speedily squeezing that fix into the 10 March 2015 Update Tuesday.

All bases loaded

As often happens, the March 2015 updates cover what you might call an “all bases loaded” sitation, where a single well-hit exploit could bring all the runners home.

Remember that many RCEs only let a a crook trick a single process, for example your web browser or image viewer, into running remotely-supplied malware.

That’s bad, but not always terribly bad.

The crook gets to control a program being run by you, so he doesn’t get more rights than you already have.

So he may be able to read your email, snoop through your files and delete your photo collection, but he probably can’t start doing administrative tasks like creating new users, changing your company’s Group Policy, and so forth.

And RCE vulnerabilies can be hard to exploit successfully, thanks to technology like Address Space Layout Randomisation (ASLR).

ASLR makes it hard for a crook to guess where to find handy system functions in memory, something that most exploits need to do at some point, because they’re in different memory addresses on each computer.

So an Information Disclosure bug that leaks information such as USER32.DLL is loaded at address 0x7E410000 can greatly assist an RCE exploit.

An RCE that knows where to strike turns from a “hit-and-hope” assault, which might work once every 2000 times, into a pinpoint attack that is as good as guaranteed to succeed.

And an RCE that gives a crook access in your name can be made much more devastating if it is followed by an EoP attack to grab administrative privilege instead.

→ For a full list of the latest fixes, please see the SophosLabs Vulnerabilities page.

Pop, pivot and get root

The load-all-the-bases approach means that an attacker who gets in unnoticed can then go both up and across in your network.

Penetration testers have terms for this sort of progress, such as:

  • Popping a shell (getting in).
  • Pivoting laterally (going across by jumping from one server to another).
  • Getting root (going up by becoming an administrator on the network, or taking over the the kernel on an individual computer).

Any and all of these outcomes mean real trouble.

Patching, of course, doesn’t eliminate your chances of being attacked successfully: some crooks have access to zero-day exploits, giving them ways to attack for which there is no patch at all yet.

But many, perhaps most, attacks rely on already-known holes.

So the quicker you patch, the less time you will have to spend chasing fires that should never have started.

In other words, if you are unfortunate enough to be an early victim in a brand new zero-day attack, but you are properly patched, you will have more time to deal with it, because you won’t be sidetracked by yesterday’s exploits as well.

What we’re trying to avoid saying yet again, but are going to repeat anyway, is our usual, “Patch early, patch often!”

Click to get the latest vulnerability info...