IT Security Blog

28 July 2009

Microsoft to Release Two Out of Band Patches Today


Today Microsoft will release two out of band patches.  The first addresses a vulnerability in Internet Explorer that is rated as "critical" (which typically means that exploits are already available in the wild, which is what prompts the release of an update outside of the normal "Patch Tuesday" schedule of the second Tuesday of every month).  The second patch is rated as "moderate" by Microsoft and affects Visual Studio.

It is recommended that any out of band patches released by Microsoft be tested before being deployed on any systems, particularly those critical to the function of your organization.  After the patch has been tested in your environment, deploy it as quickly and as responsibly as possible in order to minimize your window of exploitation.  Again, when out of band patches are released, exploits are generally already available in the wild.

For more information about the patches being released today see Microsoft's web site.  More information will be posted on the details of the vulnerabilities being patched after Microsoft releases the updates.


*** UPDATE 7/28/2009 12:00pm MST *** Microsoft has released the security updates and has named them MS09-034 and MS09-035.  MS09-034 is a cumulative update for Internet Explorer and MS09-035 is an update for the Visual Studio Active Template Library (ATL).  Both vulnerabilities allow for a remote hacker to execute arbitrary code on your system.  This includes the ability to install a backdoor or Trojan on your PC.  As stated before, please test and deploy these patches as soon as you can.

 
Posted by smasiello at 7:41 AM
17 December 2008

Another Out of Band Security Update Released by Microsoft to Patch IE Vuln


In two of the last three months Microsoft has released an out-of-band patch to fix a critical vulnerability in one of its applications.  Today they are releasing an update to patch a critical vulnerability within Internet Explorer.  The patch addresses an XML handling bug within the browser that would allow an attacker to inject malware onto an unsuspecting user's computer merely by having the user visit a compromised web site.

Back in October Microsoft also released an out-of-band patch to address a vulnerability in the "Server" service which affected many versions of Windows XP and Windows Server 2003.  This new update is right on the heels of a record-setting Patch Tuesday on December 9th, where an incredible 28 patches were released, 23 of them carrying a "Critical" rating.

Since I have had a couple of people ask me the question, I figured it was appropriate to address the question here.  That question is "What does an out-of-band patch mean?"  In this context I am referring to an update that is released outside of Microsoft's typical update schedule.  The second Tuesday of every month is widely called "Patch Tuesday."  This is when Microsoft releases its software/application updates for the month.  Many of these patches are security related.  When a patch is released on a day other than Patch Tuesday, like today, it is then considered "out-of-band."
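The definition above is simple enough to encode.  The following Python helper is an added example (not code from this blog): it computes a month's Patch Tuesday as the second Tuesday and classifies any other release date as out-of-band, using the release dates mentioned in these posts as its sample input.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() numbers Monday as 0


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's regular release day: the second Tuesday of the month."""
    first = date(year, month, 1)
    # Days to advance from the 1st to reach the first Tuesday (0 if the 1st is a Tuesday).
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def is_out_of_band(release: date) -> bool:
    """True when a release did not land on that month's Patch Tuesday."""
    return release != patch_tuesday(release.year, release.month)


def classify(releases: list[date]) -> dict[date, str]:
    """Label each release date as 'Patch Tuesday' or 'out-of-band'."""
    return {d: ("out-of-band" if is_out_of_band(d) else "Patch Tuesday") for d in releases}


if __name__ == "__main__":
    # Dates taken from the posts: the October 23 Server-service patch, the
    # December 9 record Patch Tuesday and today's December 17 IE update.
    for day, label in classify([date(2008, 10, 23), date(2008, 12, 9), date(2008, 12, 17)]).items():
        print(f"{day.isoformat()}: {label} (Patch Tuesday that month was {patch_tuesday(day.year, day.month)})")
```

Running it confirms the posts' dates: December 9, 2008 is that month's Patch Tuesday, while October 23 and December 17 are out-of-band.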

This is an especially critical vulnerability to patch as soon as possible, as exploit code has been available and hackers have been taking advantage of this vulnerability for about a week now.  The day after "Patch Tuesday" is commonly called "Exploit Wednesday" (which is likely when this exploit was released into the wild).  Exploit Wednesday is when new exploits are commonly released: they either target new vulnerabilities introduced by the code that was patched or take advantage of existing code issues, with the knowledge that Microsoft is typically slow to release a patch outside of its normally published schedule.

Test and deploy this patch immediately or encourage your users to use a different browser (such as Firefox or Chrome) until you can deploy the fix.

*** UPDATE 12/18/2008 9:15am MST *** More information here written by SC Magazine which re-emphasizes the importance of rapid patch testing and deployment due to the number of active exploits.

Posted by smasiello at 11:04 AM
24 October 2008

Out of Band Critical MS Patch Released


In the event that you were not aware, a new critical update (rated as Important on Vista and Server 2008, but critical for Windows XP, 2000, and Server 2003) has been released as an out of band patch from Microsoft. 

It is of utmost importance that this vulnerability be patched as soon as you are able to.  The primary reason for this patch being released outside of the typical Patch Tuesday schedule is in response to exploits available in the wild and the potential for damage as a result of becoming infected. 

The vulnerability being patched is a network level vulnerability.  This means that once one machine within the network becomes infected, it will immediately start looking for other vulnerable machines within the network to exploit.  As a result, this exploit could have SQL Slammer-like implications.  The primary difference here is that SQL Slammer was an exploit of IIS, an individual application, whereas this exploit takes advantage of a vulnerability in the operating system, which means that the potential attack surface is much larger.

In the past 24 hours our Threat Operations Center has seen over 100,000 emails with attached exploits that appear to be taking advantage of this vulnerability.  All instances that we have seen thus far have been in German so their viability in the United States is limited.  We are on the lookout for additional variants, and will report them as they are seen.

*** UPDATED 10/24/2008 1:06pm MDT *** Upon further review, it appears that the German emails are not related to the Microsoft exploit.  We are currently researching whether there is an email delivery vector being used to deliver exploit code to take advantage of this vulnerability.  The German emails are actually a different piece of malicious code.  More information here.  This update is also to correct the brief mention that was made in this morning's edition of the Security Buzz podcast that there might be an email attack vector sending out exploits.  That does not CURRENTLY appear to be the case.

*** UPDATED 10/24/2008 2:20pm MDT *** Exploit code for yesterday's patched vulnerability is freely available via popular security sites like SecurityFocus.  Blocking RPC ports such as 135-139 and 445 at your firewalls will not mitigate this attack.  Now that exploit code is so easily available, it is not out of the realm of possibility that attacks will come from many different angles, email included, looking to get into your network.  It is definitely advised that you test and deploy this patch ASAP.

Posted by smasiello at 10:40 AM
14 October 2008

Fake Microsoft Windows Update Released to Coincide with Patch Tuesday


As if Windows users didn't fear Patch Tuesday enough, today there is a new email-borne malware campaign attempting to trick people into installing a piece of malware posing as an official update from Microsoft. 

As with many poorly constructed malware campaigns, there is a lot of broken English in the email (even in the Subject line!).  The PGP signature at the bottom of the message also appears to be random. 

The subject line of the message is "Security Update for OS Microsoft Windows" and it purports to contain an update for several unsupported versions of Windows.  This is likely an attempt to infect users who are still on these ancient versions of the Windows OS.  Considering the fact that versions of Windows like Windows 98 have been unsupported for so long, if you are still using it, you are likely already infected with lots of other malware and are already a part of many other botnets.

Fake Microsoft Updates are certainly nothing new.  We've been seeing them for a couple of years now, but the timing coinciding with Patch Tuesday throws in a wrinkle that I do not recall seeing previously. 

It is important to note and remember that all Microsoft Windows updates are distributed either by download off of the Microsoft Web site or through the Windows Update service.  Microsoft never releases official patches by email.  It is likely that most people are not even seeing this email arrive in their inboxes because most organizations filter out executable attachments (the email comes with a .exe attached to the message) by default. 


The message follows:

-----------------------------------------
Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

1RX0EOI070TX9C0CMDCBL4GNR7M6F5ADE5HG40SBZCS0AZ8Q12WOXXWS7Q54QXJI1
T627U7IN4N75ESPT0JSYANAB87PPX68FBUB1D740V3WSFO4C8LW8PEV74VF69A4C6
Z805OCL1H9Z7B41U2WA4UO8GXYMRSA6XYYH2R6PLMQIBEHC556EH3U2I9LS8NQKBT
Q1M0Q79GU6MIL3EGB3L950O9MVV9E7S40O7124ZU5V3H6F5MQIL6JTNFHFYIKZWQN
WXGI4N3Z8RZOKGVSCH2UA9C31R8239S1Y44==
-----END PGP SIGNATURE-----

-----------------------------------------
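The three tells described in this post (a "Microsoft update" that arrives by email, an attached executable, and a PGP signature that looks random) can be turned into mail-gateway triage rules.  The Python below is an added example written for this page, not code from the blog: it builds a constructed sample message using the subject line and the armor block quoted above (the sender address, recipient and attachment bytes are placeholders, not the real sender or payload) and then reports why the message should be quarantined.  The armor checks go beyond the post's "looks random" observation by testing the structure a genuine block would have: a 64-character line limit, a trailing "=XXXX" CRC-24 line, and an OpenPGP signature packet (tag 2) once decoded.

```python
import base64
import binascii
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Armor block exactly as quoted in the post.  A genuine block has 64-character
# base64 lines followed by a separate "=XXXX" CRC-24 line before the END marker.
FAKE_ARMOR = """-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

1RX0EOI070TX9C0CMDCBL4GNR7M6F5ADE5HG40SBZCS0AZ8Q12WOXXWS7Q54QXJI1
T627U7IN4N75ESPT0JSYANAB87PPX68FBUB1D740V3WSFO4C8LW8PEV74VF69A4C6
Z805OCL1H9Z7B41U2WA4UO8GXYMRSA6XYYH2R6PLMQIBEHC556EH3U2I9LS8NQKBT
Q1M0Q79GU6MIL3EGB3L950O9MVV9E7S40O7124ZU5V3H6F5MQIL6JTNFHFYIKZWQN
WXGI4N3Z8RZOKGVSCH2UA9C31R8239S1Y44==
-----END PGP SIGNATURE-----"""


def build_sample_message() -> bytes:
    """Constructed sample shaped like the post's message; addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Steve Lipner <security-assurance@example.invalid>"  # placeholder sender
    msg["To"] = "user@example.invalid"                                  # placeholder recipient
    msg["Subject"] = "Security Update for OS Microsoft Windows"
    msg.set_content("Dear Microsoft Customer,\n\nRun the file that you have received "
                    "along with this message.\n\n" + FAKE_ARMOR + "\n")
    # Placeholder bytes standing in for the attached executable; filename is constructed.
    msg.add_attachment(b"MZ-placeholder-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="windows-update.exe")
    return msg.as_bytes()


def first_packet_tag(data: bytes):
    """OpenPGP packet tag of the first packet (RFC 4880 section 4.2), or None if malformed."""
    if not data or not data[0] & 0x80:
        return None                     # bit 7 is always set in a packet header
    if data[0] & 0x40:
        return data[0] & 0x3F           # new-format header: tag in the low six bits
    return (data[0] >> 2) & 0x0F        # old-format header: tag in bits 2-5


def check_armor(text: str) -> list[str]:
    """Structural checks on an ASCII-armored signature; returns a list of findings."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)\n-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        return []
    lines = m.group(1).split("\n")
    if "" in lines:                     # armor headers (Version:, Comment:) end at a blank line
        lines = lines[lines.index("") + 1:]
    lines = [ln.rstrip("\r") for ln in lines if ln.strip()]
    findings = []
    if lines and lines[-1].startswith("="):
        data_lines = lines[:-1]
    else:
        data_lines = lines
        findings.append("no CRC-24 checksum line ('=XXXX') before the END marker")
    if any(len(ln) > 64 for ln in data_lines):
        findings.append("armor line longer than 64 characters")
    data = "".join(data_lines)
    if not re.search(r"[a-z]", data):
        findings.append("no lowercase letters in armor body (not typical base64 output)")
    try:
        raw = base64.b64decode(data, validate=True)
    except binascii.Error:
        findings.append("armor body is not decodable base64")
        return findings
    tag = first_packet_tag(raw)
    if tag != 2:
        findings.append(f"first OpenPGP packet tag is {tag}, expected 2 (signature)")
    return findings


def triage(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined as a fake Microsoft update."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").lower()
    claims_update = "microsoft" in subject and "update" in subject
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    executables = [n for n in attachments if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    if executables:
        reasons.append(f"executable attachment: {', '.join(executables)}")
    if claims_update and attachments:
        # Microsoft distributes updates through Windows Update or its web site, never by email.
        reasons.append("claims to be a Microsoft update but delivers a file by email")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    reasons.extend("PGP armor: " + f for f in check_armor(text))
    return reasons


if __name__ == "__main__":
    for reason in triage(build_sample_message()):
        print("-", reason)
```

On the sample message the routine reports the executable attachment, the email-delivered "update" itself, and four armor defects: no CRC-24 line, 65-character lines, no lowercase characters, and a first packet whose tag is not a signature.  The lowercase test is a heuristic (base64 of real signature data almost always contains some), while the CRC and packet-tag checks are hard requirements of the armor format.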

Posted by smasiello at 10:09 AM