Issue #6, 08/11/05
In this issue:
- This Month's Security Updates from Microsoft
- Upcoming Public Courses
- Logparser Script
- Subscribe, Unsubscribe and Usage Information
This Month's Security Updates from Microsoft
Whew! 6 bulletins and a lot of research to do. Combine that with canceled flights and losing my phone/PDA and I end up missing my self-imposed update for this commentary. Thank you for your patience.
This month you have quite a few decisions to make regarding which updates need to be rolled out to workstations and servers. As always, one of the key issues I consider when analyzing these bulletins is under which circumstances it is actually necessary to install the associated update. Withholding updates from systems where it is safe to do so saves a lot of the work associated with testing and deployment and reduces the stability risk from defective updates. You may decide to withhold some of these updates from certain systems based on the issues I highlight below.
MS05-038 - Cumulative Security Update for Internet Explorer (896727)
This update fixes several new vulnerabilities in Internet Explorer and, by extension, in email clients like Outlook and Outlook Express that use IE to render HTML. The vulnerabilities allow a remote (semi-passive) attacker to execute arbitrary code under the authority of the logged-on user. Bottom line: I see no choice for user workstations and Terminal Servers that have access to the Internet but to install this update as soon as possible. The published workarounds either break heavily used IE features or rely on end users to make security decisions. For servers you can avoid installing this update if you can ensure that administrators do not, or cannot, read email and browse the Web from the server, because the vulnerabilities rely on maliciously crafted web pages or email content. Microsoft says a mitigating factor with IE vulnerabilities like these is that the user would have to be lured to a malicious site or to a legitimate site that the attacker had compromised. However, don't forget that many sites such as eBay allow users to post HTML and images to dynamically created pages, which is not the same thing as a hacked site. Therefore HTML- and image-based vulnerabilities like those in this update shouldn't be viewed as "theoretical" or as an "outside chance". For most organizations I recommend installing this update on workstations but not on servers, especially since it requires a restart. If you choose not to install it on servers you must ensure that administrators do not browse the Web or read email from an interactive logon at a server, which is already an established best practice. There are some possible collision issues with other hotfixes you may have loaded, so be sure to read the "Security Update Information" section of this bulletin.
MS05-039 - Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
If your workstations are XP SP2 and your servers are Windows Server 2003 SP1, you can probably relax: on those versions this vulnerability can only be exploited by users who are logged on locally. Provided server logons are limited to administrators it's not really an issue, since administrators are already all-powerful. So at worst an end user could grab administrator authority on his own workstation. If you have an advanced workstation security model in which end users do not hold administrator authority you may be concerned about this vulnerability, but keep in mind that there are no reports of proof-of-concept code being published as of this time.
If your workstations are XP SP1 you are vulnerable to remote attacks, but only from authenticated users who can reach TCP ports 139 or 445. To avoid installing this update on XP SP1 computers, consider using an IP Security Policy to block access to those ports from all source IP addresses except the computers that have a legitimate reason to reach the workstation remotely, such as SMS servers and workstation support staff. If there is no need to reach XP SP1 systems remotely for support or management you can instead simply enable Internet Connection Firewall and allow no exceptions for these ports. On Windows 2000 this vulnerability can be exploited by remote, anonymous attackers. For Windows 2000 workstations, to avoid installing this update consider the same measures suggested for XP SP1. For Windows 2000 Server I see no alternative but to recommend loading the update. This update does require a restart.
MS05-043 - Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)
The bottom line with this vulnerability is that you should install the update on any computer that has shared printers or prints to shared printers. Evidently the vulnerability doesn't affect computers that have locally attached printers that are not shared, or network printers that you print to directly rather than through a Windows share. (I haven't yet received confirmation on this point but that is what all the documentation indicates.) The risk to XP SP2 and Windows Server 2003 is limited to denial of service, but down-level systems could sustain arbitrary remote code execution and privilege escalation.
MS05-040 - Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)
This is mainly a server vulnerability; on Windows 2000 and XP workstations the risk is limited to local privilege escalation, which will mostly concern those maintaining an advanced secure workstation model where end users lack local administrator authority. See the considerations in my commentary on MS05-039. Windows 2000 Server and Windows Server 2003 are only vulnerable if the Telephony service is started. Disabling this service eliminates the risk but will break RRAS and other applications such as fax and voice mail servers. Bottom line: I recommend installing this patch on servers that actually require the Telephony service and disabling the Telephony service on all other servers. This vulnerability highlights the benefit of attack surface reduction through disabling unneeded services and features.
MS05-041 - Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)
This vulnerability is limited to denial of service and does not affect a system unless Terminal Services, Remote Desktop or Remote Assistance is enabled, which is what allows incoming RDP connections. Systems with the Terminal Services service disabled are immune. While it affects both servers and workstations (Windows 2000, XP and 2003), you should weigh the likelihood and impact of this vulnerability being exploited against your systems. Some administrators may choose to limit rollout of this update to Terminal Services servers that deliver end-user remote desktop functionality and to any servers that expose port 3389 to the Internet. Consider protecting computers that accept RDP connections with an IP Security Policy. See my article at http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/20288/20288html for details.
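The IP Security Policy suggested above for XP SP1 and Windows 2000 workstations under MS05-039 (ports 139 and 445) and for RDP hosts under MS05-041 (port 3389) can be scripted rather than clicked together. The following is an added example, not from the newsletter or from Microsoft's bulletins: it builds a local policy with the netsh ipsec context that ships with Windows Server 2003 (on Windows 2000 and Windows XP the same policy is built in the IP Security Policies MMC snap-in or with the ipsecpol.exe / ipseccmd.exe command-line tools). The SMS server address 192.0.2.10 and the support-staff subnet 192.0.2.0/24 are assumed values; replace them with your own, and expect to adjust the port list to match what a given host really needs to expose.

```batch
@echo off
rem Added example (not from the newsletter): restrict TCP 139, 445 and 3389 to
rem named management hosts with a local IP Security Policy (Windows Server 2003
rem netsh ipsec syntax). The addresses below are assumed placeholders.
setlocal
set POLICY=Workstation Port Lockdown
set MGMT_HOST=192.0.2.10
set MGMT_NET=192.0.2.0
set MGMT_MASK=255.255.255.0

rem 1. Policy container
netsh ipsec static add policy name="%POLICY%" description="Block SMB and RDP except from management hosts"

rem 2. Filter list matching the three ports from ANY source address.
rem    mirrored=yes also matches the replies from this host's port, not this
rem    host's outbound client connections to other servers' 139/445/3389.
netsh ipsec static add filterlist name="Lockdown - all sources"
for %%P in (139 445 3389) do (
  netsh ipsec static add filter filterlist="Lockdown - all sources" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes
)

rem 3. More specific list: the same ports from management hosts only.
rem    IPsec applies the most specific matching filter, so a permit on these
rem    wins over the block on the "any" filters above.
netsh ipsec static add filterlist name="Lockdown - management hosts"
for %%P in (139 445 3389) do (
  netsh ipsec static add filter filterlist="Lockdown - management hosts" srcaddr=%MGMT_HOST% dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes
  netsh ipsec static add filter filterlist="Lockdown - management hosts" srcaddr=%MGMT_NET% srcmask=%MGMT_MASK% dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes
)

rem 4. Filter actions
netsh ipsec static add filteraction name="Lockdown - block" action=block
netsh ipsec static add filteraction name="Lockdown - permit" action=permit

rem 5. Rules tying filter lists to actions inside the policy
netsh ipsec static add rule name="Block from anywhere" policy="%POLICY%" filterlist="Lockdown - all sources" filteraction="Lockdown - block"
netsh ipsec static add rule name="Permit management" policy="%POLICY%" filterlist="Lockdown - management hosts" filteraction="Lockdown - permit"

rem 6. Assign (activate) the policy, then print it back for review
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

Test this on one machine from a management host and from an ordinary client before pushing it out: a mistake in the "permit" list locks your own support staff out of the box. The policy is undone with `netsh ipsec static set policy name="Workstation Port Lockdown" assign=no`. Remember that this only narrows who can reach the ports; a management host that is itself compromised can still reach them, so it is a substitute for the update only where the bulletin says the attacker must already be on the network.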
MS05-042 - Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)
These vulnerabilities only affect domain controllers (both Windows 2000 Server and Windows Server 2003). Unless you use smart cards for interactive logons the risk is limited to denial of service against domain controllers; a denial of service attack against domain controllers would affect every user and system on the network. If you use smart cards for interactive logons then you are exposed to the PKINIT vulnerability in this bulletin, which is much more serious: the risks include information disclosure and spoofing of domain controllers or servers. Note that this update includes a new feature to protect against other PKINIT vulnerabilities, which requires all workstations (2000 and XP) to be updated as well. Bottom line: since these vulnerabilities could cause an outage for your entire Windows network, you should update your domain controllers after testing and after watching for any problems reported by those on the bleeding edge. I definitely recommend installing this update if you use smart cards, and that you enable the new RequireAsChecksum feature, but carefully read the information regarding deployment sequence and configuration of this setting so that workstations are not inadvertently denied access to the domain.
As you can see, this month really highlights the benefit of implementing XP SP2 and Windows Server 2003. These two versions are the first real products of Trustworthy Computing, and while I've not been assimilated by Redmond I believe in giving credit where it's due. This month also demonstrates the benefits of attack surface reduction (e.g. disabling unneeded services) that I've been preaching for years. Attack surface reduction may eliminate the need to install half of these updates on systems that don't share printers, run the Telephony service or accept Remote Desktop connections.
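To act on the attack-surface argument you need to know, host by host, which of these services is actually in play. The batch script below is an added example (not from the newsletter): run on Windows XP or Windows Server 2003 it reports the state and start type of the Print Spooler (MS05-043), Telephony (MS05-040) and Terminal Services (MS05-041) services, lists any shared printers, and shows whether Remote Desktop is enabled. It relies on sc.exe, wmic.exe and reg.exe, which ship with XP and 2003 but not all of which are in the box on Windows 2000.

```batch
@echo off
rem Added example (not from the newsletter): per-host inventory of the
rem services behind MS05-040, MS05-041 and MS05-043 on XP / Windows Server 2003.
setlocal
rem Spooler = Print Spooler (MS05-043), TapiSrv = Telephony (MS05-040),
rem TermService = Terminal Services / Remote Desktop (MS05-041)
for %%S in (Spooler TapiSrv TermService) do call :check %%S
echo.
echo Shared printers (MS05-043 applies to this host if any are listed):
wmic printer where shared=true get name,sharename 2>nul
echo.
echo Remote Desktop switch (0x1 = remote connections denied):
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
endlocal
goto :eof

:check
rem %1 = service name. "sc query" shows the current STATE,
rem "sc qc" shows START_TYPE (2 AUTO_START, 3 DEMAND_START, 4 DISABLED).
sc query %1 | find "RUNNING" >nul
if errorlevel 1 (set STATE=not running) else (set STATE=RUNNING)
set STARTTYPE=unknown
for /f "tokens=3*" %%A in ('sc qc %1 ^| find "START_TYPE"') do set STARTTYPE=%%B
echo %1: %STATE%, start type %STARTTYPE%
goto :eof
```

A host where TapiSrv and TermService are DISABLED and no printer is shared needs MS05-040, MS05-041 and MS05-043 only on the schedule you choose, not as an emergency. To take a service out of play, stop it and change its start type in one go (the space after `start=` is required by sc.exe): `sc stop TapiSrv` followed by `sc config TapiSrv start= disabled`. Do this for the spooler only on servers that neither host nor use shared printers, since stopping it breaks all printing from that machine.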
Upcoming Public Courses
Security Log Secrets
- Cincinnati, September 15, 16
Complete Windows Security
- San Francisco, October 24-28
Save $100 if you register 30 days in advance
Logparser Script
This month's log parser security script is canceled in the interest of getting this issue out as soon as possible. It will return next month.
If you would like to understand the "nitty gritty" details of the security log and log parser please join us in Cincinnati on September 15 and 16. Seats are filling up. To register or for more information please email firstname.lastname@example.org or visit http://www.ultimatewindowssecurity.com/register.asp.
Randy Franklin Smith
CISA, SSCP, Microsoft Security VIP
CEO, Monterey Technology Group, Inc.
Subscribe, Unsubscribe and Usage Information
- subscribe to this newsletter
- unsubscribe from this newsletter
- usage information
If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.
Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).
You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.
While Monterey Technology Group, Inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.
If you need personalized attention in any way, just email me: mailto:email@example.com. I endeavor to respond to everyone who emails.
Thanks for reading!
List address: MonthlySecurityTip@ultimatewindowssecurity.com