Patch Tuesday serves critical fixes for all
In Wednesday's IT Blogwatch, Richi Jennings watches Patch Tuesday get bloggers all in a tizzy. Not to mention cute things falling asleep...
Tuesday's child is Gregg Keizer:
Microsoft Corp. today patched three vulnerabilities in the company's Server Message Block (SMB) file-sharing protocol, including two that could make "Swiss cheese" out of enterprise networks, according to one researcher ... affects all currently-supported versions of Windows.
...
Of the three bugs outlined in the MS09-001 security bulletin, two were rated "critical," the most serious ranking in Microsoft's four-step scoring system ... because attackers can exploit them simply by sending malformed data to unpatched machines ... Much the same situation led to Blaster and Sasser ... [which] wreaked havoc worldwide as they spread to millions of Windows machines.
Don't put your daughter on the stage, David Worthington:
For Microsoft, the days when worms like Blaster and Sasser regularly blackened its eye have passed; the number of major operating system vulnerabilities fell dramatically after it weaved security into its development life cycle. However, two out of the three SMB vulnerabilities that the company disclosed today are critical enough that virus writers could exploit them in a similar fashion ... un-patched enterprise systems will be easy targets.
...
Microsoft’s problem is all of the legacy code and protocols that it must continue to support - they weigh like an anchor around its neck ... SMB itself dates back circa the early 1990s. It would not at all surprise me if these vulnerabilities have something to do with legacy support.
Microsoft's Mark Wodrich explains:
For all affected versions of Windows, the two [remote code execution] vulnerabilities are unlikely to result in functioning exploit code ...
- The vulnerabilities cause a fixed value (zero) to be written to kernel memory – not data that the attacker controls.
- Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.
In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine.
John Lister stifles a yawn:
While Microsoft ranks the fix as critical (meaning the damage that could theoretically be done without it is high), the problems get the lowest ranking on the ‘exploitability index’, which rates how likely it is hackers will attempt to use them ... [because] the worst-case scenario is particularly unlikely. In Vista and Server 2008, the worst that hackers can do with the vulnerability is a denial of service attack.
...
While any vulnerability is a problem, this issue isn’t major by Microsoft standards; in a busier month, it probably wouldn’t get that much attention. That said, it may even work out better for the firm’s public relations to have a sole problem like this than to have a month with no security updates at all.
But Brendan J. Keefe is worried by that attitude:
This month was a mild one, but make sure you're up to date. I've seen several stories lately reporting that millions of Windows machines are being infected with malware only because the machines aren't being kept patched.
Brian Krebs knows other reasons why we should care:
Microsoft also added two new strains of malware to its "malicious software removal tool" (MSRT), an optional component updated once a month that can scan for and remove some of the most prevalent threats in circulation today. If installed and updated, the MSRT will run once a month when the computer is idle. Added to the MSRT this month is "Downadup," a relatively new computer worm that attacks another Windows networking flaw Microsoft patched in October. Microsoft also threw in detection for the prolific "Bancos" family of data-stealing Trojan horse programs.
Meanwhile, Steven Lynch plays by the rules:
I just noticed the Windows Update icon flashing on my desktop and it hit me, duh…today is Patch Tuesday. This security update fixes a trio of vulnerabilities in the network file sharing protocol Server Message Block that could allow an attacker to remotely take control of your PC. Just to be safe, I’m gonna patch my box now. You go get your patch on and I’ll meet you back here later.
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23-year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.