In the SBS newsgroup someone asked whether we apply “all” of the critical security bulletins, because they were afraid of breaking something on their boxes. First off, realize that not only do these patches go through an internal testing process, but they go through external testing by OEMs, partners, etc., as well. They DO get tested on SBS boxes.
Next, you guys probably know that I'm writing a book on patch management, and I'll share with you in this post a part of the book “in real time”: a concept that I call “handicapping the patches”.
First, let's set forth some understandings:
1. Do we apply all patches in SBSLand?
- I do.
At the present time, since I still have too much local administrator and not enough control of the desktops, I don't feel comfortable NOT patching.
The guidance normally says “apply patches based on risk, cost, availability and timing and minimize change whenever possible” [1]
Well, I have a tool to easily patch [Shavlik], and since I have a 100% Borg network [all XP SP2s], I normally schedule patching for Friday night if the risk is a “normal” risk [gives me a weekend to undo anything], and I know that I have good backups.
2. Any recommendations for best practices?
- Good backup.
- Reboot the server before applying patches to ensure that the server is in good working order BEFORE you apply the patches.
- The patch has been either:
  - Tested in a test bed network [my SBS2003 home network serves this purpose for me]
  - Tested on a VMware network or VPC network: you literally image a system and patch it
  - You scan the newsgroups for “dead bodies”: other SBSers report in the Yahoo groups and the SBS public newsgroup when we have issues with patches
  - You have “canaries”. A couple of people in my office [me being one of them] get the patches THAT DAY. We then monitor our systems and ensure that all is well.
- Keep a log file of what system changes you have made. David emailed me the other day his log file of a system so I could update his “patches for a SBS box”, and it was a gorgeous document. Let me see if I can reproduce it so you can see a FANTASTIC best practice.
- Prioritize your patches {I do this and will discuss it below}. Internet Explorer patches get FAST TRACKED in my office and are definitely OUT that week on all desktops. BUT that same IE patch is not fast tracked for the server. I don't surf at the server, so its “role” as not a “surf machine” means that I don't patch it for IE patches the way I do for the workstations.
- I put patches on the fast track according to whether or not public vulnerabilities are “in the wild”. You don't have to be the listserve junkie I am to know this info. Most of it is in the bulletins.
- Critically rated bulletins get the first glance, and I review them THAT DAY to see what priority I put them on.
3. I agree with Eric that we're not yet in a position to “choose” patches. I test, make sure I'm not seeing issues on my systems or on the newsgroups, and then they get rolled out.
So without further ado, here's “my personal risk analysis“ of the bulletins this month:
Critical Bulletins:
MS04-032 - Security Update for Microsoft Windows (840987)
http://www.microsoft.com/technet/security/Bulletin/ms04-032.mspx
Okay, first off: Remote Code Execution is the impact... hmmm, that doesn't sound good... let's keep reading... hey, already a KB on “known issues”. Cool... see, they are doing testing on this and are ensuring that it's known. Okay, that's the issue of the disk size on NT 4 that showed up a bit back.
Okay, now let's expand that section on “Executive summary”. See that “Vulnerability Identifiers” section? See those CAN numbers? Let's pick the worst one, the graphics rendering one, CAN-2004-0209, and see if it links us back to “in the wild” stuff. Okay, right now it doesn't. So far so good. In fact the description says “privately reported”.
Next, the bulletin says MBSA will detect this. Good. Windows Update? Yes.
Okay, now let's look at the vuln details section and in particular the mitigating factors. Since this is a “multi patch”, there are several issues being patched here. Let's again review the worst one, the graphics rendering one. Okay, that one has a mitigation of reading email in plain text.
In the Security Update section, we read that it needs a reboot, and that the patch can be uninstalled. Then scroll down and look at the affected files. Hmmmm... some of those have been patched before, I recall. And if you remember reading the patch chapter in the Server 2k3 patch, they have two versions.
To verify installation you can use MBSA, check the version in the file's Version tab, or look at the registry key.
The last section, the acknowledgments, also helps me “rate” the security patches. Any time eEye, or another of the “major” security researchers that have found nasty stuff in the past, is listed, I take a closer read. Keep in mind that while this is privately reported, eEye will be disclosing details in a usually short time frame. They also tend to give enough detail to make the lovely communities start reverse engineering.
My take? Higher priority for workstations, lesser for servers.
MS04-033 - Vulnerability in Microsoft Excel Could Allow Code Execution (886836)
http://www.microsoft.com/technet/security/Bulletin/ms04-033.mspx
Well, I'm a beancounter, so if it's critical for Excel... well... BUT I'm already on Office 2003 Service Pack 1, so I'm not affected. But... it is remote execution.
Per the Executive Summary it is “privately reported”, and to be exploited you pretty much have to be emailed an Excel file. Windows Update? No.
My take? For me, I'm patched. Obviously NO issue on servers, and since I haven't seen a lot of vulns via Excel, this is probably a lower priority in my book, especially if you don't have an automatic patch tool for Office.
MS04-034 - Vulnerability in Compressed (zipped) Folders Could Allow Code Execution (873376)
http://www.microsoft.com/technet/security/Bulletin/ms04-034.mspx
Critical, remote code. Again, look at the executive summary: privately reported. This one has the caveat that if the user is logged in as admin, the attacker could take complete control if they tricked them into opening a compressed file.
Hmmm... eEye again, which means the details will probably be posted in a bit and people will begin reverse engineering this.
Scannable by MBSA, may not need a reboot, can be removed.
My take? Not as high for servers, higher on the desktop. But I am already using Outlook 2003, and thus this attack vector is reduced.
MS04-035 - Vulnerability in SMTP Could Allow Remote Code Execution (885881)
http://www.microsoft.com/technet/security/Bulletin/ms04-035.mspx
Critical, remote code execution again. Newly discovered, with no acknowledgments, and the CAN link has no “live exploits”. The issue is with DNS lookups, but on our SBS boxes we don't normally have port 53 open on the outside anyway. A lot of us use a smarthost for email delivery anyway. Will I patch this anyway? Yup. Better safe than sorry.
Needs a reboot. Can be removed. Can be scanned by MBSA. Not Windows Update.
My take? Server only and not a high priority; nothin' to do on the workstation.
MS04-036 - Vulnerability in NNTP Could Allow Code Execution (883935)
http://www.microsoft.com/technet/security/Bulletin/ms04-036.mspx
Critical, remote code execution again. Privately reported. On our SBS boxes, NNTP is not enabled and running. Read the bulletin and it's ONLY important on Server 2003. MBSA will scan for this. Furthermore, we don't have ports 119 and 563 open from the outside unless we ARE running a newsgroup. Thus, in theory, while I might never really need to patch for this since I'm never doing NNTP nor opening up ports 119 or 563, I'll still patch because I want to make sure that in case I do something STUPID in the future I won't nail myself.
May not need a reboot. Can be removed. Can be scanned by MBSA.
My take? I'll patch, but I'm not putting it on a high priority.
MS04-037 - Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
http://www.microsoft.com/technet/security/Bulletin/ms04-037.mspx
Critical, remote code. Uh oh... “Public vulnerabilities” as per the executive section. BUT it only has a rating of Important on the Server 2003 system.
This one is again mostly an email- and web-based attack. So for the server I'm not so concerned.
Needs a reboot. Can be removed. Can be scanned by MBSA.
My take? I'll patch, but I'm not putting it on a high priority.
MS04-038 - Cumulative Security Update for Internet Explorer (834707)
http://www.microsoft.com/technet/security/Bulletin/ms04-038.mspx
This one to me is the biggie of the month.
Critical. Remote code. Public AND private vulnerabilities. And here's the example of where that “in the wild” stuff is. See this CAN link? That's what I was talking about earlier. That drives you right back to the discussions on the Full Disclosure listserves. Along with this one, the infamous Drag and Drop vulnerability. One called HijackClick. And some others not public. This sucker's on a fast track. I'm going to put it on a couple of desktops tonight and start testing for a fast rollout, as I need this even on XP SP2.
Needs a reboot, can be removed, Windows Update and MBSA scannable.
My take? ROLL THIS OUT ON YOUR WORKSTATIONS ON THE FAST TRACK. Server... I don't surf on the server, so it's not the biggie there, but this IS highly critical on my workstations.
Important Bulletins:
MS04-029 - Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
http://www.microsoft.com/technet/security/Bulletin/ms04-029.mspx
For SBS 2003 we don't even need this at all. If you are still running SBS 4.5... folks, the clock is ticking. You don't have a huge community to help you test patches. We've had historical issues in the past that ONLY affected the 4.5 platform. This sucker replaces the Blaster patches. It is only a denial of service.
My take? I'm glad I'm off NT4. NT4 Server is on service pack coverage until the end of the year... clock is ticking, folks.
MS04-030 - Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service (824151)
http://www.microsoft.com/technet/security/Bulletin/ms04-030.mspx
Private vuln, on our IIS boxes, and WebDAV is enabled on our SBS 2000 boxes. I don't remember if WebDAV is enabled on SBS2k3... I'll check... but I'll patch in due time; I'm not freaking out on this one.
My take? I'll patch just to be a good patcher.
MS04-031 - Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
http://www.microsoft.com/technet/security/Bulletin/ms04-031.mspx
Remote code, Important.
I don't even know what this is... http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/base/establishing_a_network_dde_conversation.asp but again, for now I'll patch, but not on a priority schedule.
MBSA scannable. May need a reboot. Can be uninstalled.
My take? I'll patch just to be a good patcher.
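The handicapping walked through above, written down as a small triage script so the same questions get asked of every bulletin. This is an added example, not code from the post or from Microsoft; the Bulletin fields, the priority weights and the role-trumps-severity ordering are my assumptions, and the month's bulletin facts are transcribed from the text above.

```python
from dataclasses import dataclass
LEVELS = ["low", "normal", "high", "fast track"]

@dataclass
class Bulletin:
    bid: str
    severity: str            # Microsoft rating: "critical" or "important"
    impact: str              # "rce" (code execution) or "dos" (denial of service / disclosure)
    vector: str              # "client": mail/web/file a user opens; "service": a listening daemon
    roles: tuple             # SBS roles the bulletin applies to; () means we don't need it at all
    public: bool = False     # executive summary says the vulnerability is publicly known
    in_wild: bool = False    # the CAN entry leads to live exploit discussion
    exposed: bool = True     # for "service": is it enabled / its port open on our boxes?
    ack_major: bool = False  # credited to eEye or similar: details will be out shortly

def bump(level, n, cap="fast track"):
    # move a priority up or down n steps without passing cap
    return LEVELS[min(LEVELS.index(cap), max(0, LEVELS.index(level) + n))]

def handicap(b, role):
    """Rate one bulletin for one role. Role trumps severity, as in the post."""
    if role not in b.roles:
        return "n/a"                     # e.g. Excel on the server, RPC on SBS 2003
    if b.vector == "client" and role == "server":
        return "low"                     # nobody surfs or reads mail at the server
    if b.vector == "service" and not b.exposed:
        return "low"                     # port not open / service off; patch anyway, later
    level = "high" if b.severity == "critical" else "normal"
    if b.impact != "rce":
        level = bump(level, -1)          # DoS or disclosure only
    if b.public or b.ack_major:
        level = bump(level, 1, cap="high")  # details are, or soon will be, public
    if b.in_wild:
        level = "fast track"             # live exploits: this one goes out this week
    return level

def rank_month(bulletins, role):
    # highest priority first for one role; bulletins we don't need are dropped
    rated = [(b.bid, handicap(b, role)) for b in bulletins]
    return sorted((r for r in rated if r[1] != "n/a"), key=lambda r: -LEVELS.index(r[1]))

# This month's bulletins, transcribed from the post (constructed sample data, not a feed).
MONTH = [
    Bulletin("MS04-032", "critical", "rce", "client", ("workstation", "server"), ack_major=True),
    Bulletin("MS04-033", "critical", "rce", "client", ("workstation",)),
    Bulletin("MS04-034", "critical", "rce", "client", ("workstation", "server"), ack_major=True),
    Bulletin("MS04-035", "critical", "rce", "service", ("server",), exposed=False),
    Bulletin("MS04-037", "critical", "rce", "client", ("workstation", "server"), public=True),
    Bulletin("MS04-038", "critical", "rce", "client", ("workstation", "server"), public=True, in_wild=True),
    Bulletin("MS04-029", "important", "dos", "service", ()),
    Bulletin("MS04-030", "important", "dos", "service", ("server",)),
]
```

Running `rank_month(MONTH, "workstation")` puts MS04-038 alone on the fast track, while `rank_month(MONTH, "server")` never rises above "low" this month and drops MS04-029 entirely.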
Re-Released Bulletins:
MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
http://www.microsoft.com/technet/security/Bulletin/ms04-028.mspx
Per Russ Cooper, the reason for the revision: Bulletin updated to advise on the availability of revised security updates for Office XP, Visio 2002, and Project 2002 customers that are using Windows XP Service Pack 2. Microsoft Knowledge Base Article 833987 documents the currently known issues that customers may experience when installing these security updates. The article also documents recommended solutions for these issues. Microsoft has also released the MS04-028 Enterprise Update Scanning Tool to help customers detect and deploy the required updates. For more information about the MS04-028 Enterprise Update Scanning Tool, see Microsoft Knowledge Base Article 886988. We have released an update for Windows 2000-based systems that have installed the Windows Journal Viewer. The bulletin has also been updated with a new FAQ that addresses questions regarding the Visio 2002 Viewer, Visio 2003 Viewer, and PowerPoint 2003 Viewer programs.