Executive Summary - Massive breadth/depth of changes.
Microsoft's October "Patch Tuesday" Security Update brings us a massive wave of patches with 6 Critical, 4 Important and 1 Moderate update. These are significant updates with one patch (MS08-057) updating more than 50 core files and most of the patches updating key system files, therefore requiring system restarts. The good news is that only one of the patches has wide scale issues for application compatibility. The major concern for this October release is the Internet Explorer Update MS08-058. As in the case with the September updates, updating Internet Explorer components affects a large number of applications in our test portfolio for all Windows desktop/server operating systems including XP and VISTA. Again as in September it is likely that some applications will have performance issues as a result of this update. Here is a sample snippet from the AOK Workbench report on one application.
This example illustrates how the JAVA application package includes file level dependencies that have been updated by the MS08-085 Security Update
These three items are critical dependencies with Java. If you have a Java application that uses the IE7 internet control you will need to thoroughly test this application.
Examples of other applications affected include Oracle 9, several HP printer drivers and some IBM AS400 client access tools.
We recommend organisations test their key applications affected by this patch before deploying the update and look carefully at the small number of applications affected more widely by these updates.
Vendors supplying applications in widespead use should have the resource to quickly resolve any issues identified and are likely to have more resiliance in their code to minimize problems with MS08-057. In house developed applications are likely to be more at risk. Without a product like AOK it can takes days per application to identify the code affected by these patches. Many corporates have to 10% to 30% of their applications developed in house so this could run to hundreds of even thousands of individual packages that will need testing.
Coprorates will be under extreme pressure to release this these new patches to the live environment but proper testing can takes months.
Testing Summary
- MS08-56: Marginal impact with low numbers of applications affected
- MS08-57: Marginal impact with low numbers of applications affected
- MS08-58: High impact with significant numbers of applications affected
- MS08-59: Marginal impact with low numbers of applications affected
- MS08-60: Marginal impact with low numbers of applications affected
- MS08-61: Medium impact with low numbers of applications affected
- MS08-62: Medium impact with low numbers of applications affected
- MS08-63: Medium impact with low numbers of applications affected
- MS08-64: Medium impact with low numbers of applications affected
- MS08-65: Marginal impact with low numbers of applications affected
- MS08-66: Medium impact with low numbers of applications affected
| Patch Name | Total Issues | % of apps Affected | Reboot | Rating | RAG |
|---|---|---|---|---|---|
| Microsoft Security Bulletin MS08-056 | <1% | <1% | YES | M |  |
| Microsoft Security Bulletin MS08-057 | <1% | <1% | YES | C | |
| Microsoft Security Bulletin MS08-058 | 1130 | 33% | YES | C |  |
| Microsoft Security Bulletin MS08-059 | <1% | <1% | NO | C | |
| Microsoft Security Bulletin MS08-060 | <1% | <1% | YES | C | |
| Microsoft Security Bulletin MS08-061 | 146 | <1% | YES | I |  |
| Microsoft Security Bulletin MS08-062 | 136 | <1% | NO | I | |
| Microsoft Security Bulletin MS08-063 | 131 | <1% | YES | I | |
| Microsoft Security Bulletin MS08-064 | 197 | 1% | YES | I | |
| Microsoft Security Bulletin MS08-065 | <1% | <1% | YES | I | |
| Microsoft Security Bulletin MS08-066 | 127 | <1% | YES | I | |
Legend:
| No Issues Detected |
| Potentially fixable application Impact |
| Serious Compatibility Issue |
M = Moderate
I = Important
C = Critical
So in the example of MS08-061 we found only 8 of the c. 800 applications in our sample were affected. However a number of these have widespread dependencies. One example being Microsoft Digital Image version 9 where there were 38 separate recorded dependencies i in this application affected by this patch.
c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab)
Security Update Detailed Summary
| MS08-056 | Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) |
| Description | This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site. |
| Payload | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CDO HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cdo |
| Impact | Information Disclosure |
| MS08-057 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) |
| Description | This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
| Payload | Nosxs_mfc80cht.dll, Nosxs_mfc80deu.dll, Nosxs_mfc80enu.dll, Nosxs_mfc80esp.dll, Nosxs_mfc80fra.dll, Nosxs_mfc80ita.dll, Nosxs_mfc80jpn.dll, Nosxs_mfc80kor.dll, Nosxs_mfc80u.dll, Nosxs_mfcm80.dll, Nosxs_mfcm80u.dll, Nosxs_msvcm80.dll, Nosxs_msvcp80.dll, Nosxs_msvcr80.dll, Sql90.xsl, Ul_atl80.dll, Ul_mfc80.dll, Ul_mfc80chs.dll, Ul_mfc80cht.dll, Ul_mfc80deu.dll, Ul_mfc80enu.dll, Ul_mfc80esp.dll, Ul_mfc80fra.dll, Ul_mfc80ita.dll, Ul_mfc80jpn.dll, Ul_mfc80kor.dll, Ul_mfc80u.dll, Ul_mfcm80.dll, Ul_mfcm80u.dll, Ul_msvcm80.dll, Ul_msvcp80.dll, Ul_msvcr80.dll, Xlcall32.dll, Xlsrv.dll, Xlsrv.webservices.api.dll, Xmlrw.dll, Xmlrwbin.dll, Msmdlocal.dll, Msmdlocal.dll, Msmgdsrv.dll, Msmgdsrv.dll, Msolap90.dll, Msolap90.dll, Msolui90.dll, Msolui90.dll, Msvcm80.dll, Msvcp80.dll, Msvcr80.dll, Sql90.xsl, Sql90.xsl, |
| Impact | Remote Code Execution |
| MS08-058 | Cumulative Security Update for Internet Explorer (956390) |
| Description | This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
| Payload | Iecustom.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Iecustom.dll, |
| Impact | Remote Code Execution |
| MS08-059 | Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695) |
| Description | This security update resolves a privately reported vulnerability in Microsoft Host Integration Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights. |
| Payload | Hisservicelib.dll Rpcdetct.dll Snarpcsv.exe |
| Impact | Remote Code Execution |
| MS08-060 | Vulnerability in Active Directory Could Allow Remote Code Execution (957280) |
| Description | This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker gains access to an affected network. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability. |
| Payload | Ntdsa.dll Sp3res.dll |
| Impact | Remote Code Execution |
| MS08-061 | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211) |
| Description | This security update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users. |
| Payload | Win32k.sys W32ksign.dll Gdi32.dll Wgdi32.dll |
| Impact | Elevation of Privilege |
| MS08-062 | Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155) |
| Description | This update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
| Payload | Msw3prt.dll Win32spl.dll Printcom.dll |
| Impact | Remote Code Execution |
| MS08-063 | Vulnerability in SMB Could Allow Remote Code Execution (957095) |
| Description | This security update resolves a privately reported vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. |
| Payload | Srv.sys |
| Impact | Remote Code Execution |
| MS08-064 | Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) |
| Description | This security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. |
| Payload | Ntkrnlmp.exe Ntkrnlpa.exe Ntkrpamp.exe Ntoskrnl.exe Hal.dll |
| Impact | Elevation of Privilege |
| MS08-065 | Vulnerability in Message Queuing Could Allow Remote Code Execution (951071) |
| Description | This security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled. |
| Payload | Mq1repl.dll, Mq1sync.exe, Mqac.sys, Mqads.dll, Mqbkup.exe, Mqcertui.dll, Mqclus.dll, Mqdbodbc.dll, Mqdscli.dll, Mqdssrv.dll, Mqlogmgr.dll, Mqmig.exe, Mqmigrat.dll, Mqoa.dll, Mqperf.dll, Mqqm.dll, Mqrperf.dll, Mqrt.dll, Mqsec.dll, Mqsnap.dll, Mqsvc.exe, Mqupgrd.dll, Mqutil.dll, Msmq.cpl, Msmqocm.dll |
| Impact | Remote Code Execution |
| MS08-066 | Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803) |
| Description | This security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| Payload | Afd.sys |
| Impact | Elevation of Privilege |
No comments:
Post a Comment