Friday 14 November 2008

November 2008, Microsoft Patch Tuesday

ChangeBASE have announced their findings of Microsoft's Patch Tuesday update of November, 2008. There were two patch releases this week (MS08-068 and MS08-069) and one last week (MSO8-067).

MS067 and MS068 were critical releases as they addressed potential serious security issues. However from an application compatibility perspective they will have minimal impact on an organisation's application portfolio. This comes as good news for enterprises as it gives them a month off the full testing cycle with patch updates. In recent months the impact of patches on applications has been significant and has required a huge amount of testing to ensure business critical applications continue to work.

From our discussions with larger companies their testing activity generally falls into one of three camps:

  • Light sample testing of a small number of business critical applications - This requires limited testing resource but leaves organisations vulnerable to applications problems/failures
  • Medium testing - This takes significant resource and time but means that a wider portfolio of applications can be tested
  • Heavy testing - Many organisations do not have the resource to do this on a monthly basis and we have come across examples of corporates who only release new patches to their live environment twice a year as a result of this. The plus side of this approach is that applications are likely to be unaffected by the patch updates. The downside is that critical patches are not deployed, leaving organisations vulnerable to, for example, security breaches

ChangeBASE AOK Patch Impact Monitor identifies in minutes applications that are affected by new Microsoft releases and provides detailed information on potential compatibility issues. This can cut the testing time down to the point that heavy testing can be done on a greater number of applications in a short period of time.

Thankfully November should be a quiet time for testing as the new patches will have minimal impact on an organisation's applications.

Testing Summary

MS08-68: Marginal impact with low numbers of applications affected
MS08-69: Marginal impact with low numbers of applications affected

Patch NameTotal Issues% of apps
Affected
RebootRatingRAG
MS08-067<1%<1%YESCNo Issue
MS08-068<1%<1%YESCNo Issue
 MS08-069<1%<1%YESINo Issue

Legend: 
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-067Vulnerability in Server Service Could Allow Remote Code Execution (958644)
DescriptionThis security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
PayloadNetapi.dll
ImpactRemote Code Execution

MS08-068Vulnerability in SMB Could Allow Remote Code Execution (957097)
DescriptionThis security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadMrxsmb.sys
ImpactInformation Disclosure

MS08-069Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
DescriptionThis security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadMsxml5.dll
ImpactRemote Code Execution

No comments: