Wednesday, November 12, 2014

Catastrophic Windows Bug - Could It Be Microsoft's Heartbleed/Shellshock?


Ars Technica reported today that there is a potentially catastrophic bug affecting all versions of Windows. How surprised or shocked should we be? After years of such shattering news, not very. The bug, which allows remote execution of malicious code, resides in the Windows TLS stack.

TK Keanini, CTO of Lancope, suggests that "System administrators should already have a process to review and patch each Patch Tuesday. Those who have these good habits remain secure; those who have bad habits need reminders or ultimately get compromised before they get around to updating.

"This bug affects the listening side of the connection, traditionally the server, but it is difficult these days to make this differentiation with software installed on traditional desktop OSes acting as servers.
Online games are particularly notorious for installing listening ports for incoming connections, so it is best that everyone just apply the patch regardless of the client or server designation.
 
"Attackers will just add this to their playbook as they explore your network for access vectors. You have two tasks: 1) patch and narrow the aperture of your target surface, and, more importantly, 2) have the telemetry in place so that if someone is performing this reconnaissance on your network, you can identify them and shut them down prior to exploitation or exfiltration. Put it this way: if banks had no security cameras or incident response, crooks could show up with tools and torches and take their time as they made their way into the safe."
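The "desktop as server" point above is easy to check for: a bug on the listening side of the TLS stack only matters on hosts that actually have something listening. The following PowerShell is an added example for this post, not code from Ars Technica, Lancope or Microsoft. It inventories TCP listeners on a Windows host, maps each to its owning process, and reports those whose process name is not on an administrator-maintained allowlist. The allowlist contents are an assumption and should be replaced with what you expect on that host; the cmdlets used (Get-NetTCPConnection, Get-Process) ship with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post or the quoted vendors): find
# network-reachable TCP listeners on a Windows host that are not on an
# expected-services allowlist, so desktops quietly acting as servers
# (game launchers, sync clients, dev tools) are visible before patching.
# $ExpectedListeners is a placeholder assumption; tune it per host role.
$ExpectedListeners = @('System', 'svchost', 'lsass', 'services', 'wininit')

function Get-UnexpectedListeners {
    param([string[]]$Allow = $ExpectedListeners)

    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            # Resolve the owning PID to a process; Path is $null without
            # sufficient rights to read the image path of the process.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path         = if ($proc) { $proc.Path } else { $null }
            }
        } |
        Where-Object { $Allow -notcontains $_.Process } |
        Sort-Object LocalPort
}

# Listeners bound to all interfaces (wildcard IPv4/IPv6) are reachable from the
# network; loopback-only listeners are not exposed to remote peers and are
# deliberately left out of this report.
Get-UnexpectedListeners |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
    Format-Table LocalAddress, LocalPort, PID, Process, Path -AutoSize
```

Run it elevated so that process image paths resolve, and run it across a fleet (for example through a remoting session) rather than on one machine: the interesting result is the list of hosts that the server/client labelling in your asset inventory got wrong, which is exactly the set Keanini is arguing you cannot afford to leave unpatched.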

Amichai Schulman, CTO at Imperva, adds, "The advisory from Microsoft does not state that hosts running web servers are more vulnerable than others to this. It seems that while the same patch includes an enhancement to the TLS cipher suite list, this enhancement has nothing to do with the vulnerability being patched. If this vulnerability is indeed exploitable via SSL/TLS, it is more severe in nature than Heartbleed because this is a remote code execution vulnerability – it allows the attacker to completely take over the server (while Heartbleed attempted, opportunistically, to collect sensitive information)."

For more on patch management, see the articles below and the book Security Patch Management by Felicia M. Nicastro.

5 Reasons to Establish a Patch Management Policy

Security Patch Management: Getting Started