Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle. For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to.
I am obviously not the only one who thinks that as the Internet Storm Center‘s Infocon has turned yellow which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak. “
The vulnerability could allow an attacker without authentication to remotely run arbitary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propogated throughout the Internet and this vulnerability could be used in the same way. Microsoft have reported that they have seen live targetted attacks on some customer systems using this vulnerability.
It is recommended that you patch your systems ASAP. However patches, be they from Microsoft or other vendors, brings with them many inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the ones identified? Will it impact on other applications and systems? If we patch we may have problems, if we don’t we may have a security breach. Not the easiest of choices for an IT or Infromation Security professional to have to make.
I recommend you look at the following steps to mitigate the problem;
- A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
- Whatever solution is decided upon needs to be agreed to and signed off by senior management.
- An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) in the event your systems are compromised in spite of the steps taken.
- Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
- Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
- Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
- Ensure that all Anti-Virus signatures and software is up to date.
- Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
- Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
- Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.
I strongly advise, as with all patches, to ensure that you test and are satisfied that the patch does not negatively impact your environment before you deploy it. It also may be worth keeping on high alert even after deploying the patch as;
- Other new vulnerabilities could still be found in this feature of Windows.
- Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.
More details are available from the Microsoft Security Response Center and also from the Internet Storm Center. It is a pity that we do not have our own CERT here in Ireland to help coordinate a response to this issue and help Irish businesses better protect themselves.