Patch Tuesday is over and colleagues are busy sorting through the various remedies from Microsoft to figure out what they are fixing. (For more on this process in action, go here.) As you may know, Patch Tuesday occurs during the second week of each month, with a summary of the upcoming patches released by Microsoft on the Thursday before. The summary helps network and systems admins decide what priority to give to applying those patches - all based on Microsoft’s classification of each one as Critical, Important, or just plain old Moderate.
As with a lot of actions in the security world, it is a double-edged sword: exploit writers (black, white and gray hats alike) get a heads-up on the type of vulnerabilities that will be disclosed - and, by definition, vulnerabilities that no one has patched yet. This lets them all prepare their environments for the effort of reversing the patches and producing exploits. Last Thursday I checked out the summary of the patches that were issued this afternoon through the eyes of an online criminal, and two leapt out at me as interesting:
Bulletin 1: The fact that all modern versions of Windows Server and the XP/Vista/7 operating systems can be remotely compromised makes this ‘Critical’ patch attractive to any hacker hoping to reverse engineer it. This is the holy grail of exploits. Last week you could practically hear the exploit development community drooling over this one in particular.
Bulletin 2: This ‘Important’ item, related to Windows Server 2003, has some appeal for hacktivists leveraging DoS attacks to create discord and embarrassment for their targets. DoS is also something most red teams/white hats are not given the right to test within their scope of work – so the defenses against these attacks are not exercised until the real threat comes along. All in all, there are going to be some tired IT people next week, but in my experience working with the Exploit Writing Team at CoreLabs they will be enjoying the challenge they undertake on behalf of our customers every month to provide the security intelligence they need to prevent an attack before it happens.