Archive for December, 2008

Holes in Your Security Christmas Stockings

Posted in PCI, Penetration Testing, Vulnerability Assessment with tags , , , , , , , , , , on December 31, 2008 by Tim

Over the Holiday season, I tended to my family’s computers for their annual check-up. As usual, I initially checked which Microsoft security updates were not installed. While their computers are configured to download and install Microsoft security updates automatically, several updates usually require manual interaction to install. After the Microsoft security updates were installed, I began the daunting task of installing the non-Microsoft application security updates and upgrades that have accumulated over the course of the year.

Similarly, most organizations have setup Windows Server Update Services (WSUS) or Systems Management Server (SMS) to apply Microsoft security updates. However, most organizations still have not implemented an enterprise-wide solution for applying security patches to non-Microsoft applications. Applications such as Adobe’s Acrobat and Flash or Sun’s Java Runtime Environment are often installed as part of a base laptop image or installed by employees at a later time. While their providers often release security updates, these applications remain at the current patch level as when they were installed. As a result, organizations remain extremely vulnerable from these non-Microsoft applications. For example, on December 5, 2008, US-CERT released an advisory (US-CERT Advisory TA08-340A) concerning security vulnerabilities that could allow an attacker to obtain complete control of systems running vulnerable versions of Sun’s Java Runtime Environment.

I am not recommending organizations abandon non-Microsoft products and would encourage organizations to evaluate the alternatives. The current problem is that non-Microsoft applications are often over-looked and the emphasis in patch management is on Microsoft products.
Several enterprise solutions exist to apply patches to non-Microsoft applications. Similar to Microsoft’s WSUS and SMS, these products are not perfect and have their own flaws. In order to implement an effective solution, the following best-practices practices should be followed:

• Identify the applications that have valid business requirements

• Restrict users from installing other applications

• Implement an enterprise-wide solution that controls applying security patches to non-Microsoft applications

As Microsoft attempts to create more secure products, hackers are crafting malware to specifically exploit non-Microsoft products. For example, a Trojan masquerading as a plugin for Mozilla’s Firefox web browser was recently identified ( – Firefox Trojan). The non-Microsoft application security patches have been overlooked for many years and should become a major initiative of organizations.