Windows users might have noticed that on the morning of Nov. 13, they were greeted with a large number of updates for their systems. This is an all too common problem for IT departments as they scramble to patch servers, desktop computers and laptops in one day. If an organization was quick to act and lucky enough, it may have successfully avoided an intrusion through one of the reported 40 vulnerabilities. According to ComputerWeekly, this Microsoft software update is almost double the size of an average security patch, and it will certainly keep IT teams busy all week. However, despite the high quantity of patched vulnerabilities, two specific updates were delayed. Ultimately, any organization supporting Windows-based devices or servers is at risk.
One massive vulnerability
A specific bug in all versions of Windows poses a threat to any business that has yet to update its systems. According to Ars Technica, all Windows operating systems that access the Internet are subject to attack due to a vulnerability inside the Microsoft Secure Channel (Schannel) security component, which implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. If the system does not filter maliciously formed packets, an attacker can deliver executable attack code in malicious traffic directly to a Windows-based server.
This poses a massive risk to all data centers, but the vulnerability is not limited to servers: it can affect any version of Windows. Amol Sarwate, director of engineering at Qualys, told Ars Technica that as long as the computer runs any type of software that communicates with the Internet and accepts encrypted connections, a cybercriminal can exploit the flaw. The worst part is that this severe vulnerability has existed for the whole year and impacted every major TLS stack, according to the source. Essentially, hackers could bypass every encrypted network, which is the reason why Heartbleed was considered to be so dangerous. If the vulnerability is not patched, anyone well-versed in technology could find their way into corporate servers to steal data or execute malicious code.
How it works
The main way a hacker can exploit the severe vulnerability is through an Internet browser on an unpatched end-user machine. Wolfgang Kandek, chief technology officer at Qualys, explained to ComputerWeekly that cybercriminals can gain access to computers, and eventually servers, through a malicious website using two basic techniques. The first requires the end user to visit a website over which a hacker has gained control; the cybercriminals can plant malicious content on such sites in the form of downloads or links to other dangerous web pages. The source provided an example of this occurring in the past, referring to the recent vulnerability in the Drupal content management system that resulted in 12 million websites falling victim to hackers.
"A second scenario has the attacker set up a new site and then direct traffic to it through search engine manipulations, such as sites purporting to have the latest pictures on a recent event of general or specific interest," Kandek told ComputerWeekly.
The good news is that a fix is available in the latest Microsoft patch under the moniker MS14-066. Organizations that do not act now could be at risk of experiencing a data breach, and right now it is not known whether any businesses have been affected. According to the source, Kandek said that MS14-066 is the second most important patch out of the 40 in the latest Microsoft system update bulletin.
What could be worse?
The patch identified as MS14-069 will address concerns in Microsoft Word 2007 and fix a remote code execution vulnerability. Kandek explained to the source that cybercriminals can use malicious documents to exploit a problem in the 2007 edition of Microsoft Office. Hackers can send a document directly to their potential victims, and when the message is opened, the cybercriminals will be able to execute malicious code on that system, which can then spread to servers and give them complete control over an organization.
The two that disappeared
Once IT teams implement those two fixes, MS14-066 and MS14-069, they can rest assured knowing that corporate data centers will be secure. However, two other patches were announced in Microsoft's bulletin but not actually released, according to ComputerWeekly.
MS14-068 and MS14-075 were both delayed, and the effects of the postponement are currently unknown. Tyler Reguly, manager of security research at Tripwire, said that this is not uncommon, but because the numbering scheme was unchanged, Microsoft must still be ironing out the quality of the patches. This means that organizations could still be at risk of intrusion through unknown vulnerabilities. However, companies partnered with a third-party security provider can help ensure that, until the official patches are released, their systems remain secure and safe from any cybercriminals with knowledge of the existing vulnerabilities.
David Bailey is Senior Vice President at Protected Trust.
Protected Trust is a sponsor of the Print4Pay Hotel. I urge members and readers to visit their site to see their full line of products and services. More and more we need to provide well-rounded strategic solutions for our customers. Protected Trust offers some unique solutions that can help us in our day-to-day efforts. Check them out here.