Friday, 25 March 2011

When we should learn from history

Happy new year from Prevx Research Labs!

2010 is behind us and we have already started this exciting new year strongly focused on Prevx4 development. However, today we're going to write again about the Microsoft Patch Day, which was scheduled for Tuesday 11 January.

We ended last year with two public 0day exploits already freely available on the web, two exploits that Microsoft did not fix on the December patch day. In a previous blog post I already showed how these two exploits, if used together, could be potentially more dangerous than expected.

During the first days of this month another 0day exploit was published on the web - again in the Metasploit framework. This time the flaw is located inside the shimgvw.dll library: a stack overflow triggered when the library parses a malformed thumbnail bitmap whose header carries a negative "biClrUsed" value.
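The flaw class described above is a header field that is trusted as a buffer size. The following C program is an added example written for this post; it is not the shimgvw.dll code and it is not from Prevx or Microsoft. It parses a BITMAPINFOHEADER from a byte buffer, treats biClrUsed as the unsigned count it is, bounds it by what biBitCount allows before any stack copy, and rejects the 0xFFFFFFFF ("-1") case outright. The sample bitmaps, the function names and the error codes are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of a BITMAPINFOHEADER and the largest palette an indexed bitmap can carry. */
#define BIH_SIZE            40u
#define MAX_PALETTE_ENTRIES 256u

typedef enum {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,   /* buffer shorter than the header or the declared palette */
    BMP_ERR_HEADER_SIZE, /* biSize smaller than the structure it claims to be */
    BMP_ERR_BITCOUNT,    /* unsupported biBitCount */
    BMP_ERR_CLRUSED      /* biClrUsed larger than biBitCount allows (incl. "negative" values) */
} bmp_status;

/* Little-endian readers; the casts avoid signed overflow when byte 3 is shifted by 24. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate the header and return how many palette entries may safely be read.
 * biClrUsed is handled as unsigned: 0xFFFFFFFF, which a signed parser would see as -1
 * and might hand to a copy loop, simply fails the upper-bound check. */
bmp_status bmp_palette_entries(const uint8_t *buf, size_t len, uint32_t *entries)
{
    if (len < BIH_SIZE) return BMP_ERR_TRUNCATED;
    uint32_t bi_size     = rd32(buf);
    uint16_t bi_bitcount = rd16(buf + 14);
    uint32_t bi_clrused  = rd32(buf + 32);
    if (bi_size < BIH_SIZE) return BMP_ERR_HEADER_SIZE;

    uint32_t max_entries;
    switch (bi_bitcount) {
    case 1: case 4: case 8:    max_entries = 1u << bi_bitcount; break; /* indexed formats */
    case 16: case 24: case 32: max_entries = 0; break;                /* no palette */
    default: return BMP_ERR_BITCOUNT;
    }
    /* In the BMP format, 0 means "all entries for this bit depth". */
    uint32_t n = (bi_clrused == 0) ? max_entries : bi_clrused;
    if (n > max_entries) return BMP_ERR_CLRUSED;
    *entries = n;
    return BMP_OK;
}

/* Copy the palette into a fixed-size buffer only after the count has been bounded. */
bmp_status bmp_load_palette(const uint8_t *buf, size_t len, uint32_t pal[MAX_PALETTE_ENTRIES], uint32_t *count)
{
    uint32_t n;
    bmp_status st = bmp_palette_entries(buf, len, &n);
    if (st != BMP_OK) return st;
    size_t palette_offset = rd32(buf);                 /* palette follows biSize header bytes */
    if (palette_offset > len || (len - palette_offset) / 4 < n) return BMP_ERR_TRUNCATED;
    for (uint32_t i = 0; i < n; i++)                   /* n <= MAX_PALETTE_ENTRIES is guaranteed */
        pal[i] = rd32(buf + palette_offset + 4u * i);
    *count = n;
    return BMP_OK;
}

/* Constructed sample: a 40-byte header followed by a zeroed 256-entry palette. */
size_t make_sample_bitmap(uint8_t *out, size_t cap, uint16_t bitcount, uint32_t clrused)
{
    size_t total = BIH_SIZE + MAX_PALETTE_ENTRIES * 4u;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = BIH_SIZE;                                              /* biSize */
    out[14] = (uint8_t)bitcount;         out[15] = (uint8_t)(bitcount >> 8);
    out[32] = (uint8_t)clrused;          out[33] = (uint8_t)(clrused >> 8);
    out[34] = (uint8_t)(clrused >> 16);  out[35] = (uint8_t)(clrused >> 24);
    return total;
}

/* Helpers that build a sample and report the parser's verdict and the bounded entry count. */
bmp_status check_sample_status(uint16_t bitcount, uint32_t clrused)
{
    uint8_t buf[BIH_SIZE + MAX_PALETTE_ENTRIES * 4u];
    uint32_t pal[MAX_PALETTE_ENTRIES], count = 0;
    size_t len = make_sample_bitmap(buf, sizeof buf, bitcount, clrused);
    return bmp_load_palette(buf, len, pal, &count);
}
uint32_t check_sample_count(uint16_t bitcount, uint32_t clrused)
{
    uint8_t buf[BIH_SIZE + MAX_PALETTE_ENTRIES * 4u];
    uint32_t pal[MAX_PALETTE_ENTRIES], count = 0;
    size_t len = make_sample_bitmap(buf, sizeof buf, bitcount, clrused);
    return bmp_load_palette(buf, len, pal, &count) == BMP_OK ? count : 0xFFFFFFFFu;
}

int main(void)
{
    printf("8bpp, biClrUsed=16         -> status %d, entries %u\n", check_sample_status(8, 16), check_sample_count(8, 16));
    printf("8bpp, biClrUsed=0          -> status %d, entries %u\n", check_sample_status(8, 0), check_sample_count(8, 0));
    printf("8bpp, biClrUsed=0xFFFFFFFF -> status %d (rejected)\n", check_sample_status(8, 0xFFFFFFFFu));
    printf("4bpp, biClrUsed=17         -> status %d (rejected)\n", check_sample_status(4, 17));
    return 0;
}
```

The point to take away is the order of operations: the palette count is derived, clamped against the bit depth and checked against the remaining buffer length before any loop indexes a fixed-size array. A parser that reads biClrUsed into a signed integer and compares it with `< 0` or `<= 256` separately can be tricked into either branch; comparing the unsigned value against a single upper bound closes both cases.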

With this last exploit we have a total of three 0day exploits, already documented along with their source code publicly available on the net: two remote code execution exploits and an Elevation of Privilege exploit. The Internet Explorer mshtml.dll exploit is tracked as CVE-2010-3971 and Microsoft Security Advisory 2488013. The Microsoft Graphics Rendering Engine flaw is tracked as CVE-2010-3970 and Microsoft Security Advisory 2490606. The win32k.sys Elevation of Privilege exploit is tracked as CVE-2010-4398 and still has no Microsoft Security Advisory - recall that we reported the flaw on 24 November 2010.

We were expecting Microsoft to patch them on the first patch day of the year, which was scheduled for yesterday. Unfortunately, Microsoft decided not to patch any of them.

In my opinion Microsoft's choice not to patch these open flaws is questionable. While I must say that Microsoft has posted workarounds to mitigate the two remote code execution exploits, I think this is not a good way to handle the problem, because it widens the gap between the disclosed flaw and the released patch. Publishing workarounds is fine as a temporary measure to mitigate a flaw. It should no longer be acceptable once the flaw has been known and documented on the web for more than a month. Moreover, we're assuming that every user is able to apply the workaround by themselves, and we're already being quite optimistic when we say that the user is even aware of a workaround to be applied. Most users just run Windows Update and automatically download the needed patches.

The Elevation of Privilege flaw we talked about in November 2010 has been publicly available on the internet for more than 40 days. And the flaw doesn't even have a security advisory from Microsoft yet. Someone could object that there aren't any reports showing the vulnerability being used in the wild. Well, we should have a closer look at what history teaches us.

This situation should ring a bell: when Stuxnet was discovered, we found it was using four 0day exploits. Or maybe we should say it was using just three real 0day exploits?

Actually, one of the 0day exploits had already been known since April 2009, when the security magazine Hakin9 released details of the flaw that was later identified in Stuxnet and tagged by Microsoft as MS10-061. Microsoft fixed the flaw in September 2010, 17 months later.

Perhaps the flaw had not been used widely in the wild, but it turned out to have been used in the most sophisticated targeted attack ever seen. So, the question is: is it a good strategy to delay releasing some patches just because there isn't any evidence that the flaw is being used in the wild?

At the moment - even with the operating system fully patched - if malicious code manages to get onto your PC, e.g. through a removable device or some specific exploit, and is able to run as a medium integrity level process, then it can easily gain administrative privileges, no matter whether you are running it from a limited account or from an Admin Approval Mode account.

If you want to be protected from the elevation of privilege exploit, you can install Prevx for free, which will prevent the flaw from being exploited - and it will give you another layer of protection alongside your existing security solution.
