Microsoft to end Patch Tuesday fixes

Microsoft recently showed, during their Ignite 2015 conference, some of the new security mechanisms embedded in Windows 10, which also means a change in the software update cycles, reports @iainthomson with The Register.

Terry Myerson, head of the Windows Operating System division, took a shot at Google’s approach (or lack of one) in his keynote last week:

Google takes no responsibility to update customer devices, and refuses to take responsibility to update their devices, leaving end users and businesses increasingly exposed every day they use an Android device.

Google ships a big pile of [pause for effect] code, with no commitment to update your device.

The article reports:

Myerson promised that with the new version of Windows, Microsoft will release security updates to PCs, tablets and phones 24/7, as well as pushing other software “innovations,” effectively putting an end to the need for a Patch Tuesday once a month.

And,

On the data protection side, Brad Anderson, veep of enterprise client and mobility, showed off a new feature in preview builds today: Microsoft’s Advanced Threat Analytics (ATA). This tries to sense the presence of malware in a network, and locks down apps to prevent sensitive data being copied within a device…

Using Azure, administrators can choose to embed metadata in files so that managers can see who read what document, when, and where from. If a particular user is trying to access files they shouldn’t, an alert system will let the IT manager know.

Well, controls like these have been around for some time, but most of them have been implemented through third-party products, so it is interesting to see Microsoft building these capabilities into the operating system itself.

Microsoft’s decision to release patches whenever they are ready is definitely a move in the right direction, and is in line with what Apple has been doing with Mac OS for quite some time.

Title Image Courtesy: blog.kaspersky.com

Microsoft’s HTTP.sys vulnerability – MS15-034

Just last week Microsoft patched a critical vulnerability that affects the Windows HTTP stack, which, if exploited by an attacker sending a specially crafted HTTP request, could give the adversary the ability to execute arbitrary code in the context of the System account.

Background
For those who aren’t aware already, the HTTP listener in Microsoft IIS is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). IIS uses HTTP.sys for the following tasks:
  • Routing HTTP requests to the correct request queue.
  • Caching of responses in kernel mode.
  • Performing all text-based logging for the WWW service.
  • Implementing Quality of Service (QoS) functionality, which includes connection limits, connection timeouts, queue-length limits, and bandwidth throttling.
Vulnerability
The problem here stems from HTTP.sys not safely handling the Range header in an HTTP request. The Range header is used to fetch part of a file from a server, which is handy for resuming downloads. If the requested range is set far too large, the Windows kernel crashes.
I found these two articles quite useful, while researching this vulnerability.
Exploits found
Two exploits have been discovered to be in the wild as of this post: one to test if a server is vulnerable, and one that crashes it. Mattias Geniar of hosting solutions provider Nucleus claims to have tracked down one of these exploits, and he covers it in good detail here.

Patch released
Microsoft has released a patch as part of their last Patch Tuesday advisory.
The vulnerability has been assigned a reference and is further described here.
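Since the problem is a Range header with absurd byte offsets, one cheap defender-side check is to look for such headers in the web tier's request logs. The following is an added example written for this post, not code from the article, Microsoft or Nucleus. It assumes a simplified log layout (timestamp, client, method, path, quoted Range value or `-`) built here as constructed sample lines, and it treats any offset above an assumed 32-bit ceiling as oversized; real IIS logs need the Range header added as a custom field before they carry such a column.

```python
import re
from collections import Counter

# Assumed threshold, not from the article: a Range offset larger than this is
# treated as oversized. Nothing a normal web tier serves needs a 32-bit-plus end offset.
MAX_SANE_OFFSET = 2**32 - 1

# Severity order used when a header carries several range specs.
_RANK = {"ok": 0, "malformed": 1, "oversized": 2}

def analyze_range(value):
    """Classify one Range header value as 'ok', 'malformed' or 'oversized'."""
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return "malformed"
    worst = "ok"
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            verdict = "malformed"          # not "start-end", "start-" or "-suffix"
        else:
            nums = [int(x) for x in m.groups() if x]
            if max(nums) > MAX_SANE_OFFSET:
                verdict = "oversized"
            elif len(nums) == 2 and nums[0] > nums[1]:
                verdict = "malformed"      # start after end is not a valid byte range
            else:
                verdict = "ok"
        if _RANK[verdict] > _RANK[worst]:
            worst = verdict
    return worst

# Constructed sample log (not real traffic): "timestamp client method path "range"".
SAMPLE_LOG = """\
2015-04-20T10:01:02Z 198.51.100.10 GET /downloads/setup.exe "bytes=0-1048575"
2015-04-20T10:01:03Z 198.51.100.10 GET /downloads/setup.exe "bytes=1048576-"
2015-04-20T10:02:11Z 203.0.113.7 GET /welcome.png "bytes=0-99999999999999999999"
2015-04-20T10:02:12Z 203.0.113.7 GET /welcome.png "bytes=0-10,0-99999999999999999999"
2015-04-20T10:03:00Z 192.0.2.44 GET /index.html "bytes=abc"
2015-04-20T10:03:30Z 192.0.2.44 GET /index.html -
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (?:"([^"]*)"|-)$')

def parse_line(line):
    """Split one log line into its fields; Range is None when the request had none."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, rng = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "range": rng}

def scan_log(text):
    """Return (ip, path, verdict, raw_range) for every request whose Range is suspicious."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["range"] is None:
            continue
        verdict = analyze_range(rec["range"])
        if verdict != "ok":
            findings.append((rec["ip"], rec["path"], verdict, rec["range"]))
    return findings

def per_client_counts(findings):
    """Count suspicious Range requests per (client, verdict) to spot hosts that keep probing."""
    return Counter((ip, verdict) for ip, _, verdict, _ in findings)

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(per_client_counts(hits))
```

A single malformed header is usually a broken client; the same client sending oversized offsets repeatedly, or against many paths, is what the per-client counter is meant to surface. Running the block on the constructed sample flags the two `welcome.png` requests as oversized and the `bytes=abc` request as malformed.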

Detecting zero day attacks
Software and hardware are bound to have bugs in them, because they are written by human beings! The best way to detect exploitation of these bugs and vulnerabilities is to take a holistic approach to setting up an intrusion detection solution. One effective framework for thinking about cyber defense is the Cyber Kill Chain, originally created by Lockheed Martin. It is a very interesting framework and I shall be talking about it in more detail in a later post. Briefly, the framework holds that every attack consists of a sequence of stages that an adversary works through to accomplish his or her mission.
Cyber Kill Chain – Attack Stages
As per the framework, vulnerabilities are only one part of the whole attack sequence, the stage called Exploitation. So by having detection mechanisms tuned to spot anomalies at the different stages of a cyber attack, we gain the ability to break the sequence at the pre- and post-exploitation stages as well, which increases the chances of detecting zero-day attacks.

To quote from the Lockheed Martin paper:
Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization of this approach reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and effectiveness. The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too.

Hence, I believe that in order to succeed in the race against cybersecurity adversaries who use zero-day exploits and vulnerabilities to accomplish their missions, enterprises must evolve from signature- or discrete-event-based detection to a holistic approach built on a Cyber Kill Chain based intrusion detection framework.
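To make the argument concrete, here is an added example of correlating alerts across kill-chain stages; it is illustrative code written for this post, not from Lockheed Martin's paper or any product. The detector names, the mapping of detectors to stages and the alert feed are all assumptions constructed for the example. Host `ws-17` never raises an exploitation-stage alert (the zero-day is missed), yet it is still flagged because detectors at the delivery, installation, command-and-control and actions-on-objectives stages fire, and the gap in the chain shows exactly where coverage was missing.

```python
from collections import defaultdict

# The seven stages of the Lockheed Martin Cyber Kill Chain, in order.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Assumed mapping from detector names to stages; the names are illustrative,
# not taken from the post or from any product.
DETECTOR_STAGE = {
    "port_scan": "reconnaissance",
    "phishing_attachment": "delivery",
    "ids_signature_hit": "exploitation",
    "new_service_installed": "installation",
    "periodic_dns_beacon": "command_and_control",
    "bulk_file_read": "actions_on_objectives",
}

# Constructed alert feed. ws-17 never produces an exploitation-stage alert
# (the zero-day goes unseen) but lights up the later stages anyway.
SAMPLE_ALERTS = [
    {"ts": "10:00", "host": "ws-17",   "detector": "phishing_attachment"},
    {"ts": "10:04", "host": "ws-17",   "detector": "new_service_installed"},
    {"ts": "10:09", "host": "ws-17",   "detector": "periodic_dns_beacon"},
    {"ts": "11:30", "host": "ws-17",   "detector": "bulk_file_read"},
    {"ts": "10:15", "host": "ws-42",   "detector": "port_scan"},
    {"ts": "10:20", "host": "srv-db1", "detector": "ids_signature_hit"},
]

def stages_per_host(alerts):
    """Map each host to the kill-chain stages observed for it, in chain order."""
    seen = defaultdict(set)
    for alert in alerts:
        stage = DETECTOR_STAGE.get(alert["detector"])
        if stage is not None:
            seen[alert["host"]].add(stage)
    return {host: [s for s in STAGES if s in stages] for host, stages in seen.items()}

def missing_stages(observed):
    """Stages between the first and last observed one that no detector fired for:
    each is either a coverage gap or a stage the adversary passed through unseen."""
    if not observed:
        return []
    lo, hi = STAGES.index(observed[0]), STAGES.index(observed[-1])
    return [s for s in STAGES[lo:hi + 1] if s not in observed]

def campaign_candidates(alerts, min_stages=2):
    """Hosts with alerts in at least min_stages distinct stages: one signature hit
    may be noise, but a sequence of stages on one host is an intrusion in progress."""
    return [host for host, observed in stages_per_host(alerts).items()
            if len(observed) >= min_stages]

def triage(alerts):
    """Per flagged host: the stages observed, the gaps, and how far along the chain it is."""
    per_host = stages_per_host(alerts)
    report = {}
    for host in campaign_candidates(alerts):
        observed = per_host[host]
        report[host] = {
            "observed": observed,
            "missing": missing_stages(observed),
            "furthest": observed[-1],
        }
    return report

if __name__ == "__main__":
    for host, info in triage(SAMPLE_ALERTS).items():
        print(host, info)
```

The `missing` list is the useful feedback loop: when a host reaches actions-on-objectives with no exploitation-stage alert, either the exploit was a zero-day or a detector at that stage is not deployed, and both deserve follow-up. The lone port scan against `ws-42` and the single IDS hit on `srv-db1` stay below the threshold, which is the point of correlating by stage rather than alerting on each event.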

This is a very interesting topic, and I will be talking more about it in my forthcoming posts on this blog.

Title Image Courtesy: slashgear.com