Today was Microsoft Patch Tuesday, and Microsoft released 9 patches covering 11 vulnerabilities. Most of the patches are targeted at the Windows OS itself, although a couple address new vulnerabilities in MS Office.
One of these vulnerabilities is interesting, in that it was discovered by security researchers after a deep analysis of July’s Stuxnet worm. Stuxnet was already known to leverage a zero-day vulnerability to infect the target systems (resulting in the release of out-of-band patch MS10-046). After further study, it has also been found to leverage a previously unknown vuln in the Windows Print Spooler to inject itself deeper into the network. This vuln has been addressed this month via MS10-061. On top of all this, Stuxnet has been found to exploit two additional zero-day vulns, in order to gain more complete privileges on systems where it has gained an initial foothold (MS is still working on patches for these).
For those of you who have not kept score, this single worm has been found to exploit FOUR (!!) unique zero-day vulns in the Windows OS. This represents a HUGE (perhaps unprecedented) investment on the part of the (unknown) developer of this worm, and demonstrates an extremely high degree of skill, knowledge, and/or resources. Between Aurora and Stuxnet, it’s clear that attacks are getting more sophisticated, and more tightly targeted. Smart people are carefully selecting their targets, and building custom attacks designed to efficiently extract valuable intellectual property. In this environment, the only defenses are behavioral detection techniques (such as buffer overflow protection and host intrusion prevention) along with complete lockdown via tools like McAfee Application Control.
McAfee’s coverage for this month’s vulnerabilities is excellent:
• McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 7 out of 11 new vulnerabilities this month.
• McAfee's Host Intrusion Prevention is expected to provide proactive protection against exploits of 10 out of 11 new vulnerabilities this month.
• McAfee's Network Security Platform now has content to protect against exploits of 8 out of 11 new vulnerabilities.
• McAfee Vulnerability Manager and Policy Auditor now have content to assess whether your systems are exposed to any of these new vulnerabilities.
• McAfee Remediation Manager will shortly have content to deploy any of the new patches.
Additional countermeasures are still under investigation at this time.