July's Wednesday Wrap-Up: Patch Tuesday in a Nutshell
It’s hard to believe a full month has passed since the last Wednesday Wrap-Up, but believe it or not, yesterday marked the second Tuesday of the month.
Unlike the “record setting” previous month, there were four patches released to fix five bugs as part of the July 2010 Patch Tuesday, three of which were rated critical.
Here’s the summary of this month’s patches:
- Three of the four patches were rated critical, though the patch ranked important may actually cause some bigger issues in the future. More on that later.
- Two of the patches address flaws in Windows and the other two address flaws in Microsoft Office.
- Google Researcher Tavis Ormandy’s disclosure of a flaw in Microsoft’s Help and Support Center led to some significant disagreement regarding vulnerability disclosure protocol. However, as Ryan Naraine reports, Microsoft issued a critical patch for the flaw in just 33 days, almost half of Microsoft’s typical 60-day response time. This is promising for those who are full-disclosure advocates.
- The bulletin ranked important for Microsoft Office—MS10-045—directly impacts all versions of Microsoft Outlook except Outlook 2010. With this vulnerability, users cannot tell whether an attachment is an executable or not, which puts them at risk. There is potential for a large-scale spam attack exploiting it.
- The July 2010 patches also represent the end of Windows XP SP2 (Service Pack 2) support. Basically, there will be no updates released for Windows XP SP2, along with Windows 2000, after today.
Many of the Patch Tuesday conversations seemed to focus on two specific areas: the vulnerability disclosed by Ormandy a few weeks ago, and the end of Windows XP SP2 and Windows 2000 support.
Vulnerability Disclosures
Following Ormandy’s disclosure of the Microsoft Help and Support Center flaw, there has been significant activity in the security realm. Many agree with Ormandy, stating that full disclosure is necessary to move Microsoft along in issuing a fix sooner rather than later. On the other hand, however, many believe this just puts the end-user at greater risk.
Since the disclosure of the vulnerability, a number of malicious exploits emerged, all of which attempted to target the vulnerability, as reported by Rob Westervelt. Elinor Mills took a deeper look at these malicious exploits as they emerged last month.
Interestingly, there has been little discussion of Microsoft’s relationship with researchers and the emergence of the MSRC. Not the MSRC we’re already familiar with (the Microsoft Security Response Center, which is responsible for investigating vulnerabilities), but a new MSRC. Named the Microsoft-Spurned Researcher Collective, this group is composed of anonymous, rogue researchers who have vowed to publicize any Microsoft vulnerabilities instead of quietly reporting them to Microsoft so that a patch can be worked on. It will be interesting to see where this leads as researchers immediately publish proof-of-concept code, showing malicious hackers how to exploit vulnerabilities.
The end of Windows XP SP2 and Windows 2000
The end of Windows XP SP2 is a big deal because there are still hundreds of millions of users on this OS. When XP users were required to upgrade from SP1 to SP2, many went ahead with the upgrade to enhance their security, since the upgrade offered specific security benefits. The upgrade from SP2 to SP3, however, appears to be merely for maintenance.
Retiring support for XP SP2 exposes its users to significant security threats, since from now on flaws will only be fixed for SP3. If these flaws remain unfixed in SP2, users could become exposed to serious vulnerabilities. It is only a matter of time before a hacker identifies and takes advantage of a relevant vulnerability.
Additionally, Microsoft has completely retired the Windows 2000 OS line. Users still on Windows 2000 are advised to migrate to a new OS, preferably Windows 7.
Although not as record-setting as last month, July’s Patch Tuesday has left many with a call to action beyond just rebooting their machines. If you are still running Windows XP SP2, take the time to upgrade to SP3. Unfortunately, according to Wolfgang Kandek of Qualys (client), upgrading from XP SP2 to Windows 7 is extremely difficult and requires some manual work. And, as is always the case, never open an email attachment when you are unfamiliar with the sender.
Check in with us next month for the Wednesday Wrap-Up of August’s Patch Tuesday.
In the meantime, keep an eye out for our thoughts on Black Hat...leading up to the event and at the event itself. Schwartz clients that will be presenting at Black Hat include: Core Security, Damballa and Qualys.
What session or sessions are you most looking forward to attending at Black Hat this year?
Posted by Kristin Forte Allaben on July 14, 2010 at 9:24 AM