Amid its patching woes, the demise of Microsoft's security webcasts and deployment priority info hits enterprises hard
With 14 security updates that include fixes for 33 separately identified
security holes, 14 new nonsecurity patches, two changes to the
installers for older security patches, and three changes for older
nonsecurity updates, November's Black Tuesday is going down as one of
the weightiest ever. But the patches themselves are only part of the
story.
This month's Black Tuesday patches started out with an odd -- though
hopeful -- sign. Microsoft voluntarily pulled two Security Bulletins
(with an unknown number of associated patches) before they were
released. Both MS14-068 and MS14-075 are listed in the official Security Bulletin summary
as "Release date to be determined." I've never seen that designation
before. Presumably Microsoft caught bugs in the patches and pulled them
at the last minute. If so, that's a very positive development.
I'm seeing sporadic reports of KB 3003743 -- part of MS14-074 -- breaking concurrent RDP sessions. Poster turducken on the My Digital Life forums pins it down:
Today's updates include KB3003743, and with it comes termsrv.dll version 6.1.7601.18637
Jason Hart has also tweeted that KB 3003743 kills NComputing's virtualization software.
This sounds reminiscent of the problems caused last month by KB 2984972,
which also clobbered concurrent RDP sessions on some machines. The easy
solution last month was to uninstall the patch, and RDP started working
again. Microsoft documents a far more involved manual workaround in the
KB 2984972 article. There's no indication at this point whether that
manual fix also works with KB 3003743. I also haven't heard whether any
App-V packages are affected, another hallmark of last month's bad
KB 2984972 patch.
If you're running IE11 and EMET, it's important to move to the latest
version, EMET 5.1, before installing this month's MS14-065/KB 3003057 patch. The TechNet blog puts it this way:
If you are using Internet Explorer 11, either on Windows 7 or Windows
8.1, and have deployed EMET 5.0, it is particularly important to install
EMET 5.1 as compatibility issues were discovered with the November
Internet Explorer security update and the EAF+ mitigation. Yes, EMET 5.1 was just released on Monday.
There's some concern in the press that the newly fixed "schannel" bug
may be as pervasive and exploitable as the infamous OpenSSL Heartbleed hole discovered earlier this year.
Every supported version of Windows ships Schannel, so every Windows
machine needs MS14-066/KB 2992611 eventually. No doubt you should
install it sooner rather than later on any Windows machine that
terminates SSL/TLS connections from the network, with Web servers, FTP
servers, and email servers at the front of the line. But do you need to
drop everything and patch your servers this instant? Opinions vary.
The SANS Internet Storm Center, which usually takes a very proactive patching stance, is hedging its bets
with this one. SANS has MS14-066 listed as "Critical" instead of the
more-dire "Patch Now." Dr. Johannes Ullrich goes on to say:
The most likely targets are SSL services that are reachable from the outside: Web and Mail Servers would be on the top of my list. But it can't hurt to check the report from your last external scan of your infrastructure to see if you got anything else. Probably a good idea to repeat this scan if you haven't scheduled it regularly.
Next move on to internal servers. They are a bit harder to reach, but remember that you only need one internal infected workstation to expose them.
Third: Traveling laptops and the like that leave your perimeter. They should already be locked down, and are unlikely to listen for inbound SSL connections, but can't hurt to double check. Some odd SSL VPN? Maybe some instant messenger software? A quick port scan should tell you more.
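The triage above starts from a port scan, but a port list alone does not say which listeners actually terminate SSL/TLS and therefore sit on top of Schannel. The script below is an added example written for this page (it is not from the article, SANS, or Microsoft): it sends a hand-built TLS ClientHello to each host:port you name and reports whether the reply is a TLS ServerHello, a TLS alert, or something else entirely. The host names and ports in the usage line are placeholders.

```python
"""Find which open ports actually speak TLS, to prioritise MS14-066 patching.

Added example for this page, not the article's or SANS's code. It speaks just
enough of the TLS handshake (RFC 5246) to tell a TLS endpoint from a plain
HTTP, SSH or other listener turned up by a port scan.
"""
import ipaddress
import socket
import struct
import sys

CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# IANA cipher suite codes; a mix that 2014-era Schannel and current servers accept.
CIPHER_SUITES = bytes.fromhex(
    "c02f"  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "c013"  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    "c014"  # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    "009c"  # TLS_RSA_WITH_AES_128_GCM_SHA256
    "002f"  # TLS_RSA_WITH_AES_128_CBC_SHA
    "0035"  # TLS_RSA_WITH_AES_256_CBC_SHA
    "000a"  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_client_hello(server_name=None):
    """Return one TLS record carrying a ClientHello (client_version TLS 1.2)."""
    client_random = bytes(32)  # constant: this is a probe, not a real session
    body = b"\x03\x03" + client_random
    body += b"\x00"  # empty session_id
    body += struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
    body += b"\x01\x00"  # one compression method: null
    if server_name and not _is_ip_literal(server_name):
        # server_name extension (type 0), RFC 6066: IP literals are not allowed in SNI
        host = server_name.encode("idna")
        name = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record layer: type, legacy record version 3.1, length
    return bytes([CONTENT_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first bytes a listener returned after our ClientHello.

    'tls'       -> a TLS ServerHello: this listener terminates TLS
    'tls-alert' -> a TLS alert: it speaks TLS but rejected our hello
                   (no common suite, SNI required, TLS 1.0/1.1 only, ...)
    'not-tls'   -> anything else (HTTP banner, SSH banner, silence, binary protocol)
    """
    if len(data) < 6:
        return "not-tls"
    content_type, major, minor = data[0], data[1], data[2]
    if major != 3 or minor > 4:  # SSLv3 is 3.0; TLS 1.0-1.3 records carry 3.1-3.3
        return "not-tls"
    if content_type == CONTENT_ALERT:
        return "tls-alert"
    if content_type == CONTENT_HANDSHAKE and data[5] == HS_SERVER_HELLO:
        return "tls"
    return "not-tls"


def probe(host, port, timeout=3.0):
    """Connect, send the ClientHello, return the classification or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(host))
            data = sock.recv(4096)
    except OSError as exc:  # refused, filtered, reset mid-handshake, timeout
        return "error: " + (exc.strerror or type(exc).__name__)
    return classify_response(data)


def triage(targets, timeout=3.0):
    """targets: iterable of (host, port). Returns {(host, port): classification}."""
    return {(h, p): probe(h, p, timeout) for h, p in targets}


if __name__ == "__main__":
    # usage: python tls_probe.py mail.example.test:443 mail.example.test:465 (placeholders)
    targets = [(hp.rsplit(":", 1)[0], int(hp.rsplit(":", 1)[1])) for hp in sys.argv[1:]]
    for (host, port), verdict in sorted(triage(targets).items()):
        print(f"{host}:{port:<5} {verdict}")
```

Two caveats when reading the output. A "tls-alert" still identifies a TLS endpoint and belongs on the patch list. A "not-tls" verdict only rules out implicit TLS on that port: services that start in plaintext and upgrade later, such as SMTP with STARTTLS on 25/587, IMAP on 143, LDAP on 389, and RDP on 3389 (which negotiates TLS only after an X.224 connection request), can still be using Schannel and need to be assessed by hand.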
A smattering of urban mythology is already forming around schannel. You
may read in the press that the schannel security hole has been around
for 19 years. Not true. The schannel bug is identified as
CVE-2014-6321; the bulletin does not name its discoverers (possibly
internal to Microsoft). Schannel is the Windows SSL/TLS library, so the
affected code sits under every service that terminates SSL/TLS with it:
IIS for HTTPS, but also RDP, LDAPS, FTPS, and mail servers.
The 19-year-old vulnerability, which was discovered by the IBM X-Force research team, is CVE-2014-6332. It's a hole in OLE automation array handling (a COM component) that can be reached through VBScript, most readily from a web page in Internet Explorer. That's the bug fixed by MS14-064/KB 3011443. As best I can tell, the two security vulnerabilities have nothing in common beyond being fixed on the same day.
Don't get confused. BBC mixed up the two security holes, and other news outlets are parroting the report.
As for the sudden disappearance of the monthly security webcast --
there's been no official announcement, but Dustin Childs, who used to
run the webcasts, has been re-assigned, and I couldn't find a webcast
for the November security bulletins. Earlier this morning, Childs tweeted:
14 bulletins instead of 16 -- they didn't even renumber. No deployment
priority. No overview video. No webcast. I guess things change.
That's a stunning development, particularly for anyone who has to make
sense of Microsoft's patching proclivities. Failing to renumber
bulletins won't shake anyone's faith in Microsoft's patching regimen -- I
take it as a welcome change. But the lack of a monthly security
bulletin deployment priority list, overview video, or webcast leaves
most Windows security pros in the lurch. Microsoft has been issuing an
overview video for Black Tuesday for years, and the webcast offers a lot
of down-and-dirty advice not available anywhere else.
If the webcasts have been pulled -- there's no official confirmation I
can see -- Microsoft's enterprise customers, in particular, have good
reason to complain.
Source: http://www.infoworld.com