This is a copy of an email that I sent to Russ Cooper of NTbugtraq disagreeing with his recent analysis of 60 IIS 6 vulnerabilities. Even when counting “vulnerabilities” with the server role as a web server, Russ’ counts are a bit off. I’ll let you guys do the math…
I have to respectfully disagree with Russ that he made his analysis of “60 IIS 6 vulnerabilities”, and the basis upon which he made it, clear cut in his first email to the NTbugtraq listserv on June 2nd. In his June 4th email he makes the methodology of his “counting” clearer. He stated in that second email: “When I did this, I included all of the products that are installed by default on such a system (although I did create a category for W2K server which did not include IIS, something you can't get by default.) OE, IE, Media Player, VM, MDAC, (not MSDE), were all included, even on W2K3.”
http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0063.html
http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0080.html
This gets back to the long, age-old argument of “them” versus “us” and how you compare two different systems and platforms. Russ said “we helped our customers stay secure despite only recommending 3 Microsoft patches be applied urgently last year”. That statement, to me, indicates that not all of the 60 “IIS 6.0” vulnerabilities are created equal.
So I [just for grins] took a look at each of these 60 vulnerabilities. No matter how you count the vulnerabilities, I’ve got some issues with Russ’s count of the IIS 6 vulnerabilities.
In the listing below I list the security bulletins and my comments as an administrator who patches for this stuff. My comments are basically my “threat analysis”. All this discussion indicates is the timing of my patching, not the application or non-application of the patch. My “methodology” is that if Shavlik’s HFNetChkPro says I need it, it gets applied no matter what. It’s just a question of timing, not a question of whether it does or does not get applied.
This discussion also points out the interesting use of a tool as verified by knowledge. When the bulletins come out and I read them for what they apply to, I will therefore be expecting them to “show up” as patches to be applied by my patch tool of choice, Shavlik’s HFNetChkPro. Therefore, I am confirming what my tool is telling me that I need to patch. I selected this patch tool because I need to patch right “now”, this moment. Scan, push, patch, reboot, rescan to confirm, done. This technique works for me and is just one of many techniques you can do with Shavlik’s patch tool. If there is a critical issue and the folks in big server land are “patching their perimeter servers”, that means I’m patching that Tuesday night.
Currently I feel that my workstations are my biggest threat vectors, so while in the analysis I’ve made below I don’t consider Internet Explorer patches on my server to be a significant issue, on my desktops the exact opposite is true. Russ indicates that IE patches may be more of a “home” issue, whereas in my environment I feel it is a desktop issue as well.
I was chatting with Brian Desmond, who patches a lot more systems than I do and uses SUS [he’s in an educational environment], and he said about 75% of his network is turned off at any point in time. Thus he uses a different patch management technique to manage his network and has the workstations grab the patches as they come online. I think it’s wise to have a process in place, no matter what size you are, but that’s just my opinion.
Here’s my analysis. As always, your mileage may vary; this is just my two cents. I think I'll leave it to the admins and researchers out here to do their own final count.
MS03-004 (2 vulnerabilities)
Microsoft Security Bulletin MS03-004:
http://www.microsoft.com/technet/security/Bulletin/MS03-004.mspx
KB 810847. This is an IE patch prior to the date of shipment for Windows 2003 and not on my SBS2k3 per scan by Shavlik HFNetChkPro. I’m not certain this is a vulnerability for Windows 2003/IIS 6.0?
Improper Cross Domain Security Validation with dialog box: CAN-2003-1326
Improper Cross Domain Security Validation with ShowHelp functionality: CAN-2003-1328
MS03-014 (1 vulnerability)
Microsoft Security Bulletin MS03-014:
http://www.microsoft.com/technet/security/Bulletin/MS03-014.mspx
Outlook Express patch, KB 330994. Not sure about this one? Again, this is not on my box and it was right around the time that Windows 2003 shipped. But assuming it is a Win2k3/IIS 6.0 issue… I don’t use my server for email, thus it would not be a “put down my Mountain Dew and run screaming to the server to patch” bulletin.
Vulnerability identifier: CAN-2002-0980
MS03-015 (7 vulnerabilities)
Microsoft Security Bulletin MS03-015:
http://www.microsoft.com/technet/security/Bulletin/MS03-015.mspx
CU IE, KB 813489. Is this for a Win2k3 system? It is not on my system and it was right around the shipment of Windows 2003.
URLMON.DLL Buffer Overrun: CAN-2003-0113
File Upload Control vulnerability: CAN-2003-0114
Third Party plug-in rendering: CAN-2003-0115
Modal Dialog script execution: CAN-2003-0116
In the spirit of full disclosure, I’m not a security researcher; I’m an administrator, so I’m not sure why there are 7 vulnerabilities counted by Russ and 4 CAN vulnerability tracking numbers listed. I can’t tell the methodology that Russ is using for that count, so I won't comment either way.
MS03-017 (1 vulnerability)
Microsoft Security Bulletin MS03-017:
http://www.microsoft.com/technet/security/Bulletin/MS03-017.mspx
Media Player skins. I couldn't care less about downloading skins on any media player on my server.
“Customers running Windows Media Player 7.1 and Windows Media Player for Windows XP (Version 8) should apply the patch.”
I have Media Player 9 on my server anyway, and I don’t have this bulletin on my SBS 2k3/Win2k3 server; it is not on my SBS2k3 per scan by Shavlik HFNetChkPro. Thus, I confirmed that I have Windows Media Player 9 on my SBS 2k3 [Windows 2003] and this does not apply. For the record, the only time I opened up the media player on my server was to check what version I had for this exercise.
MS03-020 (2 vulnerabilities)
Microsoft Security Bulletin MS03-020:
http://www.microsoft.com/technet/security/Bulletin/MS03-020.mspx
CU IE. “By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks these attacks. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent these vulnerabilities from being exploited would be removed.”
Object Tag Vulnerability: CAN-2003-0344
File Download Dialog Vulnerability: CAN-2003-0309
My server lists that I have MS03-023, which Russ does not, and which according to his methodology of “what should be on an IIS 6.0 box” should be included, by my read. By default SBS 2003 is running IIS 6.0.
Microsoft Security Bulletin MS03-023:
http://www.microsoft.com/technet/security/Bulletin/MS03-023.mspx
Affected software: Windows 2003
Vulnerability identifier: CAN-2003-0469
MS03-026 (1 vulnerability)
Microsoft Security Bulletin MS03-026:
http://www.microsoft.com/technet/security/Bulletin/MS03-026.mspx
Our first RPC vuln. Yup, I was patching that night. That said, the ports in question should be blocked: ports 135, 139, 445 and 593.
Vulnerability identifier: CAN-2003-0352
My server lists that I have MS03-030, which you don’t list, and which according to your methodology should be included.
Microsoft Security Bulletin MS03-030:
http://www.microsoft.com/technet/security/Bulletin/MS03-030.mspx
Microsoft DirectX 8.1 on Windows XP or Windows Server 2003
Vulnerability identifier: CAN-2003-0346
MS03-032 (5 vulnerabilities)
Microsoft Security Bulletin MS03-032:
http://www.microsoft.com/technet/security/Bulletin/MS03-032.mspx
CU IE. “By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks these attacks. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent these vulnerabilities from being exploited would be removed.” Again, have that in place and don’t surf at the server. I only see three CAN vulns?
BR549.DLL Buffer Overrun: CAN-2003-0530
Browser Cache Script Execution in My Computer Zone: CAN-2003-0531
Object Type Vulnerability: CAN-2003-0532
MS03-033 (1 vulnerability)
Microsoft Security Bulletin MS03-033:
http://www.microsoft.com/technet/security/Bulletin/MS03-033.mspx
MDAC vuln. Depends on whether that server is listening on the SQL ports.
Vulnerability identifier: CAN-2003-0353
[UPDATE Bernard Cheah IIS MVP points out that this does not affect MDAC 2.8, thus this is not a needed patch]
MS03-034 (1 vulnerability)
Microsoft Security Bulletin MS03-034:
http://www.microsoft.com/technet/security/Bulletin/MS03-034.mspx
NetBIOS flaw. I hope you don’t have port 137 open on an IIS web server. If you do, you deserve to be hacked. Low vulnerability; this one didn’t faze me in the least.
Vulnerability identifier: CAN-2003-0661
MS03-039 (2 vulnerabilities)
Microsoft Security Bulletin MS03-039:
http://www.microsoft.com/technet/security/Bulletin/MS03-039.mspx
RPC vuln. I can tell you exactly where I was when this one came out. I was patching pretty quickly on this one. And this lists three CAN identifiers, not two? But again, I’m not sure of Russ’ methodology on counting “raw” vulnerabilities.
Buffer Overrun: CAN-2003-0715
Buffer Overrun: CAN-2003-0528
Denial of Service: CAN-2003-0605
MS03-040 (3 vulnerabilities)
Microsoft Security Bulletin MS03-040:
http://www.microsoft.com/technet/security/Bulletin/MS03-040.mspx
CU IE. “By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed.” This one's moderate; not breaking a sweat. I only see two CAN identifiers in this bulletin?
• Object Tag vulnerability in Popup Window: CAN-2003-0838
• Object Tag vulnerability with XML data binding: CAN-2003-0809
MS03-041 (1 vulnerability)
Microsoft Security Bulletin MS03-041:
http://www.microsoft.com/technet/security/Bulletin/MS03-041.mspx
Authenticode vuln.
“By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed.” I don’t surf and don’t take off the IE locking. Not breaking a sweat.
Vulnerability identifier: CAN-2003-0660
MS03-043 (1 vulnerability)
Microsoft Security Bulletin MS03-043:
http://www.microsoft.com/technet/security/Bulletin/MS03-043.mspx
Messenger service overrun
“On Windows Server 2003 systems, the Messenger Service is disabled by
default.” Not breaking a sweat on this one… I’ll patch when I get
around to it.
Vulnerability identifier: CAN-2003-0717
MS03-044 (2 vulnerabilities)
Microsoft Security Bulletin MS03-044:
http://www.microsoft.com/technet/security/Bulletin/MS03-044.mspx
Help and Support Center. This one was interesting to me at the time since it was rated critical, but I’m not surfing or emailing at the server, so I would not have rated it quite so critical.
Vulnerability identifier: CAN-2003-0711
MS03-045 (1 vulnerability)
Microsoft Security Bulletin MS03-045: List box/combo box vuln
http://www.microsoft.com/technet/security/Bulletin/MS03-045.mspx
“An attacker must have valid logon credentials to exploit the vulnerability. The vulnerability could not be exploited remotely. Properly-secured systems are at little risk from this vulnerability. Standard best practices recommend only allowing trusted users to log on to systems interactively.”
This one is a low threat vector and someone has to log on; not even breaking a sweat on this one. This one I noticed has only one CAN identifier but Russ says 2? Not sure on that one.
Vulnerability identifier: CAN-2003-0659
[actually it's the 03-044 that he says 2 and the CAN lists one, not this one... so we all make mistakes]
MS03-048 (5 vulnerabilities)
Microsoft Security Bulletin MS03-048: IE cumulative
http://www.microsoft.com/technet/security/Bulletin/MS03-048.mspx
“By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections that are put in place that prevent these vulnerabilities from being automatically exploited would be removed.” Repeat after me: “we don’t surf on servers”. I’ll patch but I’m not breaking a sweat.
• ExecCommand Cross Domain Vulnerability: CAN-2003-0814
• Function Pointer Override Cross Domain Vulnerability: CAN-2003-0815
• Script URLs Cross Domain Vulnerability: CAN-2003-0816
• XML Object Vulnerability: CAN-2003-0817
• Drag-and-Drop Operation Vulnerability: CAN-2003-0823
MS04-001 (1 vulnerability)
Microsoft Security Bulletin MS04-001: ISA server patch
http://www.microsoft.com/technet/security/Bulletin/MS04-001.mspx
Hmmm… this one is interesting. Why this one is in here I’m not sure. For one, it’s an ISA Server patch, and if Russ is including it because it mentions Small Business Server 2003 because we have IIS 6.0, the vulnerability is only in the Premium version, and the H.323 attack vector isn’t even a threat to us since it’s not enabled by default anyway [we never used it on SBS 2000; they shut it off on SBS 2003]. This is not an IIS 6.0 vulnerability in my book. I patched this in my network, but unless you have ISA Server [and you might even just be running with IPsec filters on that web server anyway], this one is an ISA Server vulnerability, not on a default installed IIS 6.0 and not necessarily on a default installed SBS 2003.
Vulnerability identifier: CAN-2003-0819
MS04-003 (1 vulnerability)
Microsoft Security Bulletin MS04-003: MDAC vulns
http://www.microsoft.com/technet/security/Bulletin/MS04-003.mspx
This one may or may not be of interest to folks, depending on whether a database resides on that IIS box and you have the SQL Server ports open.
Vulnerability identifier: CAN-2003-0903
MS04-004 (5 vulnerabilities)
Microsoft Security Bulletin MS04-004: The IE Phishing one
http://www.microsoft.com/technet/security/Bulletin/MS04-004.mspx
Repeat after me: we don’t surf on our servers. This one didn’t faze me one bit; IE is in enhanced lockdown and again, I’m not surfing from that box at all, so there is nothing to worry about with phishing and spoofing. Patched but did not break a sweat on this one.
• Travel Log Cross Domain Vulnerability CAN-2003-1026
• Function Pointer Drag and Drop Vulnerability CAN-2003-1027
• Improper URL Canonicalization Vulnerability CAN-2003-1025
MS04-006 (1 vulnerability)
Microsoft Security Bulletin MS04-006: WINS vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS04-006.mspx
This one is an interesting one. I would hope that you would not have WINS running on a web server, but who am I to say, and who knows what applications running on that server may need it. Furthermore, and more importantly, I hope that you would not have those ports open. In SBSland, because of Exchange, we are still running with WINS, but given that I don’t open these ports from the outside, I'm not breaking a sweat over this one.
Vulnerability identifier: CAN-2003-0825
MS04-007 (1 vulnerability)
Microsoft Security Bulletin MS04-007: This is that ASN.1 patch
http://www.microsoft.com/technet/security/Bulletin/MS04-007.mspx
This one I patched on that night. I read the eEye bulletins on this, saw the "chatter" on the listservs, and put down the Mountain Dew and patched the fleet that night. Yes, that night. "Chatter" on the listservs had others patching their perimeter machines without any testing whatsoever. When I hear that, I'll risk it, knowing I've got backups in place. Interestingly enough, this wasn't the "nasty" that the "chatter" thought it would be. But I was ready for it anyway.
Vulnerability identifier: CAN-2003-0818
MS04-011 (8 vulnerabilities)
Microsoft Security Bulletin MS04-011: Security Update for Microsoft
Windows (835732):
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
eEye is listed in here along with the buzzwords ASN.1 and SSL. There’s also enough of a who’s who of security researchers listed in this one to make me put it on the fast track. I thought this had 14 vulnerabilities as well? But again, I’m not a security researcher. For me it’s just one bulletin.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0663
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0806
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0906
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0907
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0909
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0910
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0117
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0118
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0119
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0120
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0123
MS04-012 (3 vulnerabilities)
Microsoft Security Bulletin MS04-012: Cumulative Update for Microsoft
RPC/DCOM (828741):
http://www.microsoft.com/technet/security/Bulletin/MS04-012.mspx
Anything with DCOM, BindView and eEye in the description, I’m patching. I don’t care what it is. That said, most of these are going to be banging on ports that I have shut tight from the outside anyway. The one specific item about IIS 6.0, “IIS 6.0 mode uses RPC over HTTP v2. IIS 6.0 mode does not contain the vulnerability”, indicates a mitigating factor.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0813
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0116
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0807
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0124
MS04-013 (1 vulnerability)
Microsoft Security Bulletin MS04-013: Cumulative Security Update for
Outlook Express (837009):
http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx
I don’t know about you but no one reads emails from my servers and IE
is still in that annoying lockdown mode. I’ll patch during the normal
cycle but I’m not breaking a sweat over this one.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380
MS04-014 (1 vulnerability)
Microsoft Security Bulletin MS04-014: Vulnerability in the Microsoft
Jet Database Engine Could Allow Code Execution (837001):
http://www.microsoft.com/technet/security/Bulletin/MS04-014.mspx
“A vulnerability exists in the Microsoft Jet Database Engine (Jet) that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system.” Affects a Windows 2003 server running IIS? Yes. Enough to make me run to the server screaming? No. But I patched during my normal cycle anyway.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0197
MS04-015 (1 vulnerability)
Microsoft Security Bulletin MS04-015: Vulnerability in Help and
Support Center Could Allow Remote Code Execution (840374):
http://www.microsoft.com/technet/security/Bulletin/MS04-015.mspx
“A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. An attacker could exploit the vulnerability by constructing a malicious HCP URL that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.” Affects a Windows 2003 server running IIS? Yes. Enough to make me run to the server screaming? No. But I patched during my normal cycle anyway.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0199
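The recurring question in the listing above is whether Russ's per-bulletin count matches the number of CAN identifiers the bulletin actually carries (MS03-015 says 7 but lists 4, MS03-039 says 2 but lists 3, MS04-011 says 8 but lists 14). The script below is an added example, not part of Susan's email, that does that math over text in the same plain-text shape as the listing: a heading line with the bulletin id and count, then the CAN identifiers wherever they appear (after a name, in a "Vulnerability identifier:" line, or inside a cve.mitre.org URL, stray "%20" included). The sample input is a constructed excerpt of five entries from the listing.

```python
import re
from collections import OrderedDict

# Heading line as it appears in the listing: bulletin id plus the claimed count.
HEADING = re.compile(r"^(MS\d{2}-\d{3})\s+\((\d+)\s+vulnerabilit(?:y|ies)\)")
# CAN identifiers (the 2003/2004 CVE candidate form), found anywhere on a line,
# so a cve.mitre.org URL with a leading "%20" still yields its identifier.
CAN_ID = re.compile(r"CAN-\d{4}-\d{4}")

# Constructed sample: five entries copied in the shape of the listing above.
SAMPLE_LISTING = """\
MS03-015 (7 vulnerabilities)
Microsoft Security Bulletin MS03-015:
http://www.microsoft.com/technet/security/Bulletin/MS03-015.mspx
URLMON.DLL Buffer Overrun: CAN-2003-0113
File Upload Control vulnerability: CAN-2003-0114
Third Party plug-in rendering: CAN-2003-0115
Modal Dialog script execution: CAN-2003-0116
MS03-026 (1 vulnerability)
Vulnerability identifier: CAN-2003-0352
MS03-039 (2 vulnerabilities)
Buffer Overrun: CAN-2003-0715
Buffer Overrun: CAN-2003-0528
Denial of Service: CAN-2003-0605
MS03-044 (2 vulnerabilities)
Vulnerability identifier: CAN-2003-0711
MS04-011 (8 vulnerabilities)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0663
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0806
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0906
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0907
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0909
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0910
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0117
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0118
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=%20CAN-2004-0119
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=%20CAN-2004-0120
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=%20CAN-2004-0123
"""


def parse_listing(text):
    """Map each bulletin id to its claimed count and the distinct CAN ids under it."""
    entries = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HEADING.match(line.strip())
        if m:
            current = m.group(1)
            entries[current] = {"claimed": int(m.group(2)), "cans": []}
            continue
        if current is None:
            continue  # text before the first heading carries no identifiers
        for can in CAN_ID.findall(line):
            if can not in entries[current]["cans"]:  # dedupe repeats
                entries[current]["cans"].append(can)
    return entries


def reconcile(entries):
    """(bulletin, claimed count, number of CAN ids listed) for every entry."""
    return [(b, info["claimed"], len(info["cans"])) for b, info in entries.items()]


def disagreements(entries):
    """Only the entries whose claimed count differs from the identifiers listed."""
    return [row for row in reconcile(entries) if row[1] != row[2]]


def totals(entries):
    """(sum of claimed counts, sum of distinct CAN ids) across all entries."""
    claimed = sum(info["claimed"] for info in entries.values())
    listed = sum(len(info["cans"]) for info in entries.values())
    return claimed, listed


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for bulletin, claimed, listed in reconcile(parsed):
        flag = "" if claimed == listed else "  <-- mismatch"
        print("%s claimed %2d, CAN ids listed %2d%s" % (bulletin, claimed, listed, flag))
    print("totals: claimed %d, listed %d" % totals(parsed))
```

Feed it the whole listing instead of the sample and the totals line gives the "do the math" figure directly; the mismatch rows are the entries worth asking about, since neither a larger nor a smaller CAN count by itself says whose number is right.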
Bottom line: I think this exercise proves that you need a patch scanning/patch management tool, but that's just my opinion. Just a reminder: next Tuesday is patch day. And Microsoft now has security bulletins via RSS feeds: http://www.microsoft.com/technet/security/bulletin/secrss.aspx I now have this feed in NewsGator to "push" me the bulletin info.
Susan
the wacko SBSer