Microsoft Updates, December 2009

This is the month that I declare Microsoft is “insane.”
They have released a number of patches that are clearly security patches as “non security patches.” What galls me about this is that many administrators have various group policies or WSUS systems in place to automatically push out critical security patches; patches that are improperly labeled as “non-security” fall through the cracks, leaving systems vulnerable longer than intended.
In addition, it looks like they’ve unofficially declared the fourth Tuesday of each month to be a secondary Patch Tuesday. They are consistently releasing non-security patches and updates then as well. A few months ago, this made sense, because Windows 7 and Windows Server 2008 R2 had just dropped, and a bunch of minor issues were being found and fixed as quickly as possible. But now there is no excuse for it; things like a Daylight Saving Time patch can and should wait until Patch Tuesday. I tend to stick up for Microsoft, but in this case, there is no excuse and this situation needs to be changed immediately.


Security Patches

  • MS09-069/KB974392 - Important (XP, 2000, 2003): This patch resolves a DoS (Denial of Service) vulnerability in Windows’ Local Security Authority Subsystem Service (LSASS). This patch is not super critical but you should definitely install it on your next patch cycle. 600KB - 1.3MB
  • MS09-070/KB971726 - Important (2003, 2008): There is a hole in ADFS (Active Directory Federation Services) which could allow a remote code execution exploit. Luckily, the attacker already needs to be authenticated to trigger the exploit. Microsoft calls this “important” but I call it “critical”. 450KB - 1MB
  • MS09-071/KB974318 - Moderate (XP)/Important (Vista, 2000, 2003)/Critical (2008): Problems with PEAP authentication in Windows can lead to remote code execution vulnerabilities when working with MS-CHAP v2 authentication. You’ll want to get this fixed immediately on your servers. 275KB - 1.2MB
  • MS09-072/KB976325 - Moderate to Critical (IE5, IE6, IE7, IE8): This patch resolves five problems in Internet Explorer which can result in remote code execution exploits, some via “specially crafted Web pages” and some through ActiveX. The criticality matrix on this patch is crazy. Let’s just call it “critical” for all versions of IE and Windows, install it immediately, and move on. 3MB - 48.7MB
  • MS09-073/KB975539 - Important (2000, XP, 2003, Office XP, Office 2003, Works 8.5, Office Converter Pack): Issues in WordPad and some versions of Office allow an attacker to perform remote code execution exploits with a bad Word 97 file. The attacker would get the same privileges as the user. Microsoft doesn’t consider this a top level issue, but given the prevalence of Office files and user behavior around them, I suggest that you install the patch as soon as you can. 855KB - 2.6MB
  • MS09-074/KB967183 - Important (Project 2002, Project 2003)/Critical (Project 2000): This is another “specially crafted files can lead to remote code execution” patch, this time for Microsoft Project. You will want to install this immediately as well.
  • KB954157 and KB976138: A problem in the Indeo codec in 2000, XP, and 2003 can allow an attacker with a specially crafted media file to perform a remote code execution attack. Somehow, Microsoft has not released a security bulletin for this issue and they are not labeling it as a security update in the system! It doesn’t matter what Microsoft chooses to call this, it is a critical security patch. 689KB - 1.6MB

Other Updates

  • KB970430, KB971737, and KB973917: This trio of patches upgrades the security for authentication in HTTP and IIS on XP, Vista, 2003, and 2008. 530KB - 4.0MB
  • “The Usual Suspects”: Updates to the Malicious Software Removal Tool (9.4 - 9.7MB) and Junk Email filters (2.2MB).

Updates since the last Patch Tuesday

We did not have any security patches released out of band since the last Patch Tuesday.
There have been a number of minor items added since the last Patch Tuesday:
Changed, but not significantly:

Are digital ants the answer to malware?

One of my favorite topics is anti-malware technology, especially when it involves “outside-the-box” thinking. Collective Intelligence, as leveraged in Cloud Antivirus, is one such example. Recently, I came across another interesting concept, and it’s definitely unconventional.

PNNL’s research

Research coming out of Pacific Northwest National Laboratory (PNNL) always interests me. First, one of the lab’s missions is to resolve cyber-security issues. Second, their conclusions can be unorthodox. Case in point: Dr. Glenn Fink, Senior Research Scientist at PNNL, believes Nature provides examples of how we can protect computers by using collective intelligence.
To help defend his position, Dr. Fink enlisted Dr. Errin Fulp, Associate Professor of Computer Science at Wake Forest University, specifically because of Dr. Fulp’s ground-breaking work with parallel processing. Together, the two researchers developed software capable of running multiple security scans contiguously, with each scan targeting a different threat. It is a technique that, it seems, Dr. Fink acquired from studying the behavior exhibited by ant colonies.

Why ants?


In the Wake Forest University article, “Ants vs. Worms” by Eric Frazier, Professor Fulp describes why the researchers chose to mimic ants:
“In nature, we know that ants defend against threats very successfully. They can ramp up their defense rapidly, and then resume routine behavior quickly after an intruder has been stopped. We are trying to achieve that same framework in a computer system.”

All one has to do is watch a National Geographic special about ants to appreciate their collective capabilities. So, the doctors’ reasoning does make sense.

Swarm Intelligence

The researchers call their technology Swarm Intelligence and for a good reason. According to Wikipedia, Swarm Intelligence is a system:
“Typically made up of a population of simple agents or boids interacting locally with one another and with their environment. The agents follow very simple rules, and although there is no centralized control structure dictating how individual agents should behave, local, and to a certain degree random interactions between such agents lead to the emergence of “intelligent” global behavior, unknown to the individual agents.”
The digital Swarm Intelligence consists of three components:
  • Digital ant: Software designed to crawl through computer code, looking for evidence of malware. The researchers mentioned that ultimately there will be 3000 different types of Digital Ants employed.
  • Sentinel: The autonomic manager of digital ants congregated on an individual computer. It receives information from the ants, determines the state of the local host, and decides if any further action is required. It also reports to the Sergeant.
  • Sergeant: Also an autonomic manager, albeit of multiple Sentinels. If I understand correctly, the size of the network determines how many Sergeants are used. Also, Sergeants interface with human supervisors.
The following slide, courtesy of the researchers and the IEEE, depicts the collective arrangement:

In my world, Swarm Intelligence is complicated. So I needed to ask some questions:

Question: How do Digital Ants work? Are they similar to local anti-virus scanners?
Dr. Fulp’s answer: Ants migrate about the system checking for evidence. The evidence is typically a simple check (network statistics, process-table info), and different ant populations check for different things. If an ant finds something abnormal, it leaves a pheromone trail which will attract more ants to the same computer. Given more ants (which provide different pieces of information), a clearer understanding of the threat can be obtained. This is different from an AV program, since they have to continuously run all the scans (looking for the different pieces of evidence). Using our approach, the population of ants can change based on the threat level.
Question: On the surface, the Digital Ant, Sentinel, and Sergeant relationship appears sophisticated. Could you please explain how it works?
Dr. Fulp’s answer: Ants are simple agents that check for a piece of evidence (malware) and leave pheromone (so other ants can locate the evidence) if malware is found. Sentinels reside on individual computers and interact with ants to discover any threats based on the ants’ findings. Sergeants interact with Sentinels and can observe changes over multiple computers.
Question: When Digital Ants are checking for evidence, how do they know if a particular parameter is out of spec? Is an initial system footprint taken?
Dr. Fulp’s answer: Yes, the Sentinel has to be initially trained to understand “normal”.
Question: How are more Digital Ants created?
Dr. Fulp’s answer: If an ant is successful (its evidence is helpful in finding a threat) then it is duplicated, if not it dies. Of course a base population of ants is maintained.
Question: You mention the Digital Ant gets rewarded or it dies. In software-speak; does that mean a counter/timer is incorporated in the Digital Ant? With death occurring when the counter/timer is not reset?
Dr. Fulp’s answer: The Digital Ant actually lives as long as it has “energy” which is supplied to it if it is rewarded. If unsuccessful, then the energy will exhaust and the ant terminates.
Question: What is the software equivalent of the term pheromone? Is it a software tag or pointer informing other Digital Ants what to focus on?
Dr. Fulp’s answer: Yes, for the current implementation it is a file provided by the Sentinel; it can be digitally signed to prevent alteration by malware.
Question: Is Digital Ant technology network-based or can it function on an individual computer?
Dr. Fulp’s answer: This technology is intended for use on a network, but could be a set of VMs in a single computer.
Question: An anti-virus developer employs what they call Collective Intelligence; is Swarm Intelligence similar?
Dr. Fulp’s answer: Similar ideas, the difference being a collection of agents provides information that an individual agent cannot.
Question: The Sentinel resides on the local host. What prevents it from being corrupted by malware?
Dr. Fulp’s answer: The Sergeant has to verify if the Sentinel is behaving correctly. The system is not perfect. One approach is to use digital signatures to prove the code has not been corrupted.
Question: TechRepublic members were concerned about Collective Intelligence relying on a single “in-the-cloud” source for management and malware diagnosis. Is Swarm Intelligence a more secure approach?
Dr. Fulp’s answer: I think it is a more scalable and robust design. One drawback is speed, as these systems require some time to ramp-up and down. Still, I think it’s a worthwhile approach for the massively parallel systems we will face in the future.
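To make the ant/Sentinel cycle from the answers above concrete, here is a toy simulation written as an added example; it is not the researchers’ software. Ants each run one cheap check and carry energy, a Sentinel rewards ants whose check finds something abnormal and records pheromone that draws later ants to that host, and the swarm shrinks back to its base population once the host is normal again. The two-times-baseline threshold, the energy and population limits, the pheromone halving, and the constructed host metrics are all assumptions.

```python
import random
from dataclasses import dataclass, field

BASELINE = {"conn_rate": 20, "proc_count": 60}  # constructed "normal" the Sentinel was trained on
START_ENERGY, BASE_POPULATION, MAX_POPULATION = 3, 2, 12

@dataclass
class Ant:
    check: str                  # the one piece of evidence this ant population looks for
    energy: int = START_ENERGY  # drains on each failed visit; the ant terminates at zero

@dataclass
class Sentinel:
    metrics: dict               # current readings for this host (network stats, process table)
    pheromone: int = 0          # marker left by successful ants; evaporates over time
    findings: set = field(default_factory=set)
    def abnormal(self, check):  # assumption: more than twice the baseline counts as evidence
        return self.metrics[check] > 2 * BASELINE[check]
    def threat(self):           # Sentinel escalates only when different checks agree
        return len(self.findings) >= 2

def step(sentinels, ants, rng):
    survivors, count = [], {c: 0 for c in BASELINE}
    for ant in ants:
        # Migration: hosts carrying pheromone are proportionally more likely to be visited.
        host = rng.choices(sentinels, weights=[1 + s.pheromone for s in sentinels])[0]
        found = host.abnormal(ant.check)
        if found:               # reward: energy restored, pheromone laid, ant duplicated below
            host.findings.add(ant.check)
            host.pheromone += 2
            ant.energy = START_ENERGY
        else:
            ant.energy -= 1
        if ant.energy > 0:
            survivors.append(ant); count[ant.check] += 1
        if found and count[ant.check] < MAX_POPULATION:
            survivors.append(Ant(ant.check)); count[ant.check] += 1
    for s in sentinels:
        s.pheromone //= 2       # evaporation lets the swarm ramp down after the threat is gone
        if not any(s.abnormal(c) for c in BASELINE):
            s.findings.clear()
    for check in BASELINE:      # a base population of every ant type is always maintained
        while count[check] < BASE_POPULATION:
            survivors.append(Ant(check)); count[check] += 1
    return survivors

def run(sentinels, steps, ants=None, seed=1):
    rng = random.Random(seed)
    ants = ants if ants is not None else [Ant(c) for c in BASELINE for _ in range(BASE_POPULATION)]
    for _ in range(steps):
        ants = step(sentinels, ants, rng)
    return ants
```

Running `run()` against one clean and one abnormal host grows the swarm and flags the abnormal host; restoring that host’s metrics and running further steps drains the pheromone and returns the population to its base size.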
Final thoughts

This past summer, Dr. Fink invited Dr. Fulp and Wake Forest graduate students Wes Featherstun and Brian Williams to PNNL to test the theory on a live network. The results were encouraging; every time Dr. Fulp introduced a worm into the network, the Digital Ants successfully located it. I find that uniquely telling; technologists are learning from Nature.
I would like to thank Dr. Fink, Dr. Fulp, Mr. Featherstun, and Mr. Williams for their part in Swarm Intelligence. A special thanks to Dr. Fulp for taking the time to answer my numerous questions.


Thanks: TechRepublic