Microsoft scratches BEAST patch at last minute, but fixes Duqu bug

Admits Duqu-like browser-based attacks possible

Microsoft today issued 13 security updates, one less than expected, that patched 19 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player.

The company punted on one bulletin it had planned to deliver today after SAP told it that the patch broke some of its software.

"The bulletin scheduled to address Security Advisory 2588513 was postponed due to a third-party application compatibility issue that will be addressed by the vendor, with whom we're working directly," Jerry Bryant, group manager in Microsoft's Trustworthy Computing team, said in a statement.

The scrubbed security update was to fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug demonstrated in September 2011 by researchers who crafted a hacking tool dubbed BEAST, for "Browser Exploit Against SSL/TLS."

SAP, the German developer that creates enterprise business operations and management software, was the third-party vendor who reported compatibility problems. Microsoft added that it would rather pull a bulletin than "ship something that might inconvenience customers."

Microsoft did patch the vulnerability exploited by the Duqu intelligence-gathering Trojan, however; that flaw had been the subject of an advisory the company issued in early November after news broke of what some called a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran's nuclear program in 2010.

That update -- Microsoft calls them "bulletins" -- was one of three rated "critical," the company's top threat ranking. The remaining 10 were labeled "important," the next-lowest rating.

Microsoft called out the Duqu update, MS11-087, and another, MS11-092, as the ones customers should apply first. The latter affects Windows Media Player, Microsoft's audio-video-rich content utility.

Several security experts agreed with Microsoft's assessment of MS11-087.

"Duqu had to be at the top of the list, even though it was a very targeted attack," said Andrew Storms, director of security operations at nCircle Security.

"Now that they've patched the vulnerability, we'll have lots of people reverse engineering the patch to weaponize a drive-by exploit," said Wolfgang Kandek, chief technology officer at Qualys.

Duqu attacks uncovered this fall relied on malicious Word documents fed to victims as email attachments. But today Microsoft acknowledged that the underlying vulnerability could also be exploited using browser-based attacks.

In a post to Microsoft's Security & Defense Research blog, Chengyun Chu and Jonathan Ness, engineers at the Microsoft Security Response Center, noted an until-now-undisclosed "browser-based attack vector" via IE.

Jason Miller, of VMware's research and development team, warned that other browsers might be vulnerable to such attacks, too. For that reason and others, Miller expected hackers to eagerly dig into the Duqu fix.

"Microsoft dug deeper into the vulnerability, and discovered more attack vectors [than Word] because they are privy to the source code," Miller said, praising Microsoft's work. "But if I'm an attacker and I know Duqu was effective, I'd look into whether it could affect multiple browsers. That would give me an even bigger attack vector to use."

The other bulletin Microsoft put on its patch-now list was MS11-092, which fixes a single critical bug in Windows Media Player.

Storms and Kandek echoed Microsoft's stance.

"Windows Media Player's [vulnerability] is a drive-by," said Storms, referring to attacks that only require users to steer their browser to a site hosting malicious content to be successful.

But Miller disagreed. "The file extension [that contains the vulnerability] is not a common one," Miller said. "I'd expect it to be blocked at the firewall by most machines."

Instead, Miller championed MS11-099, a three-patch update for IE, as a must-do -- even though Microsoft rated it as important, a departure from the critical ranking browser updates usually receive. "Any IE vulnerability scares me because browsers are the most-used attack vector," said Miller.

But Storms and Kandek both downplayed the need to immediately apply the IE fixes.

"It's probably the only time that an IE update hasn't been rated critical," said Storms. "But there are no memory corruption vulnerabilities that can be exploited by remote code, so we're not looking at a critical release."

Two of the IE bugs were tagged as information disclosure flaws, while the third was yet another in a series of vulnerabilities grouped under the "DLL load hijacking" classification.

DLL load hijacking, sometimes referred to as "binary pre-loading," describes a category of bugs that can be exploited by tricking an application into loading a malicious file with the same name as a required dynamic link library, or DLL. Microsoft patched two DLL load hijacking bugs today -- the other was in PowerPoint 2007 and 2010 on Windows and PowerPoint 2008 on Mac -- making an even 20 load hijacking-related updates it has issued since November 2010.
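As an added example (not from the article, Microsoft, or any of the quoted vendors), the Python below applies the pattern just described from the detection side: it walks module-load records and flags cases where a DLL the application is expected to import was resolved from a user-writable location, such as the directory of the document that was opened, instead of the Windows system directories. The expected-DLL list, trusted directories and sample events are all constructed for illustration.

```python
"""Flag DLL loads matching the search-order hijacking pattern: a module
with the name of an expected system DLL loaded from outside the trusted
system directories (constructed example)."""
from pathlib import PureWindowsPath

# Directories an expected system DLL should come from (constructed allow-list).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names the monitored application is known to import. Constructed here;
# a real baseline would be recorded from a clean install of the application.
EXPECTED_DLLS = {"version.dll", "dwmapi.dll", "ntshrui.dll", "oleacc.dll"}


def _parent_lower(path):
    """Directory part of a Windows path, normalised for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def find_hijack_candidates(module_loads, opened_file=None):
    """module_loads: iterable of (process_name, loaded_dll_path).
    opened_file: path of the document the process opened, if known.
    Returns a list of (process_name, dll_path, reason) findings."""
    findings = []
    doc_dir = _parent_lower(opened_file) if opened_file else None
    for process, dll_path in module_loads:
        name = PureWindowsPath(dll_path).name.lower()
        if name not in EXPECTED_DLLS:
            continue                      # not a DLL we have a baseline for
        load_dir = _parent_lower(dll_path)
        if load_dir in TRUSTED_DIRS:
            continue                      # resolved from the system directory
        if doc_dir is not None and load_dir == doc_dir:
            reason = "expected system DLL loaded from the opened document's directory"
        else:
            reason = "expected system DLL loaded outside trusted directories"
        findings.append((process, dll_path, reason))
    return findings


# Constructed sample of module-load events (not from any real incident).
SAMPLE_LOADS = [
    ("POWERPNT.EXE", r"C:\Windows\System32\version.dll"),
    ("POWERPNT.EXE", r"\\fileserver\share\slides\ntshrui.dll"),
    ("POWERPNT.EXE", r"C:\Windows\System32\oleacc.dll"),
    ("iexplore.exe", r"C:\Users\alice\Downloads\dwmapi.dll"),
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_LOADS, r"\\fileserver\share\slides\deck.pptx"):
        print(*hit, sep=" | ")
```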

Other bulletins caught the eye of some experts, but not all.

Kandek, for example, flagged MS11-089, a one-patch update for Word 2007 and 2010 on Windows, and Word 2011 on Mac.

"Office vulnerabilities are always important to patch, even if an exploit requires that the user open a file to trigger it," said Kandek. "It's very common for users to open Word documents," he said, citing several examples of targeted attacks, including a March hack of RSA Security and the Duqu attacks that began last spring, which succeeded by dangling malicious Word or Excel files in front of users.

The patch in MS11-089 was the first-ever by Microsoft for the .docx file format, an XML-based format that Microsoft debuted in Office 2007 in late 2006.

Microsoft also patched bugs in other software and Windows components, ranging from the Publisher program to Active Directory.

Not surprisingly, all three researchers commented on Microsoft pulling the BEAST-related patch at the last minute. Storms was the most positive about the move.

"If nothing else, this calls out the extensive testing that they do," said Storms. "They've been criticized for slow release cycles in the past, but they'll probably point to this in the future and say, 'Hey, look, this works.'"

It's not a total surprise that Microsoft gives major third-party vendors like SAP an early look at updates for just this reason, said Storms, although Microsoft hasn't actually publicized that practice.

"It's certain that a subset of vendors get the patches early, although they won't say who," noted Storms. "But they're much better off releasing early to vendors that have their own labs to test out."

December's security patches -- with the exception of MS11-088 -- can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

The MS11-088 update, which affects only Chinese users of Word 2010, is currently available only through a manual download from Microsoft's download center. "The update will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels," Microsoft said in the accompanying write-up of the vulnerability.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
