The Five Essential Security Patches of 2009

Fact: Everyone who patches is safer. Fact: Not everyone patches.

The gap between the two facts is too deep for even security experts to explain, although they try, with theories running from the conspiratorial -- pirates hate to patch, they say, because they're afraid vendors, Microsoft mostly, will spy them out -- to the prosaic ... that people are, by nature, just lazy.

So rather than recite 2009's patch history -- dismal as it was, with Microsoft, for instance, setting a record in October for the most updates and most flaws fixed in a single month -- Computerworld thought it would be more useful to more users to simply spell out the year's five most important patches.

It wasn't our idea, really. We cribbed it from Qualys' chief technology officer, Wolfgang Kandek, who just last month dug into his company's data to come to an amazing conclusion: People running Microsoft Office could protect themselves against 71% of all attacks targeting the suite by applying just one patch, and a three-year-old patch at that.

With that kind of compensation for a single patch, one has to wonder what big-bang-for-the-buck patches were released in 2009. To find out, Computerworld polled a panel of patch and vulnerability experts to find the five security fixes everyone should deploy from the last 12 months.

If you roll out any updates from 2009, these are the ones.

Microsoft's ATL fixes, July and later. Last July, Microsoft rushed out a pair of updates to preempt a presentation at Black Hat that was to reveal a way for attackers to bypass the "kill-bit" defenses that Microsoft frequently deploys as a stop-gap measure for fixing bugs. That same day, Microsoft also admitted that an extraneous "&" character in its Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software, was the root of the bug.

"[ MS09-035 ] was one of a handful released to address a flaw in the Active Template Library used to build ActiveX controls," said HD Moore, the creator of Metasploit and chief security officer for security company Rapid7. "A bug in the private version of this library used by Microsoft resulted in a complete negation of all ActiveX security up to the point it was patched. We are still seeing patches come out, months later, as even more controls are identified as containing the buggy code."

MS09-035 is a developers-only patch, aimed at third-party programmers who use Microsoft's popular Visual Studio to craft their own software. Developers needed to apply this patch to Visual Studio, then recompile their code to produce vulnerability-free programs.

But as Andrew Storms, director of security operations at nCircle Network Security, notes, there were plenty of ATL patches for end users to apply. "The Active Template Library coding flaw was one of the most serious and long-lived bugs this year," said Storms. "This library is used everywhere throughout the Microsoft product line. In 2009 alone, they have had to release patches for their operating systems and popular applications including Office, IE , Visual Studio, Visio and Messenger, because of ATL bugs."

This patch -- or more accurately, patches, as Storms pointed out -- came close to getting a unanimous nod as one of 2009's must-do updates.

Latest Adobe Reader patch, October. Qualys' Kandek nominated the most recent security update for Adobe's popular PDF viewer.

"The PDF format has seen heavy usage by attackers, [and] users consider it a serious and trusted format, unlike other media formats such as MP3 and movies," said Kandek. "Attackers take advantage of the trust and exploit the security holes in the powerful processing capabilities embedded in PDF."

Like security updates for many other programs -- browsers come to mind -- Adobe updates for Reader are cumulative , meaning that all that's necessary to stay as secure as possible is the newest version.

In October, Adobe patched 29 vulnerabilities in Reader, as well as the more expensive, more functional PDF editing application dubbed Acrobat, to bring the Windows, Mac and Linux versions up to 9.2. At least one of the 29 flaws was being exploited by the time Adobe got a patch out to users.

Kandek's certainly right about hackers leveraging PDF vulnerabilities. So far this year, criminals have beaten Adobe to the patch punch five times by launching attacks exploiting PDF bugs before those bugs were quashed.

The fifth "zero-day" vulnerability, in fact, was revealed just last week . According to some security companies, hackers have been using it in their attacks since at least Nov. 20. Adobe, however, has decided to roll the fix for the newest flaw into the security update slated for Jan. 12, rather than issue an emergency patch .

So although the October update is the one to get now, it will be out-of-date in just a few weeks. But then, that's security for you.

Microsoft .Net Framework. October. Both HD Moore of Rapid7 and Jason Miller, data and security team leader at Shavlik Technologies, pegged MS09-061 , a three-patch October update, as one of the most important of the year.

"What makes these vulnerabilities important is how they cut through the sandbox model around .Net applications," observed Moore. "These flaws would allow a malicious .Net application, an ASP .Net Web component or a Silverlight browser component to execute native code. Since a large portion of Microsoft's security strategy relies on the security of managed code, this is a major hit to their platform."

For his part, Miller reminded users that although Microsoft's update patched the vulnerability in Windows and its own Internet Explorer browser, "the vulnerability still existed for other browsers such as Firefox," he said. "Even with a fully-patched Firefox browser, a user could be stricken by a drive-by [attack] from a Web site that exploited the vulnerable Microsoft code."

SMBv2, October Although finally patched with MS09-050 in mid-October, one of the three bugs in this three-patch update came to light the month before to much fanfare.

In early September, researchers announced that exploit code had gone public for a new flaw in Vista and Windows 7. The bug in SMBv2 (Server Message Block version 2), a file- and printer-sharing protocol used by Windows, was first thought to only crash the operating system, bringing up the dreaded "Blue Screen of Death." However, researchers quickly figured out how to create reliable exploits that could hijack a PC.

Until it had a patch ready, Microsoft told users to run one of its "Fix-it" automated tools to disable SMBv2.

During its investigation, Microsoft also confirmed that although Vista and Windows Server 2008 were vulnerable; Windows 7 -- the final bits, anyway -- was not. Windows 7 Release Candidate (RC), the free preview Microsoft handed out to millions starting last May, contained the bug, however.

After it released MS09-050 in October, Microsoft made another mea culpa, and acknowledged that a programming error had been introduced by company engineers. They caught it in the final run-up to Windows 7's release, though ... and patched it for the operating system's so-called RTM, or release-to-manufacturing, build.

Computerworld 's ad hoc panel of researchers took sides on how Microsoft handled the whole deal. Moore, for instance, dinged the company: "This flaw, originally thought to be a denial-of-service by the researcher, turned out to be a great way of remotely running code in the kernel of Microsoft's latest operating systems," he said. "To confuse matters, Microsoft had already fixed the bug in Windows 7 RTM, but didn't backport it to Server 2008 or Windows Vista."

Miller sounded more pro-Microsoft. "They researched and found that only Windows 7 Release Candidate versions were affected by this vulnerability on the Windows 7 side," Miller said. "This vulnerability created a scare which proves that waiting for Microsoft to validate the vulnerability is the best option as they will provide accurate information."

Conficker patch, last year. Although Microsoft shipped the MS08-067 update in late October 2008, several researchers fingered it as one of 2009's musts.

Don't remember MS08-067? You should ... it's the patch that plugged the hole that the notorious Conficker worm later exploited. And Conficker, though it didn't bring down the Internet last April, as some speculated, hasn't exactly gone quietly into the night: Earlier this month, Microsoft's Malicious Software Removal Tool (MSRT) removed Conficker from over 156,000 PCs in a one-week period.

Those 156,000 machines wouldn't have become infected if their owners had applied the MS08-067 update.

"While companies seems to have a good handle on this vulnerability, Conficker numbers are still growing," said Qualys' Kandek while recommending last year's patch for this year's list. "Conficker scanning is one of the most prevalent types on the Internet."

"Yes, this patch was released in October of 2008, but, it is important to note that the first substantiated attack against this vulnerability happened in February of 2009 ... four months after the security bulletin was released," said Miller of Shavlik. "This shows that patch management is still an issue that many companies have not seriously addressed yet."

Subscribe to the Security Watch Newsletter

Comments