Zero-days and Patch Tuesdays
Posted on September 27, 2006
Filed Under Internet, Security, Software, Windows
On Tuesday, Microsoft released an “out of band” security patch for Microsoft Internet Explorer. The vulnerability is considered a Zero-day threat (more on that in a minute), and Secunia (http://secunia.com), a prominent computer security corporation, is calling the vulnerability extremely critical.
Zero-day is a term in the IT industry that has a few meanings. In terms of illegal, or pirated, software, Zero-day refers to software being pirated or otherwise illegitimately obtained on the same day as, or even before, the official release date.
In terms of a security vulnerability, a Zero-day exploit refers to an exploit that appears on the same day that a vulnerability becomes known. This can be because an exploit is released that takes advantage of a previously unknown vulnerability, or simply because someone develops an exploit quickly after learning of the vulnerability.
This particular vulnerability involves VML (Vector Markup Language) rendering in Internet Explorer 6. VML is a cool technology that strives to transform how images are generated and displayed on web pages. Sadly, there is already an exploit included in a Russian “toolkit” that makes it easy to create web pages that take advantage of the vulnerability.
At the time of this writing (Wednesday, September 27, 2006) the vulnerability has been known about for 9 days. It was discovered by Sunbelt Software, which became aware of the vulnerability by finding an exploit that takes advantage of it; thus the exploit was 0-day.
Since 2004, Microsoft has tried to limit releases of patches for such vulnerabilities to a single day every month. “Patch Tuesday” is the second Tuesday of the month.
While there are a number of reasons why Microsoft chose this patch deployment method, the reality is that patches sometimes cause problems. Tuesday was selected because it leaves enough time in the week to resolve problems a patch might cause, and monthly scheduled updates were chosen so that administrators can be prepared for any problems that might arise. Patches are occasionally released “out of band,” on other days, but they are the exception and not the rule.
In the case of the newly discovered VML vulnerability, Microsoft at first maintained that it would not release a patch until the next Patch Tuesday, October 10th. Because the threat is considered critical, however, this met with some criticism: three weeks would pass from the discovery of the vulnerability and an exploit for it to the release of a fix for the underlying problem.
On Friday of last week, with no out of band release from Microsoft, the Zeroday Emergency Response Team (ZERT) released one of their own. ZERT also created a tool to test whether a computer is affected by the vulnerability; it can be found at http://www.isotf.org/zert/testvml.htm.
Microsoft advised against installing the ZERT patch and on Tuesday released an out of band patch of its own. ZERT followed by discontinuing its patch and posting a notice on its web site that a Microsoft patch was now available. The Microsoft patch can be found at http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx.
Unlike many vulnerabilities of its kind, there is little one can do other than install the patch to avoid becoming a victim of this exploit. VML rendering is built into Internet Explorer. Firewalls typically allow web browsing, and antivirus software, at least so far, is ineffective. There are a few things that can be done to mitigate the risk, but the patch is the only real answer.