Sandworm versus Poodle

Equal opportunities for sysadmins this week as a round of security advisories see just about everyone doing the manic patching dance (twerking optional).

Tuesday saw Microsoft patch a handful of nasty zero-day vulnerabilities, Wednesday saw another hole in SSLv3 appear, along with yet more patches to stop the beleaguered OpenSSL library from spilling your server’s secrets, and a set of new patches arrived from Adobe and Oracle.

Quite a lot to take in, so where to start? Despite SSL bugs being flavour of the month, in reality POODLE poses less of a risk to most businesses than the vulnerabilities the Microsoft patches address. There are two in particular that are being actively exploited and that you should make a priority for testing and deployment.

MS14-058 concerns the way Windows handles fonts and is particularly nasty in that it allows privilege escalation (i.e. you can get local admin privileges on the box with this one). It’s been used in the wild by the Chinese (so we hear) in targeted attacks but doesn’t seem to be in use by a wider audience just yet. The one for which exploit code is definitely kicking around on a wider scale is MS14-060, aka the ‘Sandworm’ exploit (the Russian choice, so we hear). This one doesn’t have the privilege escalation component and Microsoft only rate it as Critical because it also involves user interaction (i.e. opening a file), but nonetheless the fact it’s more prevalent out in the wild should make it a priority for desktops in particular. More details on these from Microsoft are over at: http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx

So once you’ve done that lot, move on to looking at POODLE. Adam Langley of Google was involved in the discovery and has the authoritative technical-yet-comprehensible write-up over at https://www.imperialviolet.org/2014/10/14/poodle.html. To cut a long story short, this one needs an attacker to be a ‘man in the middle’ and is thus relatively hard to actually pull off outside of the ‘evil-hotspot’ public Wi-Fi type scenarios. Nonetheless, it’s as good a reason as any to finally switch off SSLv3 where you can. Oh, whilst you’re doing that, be sure to check whether your servers are vulnerable to CVE-2014-3513 (this one doesn’t have a catchy name yet). This doesn’t affect anywhere near as many versions of OpenSSL as Heartbleed but is still pretty nasty as an effective denial of service exploit (an attacker can cause memory exhaustion on an affected server). I’ll be honest, I haven’t even looked at those Oracle and Adobe announcements but I’m sure they all warrant immediate patching action too.
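When checking whether a server has actually had SSLv3 switched off, what matters is the version and cipher suite in the ServerHello it sends back to an SSLv3-only probe. The following is an added example, not code from the original post: it parses a captured ServerHello record and flags the SSLv3-plus-CBC combination that POODLE relies on. The cipher suite ids are standard IANA values; the input records are constructed by the helper rather than taken from a real capture.

```python
# Added example: classify the version and cipher suite negotiated in a ServerHello.
# Real input would be the first record a server returns to a probe; here the
# records are constructed locally so the check runs offline.
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Common CBC suites (IANA ids). RC4 suites (0x0004, 0x0005) are stream ciphers
# and so are not affected by POODLE's CBC padding flaw.
CBC_SUITES = {0x000A, 0x002F, 0x0035, 0xC013, 0xC014}

def parse_server_hello(record):
    """Return (version_name, cipher_suite, poodle_exposed) from one handshake record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 22:  # 22 = handshake; an alert (21) here means the version was refused
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < 4 or body[0] != 2:  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)
    if len(hs) < 38:
        raise ValueError("truncated ServerHello")
    version = (hs[0], hs[1])
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    name = VERSIONS.get(version, "unknown %d.%d" % version)
    exposed = version == (3, 0) and suite in CBC_SUITES
    return name, suite, exposed

def build_server_hello(major, minor, suite, session_id=b""):
    """Construct a minimal ServerHello record for testing (not a real capture)."""
    hs = bytes([major, minor]) + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    hs += struct.pack("!H", suite) + b"\x00"  # compression method: null
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BBBH", 22, major, minor, len(body)) + body

if __name__ == "__main__":
    for maj, mn, suite in ((3, 0, 0x002F), (3, 0, 0x0005), (3, 3, 0x002F)):
        print(parse_server_hello(build_server_hello(maj, mn, suite)))
```

A server that has SSLv3 disabled should answer an SSLv3-only ClientHello with an alert record rather than a ServerHello, which the parser reports as "not a handshake record".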

One thing this particularly busy week surely brings into focus is the importance of a developed vulnerability management process.

It’s long been impossible to manually keep track of which versions of which applications have security holes, but the recent surge of activity around open source code in particular has made it more apparent than ever that this isn’t a problem purely confined to the Windows world. There are great tools you can use to get a grip on this stuff quickly. It’s something we at ITC have lots of experience with, so please don’t hesitate to get in touch if you need some help. Call us on 020 7517 3900 or email [email protected] to get in touch.