|
|
|
Feb09 Security Bulletin SDL Benefit Summary |
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Présentation : Summaries from previous months: * Jan09 Security Bulletin SDL Benefit Summary When I do analysis and reports on Microsoft products, I typically look for where the Security Development Lifecycle (SDL) has helped to provide improvement and provide some stats on that. This year, I decided to try and do this monthly to make it easier for me that when I do it all at once. This report is my attempt to capture and share that information. I hope you find it useful. February Summary ================ First, here is a summary of the 8 vulnerabilities addressed in February, which were addressed in a five updates (MS09-002, MS09-003, MS09-004, and MS09-005). Vulnerability Any Windows SDL Benefit Comment Non-Windows Product CVE-2009-0075 C-NA Reduced severity (IE-ESC), Modularity IE-ESC on Servers, No IE on Core CVE-2009-0076 C-NA Reduced severity (IE-ESC), Modularity IE-ESC on Servers, No IE on Core CVE-2009-0098 none Exchange 2000, 2003, 2007 CVE-2009-0099 Fewer vulns No vuln in ExCh2007 Exchange 2000, 2003 CVE-2008-5416 I none Affects all versions equally - Important SQL, WMSDE, Wyukon CVE-2009-0095 none Affects all versions equally - Important Visio 2000, 2003, 2007 CVE-2009-0096 none Affects all versions equally - Important Visio 2000, 2003, 2007 CVE-2009-0097 Fewer vulns No Vuln in Visio 2007 - Important on others Visio 2000, 2003 Four of the eight vulnerabilities fixed in February had some level of SDL Benefit. Only 3 of the 8 vulnerabilities affected a Windows platform: * MS09-002, the IE update, addressed two vulnerabilities * MS09-004, the SQL update, addressed one vulnerability * Note that WMSDE ships with WS2003 to support UDDI * Note the WYukon ships with WS2008 (and Core) to support various services Though I am primarily focusing on Windows components in this monthly summary, I do note that the 2007 versions of both Exchange and Office had fewer vulnerabilities compared with earlier releases. SDL Vulnerability Benefit This section summarizes the vulnerabilities and any corresponding SDL benefit for Windows and Windows components. Because of interest in browsers, I?ll also break out Internet Explorer separately. Internet Explorer Product Vulnerabilities Not Affected Lesser severity Any IE 2 IE6, all 0 2 0 IE7, XP or Vista 2 0 0 IE7, WS2003 or WS2008 2 0 2 IE7 WS2008 Core 0 2 0 Windows (including IE) Product Vulnerabilities Not Affected Lesser severity Any Windows 3 Windows XP SPx 2 1 0 Windows Vista 2 1 0 Windows Server 2003 3 0 2 Windows Server 2008 3 0 2 WS2008 Core 1 2 0 Here is the key for this table: * The first (non-header) row counts all vulnerabilities that affected any version of Windows ? 3 this month. * For each product row, the second column counts how many affected that product and the third column reflects how many did not affect that version ? column 2 and 3 should always add up to the total from the first row (3 this month). * The last column counts how many vulnerabilities had the severity mitigated to some degree. * The numbers in parentheses are the deltas from last month For products where different versions of built-in applications could be installed (e.g. IE6 or IE7), I am taking the worst cast value and counting when any of the versions are affected. Update Scenarios I also want to take a look at how updating is impacted or not. It is likely that two versions may have the same number of updates, though each mitigates differing numbers of vulnerabilities or different levels of risk. (For example, a single update might address one Moderate issue on WS2008 while the same update addresses two Critical issues on WS2003). Companies have differing patch policies, so for the sake of illustration, I am going to assume a very simple update policy: * Critical or Important ? will be rolled out immediately * Moderate or Low ? will be deferred until a periodic roll-up update (perhaps annual or semi-annual) Internet Explorer Product Updates Deployed Deferred Any IE 1 IE6, all 0 0 0 IE7, XP or Vista 1 1 (2C) 0 IE7, WS2003 or WS2008 1 0 1 (2M) IE7, WS2008 Core 0 0 0 Windows (including IE) Product Updates Deployed Deferred Any Windows 2 Windows XP SPx 1 (2C) Windows Vista 1 (2C) Windows Server 2003 2 (1I) (2M) Windows Server 2008 2 (1I) (2M) WS2008 Core 1 (1I) Using this table, I?ll look at two fictional company scenarios: * Company A: Has a Windows XP and Windows Server 2003 environment * Company B: Has a Windows Vista and Windows Server 2008 environment * Company C: Has a Windows XP, Vista, Server 2003 and Server 2008 environment * Company D: Uses only servers implemented using Windows Server Core. Company A has to (potentially) roll out one update for all client machines in February (if IE7 is deployed) and one update for server machines. Company B has to roll out one update for all client machines in February and one update for server machines. Company C has to roll out one update for all client machines in February and one update for server machines. Company D has to roll out one update for its Windows Server Core machines. 2009 Year-to-Date Summary ========================= In addition the the monthly summary, I am going to try and keep a running count of the year-to-date values as well. I am doing the math in these table by hand and I am trying to be careful, but I apologize in advance for the errors I will likely make before the end of the year. Point them out and I?ll correct them ;-) SDL Vulnerability Benefit (YTD) Looking at the tables below, I find some interesting key points already after February: * Out of 6 possible Windows vulnerabilities, * Windows Vista - two have not affected Windows Vista and one additional one had a reduced severity. * Window Server 2008 ? 1 did not affect Windows Server and 3 additional had a reduced severity. * Windows Server Core (WSC) ? 3 did not affect WSC and one additional had a reduced severity, meaning that 66% of possible Windows vulnerabilities either didn?t affect or had reduced severity on WSC. Internet Explorer Product Vulnerabilities Not Affected Lesser severity Any IE 2 (+2) IE6, all 0 2 (+2) 0 IE7, XP or Vista 2 (+2) 0 0 IE7, WS2003 or WS2008 2 (+2) 0 2 IE7 WS2008 Core 0 2 (+2) 0 Windows (including IE) Product Vulnerabilities Not Affected Lesser severity Any Windows 6 (+3) Windows XP SPx 5 (+2) 1 0 Windows Vista 4 (+2) 2 (+1) 1 Windows Server 2003 6 (+3) 0 2 (+2) Windows Server 2008 5 (+3) 1 3 (+2) WS2008 Core 3 (+1) 3 (+2) 1 Here is the key for this table: * The first (non-header) row counts all vulnerabilities that affected any version of Windows ? 6 this year. * For each product row, the second column counts how many have affected that product and the third column reflects how many have not affected that version ? column 2 and 3 should always add up to the total from the first row (6 this year). * The last column counts how many vulnerabilities had the severity mitigated to some degree. * The numbers in parentheses are the deltas from last month?s cumulative totals. Update Scenarios (YTD) Looking at the Update deployment summary (below) compared to the vulnerability summaries (above), there are some interesting observations: * Windows Vista, Windows Server 2008 and Windows Server Core did not have to immediately roll out 2/3 of the Updates so far this year. This is a solid benefit. * Though the same number of Updates were ?applicable? for some different versions, the severity policies as applied resulted in fewer being deployed immediately in some cases. Windows (including IE) Product Updates Deployed Deferred Any Windows 3 Windows XP SPx 2 (2C1M)(2C) 0 Windows Vista 2 (2C) (2M) Windows Server 2003 3 (2C1M)(1I) (2M) Windows Server 2008 3 (1I) (2M)(2M) WS2008 Core 2 (1I) (2M) Using this table, I?ll look at two fictional company scenarios: * Company A: Has a Windows XP and Windows Server 2003 environment * Company B: Has a Windows Vista and Windows Server 2008 environment * Company C: Has a Windows XP, Vista, Server 2003 and Server 2008 environment * Company D: Uses only servers implemented using Windows Server Core. Company A has rolled out a total of three updates (out of 3 possible) year-to-date ? one on clients, one on servers and one on both. One browser update could be deferred for server machines. Company B has rolled out a total of two updates (out of 3 possible) year-to-date ? one on clients and one on servers. One update could be deferred. Additionally the browser update could be deferred for server machines. Company C has rolled out a total of three updates (out of 3 possible) year-to-date. Company D has rolled out one update (out of 3 possible) year-to-date. One update did not apply to Windows Core and the other could be deferred because of reduced severity. ________________________________ Regards ~ Jeff []
Les mots clés de la revue de presse pour cet article : security
Les videos sur SecuObs pour les mots clés : security
Les mots clés pour les articles publiés sur SecuObs : security
Les éléments de la revue Twitter pour les mots clé : security
Les derniers articles du site "Jeff Jones Security Blog" :
- Scott Charney Deconstructing Cyber Threat
- Nobody Attacks Thinking About The Apache.org Attacks
- sPAM of the Day Auditor Wants to Share 100M of Abandoned MOney
- Miami-dade Inmates Hack the Phone System, Charge Calls to Strangers
- SDL Awareness and Adoption High Among Security Professionals
- Be Safer - Run as Standard User
- Computerworld Apple delivers record monster security update
- Change Your Tweetdeck Account Password
- Profile of A Global Cybercrime Business Innovative Marketing
- Woot New Laptop
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.191.75.173 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.191.75.173 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
