Today we released twelve security bulletins addressing 57 CVE’s. Five of the bulletins have a maximum severity rating of Critical, and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
(Oracle Outside In for Exchange)
(Windows drivers [win32k.sys])
(FAST Search Server for Sharepoint)
(NFS server role)
- Jonathan Ness, MSRC Engineering
MS13-018 addresses a potential denial-of-service condition in the Windows TCP/IP stack. This vulnerability could be leveraged by an attacker in certain circumstances to exhaust a server’s non paged pool, preventing it from making new TCP connections. The vulnerability is as follows:
In this scenario, the Windows machine doesn’t release the non-paged pool data structures associated with this TCP connection. If steps 1 and 2 above occur repeatedly, it could potentially exhaust the Windows machine’s non-paged pool, leading to the inability to open new TCP connections. The below diagram shows the FIN_WAIT_2 state in which this connection gets stuck:
To trigger this resource exhaustion vulnerability, the attacker would need to find a way to repeatedly establish TCP connections with the Windows victim machine and have the victim machine each time initiate the connection teardown sequence by sending a TCP FIN packet to the attacker machine.
An internet-based attacker would, of course, be blocked by any existing firewalls. The internet-based attacker may also have a difficult time finding a way to cause a targeted application on a Windows-based victim machine to initiate the connection teardown sequence (by sending the FIN packet to the attacker machine). Further, we have determined that HTTP.sys, the stack upon which IIS resides, is not vulnerable to this issue. This issue is more likely to be exposed to attackers within the perimeter firewall.
Below is a graph of the kernel’s non-paged pool usage when a custom script that executes the above steps repeatedly is run overnight:
As shown above, the simulated attack consumes the victim’s non-paged pool up until the point that memory management mechanisms limit the usage and memory consumption plateaus. At this point, the resource exhaustion prevents any new TCP connections from being created, disrupting the server’s intended purpose.
Thanks to Swamy Shivaganga Nagaraju for his investigative work on this case.
- Neil Sikka, MSRC Engineering
We are pleased to announce that as of today customers with access to Microsoft Services Premier and Professional Support can receive EMET related technical assistance. This is an important step for us to better support professional and enterprise customers and answer questions related to EMET deployment, configuration, and troubleshooting. The support will be fee based. Also, while there is support for EMET, servicing is done via version releases and there will be no hotfix support.
The EMET 3.0 is currently the only version offered support through Microsoft Services Support channels.
As we have since its inception, we will continue to provide support through Technet forums (http://social.technet.microsoft.com/Forums/en/emet/threads) for version 2.1 of EMET, as well as for consumers and all those who do not have a Premier or Professional contracts.
Remember to also visit our TechNet page where you can find the latest articles, downloads and news related to EMET at the page www.microsoft.com/emet.
- Gerardo Di Giacomo, MSRC
We are pleased to announce the release of a stable version of the open source web application firewall module ModSecurity IIS 2.7.2. Since the announcement of availability of the beta version in July 2012, we have been working very hard to bring the quality of the module to meet the enterprise class product requirements. In addition to numerous reliability improvements, we have introduced following changes since the first beta version was released:
Microsoft also released recently a TechNet article entitled "Security Best Practices to Protect Internet Facing Web Servers", which explains in details benefits of deploying a WAF module on a web server.
In version 2.7.2 of ModSecurity IIS we have included OWASP Core Rules Set pre-configured to serve most common scenarios encountered on IIS server. The rule set gets installed into c:\inetpub\wwwroot\owasp_crs directory, from which it can be included in any web.config file by adding:
<ModSecurity enabled="true" configFile="owasp_crs\modsecurity_iis.conf" />
The default setting enables request body access, disables response body access, does not use audit log, and sets temporary files and data folder to c:\inetpub\temp. User canenable or modify these and other features by uncommenting appropriate ModSecurity directives in modsecurity.conf or modsecurity_crs_10_setup.conf files.
Russ McRee over at HolisticInfosec held open voting in January for the 2012 Toolsmith Tool of the Year Award and ModSecurity for IIS won!
We are glad that the Toolsmith readers found value in the IIS version of ModSecurity and we hope that it will help them to quickly mitigate emerging threats to their Microsoft IIS/ASP/.Net environments.
I would like to thank Nazim Lala and Ashish Kurmi from Microsoft for their help in module testing, Breno Silva and Ryan Barnett from Trustwave for continuous support of the IIS version, and Simon Kosinski for his valuable insights and suggestions.
Greg Wroblewski, MSRC