MS08-001

Am I being Chicken Little in thinking that remote kernel attacks such as one leveraging the MS08-001 vulnerability will be the next chapter in the arms race between hackers and network defenders?

Alex Wheeler, one of the two researchers responsible for discovering and analyzing the vulnerability, said this: “This is a severe vulnerability across the board. I agree with Microsoft that this is critical and wormable.”

Holly Stewart of ISS said the following on the X-Force blog, Frequency X:

These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them. Even if you have IPS in your host product, the standard APIs that protection vendors hook into on XP and Windows 2000 do not provide protection at this low level in TCP/IP.

I usually have a good FUD radar (FUD-ar?) and it isn’t picking up anything on recent chatter on MS08-001. So far I’m hearing specifics on why this is potentially a big deal, not to mention the caliber of analysts chiming in on the subject.

This week I’ve been sending emails to vendors of our various security applications, seeking clarification on what level of protection they provide. One prominent vendor replied with the following:

Based on the information contained in the MS bulletin we are unsure that [our HIPS product] would mitigate against an exploit targeting that vulnerability – that is why it’s not listed in that particular row [of a spreadsheet detailing protection levels].

The disclaimer in the [snip] document is because there has been no exploit testing. Just because there is an MS vulnerability does not mean an exploit will be written against it or available.

This despite the fact that Immunity has already publicly demonstrated a successful attack method.

Now I’d like to revisit what Holly said: “These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them.” (emphasis mine)

To me this indicates a significant threat and quite possibly the beginning of a new trend in remote attacks. If I were a hacker, this one would get a lot of attention from me because 1) both XP and Vista are ripe for the picking and 2) it likely gets my code in a position where most security software can’t see or touch it. I’d worm that sucker and use it to deliver my bot and grow a big, nearly bullet-proof bot net that could be diced up and rented to the highest bidders.

Or maybe I’m wrong and the vendor has it right and this is just another MS vulnerability that will come and go. I’m still digging bomb shelters, just in case.

My Black Tuesday Routine

I’ve spent the last two or three years focusing the lion’s share of my security energy on implementing proactive measures to reduce our dependence on Microsoft patches. To wit, here is what my Black Tuesday routine looks like:

Tuesday – I usually wait for the ISC to publish their overview, which is easily digested. I then check out Microsoft’s bulletins and see how they impact our environment. I also check out information received from our IPS vendor as well as other newsgroups I’m a member of.

Wednesday – I release a bulletin to our security group that summarizes information from all the sources I’ve read. We have a policy that all workstations be patched within one week of that bulletin and all servers be patched within thirty days. Each office is responsible for their networks and I prod them along with random checks for compliance.

I also go through and verify what level of protection our IPS and HIPS provide so that I can inform the team. Usually we get about 70% or better coverage from the IPS units, meaning they can detect and/or protect against 70% of the exploits directly through virtual patching and/or malicious behavior detection. Firewall best practices usually protect against another 10 – 20% of attacks. That includes the firewalls deployed through the HIPS to road warriors as well as the network firewall appliances in all offices.

I also investigate email filters for possible email-borne attacks. We filter email attachments based on MS KB262631, but attackers are increasingly using HTML email to bypass email gateway filters, so it’s getting trickier to protect your email clients.
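As an added illustration (not code from the original post or the author’s environment), here is the kind of attachment check that KB262631-style filtering implies, with the edge cases a gateway has to get right: mixed case, trailing dots and spaces, and double extensions. The blocked extension set is the Outlook “Level 1” list as I recall it from KB262631, and the allowed image types are my assumption; both should be reconciled with your own policy.

```python
from typing import List, Tuple

# ASSUMPTION: the Outlook "Level 1" extension list as I recall it from
# KB262631; check it against the KB article and your own gateway policy.
LEVEL1_BLOCKED = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
    ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js", ".jse", ".lnk",
    ".mdb", ".mde", ".msc", ".msi", ".msp", ".mst", ".pcd", ".pif", ".reg",
    ".scr", ".sct", ".shs", ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf",
    ".wsh",
}

# ASSUMPTION: image types the business cannot afford to strip (the post's
# "images are a big part of our business model"); allowed, but logged.
ALLOWED_IMAGES = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".tif", ".tiff"}


def normalize_name(filename: str) -> str:
    """Defeat naive suffix checks: strip surrounding whitespace, trailing
    dots/spaces ("setup.exe. ") and case ("Report.EXE")."""
    return filename.strip().rstrip(". ").lower()


def extensions(filename: str) -> List[str]:
    """Every dotted suffix, e.g. 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = normalize_name(filename).split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason). 'block' drops the attachment, 'detect'
    lets it through but logs it (the post's fallback when business impact
    forbids blocking), 'allow' passes it silently."""
    exts = extensions(filename)
    if not exts:
        return ("detect", "no extension; cannot judge by name alone")
    if exts[-1] in LEVEL1_BLOCKED:
        return ("block", "Level 1 extension " + exts[-1])
    # An executable extension buried in a double extension ("photo.exe.jpg")
    # is still suspicious even though the final suffix decides how it opens.
    if any(e in LEVEL1_BLOCKED for e in exts[:-1]):
        return ("block", "Level 1 extension hidden inside a double extension")
    if exts[-1] in ALLOWED_IMAGES:
        return ("detect", "image type allowed by business policy; logged")
    return ("allow", "not on the block list")


if __name__ == "__main__":
    # Constructed sample names, not real mail traffic.
    for name in ["Report.EXE.", "invoice.pdf.exe", "photo.exe.jpg", "logo.JPG", "notes.txt"]:
        print(name, "->", classify_attachment(name))
```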

That leaves about 10 – 20% exposure, which is usually in the form of vulnerabilities we have to accept due to business impact. For example, images are a big part of our business model, therefore we can’t filter them from emails proactively and we can’t have over-zealous IPS units sniping them from web pages, web-based email, FTP transfers, etc. So in all cases where we can’t protect, we at least detect. That way, in the event of a compromise, we know what hit us, where it hit us, and what damage it caused. Case in point: we had a laptop pwned while it was on a client’s network. We had the HIPS downgraded to HIDS mode for troubleshooting a problem, so we were able to determine the extent of the compromise easily and quickly.

We also harden hosts directly exposed to the Internet, such as public FTP servers, web servers, DNS servers, etc. This serves several purposes: first, it makes them harder to hack. Second, it serves as damage control to minimize our exposure when one does get hacked. Third, it makes forensics easier due to hyper-logging.

The main point you should take home from this is that defense-in-depth is the best course of action in reducing one’s dependency on Microsoft patches for network security. If your IT department looks like the Keystone Cops every four weeks trying to ensure your hosts are patched then you’re doing something wrong. Black Tuesday should be the start of a relaxed but controlled and methodical monthly routine of assessing your exposure to attack.

I *heart* my IPS

Last year I vowed to do whatever I could to wean myself off as much dependence on Microsoft patches as I could. To wit: I started purchasing IPS and UTM devices for our offices. The main offices got the IPS units behind the beefcake firewalls and the satellite offices got UTM devices in lieu of a firewall. I also aggressively ramped up our HIPS deployment to try to get as close to 100% of our laptops covered as possible.

All that hard work and capital is paying off now. Today I sent an internal advisory about Tuesday’s patch release, and for all the patches that are critical to our environment I was able to say that we already have strong (though not complete) protection against most attacks.

IPS is neither dead nor useless. When leveraged correctly it can help take some of the pressure off of Patch Tuesday and Reboot Wednesday. Granted, nothing replaces patches in your security regimen, but IPS technology can give you more time to test thoroughly before deploying to production.

Microsoft released the out-of-cycle patch: MS06-055

I think this is the last I’ll blog of this nonsense.

Hopefully by now I’ve gotten the point across that if you are depending on vendor patches as your primary means of security, you deserve to be sweating things like this.

I’m cranky.

Microsoft hinting at an out-of-cycle patch

From Microsoft’s Security Response Center blog:

We’ve made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment. So right now we’re looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release.

Could it be they’re feeling the pressure?