Sponsored by..

Wednesday, 14 January 2009

MS09-001 prognosis. Install it now? Leave it for later?

It's patch Tuesday again, with just a single update from Microsoft: MS09-001.

If you are administering a corporate network, then the question that you probably ask yourself each week is "do I need to patch my servers"?

The prognosis for this one seems to be.. "maybe". Microsoft's own bulletin summary gives MS09-001 an exploitability index of "3 - Functioning exploit code unlikely". But the flaw itself is rated "Critical" and could lead to remote code execution.. so there is a low probability of a very serious exploit.

It turns out that it is much more likely that an attempted attack using MS09-001 would blue screen the target system - and that is more likely to be a worry, especially on delicate servers. The Microsoft Security blog has a good writeup and recommends the following priorities:

In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.

Some further reading gives mixed signals: Sophos labels this as a medium threat, SC Magazine reports differing opinions, ZDnet also mentions the denial of service risk, ISC rates it as "Critical" but not "Patch now".

Given that it doesn't take long for the bad guys to implement an exploit for these flaws, and the recent well-publicised spread of the Downadup / Conficker worm then perhaps Microsoft's advice is very pertinent - start by protecting those systems that would suffer the most if they crashed, but there is perhaps not the urgency of the MS08-067 patch that came late last year.

1 comment:

Hallstein Lohne said...

Thanks for your information here. I appreciate it! Just updated my information on using mbsa for listing servers with this flaw: http://winh4x.blogspot.com/