Just In Time: Microsoft's Time to Exploit 3

September - December 2005

infectionvectors.com

December 2005

 

Overview

 

This report continues the story of Microsoft-product-based vectors in 2005; the “Time to Exploit” series consists of two previous parts:

 

Time to Exploit 1: January through April 2005

Time to Exploit 2: May through August 2005

 

Part three examines the fallout from the Zotob worm (released right after the notification for a security flaw in August) and the malcode associated with “0-day” flaws in Internet Explorer.

 

Second Half Blues

 

After a relatively quiet first half of the year, Microsoft was hit with two noisy problems in the latter part of 2005. Right after the release of part two of this document, the Zotob worm garnered media attention. This worm, a cousin to the Mytob series of worms distributed throughout 2005, was released four days after Microsoft’s bulletin announcing the flaw in Windows 2000’s Plug and Play service. Although infection numbers have not been proven to be especially large, the high profile infections that were verified (CNN, etc.) made for a lot of press coverage.

 

In November, Internet Explorer found itself in the crosshairs of security analysts yet again: a denial-of-service JavaScript flaw from the summer was reworked to allow remote code execution.

 

The proof-of-concept and malware code associated with each Microsoft vulnerability bulletin of 2005 is listed below:

 

| Vulnerability (Date Released) | Description | Malware (Date Discovered) |
|---|---|---|
| MS05-001 (11 January 2005) | HTML Local Zone Security Bypass | Phel (27 December 2004); Magise (21 March 2005) |
| MS05-002 (11 January 2005) | Malformed Cursor/Icon | Globe (12 January 2005); Hebolani (27 January 2005); Anicmoo (16 February 2005) |
| MS05-003 (11 January 2005) | Indexing Service | N/A |
| MS05-004 (8 February 2005) | ASP.NET Path Validation | N/A |
| MS05-005 (8 February 2005) | Link Processing | PoC (8 February 2005) |
| MS05-006 (8 February 2005) | Sharepoint Services | N/A |
| MS05-007 (8 February 2005) | Windows Info Disclosure | N/A |
| MS05-008 (8 February 2005) | Windows Shell | N/A |
| MS05-009 (8 February 2005) | WMP/Messenger PNG | PoC (10 February 2005) |
| MS05-010 (8 February 2005) | License Logging Overrun | PoC (8 February 2005) |
| MS05-011 (8 February 2005) | SMB Vulnerability | N/A |
| MS05-012 (8 February 2005) | OLE/COM Vulnerability | N/A |
| MS05-013 (8 February 2005) | DHTML Editing/ActiveX | N/A |
| MS05-014 (8 February 2005) | IE Cumulative Update | N/A |
| MS05-015 (8 February 2005) | Hyperlink Object Library | N/A |
| MS05-016 (12 April 2005) | Windows Shell | VBS_RUNEXPLT (22 April 2005) |
| MS05-017 (12 April 2005) | Message Queuing | N/A |
| MS05-018 (12 April 2005) | Windows Kernel | N/A |
| MS05-019 (12 April 2005) | TCP/IP – ICMP Vuln | N/A |
| MS05-020 (12 April 2005) | IE Cumulative Update | PoC (18 April 2005) |
| MS05-021 (12 April 2005) | Exchange | PoC (19 April 2005) |
| MS05-022 (12 April 2005) | MSN Messenger 6.2 | N/A |
| MS05-023 (12 April 2005) | MS Word Vulnerability | N/A |
| MS05-024 (10 May 2005) | Explorer Web View (W2K) | PoC (May 2005) |
| MS05-025 (14 June 2005) | IE Cumulative Update | N/A |
| MS05-026 (14 June 2005) | HTML Help | Phel.Q (3 July 2005) |
| MS05-027 (14 June 2005) | SMB Validation | N/A |
| MS05-028 (14 June 2005) | Web Client Service | N/A |
| MS05-029 (14 June 2005) | OWA Cross Site Scripting | PoC Available (15 June 2005) |
| MS05-030 (14 June 2005) | Outlook Express Update | PoC (21 June 2005) |
| MS05-031 (14 June 2005) | Interactive Training | N/A |
| MS05-032 (14 June 2005) | MS Agent Spoofing | N/A |
| MS05-033 (14 June 2005) | Telnet Information Disclosure | N/A |
| MS05-034 (14 June 2005) | Cumulative Update for ISA Server | PoC Available (10 June 2005) |
| MS05-035 (12 July 2005) | Word Font Parsing | N/A |
| MS05-036 (12 July 2005) | Color Management Module | PoC (21 July 2005) |
| MS05-037 (12 July 2005) | JVIEW Profiler | Jevprox (12 July 2005) |
| MS05-038 (9 Aug 2005) | Cumulative IE Update | PoC Available (Aug 2005) |
| MS05-039 (9 Aug 2005) | Plug and Play Flaw | Zotob/Spybot (13 Aug 2005) |
| MS05-040 (9 Aug 2005) | TAPI Vulnerability | N/A |
| MS05-041 (9 Aug 2005) | RDP Flaw | PoC Available (9 Aug 2005) |
| MS05-042 (9 Aug 2005) | Kerberos Disclosure/Spoof | N/A |
| MS05-043 (9 Aug 2005) | Print Spooler | N/A |
| MS05-044 (11 Oct 2005) | FTP Client | PoC (17 Oct 2005) |
| MS05-045 (11 Oct 2005) | Network Connection Mgr | PoC (17 Oct 2005) |
| MS05-046 (11 Oct 2005) | Services for Netware | N/A |
| MS05-047 (11 Oct 2005) | Plug & Play | PoC (22 Oct 2005) |
| MS05-048 (11 Oct 2005) | CDO Object | PoC (17 Oct 2005) |
| MS05-049 (11 Oct 2005) | Windows Shell | N/A |
| MS05-050 (11 Oct 2005) | Direct Show | N/A |
| MS05-051 (11 Oct 2005) | MSDTC and COM+ Flaw | PoC (27 Nov 2005); Dasher (15 Dec 2005) |
| MS05-052 (11 Oct 2005) | IE Cumulative Update | |
| MS05-053 (2 Nov 2005) | Graphics Rendering Engine | PoC Code (30 Nov 2005) |
| MS05-054 (13 Dec 2005) | IE Cumulative Update | PoC/Trojan Delf (20 November 2005) |
| MS05-055 (13 Dec 2005) | Windows Kernel | N/A |


As with the previous installment, there is always a danger that the worst worm in Internet history will be deployed right after this report is published. Except for the malware associated with the earliest and latest bulletins, 2005 saw relatively few spikes in worms. Even those that did exist were rather localized – Zotob, a worm that only affected Windows 2000 systems (an OS that has now been in production for over 5 years), did the most damage among broad infectors. Email-based attacks such as the very successful Sober.X worm did not take advantage of operating system or application flaws to spread.

 

Please note that this report in no way attempts to correlate the number of bulletins that turn into worms as a measure of an operating system’s security.

 

Over half of the bulletins released had no correlating public proof-of-concept code, and even more had no corresponding malware. Certainly, there is still a need to patch vulnerable systems as fast as prudently possible, because the malware that was released hit the streets very quickly. Of the malware in circulation:

 

| Malware (Common Name/Symantec) | Associated Flaw (MS Bulletin #) | Days Between Malware Release and Bulletin |
|---|---|---|
| Phel | MS05-001 | -15 |
| Globe | MS05-002 | 1 |
| VBS_RUNEXPLT | MS05-016 | 10 |
| Phel.Q | MS05-026 | 19 |
| Jevprox | MS05-037 | 0 |
| Zotob | MS05-039 | 4 |
| Dasher | MS05-051 | 63 |
| Delf | MS05-054 | -23 |

 

Using tables like the above to come to any serious conclusion, however, is ridiculous. To combine all of the malware and average the days to exploit, one would have to start with an assumption that all malware coders began working on exploits as soon as they heard of a flaw and did not stop until something was produced. Furthermore, a late worm like Dasher throws the entire “averaging” system off in favor of Microsoft, while arbitrarily removing certain “inconsequential” or outlying examples skews the table in favor of the anti-Microsoft zealots. There is no sense in trying to make an overarching conclusion about how well Microsoft is doing based on when malcode is released.
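To make the “days to exploit” metric and the averaging problem concrete, the following is an added example (it is not part of the original report and not infectionvectors.com code). It recomputes the gap between bulletin release and malware discovery from the dates transcribed from the bulletin table above, skips entries whose discovery date is month-only (such as the MS05-024 PoC) rather than inventing a day, and then compares the mean and median of the gaps with and without the late Dasher entry. The function names, the row for the MS05-024 PoC and the summary layout are mine; the gap values are derived from the table's dates, so any row that disagrees with the hand-compiled table above indicates that the two tables' dates should be reconciled.

```python
from datetime import date
from statistics import mean, median

# Month lookup keyed by the first three letters, so "January" and "Jan"
# (and the report's "Aug", "Oct", "Dec") all resolve to the same number.
MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def parse_report_date(text):
    """Parse the report's date strings: '11 January 2005', '9 Aug 2005'.

    A month-only string such as 'May 2005' (day unknown) returns None so the
    caller can skip it instead of guessing a day.
    """
    parts = text.strip().split()
    if len(parts) == 2:
        return None
    if len(parts) != 3:
        raise ValueError(f"unrecognised date: {text!r}")
    day, month, year = parts
    return date(int(year), MONTHS[month.lower()[:3]], int(day))


# (malware, bulletin, bulletin release date, malware discovery date),
# transcribed from the report's bulletin table. The last row is a PoC with a
# month-only discovery date, added here to exercise the "day unknown" path.
BULLETIN_MALWARE = [
    ("Phel", "MS05-001", "11 January 2005", "27 December 2004"),
    ("Globe", "MS05-002", "11 January 2005", "12 January 2005"),
    ("VBS_RUNEXPLT", "MS05-016", "12 April 2005", "22 April 2005"),
    ("Phel.Q", "MS05-026", "14 June 2005", "3 July 2005"),
    ("Jevprox", "MS05-037", "12 July 2005", "12 July 2005"),
    ("Zotob", "MS05-039", "9 Aug 2005", "13 Aug 2005"),
    ("Dasher", "MS05-051", "11 Oct 2005", "15 Dec 2005"),
    ("Delf", "MS05-054", "13 Dec 2005", "20 November 2005"),
    ("PoC for MS05-024", "MS05-024", "10 May 2005", "May 2005"),
]


def days_to_exploit(rows):
    """Map malware name -> (discovery date - bulletin date) in days.

    A negative gap means the malware was seen before the bulletin (the
    report's "0-day" case); rows without a full date are left out.
    """
    result = {}
    for name, _bulletin, bulletin_text, malware_text in rows:
        released = parse_report_date(bulletin_text)
        discovered = parse_report_date(malware_text)
        if released is None or discovered is None:
            continue
        result[name] = (discovered - released).days
    return result


def summarise(days, exclude=()):
    """Mean, median and extremes of the gap, optionally dropping named outliers.

    The mean moves a lot when one late entry is dropped; the median barely
    does, which is the point the report makes about averaging.
    """
    kept = {k: v for k, v in days.items() if k not in exclude}
    values = list(kept.values())
    return {
        "n": len(values),
        "mean": mean(values),
        "median": median(values),
        "min": min(values),
        "max": max(values),
        "before_bulletin": sorted(k for k, v in kept.items() if v < 0),
    }


if __name__ == "__main__":
    gaps = days_to_exploit(BULLETIN_MALWARE)
    for name, gap in sorted(gaps.items(), key=lambda kv: kv[1]):
        print(f"{name:14} {gap:+4d} days")
    print("all rows:       ", summarise(gaps))
    print("without Dasher: ", summarise(gaps, exclude=("Dasher",)))
```

Run as a script it prints each gap in ascending order followed by the two summaries; for patch-prioritisation purposes the `before_bulletin` list (entries seen in the wild before a fix existed) is the part worth watching, since no patching cadence closes that window.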

 

With that said, the time to exploit table could be of research value, especially when compared to the release cycle of other operating systems. In addition, it would appear to be a good year for Microsoft operating systems in terms of severe network-based malware outbreaks, which were extremely limited.

 

Based on the popularity of the “time to exploit” research, this report is likely to be a recurring feature in 2006. Please check with infectionvectors.com for updates.

Copyright © 2005 infectionvectors.com. All rights reserved.