(2011-04-26) How to read a Microsoft security bulletin

If you read security bulletins, you'll probably come across a number of terms that everyone just accepts. But how many of them do you really know? I've compiled the explanations from some of my other texts to give you a brief rundown of what you must understand when you read a Microsoft Security bulletin.
One bulletin may describe a fix for many vulnerabilities.

Maximum Security Impact

This category tells you the worst thing an attacker may be able to do to a vulnerable system.

Denial of service
An attack that causes a system to fail, stop responding or slow down to a crawl is known as a denial of service attack. The most common way to perform this type of attack is to overwhelm the system with a large number of repeated requests. A vulnerability that allows an attacker to take a whole system or service down by sending a few malformed requests is said to have Denial of service as its Maximum Security Impact.

Elevation of privilege
This category contains vulnerabilities which can be used to give an attacker more privileges and permissions on a system. The most common way this happens is when an attacker starts out as anonymous (not authenticated) and then uses an exploit to make himself an administrator. This is sometimes known as rooting a system after the Unix super user known as root. This category of attack can sometimes also be used to impersonate another user.

Remote Code Execution
A vulnerability that allows users to run a program or script on a system when they're not logged in to it on the console is known as a Remote Code Execution vulnerability.

Information Disclosure
Some vulnerabilities allow you to retrieve information that you normally shouldn't be allowed to get. An example could be when you can read the source of an ASP script or read files that require permissions you do not have.

Microsoft Exploitability Index

As all of you know, Microsoft rate their vulnerabilities on a scale ranging from low to critical. They call this the "Maximum Severity Rating". But it's far less common knowledge that they also have an "Exploitability Index" rating on every bulletin.

An example:

"MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
CVE-2009-1536
3 - Functioning exploit code unlikely
A denial-of-service tool is likely. However, functioning exploit code for remote code execution is unlikely."

The Exploitability Index for this vulnerability is 3, which is the lowest rating.

- A rating of 3 means the exploit code is unlikely to work. It may cause an effect, but it will probably not work well enough to allow for something like remote code execution. Example: if the exploit only works 1 time out of 100 when you attack a system, it is not considered a stable exploit.

- A rating of 2 means that the exploit code works but will not be successful often enough to be considered stable.

- A rating of 1 means that the exploit code will work repeatedly.
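To make the layout of such an Exploitability Index entry concrete, here is an added parser (my own example, not part of Microsoft's bulletin tooling) that splits the quoted MS09-036 entry into bulletin ID, title, KB number, CVE, index value and note, and maps the index value to the meanings described above. The "ID / title (KB) / CVE / index - text / note" line order is assumed from the quoted example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the MS09-036 Exploitability Index entry quoted in the post.
SAMPLE_ENTRY = """MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
CVE-2009-1536
3 - Functioning exploit code unlikely
A denial-of-service tool is likely. However, functioning exploit code for remote code execution is unlikely."""

# Ratings as explained in the post (1 = works repeatedly, 3 = unlikely to work).
INDEX_MEANING = {
    1: "exploit code will work repeatedly",
    2: "exploit code works but not reliably enough to be stable",
    3: "functioning exploit code unlikely",
}

@dataclass
class BulletinEntry:
    bulletin_id: str
    title: str
    kb: Optional[str]
    cve: str
    exploitability_index: int
    index_text: str
    note: str

def parse_bulletin_entry(text: str) -> BulletinEntry:
    """Split one quoted Exploitability Index entry into its fields (assumed line order)."""
    lines = [ln.strip().strip('"') for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("entry needs at least ID, title, CVE and index lines")
    bulletin_id = lines[0]
    if not re.fullmatch(r"MS\d{2}-\d{3}", bulletin_id):
        raise ValueError(f"unexpected bulletin id: {bulletin_id}")
    kb_match = re.search(r"\((\d+)\)\s*$", lines[1])       # trailing "(KB number)"
    kb = kb_match.group(1) if kb_match else None
    title = lines[1][:kb_match.start()].strip() if kb_match else lines[1]
    cve = lines[2]
    if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve):
        raise ValueError(f"unexpected CVE id: {cve}")
    idx_match = re.fullmatch(r"([123])\s*-\s*(.+)", lines[3])  # "3 - Functioning ..."
    if not idx_match:
        raise ValueError(f"unexpected exploitability index line: {lines[3]}")
    note = " ".join(lines[4:])
    return BulletinEntry(bulletin_id, title, kb, cve, int(idx_match.group(1)), idx_match.group(2), note)

def describe(entry: BulletinEntry) -> str:
    """One-line summary a reader can use when triaging a bulletin."""
    return f"{entry.bulletin_id} ({entry.cve}): index {entry.exploitability_index}, {INDEX_MEANING[entry.exploitability_index]}"
```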

Here's the official guide to software updates from Microsoft:
http://support.microsoft.com/kb/824684/en-us


Tags: Microsoft Security bulletins, IT-Security
Posted: 2011-04-26 by Erik Zalitis
Changed: 2011-04-26 by Erik Zalitis