Think you're patched? Think again... MS Security Advisory - 2719662

Billy Austin

The monthly Microsoft Tuesday saga turns mitigating risk against tomorrow's attack into a battle, not to mention maintaining compliance.

Many security admins understand the importance of vulnerability remediation, with vendors providing patch updates. So why do vulnerabilities keep appearing on security reports, time after time, when you think you're patched? Unfortunately, many of us have become too dependent on vendor updates to tell us whether or not we are at risk from software flaws and security deficiencies.

Let’s pick on a vulnerability I see daily that needs attention:
Microsoft Security Advisory 2719662
Vulnerabilities in Gadgets Could Allow Remote Code Execution

Several reasons why most systems are still vulnerable:
1. Neither Microsoft nor Windows Update fixes this threat, and many assume we are secure and up-to-date
2. No CVE number has been assigned since it was disclosed in early July 2012
3. No CVSS score provides a severity level to guide prioritization
4. Employees tend to want Weather, Stocks and Sports scores as a gadget on Windows 7 and Vista systems
5. Employees plan on migrating to Macs next month so ignore the threat (my Texan sarcasm)
6. Due to the above, many similar threats are moved to the "get-to-it-later" folder

How about some more publicity:
Black Hat pre-announced the talk "We have you by the gadgets" on this specific threat
On 2 November 2012 a remote exploit gets published

What's crazier?
- No exploit for this advisory is needed to successfully compromise such a target, as there are many juicy options for the attacker.
- Browser and Java vulnerabilities have been stealing the media thunder as of late, but at least they have configurable controls for mitigating remote code injection, unlike the "Gadget Platform"

Now that Windows 7 has taken market share over XP, one can expect to see successful compromises of those who don't prioritize this under-the-radar, easy-to-attack vulnerability.

How to repair the nasty threat:
- Non-Gadget User (most Vista and 7 users are) - REMOVE the sidebar functionality. Good ole faithful "Mr. Fix It" from Microsoft can do it for you here: http://support.microsoft.com/kb/2719662
- Gadget User - Install only trusted, signed gadgets (keep in mind most gadgets are not signed)

How to identify if you have this vulnerability:
Run a free online scan sponsored by MAX Risk Intelligence.
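
A local, read-only check for the two repair paths above, as an added example that is not part of the original post or any Microsoft tooling. It assumes the Sidebar is controlled through the Windows policy values `TurnOffSidebar` and `TurnOffUnsignedGadgets` (HKLM or HKCU) and that user-installed gadgets live under `%LOCALAPPDATA%`; the function names and verdict strings are hypothetical.

```powershell
# Added example: read-only audit of Sidebar/Gadget exposure (PowerShell 2.0 compatible).
$policyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'

function Get-SidebarPolicy([string]$Hive, [string]$Name) {
    # Returns the policy DWORD, or $null when the value is not configured.
    $item = Get-ItemProperty -Path "${Hive}:\$policyPath" -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Test-PolicyOn([string]$Name) {
    # Enforced if set to 1 machine-wide (HKLM) or for the current user (HKCU).
    return (((Get-SidebarPolicy 'HKLM' $Name) -eq 1) -or ((Get-SidebarPolicy 'HKCU' $Name) -eq 1))
}

function Get-GadgetExposure {
    $binary      = Join-Path $env:ProgramFiles 'Windows Sidebar\sidebar.exe'
    $installed   = Test-Path $binary
    $sidebarOff  = Test-PolicyOn 'TurnOffSidebar'
    $unsignedOff = Test-PolicyOn 'TurnOffUnsignedGadgets'
    $running     = @(Get-Process -Name sidebar -ErrorAction SilentlyContinue).Count -gt 0

    # Gadgets the current user installed, as opposed to the ones shipped with Windows.
    $userDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets'
    $userGadgets = @()
    if (Test-Path $userDir) {
        $userGadgets = @(Get-ChildItem $userDir | Where-Object { $_.PSIsContainer } |
                         ForEach-Object { $_.Name })
    }

    if (-not $installed)  { $verdict = 'Not applicable: Sidebar binary not present' }
    elseif ($sidebarOff -and -not $running) { $verdict = 'Mitigated: Sidebar turned off by policy' }
    elseif ($sidebarOff)  { $verdict = 'Pending: policy set, sidebar.exe still running' }
    elseif ($unsignedOff) { $verdict = 'Partial: only installation of unsigned gadgets is blocked' }
    else                  { $verdict = 'Exposed: Sidebar enabled, unsigned gadgets installable' }

    New-Object PSObject -Property @{
        Verdict = $verdict; SidebarRunning = $running
        TurnOffSidebar = $sidebarOff; TurnOffUnsignedGadgets = $unsignedOff
        UserInstalledGadgets = ($userGadgets -join ', ')
    }
}

Get-GadgetExposure | Format-List
```

The "Partial" verdict covers the Gadget User path: gadgets that were already installed still need to be reviewed by hand.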

Don't bet everything on "vendor updates" protecting you against popular cyber threats – known vulnerabilities.

Another example of compliance not being equal to security, and vice versa.