Microsoft Patch Tuesday Roundup - February 2011

And the race is on to apply patches to the Microsoft Windows systems in your environment! One of the bulletins this month, MS011-04, fixes remotely exploitable issues in the IIS FTP service. To me, FTP falls in the same category as Telnet, which is "You should be using SSH instead". Despite the lack of security that FTP offers, it still appears to be wildly popular decades later. I performed some searches using "SHODAN", "The Computer Search Engine", which scours the Internet looking for open ports, services and banners. I told it to find systems with port 21 (FTP) open and got the following results:

• United States: 27,355
• China: 15,341
• India: 11,122
• Egypt: 10,476
• Thailand: 10,068

I then told it to find the systems known to be running SSH (port 22):

• United States: 21,484
• Germany: 2,458
• France: 904
• United Kingdom: 893
• Japan: 751

Could it be that FTP is more popular than SSH? Wow, not only do we have patches to apply, but it seems we've got some protocols to replace/update as well. Just in case you were wondering, here are the results for Telnet (port 23):

• United States: 363,931
• Korea, Republic of: 340,240
• China: 225,079
• Brazil: 99,653
• Italy: 58,918

My guess is that SHODAN is doing more intensive scanning for Telnet than SSH or FTP protocols. Even if the above numbers are just samples of even small to medium numbers of systems, we've still got a lot of systems that are using these older protocols. Why does this matter? First, protocols that send credentials and data in clear text have a very limited use, if any, for transmitting information across the network as they do not offer confidentiality or integrity of the data. Second, the fewer services you run and expose to the Internet, the better off you are with respects to patching. You may be reading this and thinking, "Yes, but I'm not running these services". My question to you is, “When was the last time you checked?” There are obviously more than a few systems out there still running FTP and Telnet.

To further aid in your efforts to evaluate the dangers of the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published plugins for each of the security bulletins issued this month:

• MS11-003 - Nessus Plugin ID 51903 (Credentialed Check)
• MS11-004 - Nessus Plugin ID 51904 (Credentialed Check)
• MS11-005 - Nessus Plugin ID 51905 (Credentialed Check)
• MS11-006 - Nessus Plugin ID 51906 (Credentialed Check)
• MS11-007 - Nessus Plugin ID 51907 (Credentialed Check)
• MS11-008 - Nessus Plugin ID51908 (Credentialed Check)
• MS11-009 - Nessus Plugin ID 51909 (Credentialed Check)
• MS11-010 - Nessus Plugin ID 51910 (Credentialed Check)
• MS11-011 - Nessus Plugin ID 51911 (Credentialed Check)
• MS11-012 - Nessus Plugin ID 51912 (Credentialed Check)
• MS11-013 - Nessus Plugin ID 51913 (Credentialed Check)
• MS11-014 - Nessus Plugin ID 51914 (Credentialed Check)

Resources

• Microsoft Security Bulletin Summary for February 2011
• OSVDB Microsoft Bulletins - Complete Reference
• February 2011 Security Bulletin Release (Microsoft Security Response Center Blog)