Windows Patching

WannaCry was an eye opener for a lot of companies. For anyone who did not hear about it (and I don’t know how, since it was even on the nightly news), it was ransomware that made use of an NSA tool called Eternal Blue, which was released by Shadow Brokers as part of Vault7. Eternal Blue made use of a flaw in SMB version 1 which allowed the ransomware to spread to other computers without any end-user interaction. Microsoft had released a patch (MS17-010) to close this flaw, but a lot of companies were too relaxed with system patching. Of course, this meant that a lot of computers were still vulnerable to the ransomware. This made a lot of IT people really nervous.

Microsoft releases at least a couple of patches each month, and sometimes releases critical ones outside the normal cycle. Fortunately, they have a free service for patching home computers and offer a solution for enterprises. In addition, there are third-party products that will do the same and more. However, there is a problem with the patching cycle: when Microsoft releases a service pack, their patching solutions will no longer offer any new patches. What I mean is that the only thing offered is the service pack, and only after it is installed will the computer ask for more patches. How is this a problem? Well, companies may not want to push service packs to computers the same way as patches, since a service pack consumes far more bandwidth and ties up computers for longer than normal patching. This could mean that companies think they are compliant with patches like MS17-010 (no computers reporting that the patch is needed) when in reality there are still vulnerable machines.

How can IT determine whether a computer is vulnerable if a patch is not reported as needed? NMAP to the rescue (http://nmap.org). NMAP is a free tool to scan computers for open ports and is part of my own arsenal of security tools – highly recommended. There is even a GUI front end called Zenmap to make it easy for anyone to use. If you go to https://nmap.org/nsedoc/categories/vuln.html you can see a list of scripts that people have written to help NMAP look for specific vulnerabilities. Download smb-vuln-ms17-010 and follow the directions in the script on how to run it – it is really easy and you can point it at any machine. In a very short time you will know whether the machine is vulnerable to the SMB bug.
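As an added example (not from the original post or the nmap project), the following POSIX shell wraps the smb-vuln-ms17-010 check so it can be run across a whole subnet and reduces nmap's normal output to a plain list of hosts the script reports as vulnerable. It assumes nmap with its NSE scripts is installed; the 192.0.2.0/24 range is a documentation placeholder and the sample nmap output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: run nmap's smb-vuln-ms17-010 check
# across a range and reduce its output to a plain list of vulnerable hosts.
# Assumes nmap (with its NSE scripts) is installed; 192.0.2.0/24 is a
# documentation range used as a placeholder.

# Scan only the SMB port and keep nmap's normal output in a file for the record.
scan_ms17_010() {
    target="$1"     # e.g. 192.0.2.0/24
    outfile="$2"
    nmap -p445 --open --script smb-vuln-ms17-010 -oN "$outfile" "$target"
}

# Read nmap normal output on stdin; print one address per host whose
# smb-vuln-ms17-010 result reports "State: VULNERABLE". Output from other
# NSE scripts on the same host is ignored.
vulnerable_hosts() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host); inscript = 0 }
        /^[|][ _][a-z]/         { inscript = ($0 ~ /smb-vuln-ms17-010:/) }
        inscript && /State: VULNERABLE/ { print host; inscript = 0 }
    '
}

# Constructed sample of what nmap prints: .10 and .12 vulnerable, .11 not.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 192.0.2.11
Host is up (0.0012s latency).

Nmap scan report for fileserver.example (192.0.2.12)
Host is up (0.0020s latency).

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|_    State: VULNERABLE
'

# Usage: scan_ms17_010 192.0.2.0/24 scan.txt && vulnerable_hosts < scan.txt
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | vulnerable_hosts
```

Feed the list into your ticketing or patch-compliance tracking rather than trusting the "no patch needed" report alone.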

An alternative is a free (for now) scanner called Eternal Blues. It was written by Elad Erez, Director of Innovation at Imperva. Recently, I had an email conversation with Elad to help with some bugs and I did some testing for him to help the program. Eternal Blues can be found at http://omerez.com/eternalblues/ and it offers a simple GUI. Just enter a range of IP addresses (or just a single one) and the program will scan for SMB vulnerabilities.

In short, ransomware writers are getting trickier and their software is getting more sinister. As an IT Security professional, this is something that worries me, especially after I talk with some of my clients. Fortunately, there are tools out there to help. Just because the patching tool does not report a patch as needed does not always mean there is no problem. Stay vigilant and we can diminish the risk.
