Statistics on Active Directory-related Security Bulletins
It’s not very uncommon for Microsoft to issue a patch for a problem in Active Directory technologies (including Active Directory Domain Services, Lightweight Directory Services, Certificate Services, Rights Management Services, Federation Services and Group Policy).
In this blog post, let’s look at some statistics:
Domain Services & Lightweight Directory Services
Active Directory Domain Services and Active Directory Lightweight Directory Services (on earlier Windows Operating Systems, this technology was called Active Directory Application Mode or ADAM) share a lot of protocols and code. A lot of the vulnerabilities in Active Directory Domain Services, therefore, also apply to ADLDS.
Since 2001, Microsoft has issued 18 Security Bulletins with patches to address issues in Active Directory Directory Services, Active Directory Lightweight Directory Services and ADAM.
Four of these Security Bulletins (MS04-011, MS07-039, MS08-060 and MS09-018) (22%)were classified as Critical, but only for pre-Windows Server 2003 Operating Systems. For Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2 no Security Bulletins for Active Directory Domain Services, ADLDS and ADAM were classified as Critical. (94%) One Security Bulleting (MS05-042) was classified as Moderate. (the remaining 6%)
Microsoft issued 1 Security Bulletin addressing an issue in Active Directory Certificate Services; a cross site scripting flaw in the Web Enrollment pages (MS11-051) This Security Bulleting was classified as Important.
Microsoft issued 1 Important Security Bulletin (MS09-070) for Active Directory Federation Services (ADFS) on Windows Server 2003 and Windows Server 2008. This Security Bulleting was classified as Important.
Microsoft issued 2 updates for issues with Group Policy, which were the only two updates that were classified as Moderate. (MS02-016 and MS02-070). Both these Security Bulletins were classified as Moderate. The last Group Policy-related Security Bulletin is over 9 years old!
Rights Management Services
Microsoft issued an update for Active Directory Rights Management Services (ADRMS), without an accompanying Security Bulletin. (KB979099) This update has no associated Security Bulletin, since only unused functionality from the original product was removed with this update.
Since the launch of Windows 2000 Server a whole list of Active Directory-related Security Bulletins has been released, but still Active Directory is one of the least vulnerable roles in Windows Server today. Luckily so, since Active Directory is the center of Identity & Access in any Microsoft-based networking infrastructure.
MS11-095 Vulnerability in Active Directory Could Allow Remote Code Execution
MS11-086 Vulnerability in Active Directory Could Allow Elevation of Privilege
MS11-051 Vulnerability in Active Directory Certificate Services Web Enrollment Could …
MS11-005 Vulnerability in Active Directory Could Allow Denial of Service
MS10-068 Vulnerability in LSASS Could Allow Elevation of Privilege
MS10-101 Vulnerability in Windows Netlogon Service Could Allow Denial of Service
MS09-070 Vulnerabilities in Active Directory Federation Services Could Allow Remote …
MS09-066 Vulnerability in Active Directory Could Allow Denial of Service
MS09-018 Vulnerabilities in Active Directory Could Allow Remote Code Execution
MS08-060 Vulnerability in Active Directory Could Allow Remote Code Execution
MS08-035 Vulnerability in Active Directory Could Allow Denial of Service
MS08-003 Vulnerability in Active Directory Could Allow Denial of Service
MS07-039 Vulnerability in Windows Active Directory Could Allow Remote Code Execution
MS05-042 Vulnerabilities in Kerberos Could Allow Denial of Service, Information …
MS04-044 Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege
MS04-011 Security Update for Microsoft Windows
MS02-070 Flaw in SMB Signing Could Enable Group Policy to be Modified
MS02-016 Opening Group Policy Files for Exclusive Read Blocks Policy Application
MS02-001 Trusting Domains Do Not Verify Domain Membership of SIDs in …
MS01-024 Malformed Request to Domain Controller can Cause Memory Exhaustion
MS01-011 Malformed Request to Domain Controller can Cause CPU Exhaustion
MS01-008 Malformed NTLMSSP Request Can Enable Code to Run with System Privileges