Monthly Archives: April 2008

Microsoft Security Bulletin Summary for April 2008

Posted on by
Reply

Microsoft released a total of 5 Critical and 3 Important security bulletins for the month of April. The breakdown is as follows:

MS08-018 – Critical – Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)

Undisclosed vulnerabilities in Microsoft Office Project. These could allow an attacker to use a specially crafted Project file to take complete control of the affected system.

Affected software:
Microsoft Project 2000 Service Release 1 (KB949043)
Microsoft Project 2002 Service Pack 1 (KB949005)
Microsoft Project 2003 Service Pack 2 (KB948962)

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-018.mspx

MS08-021 – Critical – Vulnerabilities in GDI Could Allow Remote Code Execution (948590)

Undisclosed vulnerabilities in GDI. These could allow an attacker to use a specially      crafted EMF or WMF image files to take complete control of the affected system.

Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
(Note that for the above platforms MS08-021 replaces MS07-046)
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx

MS08-022 – Critical – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)

Undisclosed vulnerabilities in the VBScript and JScript scripting engines. These could allow an attacker to take complete control of the affected system.

Affected Software
VBScript 5.1 and JScript 5.1 on Microsoft Windows 2000 Service Pack 4
VBScript 5.6 and JScript 5.6 on Microsoft Windows 2000 Service Pack 4
VBScript 5.6 and JScript 5.6 on Windows XP Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows XP Professional x64 Edition and Windows XP     Professional x64 Edition Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
(Note that for the above platforms MS08-022 replaces MS06-023)

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-022.mspx

MS08-023 – Critical – Security Update of ActiveX Kill Bits (948881)

An undisclosed vulnerability for ActiveX components. The vulnerability could allow an attacker to use a specially crafted Web page as a vector for remote code execution. The
severity of any compromise may depend upon the level of administrative rights of the user account.

Affected Software:
Microsoft Windows 2000 Service Pack 4 with Internet Explorer 5.01 Service Pack 4
Microsoft Windows 2000 Service Pack 4 with Internet Explorer 6 Service Pack 1
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-023.mspx

MS08-024 – Critical – Cumulative Security Update for Internet Explorer (947864)

This security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Windows 2000 Service Pack 4
with Internet Explorer 5.01 Service Pack 4
or Internet Explorer 6 Service Pack 1

Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
with Internet Explorer 6

Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
with Internet Explorer 7

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx

MS08-020 – Important – Vulnerability in DNS Client Could Allow Spoofing (945553)

An undisclosed vulnerability that could allow an attacker to spoof or redirect Internet traffic on affected systems.

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx

MS08-025 – Important –Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)

An undisclosed vulnerability in the Windows kernel. Can allow a local attacker to take complete control of an affected system.

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-025.mspx

MS08-019 – Important –Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)

Undisclosed vulnerabilities in Microsoft Office Visio. These could allow an attacker to use specially crafted Visio files to perform remote code execution or take complete control of an affected system.

For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-019.mspx

New MSI Tool for Analyzing Your Security Program

Posted on by
Reply

MSI is proud to release a new tool to help security managers analyze the overall balance, maturity and capability of their security program. The new tool is a simple matrix based around quantifying the amount of controls, efforts and processes you are employing.

Using the tool as brainstorming aid is also possible. Security engineers have told us that the process works for them to analyze particular applications and other security undertakings. Simply build out the matrix on paper or in your chosen office product and it should help you clarify where your security initiative stands.

Effective, mature security programs should be well rounded in the matrix and should be well balanced between all of the cells. They also tend to balance out between strategic and tactical approaches.

Feel free to give us feedback on this project and let us know if we can answer any questions you may have.

You can obtain the relevant file here.

SecurityProgramAnalysis.pdf

It is licensed under Creative Commons. Check out the PDF for details.

The “TSA Week at a Glance” Content – Huh???

Posted on by
Reply

This just in from the “No, we swear this isn’t propaganda” department.

The TSA seems to have added a section to their web site where you can keep tabs on just what they have been up to this week. You can check it out here.

As of this moment, here is what they have been doing so far this week:

* 15 passengers were arrested due to suspicious behavior or fraudulent travel documents

* 18 firearms found at checkpoints

* 12 incidents that involved a checkpoint closure, terminal evacuation or sterile area breach

* 16 disruptive passengers on flights

So, basically, according to those figures – they apparently have worked 61 “incidents” this week alone. Unfortunately, what they don’t seem to show is a graphic that shows where this lies as a historical piece of data. Wouldn’t it be whiz bang cool if they had a graph that showed historic trending? Maybe they could also do some sort of predictive “threat radar” that could turn various colors and make beeping sounds when they think more disruptive passengers are expected- like say the next time airlines go out of business, strand travelers, treat them without dignity – oh wait, that seems to be usual air travel today. No wonder they don’t have any sort of historic metrics…
I also particularly liked the large window at the top of the page that currently says something to the effect of “Chilling details have emerged about a trans-atlantic terror plot.” I am pretty sure that’s what I want to read from the TSA – horror stories. Is it just me or does this stuff seem like maybe it belongs someplace else? I really don’t want to view that material from the government group that’s supposed to protect me. Sure, you have the details. Sure, you might even have caught them, but I also think it induces more fear than it calms and reassures.
Hey TSA, how about a lot less marketing and a lot more focus on the presenting the details that we NEED TO KNOW. Please, refrain from using FUD to justify your presence in our lives and your budget dollars. Thanks!!!

The Dangers of “We Find Vulns or It’s Free” Security Offers…

Posted on by
Reply

I was astounded at this posting this morning in Credit Union Times.

These types of offers always make me cringe when I see them. At first blush, they may seem like a good idea. Why not, after all, we all want to believe that our application is secure and we all want something for free. This certainly seems like the best of both worlds. How could this be bad?

Well, first off, security testing choices should not be based on price. They should be based on risk. The goal is to reduce the risk that any given operation (application, network, system, process, etc.) presents to the organization to a level that is manageable. Trust me, I have been in the security business for 20 years and all vendor processes are NOT created equal. Many variations exist in depth, skill level, scope, reporting capability, experience, etc. As such, selecting security testing vendors based upon price is a really really really bad idea. Matching vendors specific experience, reporting styles and technical capabilities to your environment and needs is a far better solution for too many reasons to expound upon here.

Second, the “find vulnerabilities or it’s free” mentality can really back fire for everyone involved. It’s hard enough for developers and technical teams to take their lumps from a security test when holes emerge, but to now also tie that to price makes it doubly difficult for them to take. “Great, I pay now because Tommy made some silly mistake!” is just one possibility. How do you think management may handle that? What about Tommy? Believe me, there can be long term side effects for Tommy’s career, especially if he is also blamed for breaking the team’s budget in addition to causing them to fail an audit.

Thirdly, it actually encourages the security assessment team to make mountains out of mole hills. Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically built on severity (it’s human nature), then it certainly (even if only unconsciously) behooves the security team to note even small issues as serious security holes. In our experience, this can drastically impact the perceived risk of identified security issues in both technicians and management and has even been known to cause knee-jerk reactions and unneeded panic when reports arrive that show things like simple information leakage as “critical vulnerabilities”. Clearly, if the vendor is not extremely careful and mindful of ethical behavior among their teams, you can get serious skewed views between perceived risk and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.

Lastly, I am the first to admit that such marketing approaches simply “bother me”. They lend a certain air of “used car dealer” salesmanship to the security industry. This is hardly something that, in my opinion, our industry needs. We are already working hard to overcome the idea that many vendors have glommed onto for decades – that fear sells products. This enough challenge for us for now, so the last thing we need is for our industry to be viewed as is another marketplace full of “gimmicks”.

In my opinion, let’s stick to plain old value. My organization helps you find and manage your risk. We help you focus on the specific technical vulnerabilities in networks, systems, applications and operations that attackers could exploit to cause you damage. To do this, my company employs security engineers. These deeply skilled experts earn a wage and thus cost money. Our services are based around the idea that the work we do has value. The damages that we prevent from occurring save your company money. Some of that money pays us for our services and thus, we pay our experts. Value. End of story.

No gimmicks, sales hype or catchy marketing will ever replace value or the truth. Between you and me, I think that’s a very good thing!

HP OpenView Network Node Manager Vulnerabilities

Posted on by
Reply

An independent researcher, Luigi Auriemma, has found several vulnerabilities in Version 7.53 of HP’s OpenView Network Node Manager. These include a format string error and stack based buffer overflows and Denial of Service issues. All of the vulnerabilities were discovered within the ovalarmsrv.exe process which listens on ports 2953 and 2954. If you are running this product you should ensure that access is limited to known and trusted parties. The original advisory can be found at: http://aluigi.altervista.org/adv/ovalarmsrv-adv.txt

Cisco Unified Communications Disaster Recovery Framework Vulnerability

Posted on by
Reply

The Disaster Recovery Framework is able to receive and execute commands without authentication. This can allow an attacker to cause denial of service conditions, obtain sensitive configuration information, overwrite configuration parameters, or execute DRF-related commands, including arbitrary system commands with full administrative privileges.

For further details and mitigation suggestions please see the original advisory at:http://www.cisco.com/warp/public/707/cisco-sa-20080403-drf.shtml

Bot-nets Continue to Grow in Scope and Danger

Posted on by
Reply

There is quite a bit of talk online right now about a new bot-net that is supposedly quite a bit larger than Storm. This new bot-net, called Kraken, was discovered and initially revealed by another security team. Various folks are pointing at it as another evolutionary step in the growth of the bot-net threat and as a major new development in the area of cyber-crime.

Bot-nets, it seems, are today’s Internet worms. Their power, capability to produce FUD and impact make them on par with the Slammer, Code Red and Nimda worms of the past as significant threat evolutions. However, just like the worms of yesterday, there are some pretty common – albeit sometimes tough – things you can do to help minimize your risk of exposure.

First, segregate your network. Create enclaves that separate and manage access to servers that hold critical or sensitive data. Basically, segregate any and all user systems into untrusted areas and manage them as if they were untrusted systems (they are!!!)

Next, deploy egress controls as tightly as possible for all user -> Internet activity. Apply egress controls as tightly as possible to all enclaves.

Now, ensure that you have proper preventative and monitoring controls on all of the enclaves. Check for unneeded services, missing patches (OS and applications), bad configurations and known security issues. Mitigate or repair as many as possible. Monitor everything at the egress point for forensics and help with finding infected hosts. Deploy HoneyPoint sensors in user community and all enclaves.

Harden the user systems to the largest extent possible. AV, personal firewalls, patches, consider hardening or changing browsers. No matter what, consider user systems as untrusted hosts!

Educate your users about threats, their responsibilities and security mechanisms for their systems when outside the corporate network.

Monitor, manage and handle incidents quickly and with public consequences. If you find an infected machine and can trace it back to porn downloads on a company machine, fire the person and make a public example of the fact that actions against security policy (you have one of those, right?) have consequences…

Doing these basics will increase your overall security and greatly reduce your risk from bot-nets (and other threats). Is it easy? No. Is it expensive? It can be, depending on your size, complexity and technology level. Is it worth doing? Yes. It reduces risk and is much more interesting than ignoring the problem and/or continually working reactively to various incidents and compromises.

Apache Tomcat Connector Exploit

Posted on by
Reply

An exploit has been released into the wild for Tomcat Connector version jk2-2.0.2. The vulnerability exploited exists in the Host Header field of the apache jk2 module. At this point it’s known to work on Fedora Core versions 6,7, and 8. Other distros will likely also be affected by the exploit. If you are using the legacy 2.0.x tree of the Apache Tomcat Connector, upgrade to version 2.0.4, or use the newest version of mod_jk.

The Application Layer is Where the Action Is…

Posted on by
Reply

I thought this particular “hacker” article was pretty interesting. Thanks to Dr. Anton Chuvakin’s “Security Warrior” blog for pointing it out.

Once you look beyond the manifesto hype, you can really get a feel for what it represents. It represents a call to action to remind security professionals that the game has changed. The network and systems that it is composed of remain but a part of the security equation. The real target of the attackers that represent the REAL THREAT is the data that the network and systems hold.

Attackers have definitely moved up the stack. They do not care that most organizations are still focused on the network layer and more than a few are still trying to get the basics of that right. In fact, it simply empowers them more.

Today, attackers are focused on the application. That is true whether you look at holes like SQL injection and XSS or at the browser vulnerabilities that are at the root of a majority of malware and bot-net activity today. Today’s attackers have excellent tools for exploit development that have seriously changed the security landscape. More attackers understand the deeper nuances of computer science than ever before. Man security teams and professionals are lagging behind in knowledge, resources and capability.

One of the big reinforcers of this ideal to me was a presentation I gave a few weeks ago about application security. During the research for it, I found that according to several sources, a HUGE amount – roughly a third – of all reported security incidents last year involved SQL injection and XSS. Almost 2/3s of all reported incidents were web-application focused. Clearly, there is no denying that the attackers have moved up the security stack – the question is – have the defenders…

What are you, your security team and your security partners doing today to ensure that your data is protected tomorrow?

Symantec Internet Security 2008 Vulnerable ActiveX

Posted on by
Reply

There appears to be two vulnerable ActiveX controls in Symantec Internet Security 2008. The following ActiveX controls are vulnerable:

Progid: SymAData.ActiveDataInfo.1

Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8

File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll

Version: 2.7.0.1 

  Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
  File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
  Version 2.7.0.1


These ActiveX are marked safe for scripting by Symantec. According to Symantec, although they are marked safe for scripting, they will only run from the “symantec.com” domain. Successful exploitation would require the use of XSS or DNS poisoning techniques, but could allow for complete control over a users system simply by viewing a malicious page. Symantec has issued updates to fix these vulnerabilities.