There have been several publicized releases of web scanning tools this week. Three in particular come to mind, each of which lets assessors automate a large part of a web application or site assessment. With that, there is a lot of buzz on the mailing lists about these tools, so expect an increased threat to any web-facing applications or sites. All of these tools are freely available for download.
Internet Explorer Security Zone Bypass
It’s possible to bypass the security zones within Internet Explorer. An issue has been identified in the way that security policies are applied when a URI is specified in the UNC form \\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE. When a URI like this is accessed remotely, Internet Explorer does not apply the correct Security Zone permissions. This issue affects Internet Explorer 5, 6 and 7 under all versions of Windows.
Microsoft has released a workaround for this issue. The workaround can be found in Microsoft’s TechNet bulletin for this issue: http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx
SPAM Backscatter
We are getting many reports of mail servers under heavy load because of SPAM backscatter. This happens when a spammer uses a company’s email address to forge the “FROM” field in the email. When the targeted mail server accepts one of these spam emails and only afterwards discovers that it is addressed to a user that doesn’t exist, it sends a bounce-back message to the forged “FROM” address. Now, as you might imagine, when a spammer sends out over a million emails it’s very likely that many of those will go to addresses that no longer exist, and the innocent company in the “FROM” field gets blasted by thousands of bounce-backs.
What can we do about this, though? Unfortunately, if you’re the one getting the backscatter, not a whole lot. However, you can help to prevent backscatter for others. We recommend that email servers be configured to REJECT bad email during the initial SMTP transaction instead of accepting it and creating a bounce-back reply. Also consider not using “out of office” email replies; these also create backscatter when the vacationing user receives spam. This could also land you on a spam blacklist, if whoever got the backscatter happened to report your mail server as a backscatter sender.
Ignuma 0.0.9.1 Overview
I spent a few minutes this morning looking at the newest release of Ignuma. If you aren’t familiar with it, it is another penetration testing framework, mostly focused on Oracle servers, but it has plenty of other capabilities and provides front ends for a number of fuzzing and host discovery tools.
The tool is written in Python and has both command line and GUI interfaces, including a QT-based GUI and a more traditional “curses-based” GUI. The tool is pretty easy to get working and adapts itself pretty well to some easy scans, probes and fuzzing. In the hands of someone with skills in vuln dev, this could be a capable tool for finding some new vulnerabilities.
The tool is written to be extendable and the Python code is easy to read. It is not overly well documented, but enough so that a proficient programmer could add new modules and extend its capabilities pretty easily.
The tool is still in heavy development and it looks like it could be interesting over the next few months as it matures. Keep your eyes on it if you are interested in such things. You can find the latest version of Ignuma here.
WebEx Meeting Manager Vulnerable ActiveX
An ActiveX control installed by Cisco WebEx Meeting Manager is vulnerable to remote code execution or denial of service. The ActiveX control, atucfobj.dll, is installed when a user connects to a WebEx meeting service. When users connect to an upgraded meeting service, the client-side ActiveX control is automatically upgraded. Exploit code for this vulnerability has been publicly released.
As an aside, the interesting part of this vulnerability, according to a post on NANOG, is that even if you have cleaned the old client off your machine and have the latest version, connecting to a meeting service that is NOT up to date could make you vulnerable again.
The full vulnerability details can be found at http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml
Patched DNS Servers Still Not Safe!?!
OK, now we have some more bad news on the DNS front. There have been new developments along the exploit front that raise the bar for protecting DNS servers against the cache poisoning attacks that became all the focus a few weeks ago.
A new set of exploits has emerged that allows successful cache poisoning attacks against BIND servers, even with the source port randomization patches applied!
The new exploits make the attack around 60% likely to succeed in a 12 hour time period, and the attack is roughly equivalent in scope to a typical brute force attack against passwords, sessions or other credentials. The same techniques are likely to be applied to other DNS servers in the coming days and could reopen the entire DNS system to further security issues and exploitation. While the only published exploits we have seen so far are against BIND, we feel it is likely that additional targets will follow.
It should be noted that attackers need high speed access and adequate systems to perform the current exploit, but a distributed version of the attack that could be performed via a coordinated mechanism such as a bot-net could dramatically change that model.
BTW – according to the exploit code, the target test system used fully randomized source ports, drawing from roughly 64,000 ports, and the attack was still successful. That means that if your server only implemented a smaller port window (as a few did), then the attack will be even easier against those systems.
Please note that this is NOT a new exploit, but a faster, more powerful way to carry out the attack that DK (Dan Kaminsky) discovered. You can read about Dan’s view of the issue here (**Spoiler** He is all about risk acceptance in business. Alex Hutton, do you care to weigh in on this one?)
This brings to mind the reminder that ATTACKERS HAVE THE FINAL SAY IN THE EVOLUTION OF ATTACKS and that when they change the paradigm of the attack vector, bad things can and do happen.
PS – DNS Doberman, the tool we released a couple of days ago, will detect the cache poisoning if/when it occurs! You can get more info about our tool here.
Microsoft Patch Tuesday
It’s that time of the month again: release day for the Microsoft patch cycle. This month there were 11 new updates. Six of those eleven carry ratings of “critical”. The updates patch several things, and finally include an update for IE that corrects six vulnerabilities. Some of the other critical updates fix vulnerabilities in Microsoft Office. As usual, test these updates and roll them out as soon as possible.
MSI Releases DNS Doberman to the Public
Now your organization can have a 24/7 guard dog to monitor key DNS resolutions and protect against the effects of DNS cache poisoning, DNS tampering and other resolution attacks. Our tool is an easy to use, yet quite flexible and powerful solution to monitoring for attacks that have modified your (or your upstream ISPs’) resolutions for sites such as search engines, software updates, key business partners, etc.
DNS Doberman is configured with a set of trusted host name and IP address combinations (yes, you can have more than one IP per host…) which are then checked on a timed basis. If any of your monitored hosts returns an IP that DNS Doberman doesn’t trust, it alerts you and your security team. It supports a variety of alerting methods, covering every environment from home users to enterprises.
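The check described above, trusted host/IP pairs resolved on a schedule and compared against policy, written out as an added example; this is illustrative code, not DNS Doberman’s own source, and the host names, addresses and the resolver callback are constructed assumptions:

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set, Tuple

# Constructed policy (not a real DNS Doberman config): each monitored host name
# maps to every IP address we are willing to trust for it (several per host is fine).
TRUSTED: Dict[str, Set[str]] = {
    "updates.example.com": {"192.0.2.10", "192.0.2.11"},
    "partner.example.net": {"198.51.100.7"},
    "search.example.org": {"203.0.113.20", "2001:db8::20"},
}

def normalize(ips) -> Set[str]:
    """Canonicalise addresses so '2001:DB8::20' and '2001:db8::20' compare equal."""
    out = set()
    for ip in ips:
        try:
            out.add(str(ipaddress.ip_address(ip)))
        except ValueError:
            out.add(f"INVALID:{ip}")  # keep junk visible; it must never pass as trusted
    return out

def system_resolver(host: str) -> Set[str]:
    """Live resolver: every A/AAAA answer the system resolver hands back."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def check_hosts(trusted: Dict[str, Set[str]],
                resolver: Callable[[str], Set[str]]) -> List[Tuple[str, str, Set[str]]]:
    """Return (host, reason, offending_ips) for every host that fails the policy.
    A host passes only when it resolves AND every returned address is trusted."""
    alerts = []
    for host, good in trusted.items():
        seen = normalize(resolver(host))
        if not seen:
            alerts.append((host, "no answer", set()))  # outage or tampering: worth a look
            continue
        rogue = seen - normalize(good)
        if rogue:  # at least one answer nobody approved: cache poisoning suspect
            alerts.append((host, "untrusted address", rogue))
    return alerts

if __name__ == "__main__":
    # One timed round; wrap in a scheduler (e.g. every 15 minutes) for continuous use.
    for host, reason, ips in check_hosts(TRUSTED, system_resolver):
        print(f"ALERT {host}: {reason} {sorted(ips)}")
```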
You can learn more about the tool and download the FREE version from the link below. The FREE version is completely usable and, if it suits your needs, you are welcome to continue to use it indefinitely. The FREE version is restricted to 5 hosts and only checks each host once per hour. Registered users ($99.95) will receive support, minor version upgrades and the ability to check an unlimited number of hosts every 15 minutes!
To learn more or get your copy today, please visit the MSI main web site, here.
Bank of America Laptop Stolen
Another company gets a laptop stolen with customer data on it. Fortunately, this time it appears that all of the sensitive data was encrypted. They’re not sure of the number of customers affected, but said it was “a very small number”. This is just another incident in a long list of stolen and lost customer information. This time they were prepared, and it’s probably going to save people some grief. If one of your company’s laptops gets stolen, will you be just as prepared?
Ruby Vulnerabilities
Several vulnerabilities have been identified and subsequently patched in the newest version of Ruby. If you are a Ruby developer, make sure you download it, as it contains an important update: a fix for the DNS logic within the resolv.rb script. The update implements randomized source ports in order to help protect against spoofing attacks. Upgrade to 1.8.6-p286 or 1.8.7-p71 to mitigate this and the other issues identified.