Public Events — Today, July 14

Brent H.
Jul 14
11:45 AM
Brent H.
has left the room
Jul 14
12:00 PM
Mary R.
has left the room
Jul 14
2:20 PM
Brent H.
has entered the room
Jul 14
2:40 PM
nick
has entered the room
nick
has left the room
Nick B.
has entered the room
Jul 14
2:50 PM
Todd F.
has entered the room
Jul 14
3:25 PM
Bruce W.
has entered the room
Bruce W.
Hi folks
Brent H.
Hello all, welcome. The event will begin at 4pm Eastern.
Bruce W.
oops - be back in a bit
Jul 14
3:40 PM
Bruce W.
has left the room
Nathan G.
has entered the room
Jul 14
3:45 PM
Mary R.
has entered the room
Jul 14
3:55 PM
Brent H.
Hello all, we will get started shortly.
Adam H.
has entered the room
Jeff F.
has entered the room
Pedro G.
has entered the room
Brent H.
Welcome all. We will be getting started in just a moment.
jimklun
has entered the room
Jul 14
4:00 PM
Brent H.
In the meantime, if you have not yet read our Risk Assessment document, please feel free to download it from the link on the right of your screen
Adam H.
has left the room
Bill P.
has entered the room
Connie M.
has entered the room
Bruce W.
has entered the room
Adam H.
has entered the room
Phil G.
has entered the room
Connie M.
good afternoon
jimklun
Hello
Brent H.
Hello all, thanks for attending.
Brent H.
We wanted to give folks a chance to discuss the issues with the current Active-X Threat CVE-2009-1136
Brent H.
The threat assessment from MSI has not changed. We still see this as a medium level enterprise threat.
jimklun
Because it requires user interaction?
Brent H.
We have also been able to verify that MS09-032 does NOT contain the kill bits from the advisory for this issue.
Brent H.
Our medium level assessment is due to a variety of factors.
Brent H.
1. That servers should largely remain unaffected.
Jul 14
4:05 PM
Brent H.
2. That user intervention is required.
Brent H.
3. That best practice based security architectures should have controls in place to manage the effects of compromised end user workstations.
Brent H.
We do feel, as we stated earlier today, that the probability of compromised end user systems from this issue is high.
Ian T.
has entered the room
Bruce W.
When you say that no user intervention is required...
Bruce W.
...is that because a user has to allow the ActiveX control to run? Therefore there's some level of intervention?
Brent H.
User intervention is required for all but the malicious web page exploit.
Brent H.
If a user visits a page with malicious content on a vulnerable system, they will get exploited. However, our enterprise risk evaluation accounts for user system compromise.
jimklun
...and even then they have to go there, but that is easy to force.
Amy B.
has entered the room
Bruce W.
Meaning that a user has to go to a web page that has the exploit code...but will the code execute on its own, or require intervention?
Brent H.
Correct. The user must visit the page (easy to social engineer), be on a vulnerable system and not have the kill bits installed.
Bruce W.
Okay, that was my understanding.
jimklun
Where is Microsoft hiding the killbit doc?
Jul 14
4:10 PM
Brent H.
Additional mitigating controls are also available. AV signatures are becoming available for the primary exploit code.
Bruce W.
There's a blog with it...I have it and have already created a batch file to enable on our network workstations through a login script
Brent H.
The kill bit document can be found at SANS. Hold for a link.
Bruce W.
Here's Microsoft's blog info: http://blogs.technet.com/srd/archive/2009/…
jimklun
Originally Microsoft had it on their primary KB link - its gone
Bruce W.
nice *sigh*
Brent H.
Again, please also note that today's hot fix 09-032 DOES NOT contain the killbits for this issue. It contains the killbits for previous issues. http://support.microsoft.com/kb/973346/
Bruce W.
ah..that explains why
Nick B.
I've gotten questions about email messages with .xls attachments. From what I've seen, the exploit is entirely javascript-based, and requires no attachments. Has anyone heard differently?
jimklun
http://support.microsoft.com/kb/973472 was the link originally - content has changed
Brent H.
Yes, there are cases of exploitation through attached XLS documents
Brent H.
In at least one case, there was HTML embedded that triggered the exploit. I saw that notice on SANS earlier today.
Brent H.
A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML. This one was particularly nasty, it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach the server.
Brent H.
That came from the SANS page and mentions Office documents with embedded HTML to trigger the payload.
Jul 14
4:15 PM
Brent H.
Currently, the only known mitigations we have seen are using the kill bits, and not using a browser with Active-X components (such as FireFox)
Brent H.
Please note, even if you choose to not use Internet Explorer, you may still remain vulnerable to the issue through Outlook or attachment documents, etc.
Brian R.
has entered the room
Brent H.
The kill bits seem to be the most effective measure.
Brent H.
Nick, did that answer your question?
Brent H.
Has anyone seen any issues with deploying the kill bits solution?
Nick B.
Do you have a link or more info about an XLS attachment itself being part of the exploit?
Adam H.
According to MS, Outlook is not affected unless you click on a link or open an attachment. An HTML email exploit would fail.
Brent H.
Correct Adam. The user would have to follow a link or open an attachment.
Brent H.
Nick, I do not have any more information on XLS attachment exploits. The only information I have seen is what I pasted in from the SANS Storm Center web site.
Bruce W.
I have begun deploying the killbits solution/workaround/fix and have not seen problems yet. However, we've only just begun.
Jul 14
4:20 PM
Nick B.
I have to apologize. I'm viewing this in IE8 and it is cuttong off long lines so I can't read some of your responses entirely.
Nick B.
"cutting off" long lines, I mean.
Bruce W.
Microsoft does state that the ActiveX control involved is actually a deprecated control, so there may be some mitigating factors with it having much negative impact.
Brent H.
I doubt the kill bits will cause any issues. Here is an MS blog entry I found that explains that the feature had been deprecated. http://blogs.technet.com/msrc/archive/2009…
Bruce W.
At least...so says their blog entry.
Nick B.
has entered the room
Brent H.
Correct. I talked to some folks on Twitter who said they had an app that used it, but it stopped working in IE8 anyway. They are the only users I have heard from that even knew about it.
Brent H.
Nick, sorry for the cutoff issue.
Brent H.
Amy, do you have any questions about the issue?
Brent H.
Any other questions about what we know so far?
Nick B.
No problem. It displays correctly in FF.
Brent H.
Did folks find the write up helpful?
Brent H.
Nick, :)
Brent H.
I guess the last big point from us is to start building awareness of the issue in your user population.
Jul 14
4:25 PM
Brent H.
We feel that it is likely that this will eventually make its way into mass exploitation such as via malware or a bot-net.
Brent H.
This is especially true since several very stable and easy to use exploit examples are circulating and that home users still do not have an automated patch for the kill bits
Nick B.
So far, has a targeted attack been the only "wild" exploitation observed?
Brent H.
We have seen at least 2 very stable exploits, and a couple of others that are technically feasible.
Brent H.
So far, yes. A number of organizations have reported activity, but nothing "worm-like" has been thus far reported.
Nick B.
I've seen the eeye exploit and the metasploit exploit, but I haven't been able to get my hands on a worm yet. I agree that there likely will be one soon... what a week for me to be on-call :-(
Bruce W.
How widespread have the exploits been so far? Only a few sites, or is it ramping up?
Brent H.
However, the exploit code available would make mass infections pretty easy to perform.
Brent H.
The trend is up, as far as we can tell. So far, we have heard of small pockets of activity. Obviously though, we expect it to continue and evolve.
Brent H.
We have not yet captured anything in our spam sensors with known exploits, though obviously we can't follow and analyze all of the links.
jimklun
Confirm that this is best Microsoft doc on the required killbits: http://blogs.technet.com/srd/archive/2009/…
Jul 14
4:30 PM
Brent H.
The paul-dot-com article was kind enough to give attackers the walkthrough of using metagoofil to footprint their targets, so it might be wise to check how much info that toolset can gather about your organization.
Brent H.
Klun, confirmed. That is the best one I know of.
Brent H.
The second would be SANS, which also has other info, links and sample Snort signatures. http://isc.sans.org/diary.html?storyid=6778
Brent H.
Please note with AV, content filtering and NIDS that signature evolution, encoding and encryption may impact how well heuristic signatures perform.
Brent H.
Even if you have those controls in place, the kill bits should ALSO be deployed as soon as possible in my opinion.
Nick B.
Does anyone know of any legitimate features which are broken by the killbits?
Jul 14
4:35 PM
Brent H.
The only one I know of is one person had an app with an embedded XLS view option. Otherwise, no.
Brent H.
Any other questions?
Bruce W.
has left the room
Brent H.
Thanks to everyone for attending. If you should have any questions or issues, please let us know.
Brent H.
You can reach us at info@microsolved.com or @lbhuston on Twitter.
Brent H.
We hope this has been helpful and we wish you a happy and safe afternoon!
Nick B.
Thanks, Brent. If you think about it, ask CampFire to fix their CSS so that IE8 works... even though no decent security goon should be using IE ;-)
Brent H.
Thanks again. I will stay online in case there are questions.
Brent H.
hehe, I will send them feedback Nick. Sorry for the issue!
Jeff F.
has left the room
Todd F.
has left the room
Brent H.
Ian, did you get your questions answered?
jimklun
The confusion with Microsoft's doc on this bothers me, Brent.
Brent H.
Amy, any questions on your end?
Brent H.
Jim, yes, it seems they are getting confused themselves. They have a ton of cross-linking and no real single source for the information.
Jul 14
4:40 PM
Brent H.
I have 7 Microsoft pages open in my browser, each with a piece of the puzzle.
Ian T.
Yes, thanks
Ian T.
has left the room
Brent H.
Plus a couple of others.....
jimklun
So net message is "best practice" as usual + do the killbits.
Brent H.
They really need some sort of focal site.
Brent H.
yes, do the killbits.
Brent H.
However, if your environment does not have best practices in place to handle compromised end user systems, then do the killbits asap
Nick B.
best practices = infinite budget
Brent H.
also, as always, completely rebuild any infected machines.
Amy B.
Thanks Brent. No questions from me. I'm a victim of IE8 cutoff so I'll need to re-read the whole chat from the top.
Brent H.
Sorry, Amy. Email us if you need a transcript emailed to you.
jimklun
One to me too Brent... thanks!
Jul 14
4:45 PM
Brent H.
Nick, it is possible to do much of this through the 80/20 rule. Infinite budget not required, but a large deal of influence and control is required for large organizations.
Brent H.
I will post the transcript link on stateofsecurity.com. Would that be helpful?
Pedro G.
has left the room
Nick B.
Sure, I agree... but we can never do everything we want to do to achieve best practices, unfortunately. "There's no budget for that" and all. Oh well.
Brent H.
agreed Nick.
Jul 14
4:50 PM
Mary R.
has left the room
Amy B.
transcript link would be most helpful. thanks!
Brent H.
Excellent. Check stateofsecurity.com in a few minutes and I will add a link to it.
Brent H.
Thanks everyone. Have a good day. I will be closing the room unless there are any further questions.