From alertmailinglist at skiifwrald.com Fri Dec 12 23:03:10 2008
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Fri, 12 Dec 2008 23:33:10 +1030
Subject: [Sunnet Alert] Advisory #262 - Microsoft (Multiple), Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #262

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 days
=======================================
/*
 - Remote or Local - Can it be achieved through a network or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 A Compromised Network Leads to Military Exercise Failure
2.2 Live OneCare is Dead, Long Live Live OneCare (and Morro)
2.3 How to Survive the Economic Downturn (Discounts for All!)
2.4 Time To Check For The Reds Under Your Bed
2.5 An Interesting Internet Explorer 0-day
2.6 Another Interesting Microsoft 0-day Exploit
2.7 PHP Project Updates, Then Rapidly Updates Again due to bug
2.8 National Internet Censorship Plans Attract Criticism
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office
SharePoint

-- Technical Description --
MS08-070 - ActiveX (VisualBasic). Multiple Code Execution. Critical
MS08-071 - Windows. Multiple Code Execution. Replaces MS08-021. Critical
MS08-072 - Word. Multiple Code Execution. Replaces MS08-026, MS08-042, MS08-052, MS08-057. Critical
MS08-073 - Internet Explorer. Multiple Code Execution. Replaces MS08-058. Critical
MS08-074 - Excel. Multiple Code Execution. Critical
MS08-075 - Windows Explorer. Multiple Code Execution. Critical
MS08-076 - Windows Media Player. Multiple Code Execution. Important
MS08-077 - SharePoint. Authentication Bypass. Replaces MS07-059. Important

-- Description --
With the final Security Patch Release for 2008, Microsoft have issued eight patches, which address a large number of individual vulnerabilities across Windows, Office, and SharePoint components. Also of significance is the high number of previous patches replaced as part of this update. Two unpatched 0-day exploits have also been seen following this month's release, with one likely to spread rapidly. It is imperative that users and administrators apply the patches as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-070.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-077.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-3704 (MS08-070)
CVE-ID: CVE-2008-4252 (MS08-070)
CVE-ID: CVE-2008-4256 (MS08-070)
CVE-ID: CVE-2008-4253 (MS08-070)
CVE-ID: CVE-2008-4254 (MS08-070)
CVE-ID: CVE-2008-4255 (MS08-070)
CVE-ID: CVE-2008-3465 (MS08-071)
CVE-ID: CVE-2008-2249 (MS08-071)
CVE-ID: CVE-2008-4024 (MS08-072)
CVE-ID: CVE-2008-4025 (MS08-072)
CVE-ID: CVE-2008-4026 (MS08-072)
CVE-ID: CVE-2008-4027 (MS08-072)
CVE-ID: CVE-2008-4028 (MS08-072)
CVE-ID: CVE-2008-4030 (MS08-072)
CVE-ID: CVE-2008-4031 (MS08-072)
CVE-ID: CVE-2008-4837 (MS08-072)
CVE-ID: CVE-2008-4258 (MS08-073)
CVE-ID: CVE-2008-4259 (MS08-073)
CVE-ID: CVE-2008-4260 (MS08-073)
CVE-ID: CVE-2008-4261 (MS08-073)
CVE-ID: CVE-2008-4265 (MS08-074)
CVE-ID: CVE-2008-4264 (MS08-074)
CVE-ID: CVE-2008-4266 (MS08-074)
CVE-ID: CVE-2008-4269 (MS08-075)
CVE-ID: CVE-2008-4268 (MS08-075)
CVE-ID: CVE-2008-3010 (MS08-076)
CVE-ID: CVE-2008-3009 (MS08-076)
CVE-ID: CVE-2008-4032 (MS08-077)

-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 A Compromised Network Leads to Military Exercise Failure

An interesting claim has been made about the extent to which a compromised computer network was able to lead to the failure of a military exercise for a Chinese Armour Brigade. The claim is that a virus had compromised an unpatched system and was able to interrupt supply orders being passed across the network which were meant to send extra ammunition to the engaged armour. Since the orders were interrupted, the ammunition was never sent forward and the main attack force eventually ran out of ammunition, troops were lost (simulated), and the battle was lost.

Not only does the case provide an interesting insight into the reliance upon computer networks for normal operation and function, but it also highlights the importance of having reliable and functional non-computerised systems to carry out critical functions. It is surprising that the Chinese military did not have those fallback systems in place; however, it may have been an important part of the exercise - to test the reliability of the computerised systems for normal operations.

Despite the hype and chest beating that a lot of militaries put forward about Network Centric Warfare, it is something that many then find extremely difficult to implement. It only takes a single oversight for the whole system to come crashing down.

As quoted in the Dark Visitor article, the commander of the armoured brigade involved, Li Jintai, succinctly described the problem as: "If there is insufficient importance attached to information security, a lack of network defense consciousness and methodology, it can leave a crack that your adversary can take advantage of and lead to grave consequences." Advice that is pertinent for everyone, not just the Chinese military.
2.2 Live OneCare is Dead, Long Live Live OneCare (and Morro)

Microsoft is set to cancel the fee-based Live OneCare for consumers from mid-2009, replacing it with a free product, currently named Morro. In a seemingly user-aware move, Microsoft have acknowledged that the clear majority of users in both developed and developing markets do not maintain current security protection on their systems. Morro is being designed to close this protection gap.

With Microsoft identifying low-bandwidth and older systems as target installations, it will be interesting to observe how they end up delivering this capability when many competing offerings are renowned for bringing high-spec systems to an effective grinding halt. From the published details, Morro will be a stripped-down version of the existing OneCare suite (which may remain as a fee-based full service offering under another name), missing some of the printer sharing / multi-PC / disk defragmentation features that OneCare currently has.

A side benefit of the new suite will be that future Microsoft Security Reporting will have a much larger number of sources from which to gather data, which hopefully will address some of the weaknesses of their previous reports.

2.3 How to Survive the Economic Downturn (Discounts for All!)

Much has been written about the ongoing financial crisis that is gripping the world, from Wall Street and Main Street, to High Street and your street. Your company might be finding it more difficult to attract external funding, you might be finding it difficult to attract new customers or to retain those you already have. You might even be finding it difficult to get your existing customers to pay their accounts. In all probability there have been job losses (maybe even yours) in your company, and almost certainly there have been losses in your industry.
So, how do you make sure that your company's Information Security needs (and your own) continue to be met when budgets are being frozen or cut and personnel are being stretched to do more with far less?

If you are running an internal security team, you can always use extra resources from experts in the field - us! Join some of the biggest global companies and government agencies and begin benefitting from our special approach to Information Security. If you are no longer running your own internal team (or if you are the security team) then we are here to help you maintain the security posture that you have been tasked to achieve.

Sûnnet Beskerming is the ultimate force multiplier. Make use of our advanced capabilities to deliver results that will amaze and astound and make it look like you have an army of experts at your command. You do. Us.

We here at Sûnnet Beskerming recognise the difficulty that many now find themselves in and so are offering 25% off all of our products and services for as long as it takes for the economic downturn to be turned around (even if it takes years). To claim this extremely valuable offering, merely enter the coupon code 'DOWNTURNBUSTER' when ordering any of our Premium Services.

Since it is also the start of the festive shopping season, we would like to spread some festive cheer to all our valued clients and soon-to-be clients, with 33% off all of our products and services. To claim this even more valuable offering, merely enter the coupon code 'FESTIVE08' when ordering any of our Premium Services.

If the deep discounts on our already competitively-priced services aren't enough for you, please contact us to see what we can do for you inside your budgetary constraints. If you just have no available budget, then our various free services are there to be an important keystone for protecting and informing you.
Sûnnet Beskerming is there to help you and your company survive this economic crisis with confidence that your Information Security needs are being met.

The coupon codes, for easy reference:
FESTIVE08 - 33% off all services and products, valid until 31 December, 2008.
DOWNTURNBUSTER - 25% off all services and products, valid until such time that there is consensus that the economic downturn has ended.

2.4 Time To Check For The Reds Under Your Bed

Reporting on a recent set of compromises to US military systems in Afghanistan has identified different attackers, depending on who you listen to. On the one hand we have the attacks being tenuously linked to attackers based in Russia, and on the other we have the attacks being tenuously linked to attackers based in China. Aside from the poor light it casts the military in (not being able to determine roughly who is behind a network attack), it suggests that the bad old days of the cold war haven't really gone away very far. If anything, the location for confrontation has shifted into the information systems and away from the proxy wars and world oceans. Whether that is still the case is a topic for another time.

It certainly wouldn't hurt some military planners and leaders to have a well-defined set of enemies again, nation states instead of the stateless bodies that are the current enemy-du-jour. With this in mind it doesn't take too much to see this as being something that is a lot less than is being claimed by the military. Certainly, the network compromises are embarrassing and potentially risky for national security, but there may be too much being read into why the attacks have taken place. It is highly likely that whoever is carrying out these attacks is using resources in Russia and China to achieve their goals, hence it looking like the attacker might be coming from two places at once. It is also highly likely that the attacks have been opportunistic and not purely a result of targeted attacks.
Targeted attacks are more likely to show up as 0-day infections, such as the various Office vulnerabilities that have been used over the years to compromise government networks. Sure, it might be possible that a targeted attack against military systems was carried out using an AUTORUN infector that is not leading edge and which had no guarantee of ever making it onto the military systems (social engineering notwithstanding), but it is more likely that a targeted attack isn't going to be as obvious. If you are a conspiracy nut, then perhaps it is being used as misdirection, while the real targeted attack is taking place through other channels...

There are plenty of people in Information Security who dismiss the concept of each device on a network having its own protection against other devices, but it is a key part of a full defense in depth approach to security. In cases like this, effective defences between systems on the same network segments would have limited the ability of the malware to spread and take hold within the military networks.

2.5 An Interesting Internet Explorer 0-day

News of what is the closest thing to a widespread 0-day attack against Internet Explorer for some time has been spreading across the Internet, complete with fully described exploit code, available from a number of sources, such as the dependable milw0rm. Microsoft's own notice on the vulnerability identifies that the vulnerable platforms are Internet Explorer version 7 on Windows XP, 2003, Vista, and 2008. Microsoft have identified that setting the Internet zone security setting to High blocks the current implementations of the attack, and running Internet Explorer with Data Execution Prevention (DEP) will limit attack options.

The biggest problem with the High setting on the Internet zone security settings is that it effectively disables ActiveX and Active Scripting for all sites that haven't previously been identified as Trusted.
For many users this particular step may lead to significant usability difficulties when visiting their regular Internet sites, and, as described below, the use of the attack in blended attacks means that even a trusted site can become affected by this particular vulnerability in a very short period of time.

Already several different versions are available, varying in how they go about filling the arrays before launching the attack (and exactly how the attack is launched). From the ISC write-up, it seems that many of the sites currently using this vulnerability to target Windows XP, Vista, and 2008 users are using the version (or a derivative) that the ISC initially received. The milw0rm version is slightly different in makeup and is expected to become the dominant version once other malware distributors pick up this distribution method. The ISC write-up also highlights the appearance in blended attacks, making use of SQL injection as the delivery vector to implant an infected link on a site which then silently loads the Internet Explorer 0-day.

Until such time as detection has been included in the major antimalware detection engines, and Microsoft has been able to release an appropriate patch to address the issue, it is recommended that users consider the use of alternate browsers for their Internet use (the preferred solution), or apply the non-patch mitigation steps recommended by Microsoft (and listed above).

2.6 Another Interesting Microsoft 0-day Exploit

Earlier this week Microsoft published a Security Advisory dealing with a remote code execution vulnerability in WordPad that is being actively exploited, though only in a limited capacity at the time of publishing. How a basic text editor could be vulnerable to a remote code execution flaw is an interesting case. It appears that the problem is with the text converter used to convert Word 97 files to a format appropriate for display in WordPad.
This puts it in the same sort of league as antivirus scanning engine vulnerabilities that can be targeted by the very malware that the engine is trying to detect. While full technical details have yet to be released describing how the vulnerability specifically works, it is believed that there are one or more weak conversion / filtering routines in the text converter that can be targeted with specific Word 97 formatting and from there allow the execution of code in the context of the current user.

Users who are running Windows 2000, XP (Service Pack 2 and earlier), and 2003 are vulnerable to this particular issue, and the discovery that there are active attacks targeting this flaw means that there is greater importance in applying special handling to .wri filetypes, filetypes that many had previously considered safe when associated with WordPad.

2.7 PHP Project Updates, Then Rapidly Updates Again due to bug

PHP version 5.2.7 was only released earlier this week, but it introduced a serious bug. Effectively, magic_quotes was forced off, irrespective of the local php.ini settings. While the feature is deprecated and being removed with PHP 6.0, it is still available within the PHP 5 branch.

Relying on magic_quotes became a crutch for many PHP developers when it came to managing user input and any other input that was passed to any particular script. It was the lazy developer's approach to security and is undoubtedly present in many, many scripts in use across the Internet (and many intranets). The forced disablement of magic_quotes would have made many of these scripts extremely vulnerable to exploitation.

Initial guidance for administrators and users who had updated and applied 5.2.7 was to revert to 5.2.6 until the issue could be addressed. Fortunately, this did not take long, and 5.2.8 is now available. All of the security improvements that were originally in 5.2.7 have been included, and now there is the fix for the magic_quotes issue as well.
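The magic_quotes dependency described above, shown as an added example that is not code from the advisory or from the PHP project: a lookup that is only safe while magic_quotes_gpc is on, beside one that behaves identically whether the setting is on, off, or silently forced off as in 5.2.7. The users table, its name column, the DSN and the sample input are assumptions.

```php
<?php
// Added example (not from the advisory or the PHP project). Assumes a
// MySQL table `users` with a `name` column reachable through PDO; the
// request input below is constructed for the demonstration.

// --- Fragile form: only correct while magic_quotes_gpc is on ----------
// When PHP 5.2.7 forces magic_quotes off, $_GET['name'] arrives without
// the backslash escaping this code silently depends on, so the quote in
// "O'Brien" terminates the string literal and the query breaks. Any
// input that reaches this function now shapes the SQL directly.
function lookup_relying_on_magic_quotes(PDO $db, array $get)
{
    $name = $get['name'];                        // assumed pre-escaped
    $sql  = "SELECT id FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened form: correct regardless of the magic_quotes setting ----
function lookup_with_prepared_statement(PDO $db, array $get)
{
    $name = $get['name'];
    // Undo runtime escaping if it was applied, so the function sees the
    // raw user value in every configuration (get_magic_quotes_gpc() is
    // gone in later PHP, hence the function_exists guard).
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $name = stripslashes($name);
    }
    // Parameter binding keeps data separate from the SQL text; no
    // escaping step is needed and none can be forgotten or forced off.
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Pin the setting explicitly in php.ini as well (magic_quotes_gpc = Off)
// so code is written for the off state and a runtime surprise like the
// 5.2.7 bug changes nothing. Check the live value after each upgrade:
//   php -r 'var_dump((bool) get_magic_quotes_gpc());'
$db    = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret');
$input = array('name' => "O'Brien");             // constructed sample input
var_dump(lookup_with_prepared_statement($db, $input));
```

Running the fragile function with the same constructed input on 5.2.7 produces a syntax error from MySQL, which is the visible symptom administrators were told to look for before reverting to 5.2.6.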
Administrators also had the option of recompiling 5.2.7 and disabling ext/filter, which is where the vulnerable code was.

2.8 National Internet Censorship Plans Attract Criticism

Plans to introduce a national ISP-level Internet censorship and filtering system in Australia have attracted vocal criticism, with an almost unanimous slamming of the proposed plan by users and industry experts alike. With the Federal Communications Minister introducing a consultation blog to attract public comments on the proposed filtering (and other national level communications issues), it is likely that the comments will be swamped with open criticism. Despite the level of criticism and the public demonstration planned to highlight the problem, it seems that the Federal government is resolutely proceeding with the plan.

While the tested systems have all fallen short of effectively filtering the content they were meant to, and with serious network speed problems encountered whenever the filters were activated, there is still a broader test that is scheduled to take place on a closed network. Use of a closed network raises concerns that the results are going to be stage managed to a greater extent than they would be in a live test - where users will be able to experience first hand exactly how the systems are supposed to work (or not).

In the UK, a voluntary filtering system that is in use by almost all ISPs has demonstrated the risks associated with arbitrarily blocking sites. The Internet Watch Foundation (IWF) listed Wikipedia as a blocked site due to the appearance of an image from an album cover from the 1970s that they deemed to be child pornography. With the effect that all traffic from affected ISP customers to Wikipedia now appeared to source from the IWF, Wikipedia took steps to limit the risk of vandalism and so limited the ability of visitors from those IP addresses to modify Wikipedia.
A matching announcement on Wikipedia describing what had taken place did more to raise awareness and complaints than the actual blocking did. As with most attempts to block online content, there were multiple means available to access the blocked content, which was readily available on other sites (like Amazon), as well as different methods for accessing the blocked content on Wikipedia itself. The actual blocking appeared to many as a simple network error, but it wasn't long before the real reason for the strange errors became apparent.

The minor inconvenience of not being able to easily view the Scorpions album cover has led to awareness that there is active filtering taking place in an environment where many users had previously not considered any filtering to be taking place. There are bound to be questions asked in the future about just how much other content is being surreptitiously filtered out for UK Internet users.

As some observers have pointed out, the censorship is very inconsistently applied. If the Scorpions album was identified as potentially being child pornography, then Nirvana's Nevermind, Blind Faith's Blind Faith, Led Zeppelin's Houses of the Holy, and many other albums should also be actively blocked or otherwise restricted. This gives the impression that, even years after the first series of internet filters appeared, what makes it onto and off the filter lists is being driven by a minority of outraged special interests that aren't necessarily able to recognise that some of what they find annoying is seen as acceptable by the silent majority.

While the IWF has since reversed their decision to block the image, which in a case of the Streisand effect saw the image promoted far more following the blocking than it was beforehand, they have not acknowledged that their censorship approach may be fundamentally flawed (something that a growing number of users believe), only that it didn't work in this public instance.
The Great Firewall of China might have entered the vernacular of Information Security specialists, but the idea of a Great Firewall of Australia or the UK is not sitting comfortably with many, including many of the strongest supporters of the censorship plans.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.