[Sunnet Alert] Advisory #262 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Dec 12 23:03:10 EST 2008
Sûnnet Beskerming Alert List Advisory #262
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 A Compromised Network Leads to Military Exercise Failure
2.2 Live OneCare is Dead, Long Live Live OneCare (and Morro)
2.3 How to Survive the Economic Downturn (Discounts for All!)
2.4 Time To Check For The Reds Under Your Bed
2.5 An Interesting Internet Explorer 0-day
2.6 Another Interesting Microsoft 0-day Exploit
2.7 PHP Project Updates, Then Rapidly Updates Again due to bug
2.8 National Internet Censorship Plans Attract Criticism
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows
Office
SharePoint
-- Technical Description --
MS08-070 - ActiveX (Visual Basic). Multiple Code Execution. Critical
MS08-071 - Windows. Multiple Code Execution. Replaces MS08-021. Critical
MS08-072 - Word. Multiple Code Execution. Replaces MS08-026, MS08-042, MS08-052, MS08-057. Critical
MS08-073 - Internet Explorer. Multiple Code Execution. Replaces MS08-058. Critical
MS08-074 - Excel. Multiple Code Execution. Critical
MS08-075 - Windows Explorer. Multiple Code Execution. Critical
MS08-076 - Windows Media Player. Multiple Code Execution. Important
MS08-077 - SharePoint. Authentication Bypass. Replaces MS07-059. Important
-- Description --
With the final Security Patch Release for 2008, Microsoft have issued
eight patches, which have addressed a large number of individual
vulnerabilities across Windows, Office, and SharePoint components.
Also of significance is the high number of previous patches replaced
as part of this update. Two unpatched 0-day exploits have also been
seen following this month’s release, with one likely to spread
rapidly. It is imperative that users and administrators apply the
patches as soon as possible.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-070.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-077.mspx
-- External Tracking Data --
CVE-ID: CVE-2008-3704 (MS08-070)
CVE-ID: CVE-2008-4252 (MS08-070)
CVE-ID: CVE-2008-4256 (MS08-070)
CVE-ID: CVE-2008-4253 (MS08-070)
CVE-ID: CVE-2008-4254 (MS08-070)
CVE-ID: CVE-2008-4255 (MS08-070)
CVE-ID: CVE-2008-3465 (MS08-071)
CVE-ID: CVE-2008-2249 (MS08-071)
CVE-ID: CVE-2008-4024 (MS08-072)
CVE-ID: CVE-2008-4025 (MS08-072)
CVE-ID: CVE-2008-4026 (MS08-072)
CVE-ID: CVE-2008-4027 (MS08-072)
CVE-ID: CVE-2008-4028 (MS08-072)
CVE-ID: CVE-2008-4030 (MS08-072)
CVE-ID: CVE-2008-4031 (MS08-072)
CVE-ID: CVE-2008-4837 (MS08-072)
CVE-ID: CVE-2008-4258 (MS08-073)
CVE-ID: CVE-2008-4259 (MS08-073)
CVE-ID: CVE-2008-4260 (MS08-073)
CVE-ID: CVE-2008-4261 (MS08-073)
CVE-ID: CVE-2008-4265 (MS08-074)
CVE-ID: CVE-2008-4264 (MS08-074)
CVE-ID: CVE-2008-4266 (MS08-074)
CVE-ID: CVE-2008-4269 (MS08-075)
CVE-ID: CVE-2008-4268 (MS08-075)
CVE-ID: CVE-2008-3010 (MS08-076)
CVE-ID: CVE-2008-3009 (MS08-076)
CVE-ID: CVE-2008-4032 (MS08-077)
-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 A Compromised Network Leads to Military Exercise Failure
An interesting claim has been made about the extent to which a
compromised computer network was able to lead to failure of a military
exercise for a Chinese Armour Brigade.
The claim is that a virus had compromised an unpatched system and was
able to interrupt supply orders being passed across the network which
were meant to send extra ammunition to the engaged armour. Since the
orders were interrupted, the ammunition was never sent forward and the
main attack force eventually ran out of ammunition, troops were lost
(simulated), and the battle was lost.
Not only does the case provide an interesting insight into the
reliance upon computer networks for normal operation and function, but
it also highlights the importance of having reliable and functional
non-computerised systems to carry out critical functions. It is
surprising that the Chinese military did not have those fallback
systems in place; however, it may have been an important part of the
exercise to test the reliability of the computerised systems for
normal operations.
Despite the hype and chest beating that a lot of militaries put
forward about Network Centric Warfare, it is something that many then
find extremely difficult to implement. It only takes a single
oversight in order for the whole system to come crashing down. As
quoted in the Dark Visitor article, the commander of the armoured
brigade involved, Li Jintai, succinctly described the problem as:
"If there is insufficient importance attached to information security,
a lack of network defense consciousness and methodology, it can leave
a crack that your adversary can take advantage of and lead to grave
consequences."
Advice that is pertinent for everyone, not just the Chinese military.
2.2 Live OneCare is Dead, Long Live Live OneCare (and Morro)
Microsoft is set to cancel the fee-based Live OneCare for consumers
from mid-2009, replacing it with a free product currently named Morro.
In a seemingly user-aware move, Microsoft have acknowledged that a
clear majority of users in both developed and developing markets do
not maintain current security protection on their systems.
Morro is being designed to close this protection gap. With Microsoft
identifying low-bandwidth and older systems as target installations,
it will be interesting to observe how they manage to deliver this
capability when many competing offerings are renowned for bringing
high-spec systems to an effective grinding halt.
From the published details, Morro will be a stripped down version of
the existing OneCare suite (which may remain as a fee-based full
service offering under another name), missing some of the printer
sharing / multi-PC / disk defragmentation features that OneCare
currently has.
A side benefit of the new suite will be that future Microsoft Security
Reporting will have a much larger number of sources from which to
gather data, and which hopefully will address some of the weaknesses
of their previous reports.
2.3 How to Survive the Economic Downturn (Discounts for All!)
Much has been written about the ongoing financial crisis that is
gripping the world, from Wall Street and Main Street, to High Street
and your street. Your company might be finding it more difficult to
attract external funding, you might be finding it difficult to attract
new customers or to retain those you already have. You might even be
finding it difficult to get your existing customers to pay their
accounts.
In all probability there have been job losses (maybe even yours) in
your company, and almost certainly there have been losses in your
industry.
So, how do you make sure that your company's Information Security
needs (and your own) continue to be met when budgets are being frozen
or cut and personnel are being stretched to do more with far less?
If you are running an internal security team, you can always use extra
resources from experts in the field - us! Join some of the biggest
global companies and government agencies and begin benefitting from
our special approach to Information Security.
If you are no longer running your own internal team (or if you are the
security team) then we are here to help you maintain the security
posture that you have been tasked to achieve. Sûnnet Beskerming is the
ultimate force multiplier. Make use of our advanced capabilities to
deliver results that will amaze and astound and make it look like you
have an army of experts at your command.
You do. Us.
We here at Sûnnet Beskerming recognise the difficulty that many now
find themselves in and so are offering 25% off all of our products and
services for as long as it takes for the economic downturn to be
turned around (even if it takes years). To claim this extremely
valuable offering, merely enter the coupon code 'DOWNTURNBUSTER' when
ordering any of our Premium Services.
Since it is also the start of the festive shopping season, we would
like to spread some festive cheer to all our valued clients and soon-
to-be clients, with 33% off all of our products and services. To claim
this even more valuable offering, merely enter the coupon code
'FESTIVE08' when ordering any of our Premium Services.
If the deep discounts on our already competitively-priced services
aren't enough for you, please contact us to see what we can do for you
inside your budgetary constraints. If you just have no available
budget, then our various free services are there to be an important
keystone for protecting and informing you.
Sûnnet Beskerming is there to help you and your company survive this
economic crisis with confidence that your Information Security needs
are being met.
The coupon codes, for easy reference:
FESTIVE08 - 33% off all services and products, valid until 31
December, 2008.
DOWNTURNBUSTER - 25% off all services and products, valid until such
time that there is consensus that the economic downturn has ended.
2.4 Time To Check For The Reds Under Your Bed
Reporting on a recent set of compromises to US military systems in
Afghanistan has identified different attackers, depending on who you
listen to.
On the one hand we have the attacks being tenuously linked to
attackers based in Russia, and on the other we have the attacks being
tenuously linked to attackers based in China. Aside from the poor
light it casts the military in (not being able to determine roughly
who is behind a network attack) it suggests that the bad old days of
the cold war haven't really gone away very far. If anything, the
location for confrontation has shifted into the information systems
and away from the proxy wars and world oceans.
Whether that is still the case is a topic for another time. It
certainly wouldn't hurt some military planners and leaders to have a
well-defined set of enemies again, nation states instead of the
stateless bodies that are the current enemy-du-jour. With this in mind
it doesn't take too much to see this as being something that is a lot
less than is being claimed by the military. Certainly, the network
compromises are embarrassing and potentially risky for national
security, but there may be too much being read into why the attacks
have taken place.
It is highly likely that whoever is carrying out these attacks is
using resources in Russia and China to achieve their goals, hence it
looking like the attacker might be coming from two places at once. It
is also highly likely that the attacks have been opportunistic and not
purely a result of targeted attacks. Targeted attacks are more likely
to show up as 0-day infections, such as the various Office
vulnerabilities that have been used over the years to compromise
government networks.
Sure, it might be possible that a targeted attack against military
systems was carried out using an AUTORUN infector that is not leading
edge and which had no guarantee of ever making it onto the military
systems (social engineering notwithstanding), but it is more likely
that a targeted attack isn't going to be as obvious. If you are a
conspiracy nut, then perhaps it is being used as misdirection, while
the real targeted attack is taking place through other channels...
There are plenty of people in Information Security who dismiss the
concept of each device on a network having its own protection against
other devices but it is a key part to a full defense in depth approach
to security. In cases like this, effective defences between systems on
the same network segments would have limited the ability of the
malware to spread and take hold within the military networks.
2.5 An Interesting Internet Explorer 0-day
News of the closest thing to a widespread 0-day attack against
Internet Explorer for some time has been spreading across the
Internet, complete with fully described exploit code available from
a number of sources, such as the dependable milw0rm.
Microsoft's own notice on the vulnerability identifies that the
vulnerable platforms are Internet Explorer version 7 on Windows XP,
2003, Vista, and 2008. Microsoft have identified that setting the
Internet zone security setting to High blocks the current
implementations of the attack, and running Internet Explorer with Data
Execution Prevention (DEP) will limit attack options.
The biggest problem with the High setting on the Internet zone
security settings is that it effectively disables ActiveX and Active
Scripting for all sites that haven't previously been identified as
Trusted. For many users this particular step may lead to significant
usability difficulties when visiting their regular Internet sites,
and, as described below, the use of the attack in blended attacks
means that even a trusted site can become affected by this particular
vulnerability in a very short period of time.
Already several different versions are available, varying in how they
go about filling the arrays before launching the attack (and exactly
how the attack is launched). From the ISC writeup, it seems that many
of the sites currently using this vulnerability to target Windows XP,
Vista, and 2008 users, are using the version (or a derivative) that
the ISC initially received. The milw0rm version is slightly different
in makeup and is expected to become the dominant version once other
malware distributors pick up this distribution method.
The ISC write up also highlights the appearance in blended attacks,
making use of SQL injection as the delivery vector to implant an
infected link on a site which then silently loads the Internet
Explorer 0-day.
Until such time as detection has been included in the major
antimalware detection engines, and Microsoft has been able to release
an appropriate patch to address the issue, it is recommended that
users consider the use of alternate browsers for their Internet use
(the preferred solution), or to apply the non-patch mitigation steps
recommended by Microsoft (and listed above).
2.6 Another Interesting Microsoft 0-day Exploit
Earlier this week Microsoft published a Security Advisory dealing with
a remote code execution vulnerability in WordPad that is being
actively exploited, though only in a limited capacity at the time of
publishing.
How a basic text editor could be vulnerable to a remote code execution
flaw is an interesting case. It appears that the problem is with the
text converter used to convert Word 97 files to a format appropriate
for display in WordPad. This puts it in the same sort of league as
antivirus scanning engine vulnerabilities that can be targeted by the
very malware that it is trying to detect.
While detailed technical details have yet to be released describing
how the vulnerability specifically works, it is believed that there
are one or more weak conversion / filtering routines in the text
converter that can be targeted with specific Word 97 formatting and
from there allow the execution of code in the context of the current
user.
Users who are running Windows 2000, XP (Service Pack 2 and earlier),
and 2003 are vulnerable to this particular issue and the discovery
that there are active attacks targeting this flaw means that there is
greater importance in applying special handling to .wri filetypes,
filetypes that many had previously considered safe when associated
with WordPad.
2.7 PHP Project Updates, Then Rapidly Updates Again due to bug
PHP version 5.2.7 was only released earlier this week, but it
introduced a serious regression: magic_quotes_gpc was forced off,
irrespective of the local php.ini settings. While the feature is
deprecated and being removed with PHP 6.0, it is still available
within the PHP 5 branch.
Relying on magic_quotes became a crutch for many PHP developers when
it came to handling user input and any other input passed to a
script. It was the lazy developer's approach to security and is
undoubtedly present in many, many scripts in use across the Internet
(and many intranets). Such scripts build SQL statements by
interpolating request values they assume the runtime has already
escaped, so the forced disablement of magic_quotes would have left
them immediately open to SQL injection and similar attacks.
Initial guidance for administrators and users who had updated and
applied 5.2.7 was to revert to 5.2.6 until the issue could be
addressed. Fortunately, this did not take long, and 5.2.8 is now
available. All of the security improvements that were originally with
5.2.7 have been included and now there is the fix for the magic_quotes
issue, as well. Administrators also had the option of recompiling
5.2.7 and disabling ext/filter, which is where the vulnerable code was.
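The following is an added example, not code from this advisory or from the PHP project, that models the failure mode described above: a legacy script that assumed magic_quotes_gpc had already escaped request values, run once with escaping on and once with it silently switched off, beside the hardened approach of normalising input once and using a parameterised query. Python's sqlite3 stands in for the application's database, and the user table is constructed here. One assumption is called out in the code: the escaping is modelled as quote doubling (PHP's magic_quotes_sybase=On style) rather than the default addslashes() backslash style, because quote doubling is the only escaping SQLite understands; the MySQL-targeting version of the same script fails in the same way.

```python
"""
Added example (not from the advisory or the PHP project): what a script
that leaned on magic_quotes_gpc does once the runtime stops escaping
input, next to the hardened alternative.  sqlite3 stands in for the
application's database; the sample rows are constructed.
"""
import sqlite3

# Assumption: escaping is modelled as quote doubling (the style PHP
# produces with magic_quotes_sybase=On) because that is the escaping
# SQLite understands.  PHP's default addslashes() backslash style is
# the MySQL equivalent; the behaviour shown is the same.


def php_runtime_input(raw: str, magic_quotes_on: bool) -> str:
    """What the script sees in $_GET / $_POST: escaped when
    magic_quotes_gpc is on, untouched when it is off or, as in PHP
    5.2.7, silently forced off regardless of php.ini."""
    return raw.replace("'", "''") if magic_quotes_on else raw


def undo_magic_quotes(value: str, magic_quotes_on: bool) -> str:
    """Equivalent of the PHP idiom `if (get_magic_quotes_gpc())
    $v = stripslashes($v);`: normalise input once so nothing further
    down the script depends on the runtime's escaping state."""
    return value.replace("''", "'") if magic_quotes_on else value


def build_db() -> sqlite3.Connection:
    """Constructed sample table, including a name with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"),
                      ("o'brien", "user")])
    return conn


def legacy_lookup(conn, name_param: str):
    """The crutch: interpolates the supposedly pre-escaped value straight
    into SQL.  Returns None when the database rejects the statement,
    which is what an unescaped legitimate apostrophe now causes."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def hardened_lookup(conn, name_param: str, magic_quotes_on: bool):
    """Parameterised query on normalised input: the driver binds the
    value, it is never parsed as SQL, so magic_quotes on or off makes
    no difference to safety or correctness."""
    name = undo_magic_quotes(name_param, magic_quotes_on)
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(raw: str, magic_quotes_on: bool) -> dict:
    """Run both code paths against the same request value."""
    conn = build_db()
    value = php_runtime_input(raw, magic_quotes_on)
    return {
        "legacy": legacy_lookup(conn, value),
        "hardened": hardened_lookup(conn, value, magic_quotes_on),
    }


if __name__ == "__main__":
    payload = "' OR '1'='1"
    for state in (True, False):
        label = "on " if state else "off"
        print("magic_quotes_gpc", label, "payload  ->", compare(payload, state))
        print("magic_quotes_gpc", label, "o'brien  ->", compare("o'brien", state))
```

With escaping on, the legacy lookup returns nothing for the injection payload; with it off, the same query returns every row, and a legitimate name containing an apostrophe now produces a SQL error instead of a match. The hardened lookup gives the same answer in both states, which is the property to aim for: the correctness of the script should not depend on an interpreter setting that an upgrade can flip.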
2.8 National Internet Censorship Plans Attract Criticism
Plans to introduce a national ISP-level Internet censorship and
filtering system in Australia have attracted vocal criticism, with an
almost unanimous slamming of the proposed plan by users and industry
experts alike. With the Federal Communications Minister introducing a
consultation blog to attract public comments on the proposed filtering
(and other national level communications issues) it is likely that the
comments will be swamped with open criticism.
Despite the level of criticism and public demonstration planned to
highlight the problem, it seems that the Federal government is
resolutely proceeding with the plan.
While the tested systems have all fallen short of effectively
filtering the content they were meant to, and with serious network
speed problems encountered whenever the filters were activated, there
is still a broader test that is scheduled to take place on a closed
network. Use of a closed network raises concerns that the results are
going to be stage managed to a greater extent than they would be in a
live test - where users will be able to experience first hand exactly
how the systems are supposed to work (or not).
In the UK, a voluntary filtering system that is in use by almost all
ISPs has demonstrated the risks associated with arbitrarily blocking
sites. The Internet Watch Foundation (IWF) listed Wikipedia as a
blocked site due to the appearance of an image from an album cover
from the 1970s that they deemed to be child pornography. Because the
filtering routed all traffic from affected ISP customers to Wikipedia
through a handful of proxy addresses, Wikipedia took steps to limit
the risk of vandalism and so restricted the ability of visitors from
those IP addresses to edit. A matching announcement on Wikipedia
describing what had taken place did more to raise awareness and
complaints than the actual blocking did.
As with most attempts to block online content, there were multiple
means available to access the blocked content, which was readily
available on other sites (like Amazon), as well as different methods
for accessing the blocked content on Wikipedia itself. The actual
blocking appeared to many as a simple network error, but it wasn't
long before the real reason for the strange errors to become apparent.
The minor inconvenience of not being able to easily view the Scorpions
album cover has led to awareness that there is active filtering taking
place in an environment where many users had previously not considered
any filtering to be taking place. There are bound to be questions
asked in the future about just how much other content is being
surreptitiously filtered out for UK Internet users.
As some observers have pointed out, the censorship is very
inconsistently applied. If the Scorpions album was identified as
potentially being child pornography, then Nirvana's Nevermind, Blind
Faith's Blind Faith, Led Zeppelin's Houses of the Holy, and many other
albums should also be actively blocked or otherwise restricted.
This gives the impression that, even years after the first series of
internet filters appeared, that what makes it onto and off the filter
lists is being driven by a minority of outraged special interests that
aren't necessarily able to recognise that some of what they find
annoying is seen as acceptable by the silent majority.
While the IWF has since reversed their decision to block the image,
which in a case of the Streisand effect saw the image promoted far
more following the blocking than it was beforehand, they have not
acknowledged that their censorship approach may be fundamentally
flawed (something that a growing number of users believe), only that
it didn't work in this public instance.
The Great Firewall of China might have entered the vernacular of
Information Security specialists, but the idea of a Great Firewall of
Australia or the UK is not sitting comfortably with many, including
many of the strongest supporters of the censorship plans.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.