[Sunnet Alert] Advisory #253 - Microsoft (Multiple), OS X (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Sun Feb 17 19:18:30 EST 2008
Sûnnet Beskerming Alert List Advisory #253
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Sometimes Things just Break
2.2 A thin line Between Challenge and Exploitation
2.3 What's Your Website Hiding?
2.4 Overreacting to Security Theatre is Harmful
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows 2000, XP, 2003, Vista
-- Technical Description --
MS08-003 - Active Directory. Denial of Service. Replaces MS07-039.
Important
MS08-004 - Windows TCP/IP. Denial of Service. Replaces MS08-001.
Important
MS08-005 - IIS. Privilege Elevation. Important
MS08-006 - IIS. Remote code execution. Replaces MS06-034. Important
MS08-007 - WebDAV. Remote code execution. Critical
MS08-008 - Microsoft OLE. Remote code execution. Replaces MS07-043.
Critical
MS08-009 - Microsoft Word. Remote code execution. Replaces MS07-060
and MS07-024. Critical
MS08-010 - Internet Explorer. Remote code execution. Replaces
MS07-069. Critical
MS08-011 - Microsoft Works. Remote code execution. Important
MS08-012 - Microsoft Office. Remote code execution. Critical
MS08-013 - Microsoft Office. Remote code execution. Critical
-- Description --
Microsoft delivered eleven patches as part of the February Security
Update release earlier this week. Six patches have been rated as
Critical, with the remainder as Important. At this time, it is
believed that only the Internet Explorer cumulative patch has had
exploit code available ahead of patching.
-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-005.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-008.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-013.mspx
-- External Tracking Data --
Upgrade to view
-- Threat Matrix --
              U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
1.2 OS X (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
OS X 10.4.x
OS X 10.5.x
-- Technical Description --
Directory Services - Stack buffer overflow leading to local
arbitrary code execution - originally disclosed in January 2007.
Foundation - Arbitrary code execution or application denial of
service due to accessing malformed URLs. (10.5 only)
Launch Services - Applications removed from a system may still be
launched via the Time Machine backup version.
Mail - Accessing a file:// URL from within a message may lead to
arbitrary code execution. (10.4 only)
NFS - Arbitrary code execution opportunity if the system is being
used as either an NFS client or server due to poor handling of mbuf
chains.
Open Directory - NTLM authentication attempts may continuously fail,
even with accurate parameters. This is due to a race condition in the
service.
Parental Controls - Information disclosure when requesting to
unblock a website, as the machine will inadvertently contact
apple.com as part of the unblocking process.
Samba - Stack buffer overflow leading to arbitrary code execution.
Terminal - Arbitrary code execution when viewing malicious URLs in
Terminal.
X11 - Multiple vulnerabilities, leading to arbitrary code execution
in the worst case.
-- Description --
Apple Computer have released Security Update 2008-001 and OS X
10.5.2, addressing a number of serious security problems. OS X 10.4
is also vulnerable to the above issues - the update is presented as
Security Update 2008-001 for those users.
-- Recommended Action --
It is recommended that users apply the update, via the Software
Update option in the Apple Menu, or via the Apple Download link,
below. If installing via the Software Update option, it will only
download the applicable Update (Intel / PPC / 10.5 / 10.4).
-- Source --
http://docs.info.apple.com/article.html?artnum=61798
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
Upgrade to view
-- Threat Matrix --
              U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Sometimes Things just Break
For the last several days it has been almost impossible to get away
from the news of numerous undersea telecommunications cables serving
the Middle East and sub-continent regions having been cut in a
relatively short period of time.
Rather than being passed off as a coincidence that four cables (two
in the Mediterranean and two in the Persian Gulf) had been cut by one
means or another over several days, much of the analysis and opinion
put forward was that some form of secretive government conspiracy was
taking place and that the cable cuts were a diversion. Naturally, the
secretive government activity belongs to the United States, which is
trying to tap sensitive communications passing through the Middle
East.
This particular flight of fancy fails to take into account the ease
with which communications can be tapped at the point that they enter
or leave the undersea cable (thank you CALEA), and the problem that
fixing a physical severance of an undersea line generally means that
the line segments need to be raised and physically rejoined, which
means that a physical tap on the line will be readily noticed (as
well as detectable using line quality monitoring tools).
At least the cables should be repaired and functional within a week
or so. Although it is nice to think of the Internet as being a
fault-tolerant mesh-like network, capable of readily redirecting
around damage to one or more nodes, in reality there are a limited
number of key trunk lines that are responsible for making sure whole
segments of the Internet can talk to each other. When some of these
lines break, as with these undersea cables, it forces their network
load onto communication channels without sufficient bandwidth. This
network overload can also cause some connections to fail, which is
being suggested as the reason for at least some of the failures. At
no stage is communication completely cut; it just shrinks in
available bandwidth to the point that it is effectively cut for most
users. Information originating from The Economist, and commented on
here, indicates that there are only three cables providing most of
the network interaction for the whole region affected, and they all
pass very close to each other at various geographic choke points.
The readiness of many Information Security "Professionals", as well
as many other armchair quarterbacks, to jump to the conclusion that
the breaks were a malicious attack is a poor reflection on the public
perception of Information Security Professionals. Of course, if they
said it was all a part of normal operations, then there would be no
need for undersea cable breaks to be splashed all over the news.
Internet users from within the affected region and conspiracy
theorists were more than happy to point to the planned Iranian Oil
Bourse as the reason for the cuts, but despite some claiming single
data points as authoritative, Iran never actually lost its internet
connectivity.
Claiming the cut cables are the result of malicious activity is as
valid as saying that the bungled antivirus definition file updates
from Symantec (and other vendors) that render end user systems
unbootable are a malicious act.
Security Theatre and overreaction are topics that have been covered
before, but this is a case where a lack of knowledge was allowed to
develop into ignorance of facts, and the public reporting is actually
more damaging than not reporting on the breaks at all. It is
symptomatic of the generally poor state of reporting on technical
matters, and it allows for the rapid deterioration of facts into
conspiracy fodder.
Observing how information gleaned from a few sources (reports of
cable cut, non-response of a specific Iranian network device, and
excited bloggers, reporters and Internet users within the affected
countries) is allowed to spread and evolve is like watching the
world's biggest game of Chinese Whispers. In this case, poor
information was able to dominate over good information. With
Information Security, it is this challenge that is faced every day -
how to adequately extract accurate information and original sources
from a flood of data that may be tertiary reporting and more harmful
than beneficial. Some people have solved this problem better than
others.
2.2 A thin line Between Challenge and Exploitation
Yet another 'challenge' of the form of 'break into our website for
free, tell us exactly how you did it, and we might pay you a token
amount' has been found on the web, only this time there were quite a
number of serious holes found rather early in the process. Even
though the main challenge still stands, there are sufficient concerns
about the basic technological design to suggest that some of the
currently-found problems will not ever be completely fixed.
The team behind Flickr-competitor SmugMug have issued a challenge to
the wider web to break into their site and retrieve a specific image,
along with the album it came from, and who uploaded it.
The first few people to take a serious look at the challenge soon
discovered a couple of glaring problems:
* Firstly, the photo IDs are sequential, making it a relatively
simple proposition to retrieve every image that has been uploaded and
not protected correctly.
* Secondly, the system redirected direct requests for a protected
image to the correct album and uploader, which allowed the early
testers to grab a thumbnail version of the image (but not the actual
image).
SmugMug's CEO, the person behind the challenge, has already taken
steps to address the first couple of problems identified, though he
does admit that the first problem came about because they did not
understand GUIDs when they initially created the site. Retrofitting
the site to use GUIDs instead of sequential IDs will break links that
users have already passed on to others, unless the site silently
converts the sequential ID into an appropriate GUID - though this has
the net effect of no overall change. With this sort of design
decision being applied, what other critical weaknesses have been
designed into the system?
How does the site security actually work? That seems to be a closely
held secret by SmugMug's site owners, but there are enough clues that
a couple of simple requests can turn up. The image that SmugMug's
owners want you to try and recover is
http://www.smugmug.com/photos/248415594-O.jpg. Direct requests for
this image will return an empty
page, which suggests that something is being done on the server side
to determine access rights for an image. Despite the claims of the
CEO that steps have been taken to rectify the sequential image
problem, it is still possible to access images and albums through
sequential guesstimation, through URLs of the following form:
http://www.smugmug.com/gallery/album_id
http://www.smugmug.com/photos/photo_id.jpg
for albums and images respectively. What the site seems to prefer,
though, is the following form for accessing content:
http://user_name.smugmug.com/gallery/album_id#photo_id
This will load the SmugMug image and album viewer scripts, though
there is still the occasional URL where it is
gallery/album_id/1/photo_id
Once the site visitor accesses an image through the SmugMug site, it
applies a right-click prevention script that is meant to stop the
theft of images from users who don't want them taken. The easiest
method to bypass this step is to note the #photo_id URI component and
then plug that photo_id directly into one of the above URLs for
directly accessing content. A minor complication to this is the
suffix that is added to images that have been directly requested, but
that is simply decoded as follows:
photo-O.jpg - Original size
photo-M.jpg - Medium
photo-L.jpg - Large
photo-S.jpg - Small
A similar looking code is applied to images viewed through the main
site, but in this case the -LB addition indicates that the image is
being viewed through the site's LightBox feature.
Going back to the image that forms the core of the test, it is
discovered that images 248415594, 248415595, and 248415596 cannot be
directly requested, though there are others before and after them
that can. This suggests that they belong to the same album, and have
been protected through the use of the password function in the user's
account.
Disturbingly, it is only through the use of the password that a user
can protect images from viewing. Any other choice of setting will
still allow direct request of both images and albums. It is also
apparent from random test selections that there is a loose
correlation between album ID and image ID. Basically, the newer an
album, the newer the images are that are in it. Using this approach,
it is possible to establish a bracket of likely album IDs that have
an image of interest, even if they are password protected and the
image cannot be directly accessed.
It is here that another unexpected weakness arises. Despite all the
steps taken to protect the album name and user name, the page title
helpfully announces both of these details when a request is made for
a protected album.
Through simple testing, it is apparent that SmugMug sniffs for
authentication, even on direct requests for an image file (i.e. .../
blah.jpg), and it is the presence of an authentication token that
determines whether a file that is protected should be displayed. This
authentication token only really takes effect for images that are
otherwise password protected. Through the main site, this
authentication is backed up by the cookie that the site has set, but
when direct image requests fail it points to some server-side IP-
based filtering and authentication management taking place. This
could be leveraged if a number of users are accessing the site via a
single gateway, as an unauthenticated user could make successful
direct requests for images belonging to authenticated users behind
that gateway that otherwise would be password protected, though the
use of a different User-Agent seems to be enough to fail.
Leveraging already-existent XSS vulnerabilities could allow a
motivated attacker to create an attack that would extract all of the
password protected images belonging to a user (once a user has logged
in, direct requests for protected images are possible). The heavy
reliance on JavaScript for site functionality makes it impossible to
avoid through the disabling of JavaScript / Active Scripting.
To make matters worse, it is possible to spoof image origination,
which could be used by someone with a malicious anonymised account to
blackmail or harass legitimate account holders. By manipulating the
URL, it is possible to load any non-password protected image in any
non-password protected album. Passing a URL of the following form to
a victim will make it appear that they have a malicious image (what
sort of content that is is left to the reader) in their legitimate
album:
http://victim.smugmug.com/gallery/legit_album_id#malicious_photo_id
If this URL is passed to others, it would appear that the malicious
image has been placed there by the victim, while there is no way to
determine who placed the malicious image on the site in the first
place (though SmugMug should be able to work that one out). If such a
URL referenced an image of illegal content, the implications for
the victim are significant, especially if it is passed to law
enforcement agencies or those with limited technical knowledge.
All this for $1000 USD, now $599.99 USD (thanks to taxes)?
Competitions might be fun, but this sort of weak reward borders on
exploitation, though it is voluntary exploitation. Considering the
above was found after a little bit of idle poking around, the
motivated individual is probably going to find a number of
vulnerabilities that promise greater reward.
If or when the SmugMug site owners read this, there are two options:
* Ignore the valuable advice you have received up to this point,
and gain security from the voluntary exploitation of the honourable
(the dishonourable will not have made it public).
* Make it right. Pay someone to sit down and conduct a thorough
review of your security, from both the design and implementation
perspectives, and retain them to provide ongoing services to protect
your site and its users.
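As an added illustration (not SmugMug's code, and not part of the original advisory), the following Python sketch assumes a hypothetical in-memory album store and shows the server-side checks that close the weaknesses described above: authorisation on every direct image request regardless of privacy setting, a legacy sequential-ID lookup that grants nothing on its own, random identifiers for new uploads, a refusal to render a photo under an album that does not own it, and a denied page that does not leak the owner or album name in its title.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Suffix codes the article decodes for directly requested images.
SIZE_CODES = {"O": "original", "L": "large", "M": "medium", "S": "small"}
PHOTO_PATH = re.compile(r"^([A-Za-z0-9_\-]+)-([OLMS])\.jpg$")


def parse_photo_path(name: str) -> Optional[tuple[str, str]]:
    """Split 'photo_id-O.jpg' into (photo_id, size name); None if malformed."""
    m = PHOTO_PATH.match(name)
    if not m:
        return None
    return m.group(1), SIZE_CODES[m.group(2)]


def new_photo_id() -> str:
    """Unguessable id for new uploads: 128 random bits, so no enumeration."""
    return secrets.token_urlsafe(16)


@dataclass
class Album:
    album_id: str
    owner: str
    name: str
    visibility: str                 # "public", "private" or "password"
    password: Optional[str] = None
    photo_ids: set = field(default_factory=set)


@dataclass
class Request:
    # Identity comes from the session cookie only, never from the client IP,
    # so users sharing one gateway cannot inherit each other's access.
    session_user: Optional[str] = None
    album_password: Optional[str] = None


# Constructed sample data (hypothetical ids, not real SmugMug content).
ALBUMS = {
    "alb-public": Album("alb-public", "alice", "Holiday", "public",
                        photo_ids={"p-pub-1"}),
    "alb-private": Album("alb-private", "alice", "Family", "private",
                         photo_ids={"p-priv-1"}),
    "alb-locked": Album("alb-locked", "bob", "Clients", "password",
                        password="hunter2", photo_ids={"p-lock-1"}),
}
PHOTO_ALBUM = {pid: a.album_id for a in ALBUMS.values() for pid in a.photo_ids}
# Legacy sequential ids still present in links users passed on, mapped to
# the new random ids; the mapping alone grants nothing (see serve_photo).
LEGACY_IDS = {"1001": "p-pub-1", "1002": "p-priv-1", "1003": "p-lock-1"}


def can_view(album: Album, req: Request) -> bool:
    """Every setting other than 'public' denies an anonymous direct request."""
    if req.session_user == album.owner:
        return True
    if album.visibility == "public":
        return True
    if album.visibility == "password" and album.password and req.album_password:
        return secrets.compare_digest(album.password, req.album_password)
    return False


def serve_photo(path: str, req: Request) -> int:
    """Direct request such as /photos/1002-O.jpg; returns the HTTP status."""
    parsed = parse_photo_path(path)
    if parsed is None:
        return 400
    photo_id = LEGACY_IDS.get(parsed[0], parsed[0])   # old links keep working
    album_id = PHOTO_ALBUM.get(photo_id)
    if album_id is None or not can_view(ALBUMS[album_id], req):
        return 404   # same answer for missing and denied: no existence oracle
    return 200


def render_gallery(album_id: str, photo_id: str, req: Request) -> tuple[int, str]:
    """Viewer page for /gallery/album_id#photo_id; returns (status, <title>).
    A photo the album does not own is refused, and a denied page names nobody."""
    album = ALBUMS.get(album_id)
    if album is None or not can_view(album, req):
        return 404, "<title>Not found</title>"
    if photo_id not in album.photo_ids:
        return 404, "<title>Not found</title>"
    return 200, f"<title>{album.owner} / {album.name}</title>"
```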
2.3 What's Your Website Hiding?
As more companies are finding their way onto the Internet there has
been an increase in the number of websites that have been compromised
for theft of sensitive data and those that have been compromised for
the purpose of spreading malicious software to unwary visitors.
Groups such as Zone-h have been tracking and identifying websites
that have been defaced, but many of those that are being used in
phishing runs and malware attacks are not so openly defaced. That is
where other interest groups like PhishTank step in, identifying and
tracking sites that are being used to host phishing pages that are
actively being spammed or otherwise distributed. There are a number
of other sources that also maintain lists of sites that are
vulnerable to different attack vectors, such as XSS.
Some companies look to verification firms like Verisign and ScanAlert
to routinely validate that their sites are not hosting malware or
are not vulnerable to known problems. Based on the number of
sites identified as being vulnerable to well known, but somewhat
difficult to completely mitigate against, attack vectors that also
display that they have been successfully scanned by one of these
companies, their effectiveness could be questionable.
The big problem with all of the above methods is that they are after
the fact: they can only identify that a site is being actively used
for phishing, or that it is protected against known problems.
Automated scanning systems also have the problem of not being able to
reliably detect all of the weaknesses (such as all of the XSS
weaknesses) even if the mechanism of attack is well understood. What
they can't protect against or identify is compromises that are low
profile and those using advanced techniques to gain access.
As being reported by The Register, security firm Sophos is claiming
that 6,000 new websites are being compromised on a daily basis for
the purpose of spreading malware to unsuspecting victims (more than 2
million new site compromises each year). They go on to claim that 80%
of those affected have no idea that their site has been compromised,
a figure which is probably on the low side. The figure of 2 million
new site compromises per year seems to be quite significant, but
could be explained by virtual hosting servers with many sites on the
one physical server being compromised, leading to the same vector
affecting multiple sites (in some cases thousands of sites).
Complementary reporting which has emerged over the last week or so
points to a number of embassies that have had their sites compromised
to deliver malware, at least according to eSafe as reported by The
Register. Further vulnerability and proof-of-concept disclosures from
researchers who have been responsible for the recent UPnP disclosures
(now being used in attacks) point to a problematic future for home
users with small local networks, particularly through blended attacks.
There are an increasing number of voices that are pointing out the
elephant-sized holes in the protective services that some companies
are providing. What this has resulted in is a split forming between
these dissenting voices and some of the largest companies in the
Information Security industry, which are, conveniently, many of those
offering the protective services. When representatives of companies
like Symantec are on record as saying that while XSS vulnerabilities
are a serious risk, they have not really been used in actual attacks,
then the efficacy of their service needs to be questioned. Others
claim that XSS vulnerabilities can not be used to hack a server,
which seems to contradict the findings of Sophos presented earlier,
and also the claims of their own products.
Of course, many of those dissenting voices have a vested interest,
offering their own competing black-box services (while ScanAlert is
Nessus 2, an open source application that anyone can run
themselves). Even with that bias, it doesn't discount the value of
their arguments.
Note : Sûnnet Beskerming has a vested interest in the above
commentary, as we offer a range of blended protective services,
mixing the best of automated and manual testing and evaluation systems.
2.4 Overreacting to Security Theatre is Harmful
Security Theatre is a term that has been gaining acceptance as part
of the Information Security lexicon for some time and it has also
found acceptance in other security fields, being used to describe
actions or proposals that deliver more show than substance with
respect to a real or imagined threat.
In simple terms, it can be argued that Security Theatre is nothing
more than an overreaction to a real or perceived threat by those who
do not fully understand the risks that they are trying to mitigate.
There is little argument that Security Theatre is harmful to those
who are paying for it, as well as those who are notionally being
given greater protection as a result. With most of these projects
originating from various government agencies, it is the taxpayers
who fall into both categories and also those who can have the
greatest difficulty determining whether a measure is appropriate or not.
Just as harmful is the immediate labelling of security initiatives as
Security Theatre, which is a risk when those doing the labelling do
not fully understand the risks that the initiative attempts to
mitigate. Into this category, unfortunately, fall mainly Information
Security experts who have been encouraged to step beyond the limits
of their immediate practical knowledge and experience and assess
something of which they have little understanding.
One of the main proponents of this new term is the noted Information
Security specialist Bruce Schneier, who has been using his blog to
draw attention to egregious examples of Security Theatre. From time
to time, Bruce falls into the trap of being too dismissive of a
technology or effort, labelling it as Security Theatre when there may
actually be a viable reason for the implementation.
Comments on a blog should never be relied upon as authoritative, but
because Bruce writes with such authority and there is a distinct
trend of an emerging groupthink, it encourages readers to accept what
is presented without questioning the validity of what is being put
forward. Even Bruce argues that "Security is fundamentally a fear
sell, and so it doesn't sell very well."
In a recent case, the decision to fit commercial passenger aircraft
with anti-missile systems (three American Airlines jets on
unidentified routes) has been dismissed as "security theater[sic]
against a movie-plot threat". In amongst the significant number of
comments backing the argument of Security Theatre were a couple of
dissenting voices that pointed out it isn't a completely inane
suggestion, with more than 20 recorded airline crashes since 1975
that can be attributed to surface-to-air attacks.
There have been a number of recent attacks against airliners,
including an attack against El Al in Kenya (where the aircraft was
reported to have been fitted with anti-missile defences and the
missile missed), and an attack against a DHL freight aircraft in Iraq
(where the crew were able to land the aircraft despite significant
damage to the port wing). One of the most famous examples of a
civilian airliner being destroyed by a surface missile is the Iranian
airliner shot down by a US warship over the Persian Gulf a number of
years ago.
It isn't the first time that it has been suggested that civilian
airliners should be fitted with defensive systems like this, but the
main argument within the aviation world has been about the relative
costs and benefits of these systems, as well as the level of threat
faced by the airliners. It has long been rumoured that the Israeli
national airline, El Al, has fitted at least some of their aircraft
with defences, but it has never been officially confirmed. With a
fluid geopolitical environment some could argue that the threat to
civilian airliners around the world has increased, thus justifying
the expenditure and effort to fit the anti-missile systems. Perceived
American aggression in a number of countries and regions can also be
seen as a contributing factor to a perceived increased threat against
American airliners.
To the uninformed, it does appear that fitting aircraft with defences
is an inane suggestion, especially if the commentator is living in a
stable country or region that has not traditionally seen attacks
against civilian targets. In other words, the perceived risk is very
low and fitting aircraft with defences is a waste of resources. To
the informed, it still appears somewhat inane, but there are defined
cases where it would be prudent to ensure a civilian airliner is
protected against external attack while it is in flight. Flight
operations to regions that are politically unstable or where there is
lax law enforcement are cases where defence mechanisms may be
justified. It is somewhat ironic that US airlines are considering
fitting their aircraft with defences against US-built and sold missiles.
Using lasers against missiles could be considered inappropriate use
of technology as, on the surface, it seems impossible for a laser
defence system to disable missiles that are radar-guided, semi-
active, or even modern IR-guided weapons. One of the main theorised
approaches is to use the laser to provide localised heating of the
weapon such that it disables the guidance circuits or even
prematurely detonates the weapon. Using the laser also allows for
continuous tracking of trajectories and probable launch sites which
can be useful to determine whether to take evasive action (not needed
it is going to miss), and to aid in any law enforcement investigation
(providing an actual launch location). Other suggested modes of
operation include blinding IR seekers with blooms of light / heat.
Laser anti-missile defensive systems are still in their infancy
compared to the more traditional flares, chaff, and ECM.
There is also a quite well defined threat, with the basic launch
platform being the MANPAD (MAN Portable Air Defence), which includes
the SA-7, SA-14 and Stinger type of shoulder launched missiles,
though the RPG is also a viable unguided ground-air weapon. There are
many thousands of this class of weapon that have gone 'missing'
from official inventories around the world, and many more that have
been sold off the books to different organisations. For a weapon that
can be broken down into approximately 1-2 suitcases for transit, it
is something that can be shipped quickly and easily concealed -
almost the perfect weapon of terror.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.