From alertmailinglist at skiifwrald.com Mon Nov 17 21:35:45 2008
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Mon, 17 Nov 2008 21:05:45 +0930
Subject: [Sunnet Alert] Advisory #261 - Microsoft (Multiple), Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #261

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 6 days
=======================================
/* - Remote or Local - Can it be achieved through a network or does it require physical access?
   - Hacker - The bad guy
   - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
   - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data? */
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 When Joke Emails Turn Real
2.2 Microsoft Issues Security Report for Jan-Jun 2008
2.3 Old Malware Tricks Still Work
2.4 Google Provides Details on how it Determines Unsafe Sites
2.5 20th Anniversary for Poorly Written Network Worms
2.6 This [FILTERED] is [FILTERED][FILTERED]
2.7 Critical Out-of-Cycle Patch from Microsoft (MS08-067)
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office

-- Technical Description --
MS08-068 - Windows NTLM. Remote code execution. Important
MS08-069 - XML Core Services. Remote code execution. Critical

-- Description --
Last week Microsoft released two patches as part of the November Security Patch Release. Although both patches address remote code execution vulnerabilities, one is rated Important and the other Critical. Due to the Critical out-of-sequence patch released in late October (MS08-067), this month's first patch is MS08-069. Both patches released this month replace prior monthly patches from Microsoft. Exploit code and vulnerability data have been readily available for both patches and it is imperative that users and administrators apply the patches as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-4037 (MS08-068)
CVE-ID: CVE-2007-0099 (MS08-069)
CVE-ID: CVE-2008-4029 (MS08-069)
CVE-ID: CVE-2008-4033 (MS08-069)

-- Threat Matrix --
             U   O
Home User   10  10 (Highly Critical)
Corporate   10  10 (Highly Critical)
=======================================
/* Threat Matrix:
   U - User
   O - Operator
   Harmless - 0 ----- 10 - Highly Critical */
=======================================

2. NEWS

2.1 When Joke Emails Turn Real

In the cyclical world of chain emails, one of the earliest staples was an email claiming that Microsoft were able to track emails being sent and that Bill Gates would pay you for each and every person you forwarded the particular message to. In May of this year, Microsoft launched their Live Search Cashback program, designed to reward Internet users who used Microsoft Live to find and purchase goods online, but it didn't really garner much attention from anybody. The idea sounds almost exactly like the chain email of yesteryear - use a Microsoft product and they'll send you money (or at least give you a discount when you spend your money). Where the chain email was readily identifiable and somewhat of a nuisance, the Live Search Cashback program doesn't seem to have the mindshare that Microsoft would have hoped for. Recent maneuvers from the software giant suggest that it is either pre-positioning for an aggressive online Christmas shopping season assault (Black Friday is only a fortnight away), or struggling to find people who are willing to use the service, even when paid. With the lack of widespread awareness of the service, both opinions could be considered valid.
By increasing the number of conditions applied to any rebate, Microsoft severely limits the usefulness of the service to the majority of the Internet-using world. The 25% rebate for eBay purchases is limited to $200, paid through PayPal, and only available in the United States (there are some jurisdictions internationally where the eBay / PayPal enforcement is not looked upon kindly). Why Microsoft see it as necessary to pay people to use their search engine is not known. While the other major competitors (Google and Yahoo!) don't seem to have directly competing paid-to-use services, there are a number of fly-by-night companies that keep appearing (and mostly rapidly disappearing) who offer to pay users to search online in an effort to improve the SEO results for their clients. Perhaps the best commentary on the whole idea is a single word: Why? Surely there are better ways to attract online customers. If Microsoft's own financial reporting is anything to go by, then their Online Services division (which includes Live) is an ever-growing black hole, losing $480 million USD in the first quarter of 2008-2009, for a division that lost $1.23 billion USD in the entire previous financial year (07-08), double what it lost in 06-07 ($617 million USD).

2.2 Microsoft Issues Security Report for Jan-Jun 2008

Microsoft's Malware Protection Centre has released Volume 5 of their Security Intelligence Report (SIR), covering January to June 2008. While it may not have the independence of reports from OWASP, ISC, US-CERT, or a number of other bodies, coming from the largest operating system and software vendor it is a very interesting point of view on the state of computer security, as observed by Microsoft.
While the report doesn't cover threats and malware targeting non-Windows operating systems, it provides a very detailed look at the ecosystem of malware and threats that infects Microsoft systems across the globe, including a detailed breakdown of per-country infection rates and types. This per-country reporting throws up some interesting statistics about the prevalence of different malware types in different countries. For countries like Brazil and South Korea, the relative distribution of malware types speaks volumes about how these countries have seen their local IT infrastructure and composition evolve.

One of the positive highlights from the report is the improvement (decrease) in the number of vulnerabilities reported, although this comes alongside an increase in the overall number of serious vulnerabilities being reported. Perhaps Volume 6 of the report will show some different results, with October's large number of security patches, Kaminsky's DNS flaw, the unreleased TCP/IP vulnerability, and the Critical out of cycle patch for the RPC Service potentially skewing the next set of results.

One statistic to keep an eye on in future reports is the relative global distribution and percentage of systems requiring cleaning every time the Microsoft security tools are run. As identified in Volume 5, there appears to be a clustering of systems requiring disinfection following tool use in countries that are otherwise considered to be "developing". Given the borderless nature of the Internet, this suggests alternative infection mechanisms for systems in those countries (such as sneakernet). It is also an interesting observation that countries traditionally seen as copyright infringement hotspots are not reporting as high a risk as others. Perhaps systems using infringing copies of Microsoft software in those countries have been configured not to report back to Microsoft, or just aren't running Microsoft's security tools in the first place.
Given the depth of excellent data provided in the SIR, it is important to at least be aware of a possible self-selection bias in the reporting of problems detected and removed. It appears that most of the raw data used to compile the report came from Microsoft security tools that had been installed and operated on end user systems, as well as from selected online service providers. This means that systems and sites that use alternate security suites that detected and removed problems before the Microsoft tools will not have their data appearing in the report. Likewise, systems where the "Call Home" feature is disabled or blocked will not see their results appear, either. It does look like Microsoft made an attempt to source data from outside of their own networks and tools, using the datalossdb.org (and attrition.org) site to build statistics about the relative percentages of security breach incidents - data that Microsoft's own tools would not have been able to gather. It should be cautioned that, although it is probably the best online archive of data loss incidents, the information presented through datalossdb.org / attrition.org only identifies openly reported data loss cases. It isn't able to capture incidents that don't receive media coverage, or which aren't reported directly to the site.

Despite lacking information on non-Microsoft operating systems and the Internet as a whole, the SIR justifiably takes its place alongside those from OWASP and ISC as one of the key security reports that should be read and appreciated by the modern Information Security employee.

2.3 Old Malware Tricks Still Work

When Didier Stevens stumbled across a zero-byte padded piece of malware a year ago, he was somewhat surprised to see that many antivirus systems tested against it failed to identify the underlying malware, despite the targeted application (Internet Explorer) being quite happy to strip the 0x00 content and run the malware.
Didier has revisited his earlier work and happily found that successful detection of the original malware samples has increased markedly in the past twelve months (29/36 for unobfuscated samples). When he lengthened the 0x00 padding within the malware samples, however, the detection rates dropped off significantly. By merely doubling the length of the padding, the rate of detection dropped from 6 to 3 out of 36 command line scanners. It is still disturbing that adding 255 bytes of 0x00 is enough to see the detection rate drop from 29 to 6 scanners, especially given that the obfuscation technique has been well known for a number of years.

Even more interesting is the change in detection when the 0x00 bytes are added to the malware sample. For the engines that do detect the modified file, there is often a change in the description of the malware between the unobfuscated sample and the obscured one. In almost all cases it is a move from a specific definition (original sample) to a generic descriptor (0x00 padded), so it doesn't appear that scanning engine developers are claiming a new and unique variant for each 0x00 padded file (which is a good thing). While the generic detection of the modified files points to at least partially-functioning heuristics in some engines, the lack of detection from the clear majority of command line scanners being used at VirusTotal shows that there is still some way to go for antimalware companies as they drag their products away from purely signature-based detection to a more flexible model. As Didier points out in his post, it could be that the command line versions of the scanning engines lack some of the features of the GUI versions that could detect his malware samples.
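To make the detection gap concrete, here is an added example (not code from this advisory or from Didier Stevens' tests) contrasting a naive byte-signature scanner with two scanners that account for 0x00 padding: one that normalises the content the way the consuming application does (dropping NUL bytes before matching) and one that uses a NUL-tolerant signature pattern. The sample content and the signature string are constructed and harmless.

```python
import re

# Constructed, harmless stand-in for a script sample and the signature an
# engine might hold for it (neither is real malware nor a real signature).
ORIGINAL_SAMPLE = b"<script>var m='EXAMPLE-BAD-MARKER';run(m);</script>"
SIGNATURE = b"EXAMPLE-BAD-MARKER"


def pad_with_nulls(data, every=1, count=1):
    """Insert a run of `count` 0x00 bytes after every `every` bytes of data.

    Used only to build test inputs: a parser that skips NUL bytes sees the
    padded content exactly as it sees the original.
    """
    out = bytearray()
    for i, b in enumerate(data, 1):
        out.append(b)
        if i % every == 0:
            out.extend(b"\x00" * count)
    return bytes(out)


def naive_scan(data):
    """Plain substring match: this is what breaks once NULs are interleaved."""
    return SIGNATURE in data


def normalising_scan(data):
    """Normalise the buffer the way the target application does, then match."""
    return SIGNATURE in data.replace(b"\x00", b"")


def null_tolerant_pattern(signature):
    """Build a regex allowing any number of 0x00 bytes between signature bytes."""
    return re.compile(b"\x00*".join(re.escape(bytes([c])) for c in signature))


TOLERANT = null_tolerant_pattern(SIGNATURE)


def tolerant_scan(data):
    """Match without rewriting the buffer; useful where normalising is costly."""
    return TOLERANT.search(data) is not None


def detection_table():
    """Return {variant: (naive, normalising, tolerant)} for the padding
    levels discussed above: original, a short NUL run, a 255-byte NUL run."""
    variants = {
        "original": ORIGINAL_SAMPLE,
        "1 NUL per byte": pad_with_nulls(ORIGINAL_SAMPLE, every=1, count=1),
        "255 NULs per byte": pad_with_nulls(ORIGINAL_SAMPLE, every=1, count=255),
    }
    return {name: (naive_scan(d), normalising_scan(d), tolerant_scan(d))
            for name, d in variants.items()}


if __name__ == "__main__":
    for name, (naive, norm, tol) in detection_table().items():
        print(f"{name:18} naive={naive!s:5} normalising={norm!s:5} tolerant={tol}")
```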
It would be better if those features were actually in the command line versions, as that would provide a greater level of protection in a managed network environment, where it is more likely that network level scanning is being managed by a command line tool.

2.4 Google Provides Details on how it Determines Unsafe Sites

A recent post at the Google Online Security Blog provides some background on how Google generates the "This site may harm your computer" warnings that appear from time to time in Google searches. It all boils down to automated scanners detecting the presence of malicious content. The article identifies that at least some of the scanners have been created by Google staff, though it is possible that commercial and freely available tools are also in use to generate the results. Although the results are described as "accurate", there is no information about what level of false positives or false negatives slip through the net. There are enough problems with similar available toolsets to suggest that Google's own approach is not the panacea that it might appear to the uninitiated.

If you think that your site has been misidentified as having malicious content by the Google scanners, then they have provided a straightforward link to go to and check on exactly what it was that triggered the initial labelling. The basic site is http://www.google.com/safebrowsing/diagnostic, and it can be made site specific by adding ?site=site_name to the end of the link. For example, the result for Sûnnet Beskerming is this. Google's Webmaster Tools will also provide added information about what was scanned and found, though not the complete list of URLs that have been identified as problematic. Once whatever problem was discovered has been rectified, there are procedures available to request a review of your site from Google (Overview page in the Webmaster Tools part of the site). Since the review process is effectively the same as the original automated scan (i.e. it is another automated scan), the complete process to remove the unsafe indication should only take a few hours, a day at most. On the other hand, if you have found that your site has completely disappeared from the Google results, it may be due to it being a "spammy website", in which case a Request for reconsideration is the appropriate action to take.

2.5 20th Anniversary for Poorly Written Network Worms

20 years of poorly written, havoc-causing network worms will come to pass on November 2, which marks the 20th anniversary of the Morris Worm, considered the first major network attack on the Internet. Despite only reaching an estimated 6,000 systems, that still represented 10% of the available systems on the Internet at the time. There is some argument over the exact number of systems compromised and the overall percentage of Internet hosts affected, but the widespread impact of the worm is the most significant outcome. Not only was it one of the earliest examples of an automated denial of service attack (which came about because the routine to detect whether another copy of the worm was already present had a bug in it), but it also led to the creation of the CERT Coordination Center (CERT/CC), which preceded US-CERT by several years and is meant to be one of the key management centres for Internet related attacks and problems. Robert Morris, the worm's creator, was convicted under the Computer Fraud and Abuse Act and was eventually sentenced to probation (3 years), community service (400 hours) and a fine ($10,000). Morris has since joined the academic staff as an Associate Professor at MIT, the institution he used to launch the attack, despite being at Cornell when the worm was originally released. Whether or not the worm was designed for malicious use, or, as Morris has claimed, to map the Internet, the fact remains that it ended up acting as a malicious worm.
The use of vulnerabilities in sendmail, finger and rsh, weak passwords, and the attempt to hide the source of the attack (using a system at MIT rather than at Cornell where Morris was) would nowadays suggest motives that weren't completely pure. A problem with this line of thought is that it is extremely difficult to identify an outcome from the worm which could be considered beneficial for a malicious attacker.

The mid 80s were an interesting time for Information Security. The first viruses and trojan horses appeared in 1986, so there was a lot of advancement in malicious activity taking place in a very short period of time, and next year marks the 20th anniversary of ransomware - the particularly nasty type of malware that encrypts a victim's content and then demands payment for a decryption key that will restore the content to its original state.

2.6 This [FILTERED] is [FILTERED][FILTERED]

In the lead up to last year's national election in Australia there were a range of promises made by the incumbent government, under the name NetAlert, which was reported to cover a range of projects including Internet blocking software at the user end, tracking down online predators, and filtering of traffic on the network. It seems that the new government has now taken the proposals one step further, moving to enforce the legislation that they pushed through at the start of this year. At the time of the NetAlert announcements, the opposition (now the government) were seen to be tacitly approving of the initial presentation, and the Labor party had previously been ridiculed over their approaches to, and ideas of, online censorship. Although the Federal Government has promised to listen to "the best advice", it seems that they are only listening to the advice that validates and otherwise affirms their approach to online censorship.

There have been accusations that the sudden rapid movement that has taken place is a result of appeasement of minor parties, particularly Family First, whose senator is key to the government being able to pass their bills through parliament smoothly and who had slammed the prior government's $89 million filtering program as inadequate. There is also reporting that the government is pressuring for the silencing of dissenting voices. With increasing reporting on this proposal, the chorus of dissenting voices grows louder by the day. Somewhat unsurprisingly, the technology being tested has demonstrated significant slowdowns for available network speed. The more that they try to filter, the greater the slowdown for end users, which could be up to 86% with one unnamed system. There can be no other way to put it than to suggest that these efforts are being pushed through out of an ignorance of the structure and nature of the Internet, even when accurate information is readily available. It could be that those making the decisions can't differentiate between the arguments that the opposing sides are making (after all, both sides are talking about something the decision maker doesn't really understand) and so back the one that they feel is right (or best for their political ends).

2.7 Critical Out-of-Cycle Patch from Microsoft (MS08-067)

From first alert on Tuesday to patch release on Thursday, Microsoft has rushed an out-of-cycle patch out to Windows users, acting on a privately reported problem affecting the core Windows kernel. In some detail, the vulnerability is a problem with the way that Windows handles Remote Procedure Calls (RPC) and can result in a remote unauthenticated user (i.e. anyone on the Internet) being able to take complete control of your system. Microsoft acknowledges that the issue is being actively targeted by malicious code, though code samples have yet to appear publicly.
It has been reported that Gimmiv.A is a worm which is using this particular vulnerability to attack vulnerable systems, though Microsoft's initial guidance was that it was only being used in targeted attacks. Already different groups have claimed to have reverse engineered the patch, and there are fears that this vulnerability could lead to something like the Blaster worm from 2003, where a patch was available but attacks took down a significant number of systems anyway. In some of the open analysis that has taken place, there is enough information to point to the NetPathCanonicalize call as the weakness currently being exploited. The available information also shows a fairly straightforward buffer overflow.

Users who have enabled the built-in Windows firewall (the default on systems after XP SP2) will be protected by default against this issue, though it is still urgent to apply the patch. However, if print or file sharing is enabled the system is vulnerable again. This means that many systems that would otherwise be secure are not going to be. Windows Vista and 2008 systems are vulnerable if file / print sharing has been enabled for networks of type 'Public'. According to the Security Vulnerability Research & Defense team at Microsoft, ASLR and DEP should provide some added protection to Windows Vista and Windows 2008, though it is still considered possible that arbitrary code execution could take place. The UAC feature of Vista and 2008 will also limit anonymous attacks, however if "Password Protected Sharing" is disabled, anonymous attacks will be successful.
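Because the exposure described above comes down to SMB/RPC reachability (file and print sharing on TCP 139 and 445), here is an added example, not part of this advisory, that runs two checks over constructed perimeter firewall log lines: SMB connections allowed in from outside the site's own address ranges, and internal hosts fanning out to many SMB targets, the pattern a self-propagating worm of the kind mentioned would produce. The log format, the internal address range and the fan-out threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# Assumed site-internal ranges; any other source address is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed threshold: distinct SMB targets one internal host may touch before
# it looks like scanning rather than ordinary file-sharing use.
FANOUT_THRESHOLD = 5

# Constructed sample lines in an assumed format:
# "<timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2008-11-17T20:01:02 ALLOW 203.0.113.7:51234 -> 10.0.0.15:445
2008-11-17T20:01:03 ALLOW 10.0.0.22:49152 -> 10.0.0.15:445
2008-11-17T20:01:04 DENY 203.0.113.9:40000 -> 10.0.0.16:139
2008-11-17T20:01:05 ALLOW 10.0.0.40:50001 -> 10.0.0.11:445
2008-11-17T20:01:05 ALLOW 10.0.0.40:50002 -> 10.0.0.12:445
2008-11-17T20:01:06 ALLOW 10.0.0.40:50003 -> 10.0.0.13:445
2008-11-17T20:01:06 ALLOW 10.0.0.40:50004 -> 10.0.0.14:445
2008-11-17T20:01:07 ALLOW 10.0.0.40:50005 -> 10.0.0.15:445
2008-11-17T20:01:08 ALLOW 10.0.0.22:49153 -> 10.0.0.15:80
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on malformed input."""
    ts, action, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line layout: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port)}


def analyse(log_text, fanout_threshold=FANOUT_THRESHOLD):
    """Return allowed SMB connections from external sources, plus internal
    sources that reached at least `fanout_threshold` distinct SMB targets."""
    external_allowed = []
    targets_by_source = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dport"] not in SMB_PORTS or ev["action"] != "ALLOW":
            continue  # only permitted SMB/NetBIOS traffic matters here
        if is_internal(ev["src"]):
            targets_by_source[str(ev["src"])].add(str(ev["dst"]))
        else:
            external_allowed.append(f"{ev['src']} -> {ev['dst']}:{ev['dport']}")
    fanout = sorted(src for src, tgts in targets_by_source.items()
                    if len(tgts) >= fanout_threshold)
    return {"external_smb_allowed": external_allowed,
            "internal_fanout_sources": fanout}


if __name__ == "__main__":
    for key, hits in analyse(SAMPLE_LOG).items():
        print(key, hits)
```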
If TCP ports 139 and 445 are blocked at the network perimeter it will mitigate external attacks, however internal networked systems will remain vulnerable and some services might no longer work as expected, including:

- Applications that use SMB (CIFS)
- Applications that use mailslots or named pipes (RPC over SMB)
- Server (File and Print Sharing)
- Group Policy
- Net Logon
- Distributed File System (DFS)
- Terminal Server Licensing
- Print Spooler
- Computer Browser
- Remote Procedure Call Locator
- Fax Service
- Indexing Service
- Performance Logs and Alerts
- Systems Management Server
- License Logging Service

Despite Microsoft providing non-patch mitigation options, the criticality of this particular vulnerability, and the fact that it is being targeted in the wild, means that users and administrators should apply the patch as soon as possible. For Windows 2000, XP, and 2003, the vulnerability has been rated as Critical, with Windows Vista and 2008 attracting Important ratings. Microsoft have even acknowledged that the pre-beta versions of Windows 7 are also affected by this particular vulnerability. The ISC have raised their threat indicator to Yellow, as have Symantec. You can get MS08-067 direct from Microsoft, here.

=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.