[Sunnet Alert] Advisory #261 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Mon Nov 17 21:35:45 EST 2008
Sûnnet Beskerming Alert List Advisory #261
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 6 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 When Joke Emails Turn Real
2.2 Microsoft Issues Security Report for Jan-Jun 2008
2.3 Old Malware Tricks Still Work
2.4 Google Provides Details on how it Determines Unsafe Sites
2.5 20th Anniversary for Poorly Written Network Worms
2.6 This [FILTERED] is [FILTERED][FILTERED]
2.7 Critical Out-of-Cycle Patch from Microsoft (MS08-067)
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows
Office
-- Technical Description --
MS08-068 - Windows NTLM. Remote code execution. Important
MS08-069 - XML Core Services. Remote code execution. Critical
-- Description --
Last week Microsoft released two patches as part of the November
Security Patch Release. Although both patches were for remote code
execution possibilities, one was ranked Important, with the other
ranked as Critical. Due to the Critical out of sequence patch
released in late October (MS08-067), this month's first patch is
MS08-069. Both patches released this month replace prior monthly
patches from Microsoft. Exploit code and vulnerability data have been
readily available for both patches, so it is imperative that users and
administrators apply the patches as soon as possible.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
-- External Tracking Data --
CVE-ID: CVE-2008-4037 (MS08-068)
CVE-ID: CVE-2007-0099 (MS08-069)
CVE-ID: CVE-2008-4029 (MS08-069)
CVE-ID: CVE-2008-4033 (MS08-069)
-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 When Joke Emails Turn Real
In the cyclical world of chain emails, one of the earliest staples was
an email claiming that Microsoft was able to track emails being sent
and that Bill Gates would pay you for each and every person you
forwarded the particular message to.
In May of this year, Microsoft launched their Live Search Cashback
program, designed to reward Internet users who used Microsoft Live to
find and purchase goods online, but it didn't really garner much
attention from anybody.
The idea sounds almost exactly like the chain email of yesteryear -
use a Microsoft product and they'll send you money (or at least get
you a discount when you spend your money). Where the chain email was
readily identifiable and somewhat of a nuisance, the Live Search
Cashback program doesn't seem to have the mindshare that Microsoft
would have hoped. Recent maneuvers from the software giant suggest
that it is either pre-positioning for an aggressive online Christmas
shopping season assault (Black Friday is only a fortnight away), or
struggling to find people who are willing to use the service, even
when paid. With the lack of widespread awareness of the service, both
opinions could be considered valid.
The number of conditions applied to any rebate severely limits the
usefulness of the service to the majority of the Internet-using world.
The 25% rebate for eBay purchases is limited to
$200, paid through PayPal, and only available in the United States
(there are some jurisdictions internationally where the eBay / PayPal
enforcement is not looked upon kindly).
Why Microsoft sees it as being necessary to pay people to use their
search engine is not known. While the other major competitors (Google
and Yahoo!) don't seem to have directly competing paid-to-use
services, there are a number of fly-by-night companies that keep
appearing (and mostly rapidly disappearing) who offer to pay users to
search online in an effort to improve the SEO results for their clients.
Perhaps the best commentary on the whole idea is a single word:
Why?
Surely there are better ways to attract online customers. If
Microsoft's own financial reporting is anything to go by, then their
Online Services division (which includes Live) is an ever-growing
black hole, losing $480 million USD in the first quarter of 2008-2009,
for a division that lost $1.23 billion USD in the entire previous
financial year (07-08), double what it lost in 06-07 ($617 million USD).
2.2 Microsoft Issues Security Report for Jan-Jun 2008
Microsoft's Malware Protection Centre has released Volume 5 of their
Security Intelligence Report (SIR), covering January to June 2008.
While it may not have the independence of reporting from OWASP, ISC,
US-CERT, or a number of other bodies, coming from the largest
operating system and software vendor it is a very interesting point of
view on the state of computer security, as observed by Microsoft.
While the report doesn't cover threats and malware targeting non-Windows
operating systems, it provides a very detailed look at the
ecosystem of malware and threats that infects Microsoft systems across
the globe, including detailed breakdown of per-country infection rates
and types. This per-country reporting throws up some interesting
statistics about the prevalence of different malware types in
different countries. For countries like Brazil and South Korea, the
relative distribution of malware types speaks volumes about how these
countries have seen their local IT infrastructure and composition
evolve.
Some of the positive highlights from the report are the improvement
(decrease) in the number of vulnerabilities reported, while at the
same time seeing an increase in the overall number of serious
vulnerabilities being reported. Perhaps Volume 6 of the report will
show some different results, with October's large number of security
patches, Kaminsky's DNS flaw, the unreleased TCP/IP vulnerability, and
the Critical out of cycle patch for the RPC Service potentially
skewing the next set of results.
One statistic to keep an eye on in future reports is the relative
global distribution and percentage of systems requiring cleaning every
time the Microsoft security tools are run. As identified in Volume 5,
there appears to be a clustering of systems requiring disinfection
following tool use in countries that are otherwise considered to be
"developing". Given the borderless nature of the Internet, it suggests
alternative infection mechanisms for systems in those countries (such
as sneakernet).
It is also an interesting observation that countries traditionally
seen as copyright infringement hotspots are not reporting as high a
risk as others. Perhaps systems using infringing copies of
Microsoft software in those countries have been configured not to
report back to Microsoft or just aren't running Microsoft's security
tools in the first place.
Given the depth of excellent data provided in the SIR, it is important
to at least be aware of a possible self-selection bias in the
reporting of problems detected and removed. It appears that most of
the raw data used to compile the report came from Microsoft security
tools that had been installed and operated on end user systems, as
well as from selected online service providers. This means that
systems and sites that use alternate security suites that detected and
removed problems before the Microsoft tools will not have their data
appearing in the report. Likewise, systems where the "Call Home"
feature is disabled or blocked will not see their results appear,
either.
It does look like Microsoft made an attempt to source data from
outside of their own networks and tools, using the datalossdb.org (and
attrition.org) site to build statistics about the relative percentages
of security breach incidents - data that Microsoft's own tools would
not have been able to gather. It should be cautioned that, although it
is probably the best online archive of data loss incidents, the
information presented through datalossdb.org / attrition.org only
identifies openly reported data loss cases. It isn't able to capture
incidents that don't receive media coverage, or which aren't reported
directly to the site.
Despite lacking information on non-Microsoft operating systems and the
Internet as a whole, the SIR justifiably takes its place alongside
those from OWASP and ISC as being one of the key security reports that
should be read and appreciated by the modern Information Security
employee.
2.3 Old Malware Tricks Still Work
When Didier Stevens stumbled across a zero-byte padded piece of
malware a year ago he was somewhat surprised to see that many
antivirus systems tested against it failed to identify the underlying
malware despite the targeted application (Internet Explorer) being
quite happy to strip the 0x00 content and run the malware.
Didier has revisited his earlier work and happily found that
successful detection for the original malware samples has increased
markedly in the past twelve months (29/36 for unobfuscated samples).
When he lengthened the 0x00 padding within the malware samples,
however, the detection rates dropped off significantly: merely
doubling the length of the padding cut detection from 6 to 3 out of 36
command line scanners. It is still disturbing that adding 255 bytes of
0x00 is enough to see the detection rate drop from 29 to 6 scanners,
especially given that the obfuscation technique has been well known
for a number of years.
Even more interesting is the change in detection when the 0x00 bytes
are added to the malware sample. For the engines that do detect the
modified file, there is often a change in description of the malware
between the unobfuscated sample and the obscured one. In almost all
cases it is a move to a generic descriptor (0x00 padded) from a
specific definition (original sample), so it doesn't appear that
scanning engine developers are claiming a new and unique variant for
each 0x00 padded file (which is a good thing).
While the generic detection of the modified files points to at least
partially-functioning heuristics in some engines, the lack of
detection from the clear majority of command line scanners being used
at VirusTotal shows that there is still some way to go for antimalware
companies as they drag their products away from purely signature-based
detection to a more flexible model.
As Didier points out in his post, it could be that the command line
versions of the scanning engines lack some of the features of the GUI
versions that could detect his malware samples.
It would be better if those features were actually in the command line
versions as it would provide a greater level of protection in a
managed network environment, where it is more likely that network
level scanning is being managed by a command line tool.
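As an added illustration (not part of Didier's post or of this newsletter), the Python script below shows the detection side of 0x00 padding: a byte-exact signature misses a padded sample, while the same signature run after a pre-scan normalisation step (dropping the NUL bytes the rendering application discards anyway) matches again, and the NUL density of text-type content is itself a usable heuristic. The signature string and both samples are constructed, benign stand-ins; no real malware or real signature is involved.

```python
"""Detection-side view of 0x00 padding: compare a byte-exact signature scan
against a scan run after normalising the input.

Added example; the marker string and samples below are constructed and
benign, not real malware signatures or samples."""

# Constructed stand-in for a byte-exact signature an engine might hold.
CONSTRUCTED_SIGNATURE = b"EXAMPLE-MALICIOUS-MARKER"

# Constructed inputs: the same marker with no padding, and with one 0x00
# byte interleaved after every byte. A rendering engine that discards
# NULs sees both as identical content.
CLEAN_SAMPLE = b"<script>" + CONSTRUCTED_SIGNATURE + b"</script>"
PADDED_SAMPLE = (
    b"<script>"
    + b"".join(bytes([c]) + b"\x00" for c in CONSTRUCTED_SIGNATURE)
    + b"</script>"
)


def naive_scan(data: bytes) -> bool:
    """Byte-exact substring match, as a purely signature-based engine does."""
    return CONSTRUCTED_SIGNATURE in data


def normalise(data: bytes) -> bytes:
    """Drop NUL bytes, mirroring what the target application does before
    interpreting the content. Scanning the normalised form is what makes
    the existing signature usable again."""
    return data.replace(b"\x00", b"")


def normalised_scan(data: bytes) -> bool:
    """Run the same signature over the normalised input."""
    return CONSTRUCTED_SIGNATURE in normalise(data)


def nul_ratio(data: bytes) -> float:
    """Fraction of NUL bytes. Text-type content (HTML, script) should be
    close to zero, so a high ratio is a heuristic signal on its own."""
    return data.count(b"\x00") / len(data) if data else 0.0


def scan_verdict(data: bytes, nul_threshold: float = 0.10) -> dict:
    """Combine the three checks into one report for a sample."""
    return {
        "signature_raw": naive_scan(data),
        "signature_normalised": normalised_scan(data),
        "suspicious_nul_ratio": nul_ratio(data) >= nul_threshold,
    }


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(name, scan_verdict(sample))
```

The threshold of 10% NULs is an assumed tuning value; a real engine would apply it only to content types where NULs are not expected, since binary formats legitimately contain long runs of zero bytes.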
2.4 Google Provides Details on how it Determines Unsafe Sites
A recent post at the Google Online Security Blog provides some
background on how Google generates the "This site may harm your
computer" warnings that appear from time to time in Google searches.
It all boils down to automated scanners detecting the presence of
malicious content. The article identifies that at least some of the
scanners have been created by Google staff, though it is possible that
commercial and freely available tools are also in use to generate the
results.
Although the results are defined as "accurate" there is no information
about what level of false positives or false negatives manage to slip
through the net. There are enough problems with similar available
toolsets to suggest that Google's own approach is not the panacea that
it might appear to the uninitiated.
If you think that your site has been misidentified as having malicious
content by the Google scanners, they have provided a straightforward
link to check exactly what it was that triggered the initial
labelling. The basic site is
http://www.google.com/safebrowsing/diagnostic, and it can be made site
specific by adding ?site=site_name at the end of the link. For
example, the result for Sûnnet Beskerming is this. Google's Webmaster
Tools will also provide added information about what was scanned and
found, though not the complete list of URLs that have been identified
as problematic.
Once whatever problem that was discovered has been rectified, there
are procedures available to request a review for your site from Google
(Overview page in the Webmaster Tools part of the site). Since the
review process is effectively the same as the original automated scan
(i.e. it is another automated scan), the complete process to remove
the unsafe indication should only take a few hours, a day at most.
On the other hand, if you have found that your site has completely
disappeared from the Google results, it may be due to it being a
"spammy website", in which case a Request for reconsideration is the
appropriate action to take.
2.5 20th Anniversary for Poorly Written Network Worms
November 2 marks 20 years of poorly written, havoc-causing network
worms: it is the 20th anniversary of the Morris Worm, considered the
first major network attack on the Internet.
Despite only reaching an estimated 6,000 systems, it still represents
10% of the available systems on the Internet at that time. There is
some argument over the exact number of systems compromised and the
overall percentage of Internet hosts affected, but the widespread
impact of the worm is the most significant outcome.
Not only was it one of the earliest examples of an automated denial of
service attack (which came about because the detection routine to tell
if another copy of the worm was present had a bug in it), but it also
led to the creation of the CERT Coordination Center (CERT/CC), which
preceded US-CERT by several years and is meant to be one of the key
management centres for Internet related attacks and problems.
Robert Morris, the worm's creator, was convicted under the Computer
Fraud and Abuse Act and was eventually sentenced to probation (3
years), community service (400 hours) and a fine ($10,000). Morris
has since joined the academic staff as an Associate Professor at MIT,
the institution he used to launch the attack, despite being at Cornell
when the worm was originally released.
Whether or not the worm was designed for malicious use, or, as Morris
has claimed, to map the Internet, the fact remains that it ended up
acting as a malicious worm. The use of vulnerabilities in sendmail,
finger, rsh, weak passwords, and the attempt to hide the source of the
attack (using a system at MIT rather than at Cornell where Morris was)
would nowadays suggest motives that weren't completely pure. A problem
with this line of thought is that it is extremely difficult to
identify an outcome from the worm which could be considered beneficial
for a malicious attacker.
The mid 80s were an interesting time for Information Security. The
first viruses and trojan horses appeared in 1986, so there was a lot
of advancement in malicious activity taking place in a very short
period of time. Next year marks the 20th anniversary of ransomware,
the particularly nasty type of malware that encrypts a victim's
content and then demands payment for a decryption key that will
restore the content to its original state.
2.6 This [FILTERED] is [FILTERED][FILTERED]
In the lead up to last year's national election in Australia there
were a range of promises made by the incumbent government, under the
name NetAlert, which was reported to be for a range of projects
including Internet blocking software at the user end, tracking down
online predators, and filtering of traffic on the network.
It seems that the new government has now taken the proposals one step
further, moving to enforce the legislation that they pushed through at
the start of this year. At the time of the NetAlert announcements, the
opposition (now the government) were seen to be tacitly approving of
the initial presentation and the Labor party had previously been
ridiculed over their approaches to, and ideas of, online censorship.
Although the Federal Government has promised to listen to "the best
advice", it seems that they are only listening to the advice that
validates and otherwise affirms their approach to online censorship.
There have been accusations that the sudden rapid movement that has
taken place is a result of appeasement of minor parties, particularly
Family First, whose senator is key to the government being able to
pass their bills through parliament smoothly and who had slammed the
prior government's $89 million filtering program as being inadequate.
There is also reporting that the government is pressuring dissenting
voices into silence. With increasing reporting on this proposal, the
chorus of dissenting voices grows louder by the day.
Somewhat unsurprisingly, the technology being tested has demonstrated
significant slowdowns for available network speed. The more that they
try to filter, the greater the slowdown for end user, which could be
up to 86% with one unnamed system.
There is no other way to put it: these efforts are being pushed
through out of an ignorance of the structure and nature of the
Internet, even when accurate information is readily available.
It could be that those making the decisions can't differentiate
between the arguments that the opposing sides are making (after all,
both sides are talking about something the decision maker doesn't
really understand) and so back the one that they feel is right (or
best for their political ends).
2.7 Critical Out-of-Cycle Patch from Microsoft (MS08-067)
From first alert on Tuesday, to patch release on Thursday, Microsoft
has rushed an out-of-cycle patch out to Windows users, acting on a
privately reported problem affecting the core Windows kernel.
In some detail, the vulnerability is a problem with the way that
Windows handles Remote Procedure Calls (RPC) and can result in a
remote unauthenticated user (i.e. anyone on the Internet) being able
to take complete control over your system.
Microsoft acknowledges that the issue is being actively targeted by
malicious code, though code samples have yet to appear publicly. It
has been reported that Gimmiv.A is a worm which is using this
particular vulnerability to attack vulnerable systems, though
Microsoft's initial guidance was that it was only being used in
targeted attacks.
Already different groups have claimed to have reverse engineered the
patch and there are fears that this vulnerability could lead to
something like the Blaster worm from 2003, where a patch was available
but attacks took down a significant number of systems anyway.
In some of the open analysis that has taken place, there is enough
information to point to the NetPathCanonicalize call as being the
weakness currently being exploited. The available information also
shows a fairly straight forward buffer overflow.
Users who have enabled the built-in Windows firewall (default on
systems after XP SP2) will be protected by default against this issue,
though it is still urgent to apply the patch. However, if print or
file sharing is enabled the system is vulnerable again. This means
that many systems that would otherwise be secure are not going to be.
Windows Vista and 2008 systems are vulnerable if the file / print
sharing has been enabled for networks of type 'Public'.
According to the Security Vulnerability Research & Defense team at
Microsoft, ASLR and DEP should provide some added protection to
Windows Vista and Windows 2008, though it is still considered possible
that arbitrary code execution could take place. The UAC feature of
Vista and 2008 will also limit anonymous attacks, however if "Password
Protected Sharing" is disabled, anonymous attacks will be successful.
If TCP ports 139 and 445 are blocked at the network perimeter it will
mitigate against external attacks, however internal networked systems
will remain vulnerable and some services might no longer work as
expected, including:
- Applications that use SMB (CIFS)
- Applications that use mailslots or named pipes (RPC over SMB)
- Server (File and Print Sharing)
- Group Policy
- Net Logon
- Distributed File System (DFS)
- Terminal Server Licensing
- Print Spooler
- Computer Browser
- Remote Procedure Call Locator
- Fax Service
- Indexing Service
- Performance Logs and Alerts
- Systems Management Server
- License Logging Service
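As an added example (not from Microsoft or from this newsletter), the Python script below audits a Windows Firewall log for the perimeter condition just described: inbound TCP 139/445 from addresses outside the internal ranges that was allowed rather than dropped, alongside the dropped probes and the internal SMB traffic that the port block does nothing about. The log excerpt is constructed in the pfirewall.log space-separated field layout (taken from its standard #Fields header), the source addresses are RFC 5737 documentation ranges rather than real hosts, and the list of internal networks is an assumption to be replaced with your own address plan.

```python
"""Audit Windows Firewall log lines for SMB (TCP 139/445) exposure.

Added example; the log excerpt is constructed in the pfirewall.log field
layout and uses RFC 5737 documentation addresses, not real hosts."""
import ipaddress
from collections import Counter

SMB_PORTS = {139, 445}

# Assumed internal address plan (RFC 1918 plus loopback and link-local).
# Listed explicitly rather than via ipaddress's is_private, which also
# treats the documentation ranges used in the sample below as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample: two dropped external probes, one external connection
# that the perimeter let through, one internal SMB connection, one
# unrelated outbound HTTP connection.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-11-17 21:35:45 DROP TCP 203.0.113.7 192.168.1.10 4512 445 48 S 123456 0 65535 - - - RECEIVE
2008-11-17 21:35:46 DROP TCP 203.0.113.7 192.168.1.11 4513 139 48 S 123457 0 65535 - - - RECEIVE
2008-11-17 21:35:47 ALLOW TCP 203.0.113.9 192.168.1.10 51000 445 0 - 0 0 0 - - - RECEIVE
2008-11-17 21:36:01 ALLOW TCP 192.168.1.25 192.168.1.10 49152 445 0 - 0 0 0 - - - RECEIVE
2008-11-17 21:36:05 ALLOW TCP 192.168.1.10 192.168.1.1 49153 80 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(text: str) -> list:
    """Turn log lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_external(ip: str) -> bool:
    """True for addresses outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit_smb_exposure(records: list) -> dict:
    """Separate inbound SMB traffic into the cases the advisory cares about."""
    external_allowed, internal_allowed = [], 0
    external_dropped = Counter()
    for r in records:
        if r["protocol"] != "TCP" or r["path"] != "RECEIVE":
            continue
        port = int(r["dst-port"])
        if port not in SMB_PORTS:
            continue
        src, dst = r["src-ip"], r["dst-ip"]
        if is_external(src):
            if r["action"] == "ALLOW":
                external_allowed.append((src, dst, port))  # perimeter gap
            else:
                external_dropped[src] += 1  # blocked, but being probed
        elif r["action"] == "ALLOW":
            internal_allowed += 1  # expected; unpatched hosts stay at risk
    return {
        "external_allowed": external_allowed,
        "external_dropped": external_dropped,
        "internal_allowed": internal_allowed,
    }


if __name__ == "__main__":
    report = audit_smb_exposure(parse_firewall_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any entry under external_allowed means the perimeter block is not in effect for that host; a non-zero internal_allowed count is the reminder, from the text above, that blocking 139/445 at the edge leaves internal systems relying on the patch alone.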
Despite Microsoft providing non-patch mitigation options, the
criticality of this particular vulnerability, and the fact that it is
being targeted in the wild means that users and administrators should
apply the patch as soon as possible.
For Windows 2000, XP, and 2003, the vulnerability has been rated as
Critical, with Windows Vista and 2008 attracting Important ratings.
Microsoft has even acknowledged that the pre-beta versions of Windows
7 are also affected by this particular vulnerability. The ISC has
raised its threat indicator to Yellow, as has Symantec.
You can get MS08-067 direct from Microsoft, here.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.