From alertmailinglist at skiifwrald.com Sat Sep 13 16:59:21 2008
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Sat, 13 Sep 2008 16:29:21 +0930
Subject: [Sunnet Alert] Advisory #259 - Microsoft (Multiple), Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #259

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 4 days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 What Isn't Best Western Telling Us?
2.2 Hacking Security Researchers
2.3 An Exploit That Targets Developers

=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Windows Media Encoder
SQL Server
Windows Media Player
Office
Visual Studio

-- Technical Description --
MS08-052 - Windows. Remote Code Execution. Replaces MS07-015, MS08-044, MS08-051, MS07-050, MS08-040, MS04-028. Critical
MS08-053 - Windows Media Encoder. Remote Code Execution. Critical
MS08-054 - Windows Media Player. Remote Code Execution. Critical
MS08-055 - Office. Remote Code Execution. Replaces MS07-025, MS08-016. Critical

-- Description --
With September's Security Patch Release, Microsoft have provided the four patches that were identified in the advance notice. All four of the patches are rated by Microsoft as Critical, and there were no known public exploits prior to patch release. Since the patches were released, a lot of information has been published about the vulnerabilities addressed, and exploits should follow in a short period of time.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-054.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-5348 (MS08-052)
CVE-ID: CVE-2008-3012 (MS08-052)
CVE-ID: CVE-2008-3013 (MS08-052)
CVE-ID: CVE-2008-3014 (MS08-052)
CVE-ID: CVE-2008-3015 (MS08-052)
CVE-ID: CVE-2008-3008 (MS08-053)
CVE-ID: CVE-2008-2253 (MS08-054)
CVE-ID: CVE-2008-3007 (MS08-055)

-- Threat Matrix --
               U    O
Home User     10   10  (Highly Critical)
Corporate     10   10  (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 What Isn't Best Western Telling Us?

Reports of a recent data breach at Best Western were vigorously refuted by the company, but is there something else going on in the background that the company is not acknowledging? From the initial reports, more than 8 million Best Western customers may have had their details captured following unauthorised system access. Best Western's assertion that only one hotel and 13 records were affected didn't attract many supporters, and its assertion that adherence to PCI DSS requirements ensured customer safety was even less well received. At the moment, all that has happened is that the Glasgow Sunday Herald (and their source at Prevx) and Best Western have made contrasting claims about the incident, and neither has provided much by way of evidence for their claims.
Claims that it is the world's biggest cyber heist, when it isn't by a long way, would put the burden of proof on the Sunday Herald. The difference between 13 records and 8 million is significant, but it does raise the question of how Best Western knew that only those few records had been accessed. 13 just isn't the sort of number that people tend to make up when they are making vague claims about quantities. As reported by Best Western, it was antivirus software that identified the trojan horse that had been installed to try to capture credentials at a single European Best Western hotel.

Questions are being asked about Best Western's claim that recorded credit card details are destroyed after a period of time, and whether this claimed breach indicates a failure to adhere to Level One PCI DSS requirements (assuming they are top level PCI DSS), particularly the requirements for a Data Security Assessment and Quarterly Network Scan. Perhaps the rapid discovery of the breach and the limited account access claimed by Best Western were achieved through adherence to these requirements, but there are not many who place much faith in this idea, or in the PCI DSS auditing requirements. There is also the possibility that any breach was targeted at identity theft first and financial theft second, in which case the PCI DSS requirements aren't going to do much to stop it.

How can Best Western ease the fears of a lot of concerned observers? If they re-issued their press release (or issued a new one) identifying when and how the compromised system was identified and taken offline, and then acknowledged that PCI DSS is only one means of protecting sensitive data and forms part of a layered defence strategy, it would go a long way towards achieving this goal. It isn't often that the benefit of the doubt is given to a company involved in a data breach, but in this case it is leaning slightly towards Best Western.
At the end of the day, Best Western has been tarnished by its response to this issue, and if it cannot adequately address the concerns identified above, there is little else to do but assume that the worst outcome reported by the Sunday Herald is what happened. Of course, if evidence of the attack is released by other means, then that, too, would validate the claims of one side.

2.2 Hacking Security Researchers

When Alan Shimel (StillSecure) and Petko Petkov (GNUCitizen) had their online mail accounts hacked in the latest bout of Full-Disclosure posturing, with the contents of select emails published to the list and, in Alan's case, objectionable content sent to various mailing lists that he was involved with, reactions ranged from ignoring the event through to blaming Alan and Petko for using webmail accounts for more than they really should have. The irony of security experts having their own security shortcomings exposed so publicly was not lost on the group claiming responsibility for the attacks, or on a number of observers.

The incidents prove the adage that it is a matter of "when", not "if", you will be hacked. More importantly, they show that it only takes a single lapse in procedure for a critical weakness to be opened up in a security position. If there are multiple lapses that can then be chained together, it only exacerbates the problems being faced. When a security expert relies on their reputation to attract clients, being smeared like this doesn't help their case. How somebody recovers from and responds to such an incident is key to their future reputation, and maybe even their future earning potential. Alan and Petko's responses to the breach of their security can easily be found online, and it is interesting to see the general posture being taken by both (and also by some of the external parties affected when emails were published or malicious content was sent to them).
The significant differences in approach may be due to American / European cultural differences, but blaming the service providers for a mistake on your own behalf is probably not the best way to go about rebuilding after a compromise.

An interesting side point to Alan Shimel's experience is that his personal domain was redirected at GoDaddy after the hackers were able to use his legitimate email account to direct GoDaddy to unlock the domain and make the requisite changes. Without a backup channel for validating such directions (such as via phone), what else is a registrar to do - the email came from the correct account. With the level of control over the various accounts that Alan held, including full details of his credit cards, it wouldn't have taken much more for the hackers to completely transfer control of his sites and potentially severely restrict Alan's access to his own finances. While Alan was able to use his personal contacts to gain rapid access to in-person support at major service providers, this isn't necessarily something that many people will have easy access to, and even then it will take a measure of trust on the service provider's behalf to believe the caller is who they say they are and not the hackers making a last-ditch social engineering attempt to regain control of the site(s). Taking the Turkish approach to solving this problem is not necessary, but it might be a fun fantasy for a while.

2.3 An Exploit That Targets Developers

Towards the middle of August, a vulnerability affecting Microsoft's Visual Studio was identified in the wild, though it isn't known just how widespread the attacks are at this stage. While the mechanism of the vulnerability, an ActiveX control buffer overflow leading to remote code execution, isn't exactly new, it is the target (and the fact that it is being actively targeted) that makes it somewhat interesting.
In the past there have been proof of concept and limited release vulnerabilities targeting developers, reverse engineers, forensic analysts, and a range of other service providers. What hasn't really happened with any of the previous examples is a move to exploitation in the wild. Developers who are not able to separate their development environment from the Internet, and who use their development systems to surf the Internet, will be at greatest risk from this particular exploit. With the increasing levels of high quality online development libraries and code samples, it is becoming rarer for developers to maintain a clear separation between the two, so the vulnerable user base is actually quite a high proportion of the total number of Visual Studio installations.

If you have Visual Studio 6 installed and you want to be protected against the vulnerability in the Msmask32.ocx ActiveX Control, either install version 6.0.84.18 (reported to be fixed in this version), or set the killbit for the following CLSID in the Registry: {C932BA85-4374-101B-A56C-00AA003668DC}.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid-2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.
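As an added illustration of the killbit mitigation recommended in item 2.3 (example code, not part of the original advisory): the script below audits and, where missing, sets the killbit for the Msmask32.ocx CLSID given above. The CLSID comes from the advisory; the "ActiveX Compatibility" registry path and the 0x400 "Compatibility Flags" value are Microsoft's documented killbit mechanism; the msmask32.ocx file location used for the version check is an assumption.

```powershell
# Added example (not from the Sûnnet Beskerming advisory): audit and apply the
# ActiveX killbit for the Msmask32.ocx control named in item 2.3. Run elevated.
$Clsid   = '{C932BA85-4374-101B-A56C-00AA003668DC}'   # CLSID from the advisory
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control

# On 64-bit Windows a 32-bit control is governed by the Wow6432Node view as well,
# so both paths are handled when that view exists.
$Keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-KillBit {
    # Returns $true when the killbit is already set at the given key path.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # Creates the key if needed and ORs the killbit into any existing flags, so
    # other compatibility bits already present for the control are preserved.
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $KillBit)
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($key in $Keys) {
    if (Test-KillBit $key) {
        Write-Output "Killbit already set: $key"
    } else {
        Set-KillBit $key
        Write-Output ("Killbit set: {0} (verified: {1})" -f $key, (Test-KillBit $key))
    }
}

# Report the installed control version so the 6.0.84.18 fix from the advisory
# can be confirmed. The path is an assumption; adjust it if the control lives
# elsewhere on the host.
$ocx = Join-Path $env:SystemRoot 'System32\msmask32.ocx'
if (Test-Path $ocx) {
    $ver = (Get-Item $ocx).VersionInfo.FileVersion
    Write-Output "msmask32.ocx file version: $ver (advisory reports the fix in 6.0.84.18)"
}
```

The killbit only stops Internet Explorer from loading the control; it does not patch the overflow, so updating to the fixed version remains the complete remedy.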