[Sunnet Alert] Advisory #259 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Sat Sep 13 16:59:21 EST 2008
Sûnnet Beskerming Alert List Advisory #259
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 What Isn't Best Western Telling Us?
2.2 Hacking Security Researchers
2.3 An Exploit That Targets Developers
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows
Windows Media Encoder
SQL Server
Windows Media Player
Office
Visual Studio
-- Technical Description --
MS08-052 - Windows. Remote Code Execution. Replaces MS07-015,
MS08-044, MS08-051, MS07-050, MS08-040, MS04-028. Critical
MS08-053 - Windows Media Encoder. Remote Code Execution. Critical
MS08-054 - Windows Media Player. Remote Code Execution. Critical
MS08-055 - Office. Remote Code Execution. Replaces MS07-025,
MS08-016. Critical
-- Description --
With September's Security Patch Release, Microsoft have provided the
four patches that were identified in the advance notice. All four of
the patches are rated by Microsoft as Critical and there were no known
public exploits prior to patch release. Since the patches have been
released there has been a lot of information published about the
vulnerabilities addressed, and exploits should follow in a short period
of time.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-054.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx
-- External Tracking Data --
CVE-ID: CVE-2007-5348 (MS08-052)
CVE-ID: CVE-2008-3012 (MS08-052)
CVE-ID: CVE-2008-3013 (MS08-052)
CVE-ID: CVE-2008-3014 (MS08-052)
CVE-ID: CVE-2008-3015 (MS08-052)
CVE-ID: CVE-2008-3008 (MS08-053)
CVE-ID: CVE-2008-2253 (MS08-054)
CVE-ID: CVE-2008-3007 (MS08-055)
-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 What Isn't Best Western Telling Us?
Reports of a recent data breach at Best Western were vigorously
refuted by the company, but is there something else going on in the
background that is not being acknowledged by the company?
From the initial reports, more than 8 million Best Western customers
may have had their details captured following unauthorised system
access. Best Western's assertion that only one hotel and 13 records
were affected didn't attract many supporters, and their assertion
that their adherence to PCI DSS requirements ensured customer safety
was even less well received.
At the moment all that is happening is that the Glasgow Sunday Herald
(and their source at Prevx) and Best Western have made contrasting
claims on the incident and neither has provided much more by way of
evidence of their claims. Claims that it is the world's biggest cyber
heist, when it isn't by a long way, would put the burden of proof on
the Sunday Herald.
The difference between 13 records and 8 million is significant, but it
does raise the question as to how Best Western knew that it was only
those few records that had been accessed. 13 just isn't the sort of
number that people tend to make up when they are making vague claims
about quantities. As reported by Best Western, it was antivirus
software that managed to identify the trojan horse that had been
installed to try and capture credentials at a single European Best
Western hotel.
There are questions being asked about Best Western's claims that
recorded credit card details are destroyed after a period of time and
whether this claimed breach indicates a failure to adhere to Level One
PCI DSS requirements (assuming they are top level PCI DSS),
particularly the requirements for a Data Security Assessment and
Quarterly Network Scan. Perhaps the rapid discovery of the breach and
limited account access claimed by Best Western was achieved through
adherence to this requirement, but there are not many who place much
faith in this idea, or in the PCI DSS auditing requirements.
There is also the possibility that any breach was targeted at Identity
Theft first, financial theft second, so the PCI DSS requirements
aren't going to do much to stop that from happening.
How can Best Western ease a lot of concerned observers' fears? If they
re-issued their press release (or even a new one) identifying when and
how the compromised system was identified and taken offline, and then
acknowledged that the PCI DSS is only one means to protect sensitive
data and forms part of a layered defence strategy then it would go a
long way to achieving this goal.
It isn't often that the benefit of the doubt is given to a company
involved in a data breach, but in this case it is leaning slightly
towards Best Western. At the end of the day, Best Western has been
tarnished by their response to this issue and if they can not
adequately address the concerns identified above, then there is little
else to do but assume that the worst outcome reported by the Sunday
Herald is what happened. Of course, if the evidence of the attack is
released by other means, then that, too, would validate the claims of
one side.
2.2 Hacking Security Researchers
When Alan Shimel (StillSecure) and Petko Petkov (GNUCitizen) had their
online mail accounts hacked in the latest bout of Full-Disclosure
posturing, including contents of select emails published to the list
and, in Alan's case, objectionable content sent to various mailing
lists that he was involved with, reactions ranged from ignoring the
event through to blaming Alan and Petko for using webmail accounts for
more than they really should have.
The irony of security experts having their own security shortcomings
exposed so publicly was not lost on the group claiming responsibility
for the attacks, or on a number of observers. The incidents prove the
adage that it is a matter of "when" not "if" you will be hacked. More
importantly, they show that it only takes a single lapse in procedure
for a critical weakness to be opened up in a security position. If
there are multiple lapses that can then be chained together, then it
only exacerbates the problems being faced. When a security expert is
relying on their reputation to attract clients, being smeared like
this doesn't help their case. How somebody recovers and responds to
such an incident is key to their future reputation, and maybe even
their future earning potential.
Alan and Petko's responses to the breach of their security can
easily be found online and it is interesting to see the general
posture being taken by both (and also some of the external parties
affected when emails were published or malicious content was sent to
them). The significant differences in approach may be due to
American / European cultural differences, but blaming the service
providers for a mistake on your behalf is probably not the best way to
go about rebuilding after a compromise.
An interesting side point to Alan Shimel's experience is that he had
his personal domain redirected at GoDaddy after the hackers were able
to use his legitimate email account to direct GoDaddy to unlock the
domain and make the requisite changes. Without an out-of-band means
of validating such directions (such as via phone), what else is a
registrar to do? The email came from the correct account. With the
level of control over the various accounts that Alan held, including
full details of his credit cards, it wouldn't have taken much more for
the hackers to completely transfer control of his sites and
potentially severely restrict Alan's access to his own finances.
While Alan was able to use his personal contacts to gain rapid access
to in-person support at major service providers, this isn't
necessarily something that many people will have easy access to, and
even then it will take a measure of trust on the service provider's
behalf to believe the caller is who they say they are and not the
hackers making a last ditch social engineering attempt to regain
control of the site(s).
Taking the Turkish approach to solving this problem is not necessary,
but it might be a fun fantasy for a while.
2.3 An Exploit That Targets Developers
Towards the middle of August, a vulnerability affecting Microsoft's
Visual Studio was identified in the wild, though it isn't known just
how widespread the attacks are at this stage.
While the mechanism of the vulnerability, an ActiveX control buffer
overflow leading to remote code execution, isn't exactly new, it is
the target (and the fact it is being actively targeted) that makes it
somewhat interesting.
In the past there have been proof of concept and limited release
vulnerabilities targeting developers, reverse engineers, forensic
analysts, and a range of other service providers. What hasn't really
happened with any of the previous examples is a move to exploitation
in the wild.
Developers who are not able to separate their development environment
from the Internet, and who use their development systems to surf the
Internet, will be at greatest risk from this particular exploit. With
the increasing levels of high quality online development libraries and
code samples, it is becoming rarer that developers maintain a clear
separation between the two and so the vulnerable userbase is actually
quite a high proportion of the total number of Visual Studio
installations.
If you have Visual Studio 6 installed and you want to be protected
against the vulnerability in the Msmask32.ocx ActiveX Control, either
install version 6.0.84.18 (reported to be fixed in this version), or
set the killbit for the following CLSID in the Registry :
{C932BA85-4374-101B-A56C-00AA003668DC}.
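The following PowerShell script is an added example, not part of the advisory: it reports the installed Msmask32.ocx version against the fixed version named above and sets the killbit for the CLSID given, OR-ing it into any existing Compatibility Flags so other bits survive. It assumes the control lives in %SystemRoot%\System32 (a guess; the advisory does not state the path), that the advisory's version number maps to the file's four-part version, and an elevated prompt.

```powershell
# Added example (not from the advisory): check Msmask32.ocx and apply the killbit.
# Run from an elevated PowerShell prompt on the affected system.
$clsid        = '{C932BA85-4374-101B-A56C-00AA003668DC}'
$fixedVersion = [version]'6.0.84.18'          # version the advisory reports as fixed
$keyPath      = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit      = 0x400                          # Compatibility Flags bit that blocks IE from loading the control
# Assumed location of the control (not stated in the advisory; adjust if different)
$ocx          = Join-Path $env:SystemRoot 'System32\msmask32.ocx'

# 1. Report the installed control version, if the file is present.
if (Test-Path $ocx) {
    $vi  = (Get-Item $ocx).VersionInfo
    $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($ver -ge $fixedVersion) {
        Write-Host "msmask32.ocx $ver is at or above the fixed version $fixedVersion"
    } else {
        Write-Host "msmask32.ocx $ver is older than $fixedVersion; setting the killbit"
    }
} else {
    Write-Host "msmask32.ocx not found at $ocx; setting the killbit anyway as a precaution"
}

# 2. Set (or confirm) the killbit without clobbering other Compatibility Flags bits.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
$current = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -eq $current) { $current = 0 }
if (($current -band $killBit) -eq $killBit) {
    Write-Host ("Killbit already set for {0} (Compatibility Flags = 0x{1:X})" -f $clsid, $current)
} else {
    Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
        -Value ($current -bor $killBit) -Type DWord
    Write-Host "Killbit set for $clsid"
}
```

The killbit only stops Internet Explorer from instantiating the control; it does not patch the control itself, so installing the fixed version remains the preferred remedy.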
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.