From alertmailinglist at skiifwrald.com Mon Apr 20 00:34:08 2009
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Mon, 20 Apr 2009 00:04:08 +0930
Subject: [Sunnet Alert] Advisory #265 - Microsoft (Multiple), Multiple News

Sûnnet Beskerming Alert List Advisory #265

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 5 days

======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 OS X Coming Under Increased Researcher Scrutiny
2.2 Around the Frayed Edge of PCI DSS
2.3 Does Microsoft Gain From Exposing Collaborative Cloud Effort?
2.4 Information Distribution Being Shaken Up In More Than One Way
2.5 A PowerPoint 0-day and a Second Worm Targeting MS08-067

=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Excel, Wordpad, Internet Explorer, ISA Server

-- Technical Description --
MS09-009 - Excel. Arbitrary code execution. Replaces MS08-074. Critical
MS09-010 - Wordpad. Arbitrary code execution. Replaces MS04-027. Critical
MS09-011 - DirectX. Arbitrary code execution. Replaces MS08-033. Critical
MS09-012 - Windows. Multiple vulnerabilities, including code execution. Replaces MS07-022, MS08-002, MS08-064. Important
MS09-013 - HTTP Services. Multiple vulnerabilities, including code execution. Critical
MS09-014 - Internet Explorer. Multiple vulnerabilities, including code execution. Replaces MS08-073, MS08-078, MS09-002. Critical
MS09-015 - Windows. API Update. Replaces MS07-035. Moderate
MS09-016 - ISA Server. Multiple vulnerabilities, including Denial of Service. Important

-- Description --
Microsoft's patch release for April saw eight patches released: five Critical, two Important, and one Moderate. Most of the patches address code execution vulnerabilities, and for most of those public exploit code was already readily available. Of note, one patch that does not address a code execution vulnerability, MS09-015, provides an updated system API to help mitigate the risk posed by malware that tries to install fake system libraries. This API makes the system look for libraries in the system directory by default and also changes the order in which library locations are searched, which closes a very old method of getting malicious code to load.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
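As an added check that is not part of the advisory or of Microsoft's own tooling, the PowerShell below reports whether a Windows system has the two safe search-mode settings that the MS09-015 API update builds on. It assumes both values live under the Session Manager registry key shown (where Windows stores them) and treats an absent value as "the default for this Windows version applies".

```powershell
# Added example (not from the advisory or Microsoft): report the Windows
# search-mode hardening values that relate to the MS09-015 API update.
# Assumption: both values live under the Session Manager key below; when a
# value is absent, the default for that Windows version applies.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

$checks = @(
    [pscustomobject]@{
        Name    = 'SafeDllSearchMode'
        Purpose = 'LoadLibrary searches the system directories before the current directory'
    },
    [pscustomobject]@{
        Name    = 'SafeProcessSearchMode'
        Purpose = 'SearchPath searches the system directories before the current directory (MS09-015 / KB959426)'
    }
)

# Read the key once; Get-ItemProperty exposes each registry value as a property.
$props = Get-ItemProperty -Path $sessionManager -ErrorAction Stop

foreach ($check in $checks) {
    $present = $props.PSObject.Properties.Name -contains $check.Name
    $value   = if ($present) { $props.($check.Name) } else { $null }

    # 1 enables the safe mode; any other explicit value leaves the legacy order in place.
    $state = if (-not $present)    { 'not set (OS default applies)' }
             elseif ($value -eq 1) { 'enabled' }
             else                  { "disabled (value = $value)" }

    [pscustomobject]@{
        Setting = $check.Name
        State   = $state
        Purpose = $check.Purpose
    }
}
```

Run it in an elevated session on the host being reviewed; a "disabled" or "not set" row on an older system is the condition the advisory's description of fake system libraries refers to.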
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-015.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-0100 (MS09-009)
CVE-ID: CVE-2009-0238 (MS09-009)
CVE-ID: CVE-2008-4841 (MS09-010)
CVE-ID: CVE-2009-0087 (MS09-010)
CVE-ID: CVE-2009-0088 (MS09-010)
CVE-ID: CVE-2009-0235 (MS09-010)
CVE-ID: CVE-2009-0084 (MS09-011)
CVE-ID: CVE-2008-1436 (MS09-012)
CVE-ID: CVE-2009-0078 (MS09-012)
CVE-ID: CVE-2009-0079 (MS09-012)
CVE-ID: CVE-2009-0080 (MS09-012)
CVE-ID: CVE-2009-0086 (MS09-013)
CVE-ID: CVE-2009-0089 (MS09-013)
CVE-ID: CVE-2009-0550 (MS09-013)
CVE-ID: CVE-2008-2540 (MS09-014)
CVE-ID: CVE-2009-0550 (MS09-014)
CVE-ID: CVE-2009-0551 (MS09-014)
CVE-ID: CVE-2009-0552 (MS09-014)
CVE-ID: CVE-2009-0553 (MS09-014)
CVE-ID: CVE-2009-0554 (MS09-014)
CVE-ID: CVE-2008-2540 (MS09-015)
CVE-ID: CVE-2009-0077 (MS09-016)
CVE-ID: CVE-2009-0237 (MS09-016)

-- Threat Matrix --
              U    O
Home User    10   10   (Highly Critical)
Corporate    10   10   (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 OS X Coming Under Increased Researcher Scrutiny

While it is still a less-targeted platform, Apple's OS X operating system has seen some interesting information security research published in recent months. In February, Vincenzo Iozzo presented at Black Hat 09 a method for injecting code directly into the memory of another application while it is running. The technique takes place completely in memory (which separates it from previous vulnerabilities of this style) and disappears when the application is terminated. It could be argued that this presents an epiphytic rather than a parasitic attack route, given that there is no reliance on the host system to store any part of it (other than active memory): it attaches to an existing application and disappears cleanly at the end.

This method still relies upon somehow getting the code launched in the first place, but it means that once launched the code is hidden from sight and does not show up as a running process. Getting the user to launch an arbitrary application is more of a social weakness than a technical one, as the mountains of malware and infected Windows systems can attest.

More recently, Dino Dai Zovi demonstrated a heap overflow vulnerability (of which he claims there are several more waiting to be found) which allowed him to take images with the iSight camera.

Meanwhile, at the Pwn2Own contest at CanSecWest, last year's winner, Charlie Miller, walked away with the MacBook inside of ten seconds, on his first attempt. Using a Safari vulnerability, he was able to gain access at least to the privileges that Safari was running under and demonstrate code execution. Miller had been able to develop and test the exploit ahead of time and was confident that he would be able to take out the target system, even going so far as to claim ahead of the competition that Safari would be the first browser compromised.
Critics would argue that by allowing the use of web browsers on the first day of the competition, it effectively moved the competition from an attack against the underlying systems to an attack against web browser security. With the constant barrage of critical patches for web browsers across all platforms, it shouldn't come as any surprise that the competition systems were compromised so quickly. With researchers having had months to prepare and develop their pet exploits, it comes down to a race as to who gets to try their exploit first, rather than a valid example of how long it takes a representative system to fall to attack. Critics would also point out that the more desirable laptop (at least to many) would naturally be the first and most heavily targeted.

Critical arguments aside, it is getting harder to argue that OS X is a lesser targeted platform, especially with the recent work put into updating one of the most popular hacking toolkits, Metasploit, with OS X specific capabilities and vulnerabilities. It should not come as any surprise that those most responsible for the increase in capability are Charlie Miller and Dino Dai Zovi.

In the face of increasing attention and public exploit demonstration and release, is it time for Apple to move to a pre-ordained patch release schedule? Some would argue that it is long past the time when this should have happened, while others are content with the relatively random release cycle currently in use. At the least, Apple could do well to consider how Microsoft has engaged all aspects of the Information Security community and how they handle Information Security vulnerability data and patches.
2.2 Around the Frayed Edge of PCI DSS

Following the breach of credit card processor Heartland, there has been heated debate on both sides of the argument as to the value of PCI and similar mechanisms for ensuring data safety (the new buzzword of the month being Data Loss Prevention) and system and network integrity. It doesn't really matter whether there is anything better available in the marketplace or not; PCI DSS has been seized upon as the 'best practice', and a business that chooses not to follow it while still handling credit and debit card transactions risks ostracisation (excommunication, maybe).

It only takes a single hole to undo a well-constructed set of defences, but if so many companies are touting their compliance and adherence to the PCI DSS, and no fully accredited company has had a breach, what really happened with the Heartland and RBS Worldpay cases? Is it really security theatre as some would argue, or is it merely the latest sticking point for people who don't want to go through the process of auditing and assessment to get accredited? Are companies claiming that they are compliant, but aren't, in order to retain or attract customers who are aware of the existence of PCI?

Some of the most ardent advocates of PCI claim that, even if it were security theatre, it has at least raised awareness of Information Security in general, still represents a great leap forward in that respect, and helps force some basic best practices. The problem with this argument is that doing a really bad job at Information Security can be more dangerous than no effort at all. Did Sarbanes-Oxley prevent the financial meltdown? Did the presence of HIPAA and SB1386 stop the growth of information breaches (it has to be admitted that SB1386 really set the standard for information disclosure reporting and helped formalise the current requirements that exist)? No, and no.
What would go a long way to helping assuage concerned observers would be complete transparency in the reporting of breaches and the subsequent investigations. So you've had a breach and had to report it. The time for trying to save face has already passed; now it is important, if not essential, to be completely open and honest so that others may learn from what happened to you (even if it is your mistake that led to the incident). Unfortunately, this will only happen in an ideal world - there is just too much at stake to expect people to be completely honest and open about what has happened or is happening. Besides, denial is one of the stages of grief, and a major security incident does attract a grief-like response.

This is an area where the direct involvement of an Information Security professional is really what is needed, but it also seems to be the least likely to actually happen within the organisations that need it the most. Good security practices and awareness, even without the software and hardware elements to back them up, are better than all the software, hardware, and industry best practices that are only backed by a laissez-faire attitude. Just a little something to think about the next time you sit down to consider your Information Security needs and compliance with industry standards.

2.3 Does Microsoft Gain From Exposing Collaborative Cloud Effort?

A group of competitors comes together in secret to create a common approach to how different 'clouds' might interact and allow data to move between them, setting out a community-based approach. Only, now it isn't so secret. Microsoft were recently invited to be part of this currently secretive group, comprised of unknown members but believed to include at least IBM, Amazon, and Google. Microsoft decided not to be involved, choosing instead to publicly disclose the existence of the document that is being created in private at the moment.
Microsoft's argument that openness and real community assistance in developing the 'Cloud Manifesto' is what is really important is true, though it does come as a surprise from Microsoft, a company that has traditionally fought against the methods and concepts used in Open Source. It seems that the intention has always been to open up the discussion on the effort once a common approach had been agreed upon, so the question then becomes at what point it is harmful to keep the development and structuring of the manifesto private. Does it really benefit the wider community to have input from the very beginning of the process, or is it best to wait until the major service providers have worked out a means to interact?

The risk of the latter is that proprietary systems may be implemented that are mutually beneficial to the major players who have created the agreement, forcing everyone else to licence and pay for them, or that a sub-optimal solution is selected. The flipside is that allowing everyone to have input from the very beginning risks having the project bogged down in minutiae at every turn, after which it could be forked to a more private equivalent that is almost the same as what is in place at the moment. Sometimes projects need a strong leadership cabal who are capable of making decisions in private before putting them out for community input and decision. Even major Open Source projects and movements have figureheads and key decision makers who manage to retain veto powers.

Cloud computing may be just the buzzword du jour, but with the resources being thrown at it and it being touted as the solution for everything, there is a lot riding on getting different vendor creations talking to each other and sharing data effectively.
Rather than having cute fluffy clouds that build and share with each other, we risk having massive towering cumulus and cumulonimbus clouds that smash into each other, releasing massive amounts of lightning and thunder but not achieving much by way of sharing resources.

One buzzword is being supported by another, with Microsoft pushing SOAP, XML, and REST as part of their approach to opening the data in the cloud. When Microsoft holds up Silverlight as an example of openness and standardisation it leaves a strange taste in the mouths of open source advocates, something which is further enhanced by the claim that the manifesto organisers were unwilling to accept Microsoft's 'enhancements to the document'. Microsoft's move to publicly announce in this light looks like a vindictive dummy spit, while the reluctance of the other companies looks like an awareness of recent decades of history, where Microsoft 'enhancements' often cripple or kill non-Microsoft technologies.

Past history can be forgiven, but it isn't going to be forgotten so quickly. Microsoft may just have to accept that, for the next couple of years at least, they will encounter this sort of stonewalling when interacting with the long term companies in the sector. If their actions indicate that they will no longer use their 'enhancements' to neuter, then they may be accepted. The whole push to subjugate OpenDocument through the use of Office Open XML (OOXML) isn't going to leave many feeling willing to readily accept Microsoft and their enhancements. Statements such as "Cloud computing...[will] be driven in beneficial ways by a lot of innovation that we're dreaming up today" by Microsoft are a two-edged sword. The benefits may be great, but it carries all the hallmarks of being a proprietary Microsoft-only approach that has been demonstrated all too many times before.
We'll all just have to wait until the Cloud Manifesto is released (said to be March 30) to see just what the hype is all about and what sort of ideas and processes have been implemented. Those who think the cloud is just another hype-filled waste of time might secretly be cheering for the manifesto to be a failure, or for Microsoft to really deliver on their 'enhancements' as they have in the past and kill it before it gets too big.

Who is really behind it all? Links to groups and sites have sprung up all over the place, but with the dating on many being after Microsoft spilled the beans, it is hard to say where it originated, though here and here are two of the most likely sources behind the manifesto. Despite the open linkage after Microsoft's announcement, it does seem that Microsoft has a minor point. From the available information, it does look like there are some biases present (a Google Code project - probably one of the sore points for Microsoft), but it is far more open than what has come before.

Come the 30th, we will be able to see just what the bickering and hype is all about. What is almost certain is that the people and groups behind the manifesto have completely screwed up the handling of the public release of information and are scrambling to recover after Microsoft's announcement. Let's hope the standard for intercommunication and sharing of data put forward in the manifesto is better than what has been displayed so far.

2.4 Information Distribution Being Shaken Up In More Than One Way

More and more pressure is being placed on traditional publishers as the economic crisis continues to bite. Recently there have been major newspaper publishers filing for bankruptcy protection, with the publisher of the Los Angeles Times and the Chicago Tribune, and the publisher of the Chicago Sun-Times, filing within four months of each other.
Within that timeframe, the Rocky Mountain News has completely closed down, and the Seattle Post-Intelligencer has given up print editions.

It isn't just newspapers that are feeling the pressure. Microsoft has made the decision to shut down their Encarta encyclopedia website and software lines. In explaining why they have made the decision to close down this service, it appears that it is due to the changing way that people seek and obtain information. Ready access to a seemingly limitless tap of free or low cost information is going to make charging for access to the same (or even slightly out-dated) information more difficult. Be it encyclopedia or print media, both face the same problems from the way people obtain and consume information. Economic struggles in the wider marketplace are just a catalyst; the real struggle has been with maintaining relevancy and a paying client base in the face of increasingly free services of comparable quality.

The big risk is that it could see a decline in investigative journalism as fewer organisations are capable of providing the resources for journalists to spend weeks and months developing a story. There is also a fear that the quality of journalism is going to decline as the number of potential news sources rapidly increases online. Counter to this argument is the claim that much of what has passed for journalism in recent years has been poorly written and researched, with much content lifted from the online sources that are now moving in to take over the role that the print media once held in those areas. No one will really miss this aspect of journalism.
It doesn't help that circular reporting continues to take place (where one single source is the spawn for numerous articles that busily cite each other as proof of something happening), but at least with an online-primary means of reporting and distribution this cycle will take place much more quickly, though it will involve more articles of dubious quality re-reporting the same factoid.

In the face of this news, it might be surprising, then, to find online information providers also cutting back on their capabilities and reach. Rather than having people find the same information from other sources, it seems that falling advertising revenues are making it difficult to retain all the writers on staff. The first to go in any downturn are the freelancers and contractors. Many who were in this position 12 months ago have found their services suddenly no longer needed (including some of our own staff who were writing freelance material in recent years). Content providers are struggling to find the balance between delivering quality content in the right quantity with fewer people. The fewer articles published and the fewer site visitors, the lower the advertising revenue and the harder it is to retain writers. And so the vicious cycle continues.

Long term Internet users like to argue that much of the advertising is overbearing and annoying, especially on sites where simple, short content is spread across several pages in order to maximise potential ad revenue and the number of ad impressions per article. There are numerous methods by which site visitors can block the advertisements that site operators try to get them to view. Some methods block the requests completely, saving the advertisers the cost of an impression that isn't seen. Other methods download the advertisement, but then discard the data once on the local system. This gives the site operator the impression revenue, but forces the advertiser to pay for marketing that is never seen.
With advertising continuing to push in on the content of many sites, falling ad revenues, and increasing methods to fake impressions or click-through rates, it should come as little surprise that this is causing content providers who have built their business plans around advertising fees a lot of trouble and concern.

It hasn't quite been an Internet 2.0 bubble, at least not yet, but the online environment and many global information collation and distribution networks are going through some fairly major changes at the moment: changes that will set out how we seek and interact with information into the future. Some of the changes are going to be a step back from what we have now, but it is the unknown technological improvements that will come along that will really change the world.

2.5 A PowerPoint 0-day and a Second Worm Targeting MS08-067

Microsoft has in recent days identified a new PowerPoint vulnerability that was attacked in the wild prior to detection, and has also announced the discovery of another malware family attacking the same MS08-067 vulnerability that Conficker initially did.

For the PowerPoint vulnerability, use of the Microsoft Office Isolated Conversion Environment (MOICE) will help mitigate attacks by converting existing binary Office file formats into the XML format supported by recent versions of Office. Microsoft's write up (linked to above) demonstrates two examples of how the infected PowerPoint files might appear when first opened, as well as a description of some of the actions taken once an infected file is opened. Rather than using MOICE, an alternative is to avoid PowerPoint files from untrusted sources, and unexpected files from trusted sources.

The new worm family attacking the MS08-067 vulnerability appears to have evolved from an older code base that previously attacked MS06-040 and earlier vulnerabilities.
What is different about this particular strain detected by Microsoft is that the worm appears to have integrated some of the features in use by Conficker. Apart from targeting the MS08-067 vulnerability, it also spreads via autorun, appearing very similar to how a Conficker-infected device appears when connected to a system. Similar to Conficker, the worm downloads its payload via HTTP after initial infection, and uses a driver to patch the network layer to remove the outbound connection limits in Windows XP SP2. Although the added features described are fairly generic, the particular grouping of them in worms attacking the same vulnerability is an interesting coincidence that could be worth some increased investigation. Because it attaches itself to the system so that it is loaded even in Safe Boot mode, it is going to be harder than the average piece of malware to get rid of.

=======================================
Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.