[Sunnet Alert] Advisory #265 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Mon Apr 20 00:34:08 EST 2009
Sûnnet Beskerming Alert List Advisory #265
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 OS X Coming Under Increased Researcher Scrutiny
2.2 Around the Frayed Edge of PCI DSS
2.3 Does Microsoft Gain From Exposing Collaborative Cloud Effort?
2.4 Information Distribution Being Shaken Up In More Than One Way
2.5 A PowerPoint 0-day and a Second Worm Targeting MS08-067
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows, Excel, Wordpad, Internet Explorer, ISA Server
-- Technical Description --
MS09-009 - Excel. Arbitrary code execution. Replaces MS08-074. Critical
MS09-010 - Wordpad. Arbitrary code execution. Replaces MS04-027. Critical
MS09-011 - DirectX. Arbitrary code execution. Replaces MS08-033. Critical
MS09-012 - Windows. Multiple vulnerabilities, including code
execution. Replaces MS07-022, MS08-002, MS08-064. Important
MS09-013 - HTTP Services. Multiple vulnerabilities, including code
execution. Critical
MS09-014 - Internet Explorer. Multiple vulnerabilities, including
code execution. Replaces MS08-073, MS08-078, MS09-002. Critical
MS09-015 - Windows. API Update. Replaces MS07-035. Moderate
MS09-016 - ISA Server. Multiple vulnerabilities including Denial of
Service. Important
-- Description --
Microsoft's patch release for April saw eight patches released, five
Critical, two Moderate, and one Important. Most of the patches
address code execution vulnerabilities, and for most of those public
exploit code is already readily available. Of note, one of the
patches that doesn't address a code execution vulnerability, MS09-015,
provides an updated system API to help mitigate the risk posed to
systems by malware that tries to install fake system libraries. The
updated API makes the system look for libraries in the system
directory by default and also changes the order in which they are
searched for (which closes a very old method of getting malicious code
to load).
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-015.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx
-- External Tracking Data --
CVE-ID: CVE-2009-0100 (MS09-009)
CVE-ID: CVE-2009-0238 (MS09-009)
CVE-ID: CVE-2008-4841 (MS09-010)
CVE-ID: CVE-2009-0087 (MS09-010)
CVE-ID: CVE-2009-0088 (MS09-010)
CVE-ID: CVE-2009-0235 (MS09-010)
CVE-ID: CVE-2009-0084 (MS09-011)
CVE-ID: CVE-2008-1436 (MS09-012)
CVE-ID: CVE-2009-0078 (MS09-012)
CVE-ID: CVE-2009-0079 (MS09-012)
CVE-ID: CVE-2009-0080 (MS09-012)
CVE-ID: CVE-2009-0086 (MS09-013)
CVE-ID: CVE-2009-0089 (MS09-013)
CVE-ID: CVE-2009-0550 (MS09-013)
CVE-ID: CVE-2008-2540 (MS09-014)
CVE-ID: CVE-2009-0550 (MS09-014)
CVE-ID: CVE-2009-0551 (MS09-014)
CVE-ID: CVE-2009-0552 (MS09-014)
CVE-ID: CVE-2009-0553 (MS09-014)
CVE-ID: CVE-2009-0554 (MS09-014)
CVE-ID: CVE-2008-2540 (MS09-015)
CVE-ID: CVE-2009-0077 (MS09-016)
CVE-ID: CVE-2009-0237 (MS09-016)
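The bulletin roll-up above follows a fixed line format. The Python below, an added example that is not part of the original alert, parses that layout (bulletin line, wrapped continuation line, the 'Replaces' supersedence list and the CVE-ID tracking lines) into per-bulletin records so the severity tally and the bulletin-to-CVE mapping can be checked mechanically; the sample text embedded in it is constructed from a subset of this advisory.

```python
"""Parse this advisory's bulletin roll-up ('-- Technical Description --'
lines plus 'CVE-ID: ... (MSxx-xxx)' tracking lines) into records.
Added example, not part of the original alert; SAMPLE is constructed."""
import re
from collections import defaultdict

# Constructed sample in the advisory's own layout (a subset of the page).
SAMPLE = """\
-- Technical Description --
MS09-009 - Excel. Arbitrary code execution. Replaces MS08-074. Critical
MS09-012 - Windows. Multiple vulnerabilities, including code
execution. Replaces MS07-022, MS08-002, MS08-064. Important
MS09-015 - Windows. API Update. Replaces MS07-035. Moderate
-- Description --
(prose omitted)
-- External Tracking Data --
CVE-ID: CVE-2009-0100 (MS09-009)
CVE-ID: CVE-2009-0238 (MS09-009)
CVE-ID: CVE-2008-1436 (MS09-012)
CVE-ID: CVE-2008-2540 (MS09-015)
-- Threat Matrix --
"""

BULLETIN = re.compile(r"^(MS\d{2}-\d{3}) - (.+?)\. (.*)$")
CVE_LINE = re.compile(r"^CVE-ID: (CVE-\d{4}-\d{4,}) \((MS\d{2}-\d{3})\)$")
SEVERITIES = ("Critical", "Important", "Moderate", "Low")


def _section(text, name):
    """Return the lines under a '-- name --' header up to the next header."""
    lines, inside = [], False
    for line in text.splitlines():
        if line.startswith("-- ") and line.endswith(" --"):
            inside = line == f"-- {name} --"
            continue
        if inside:
            lines.append(line)
    return lines


def parse_bulletins(text):
    """Map bulletin id -> {product, severity, replaces, cves}."""
    # Entries wrap at 72 columns: glue continuation lines onto the
    # preceding bulletin line before matching.
    joined = []
    for line in _section(text, "Technical Description"):
        if BULLETIN.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    out = {}
    for entry in joined:
        m = BULLETIN.match(entry)
        if not m:
            continue
        bid, product, rest = m.groups()
        sev = next((s for s in SEVERITIES if rest.rstrip().endswith(s)), None)
        rep = re.search(r"Replaces ([^.]+)\.", rest)
        replaces = re.findall(r"MS\d{2}-\d{3}", rep.group(1)) if rep else []
        out[bid] = {"product": product, "severity": sev,
                    "replaces": replaces, "cves": []}
    # Attach each CVE tracking line to the bulletin it cites.
    for line in _section(text, "External Tracking Data"):
        m = CVE_LINE.match(line)
        if m and m.group(2) in out:
            out[m.group(2)]["cves"].append(m.group(1))
    return out


def severity_counts(bulletins):
    """Tally severities so the prose summary can be cross-checked."""
    counts = defaultdict(int)
    for b in bulletins.values():
        counts[b["severity"]] += 1
    return dict(counts)
```

Running parse_bulletins over the full advisory text gives one record per bulletin, and severity_counts on that result is a quick way to reconcile the list against the Critical/Moderate/Important tally in the prose.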
-- Threat Matrix --
             U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 OS X Coming Under Increased Researcher Scrutiny
While it is still a less-targeted platform, Apple's OS X operating
system has seen some interesting Information Research published in
recent months.
In February, Vincenzo Iozzo presented at Black Hat 09 a method for
injecting code directly into the memory of another application while
it is running. This takes place completely in memory (which separates
it from previous vulnerabilities of this style) and disappears when
the application is terminated. It could be argued that this presents
an epiphytic rather than a parasitic attack route, given that there is
no reliance on the host system to store any part of it (other than
active memory): it attaches to an existing application and disappears
cleanly at the end.
This method still has to rely upon somehow getting the code launched
in the first place, but it means that once launched it is going to be
hidden from sight and not show up as a running process. Getting the
user to launch an arbitrary application is more of a social weakness
than a technical one, as the mountains of malware and infected Windows
systems can attest.
More recently, Dino Dai Zovi demonstrated a heap overflow
vulnerability (one of several he claims are waiting to be found)
which allowed him to take images with the iSight camera.
Meanwhile, at the Pwn2Own contest at CanSecWest, last year's winner,
Charlie Miller, walked away with the MacBook inside of ten seconds, on
his first attempt. Using a Safari vulnerability, he was able to gain
access at least to the privileges that Safari was running under and
demonstrate code execution. Miller had been able to develop and test
the exploit ahead of time and was confident that he would be able to
take out the target system, even going so far as to claim ahead of the
competition that Safari would be the first browser compromised.
Critics would argue that by allowing the use of web browsers on the
first day of the competition, it effectively moved the competition
from an attack against the underlying systems to an attack against web
browser security. With the constant barrage of critical patches for
web browsers across all platforms, it shouldn't come as any surprise
that the competition systems were compromised so quickly. With
researchers having had months to prepare and develop their pet
exploits, it comes down to a race as to who gets to try their exploit
first, rather than a valid example of how long it takes a
representative system to fall to attack. Critics would also point out
that the more desirable laptop (to many, at least) would also be the
first and most heavily targeted.
Critical arguments aside, it is getting harder to argue that OS X is a
lesser targeted platform, especially with the recent work put into
updating one of the most popular hacking toolkits, Metasploit, with OS
X specific capabilities and vulnerabilities. It should not come as any
surprise that those most responsible for the increase in capability
are Charlie Miller and Dino Dai Zovi.
In the face of increasing attention and public exploit demonstration
and release, is it time for Apple to move to a pre-ordained patch
release schedule? Some would argue that it is long past the time when
this should have happened, while others are content with the
relatively random release cycle currently in use. At the least, Apple
could do well by considering how Microsoft has engaged all aspects of
the Information Security community and how they handle Information
Security vulnerability data and patches.
2.2 Around the Frayed Edge of PCI DSS
Following the breach of credit card processor, Heartland, there has
been heated debate on both sides of the argument, as to the value of
PCI and similar mechanisms for ensuring data safety (the new buzz word
of the month being Data Loss Prevention) and system and network
integrity. Whether or not there is anything better available in the
marketplace, PCI DSS has been seized upon as the 'best practice', and
not following it could lead to ostracisation (excommunication, maybe)
for a business that still tries to carry out credit and debit card
transaction handling.
It only takes a single hole to undo a well-constructed set of
defences, but if so many companies are touting their compliance and
adherence to the PCI DSS, and no fully accredited company has had a
breach, what really happened with the Heartland and RBS Worldpay
cases? Is it really security theatre as some would argue, or is it
merely the latest sticking point for people who don't want to go
through the process of auditing and assessment to get accredited? Are
companies claiming that they are compliant, but aren't, in order to
retain or attract customers who are aware of the existence of PCI?
Some of the most ardent advocates of PCI claim that, even if it were
security theatre, then it has at least raised awareness of Information
Security in general and still represents a great leap forward in that
respect and helps force some basic best practices. The problem with
this argument is that doing a really bad job at Information Security
can be more dangerous than no effort at all.
Did Sarbanes-Oxley prevent the financial meltdown? Did the presence
of HIPAA and SB1386 stop the growth of information breaches (it has to
be admitted that SB1386 really set the standard for information
disclosure reporting and helped formalise the current requirements
that exist)? No, and no.
What would go a long way to helping assuage concerned observers would
be complete transparency with reporting of breaches and the subsequent
investigations. So you've had a breach and had to report it. The time
for trying to save face has already passed, now it is important, if
not essential, for complete and open honesty in order that others may
learn from what happened to you (even if it is your mistake that led
to the incident). Unfortunately, this will only happen in an ideal
world - there is just too much at stake to expect people to be
completely honest and open about what has happened or is happening.
Besides, denial is one of the stages of grief and a major security
incident does attract a grief-like response.
This is an area where the direct involvement of an Information
Security professional is really what is needed, but it also seems to
be the least likely to actually happen within the organisations that
need it the most. Good security practices and awareness, even without
the software and hardware elements to back them up are better than all
the software, hardware, and industry best practices that are only
backed by a laissez faire attitude.
Just a little something to think about the next time you sit down to
consider your Information Security needs and compliance to industry
standards.
2.3 Does Microsoft Gain From Exposing Collaborative Cloud Effort?
A group of competitors come together in secret to create a common
approach to handling how different 'clouds' might interact and allow
data to move between, setting out a community-based approach.
Only, now it isn't so secret.
Microsoft was recently invited to be part of this currently secretive
group (whose membership is not known, but is believed to include at
least IBM, Amazon, and Google), but decided not to be involved,
choosing instead to publicly disclose the existence of the document
that is being created in private at the moment.
Microsoft's argument that openness and real community assistance in
developing the 'Cloud Manifesto' is what is really important is true,
though it does come as a surprise coming from Microsoft, a company
that has traditionally fought against the methods and concepts used in
Open Source.
It seems that the intention has always been to open up the discussion
on the effort once a common approach had been agreed upon, so the
question then becomes at what point is it harmful to keep the
development and structuring of the manifesto private? Does it really
benefit the wider community to have input from the very beginning of
the process, or is it best to wait until the major service providers
have worked out a means to interact? The risk of the latter is that
proprietary systems may be implemented that are mutually beneficial to
the major players who have created the agreement, forcing everyone
else to licence and pay for them, or result in the selection of a
sub-optimal solution. The flipside is that allowing everyone to have input
from the very beginning risks having the project bogged down in
minutiae at every turn and could then be forked to a more private
equivalent that is almost the same as what is in place at the moment.
Sometimes projects need a strong leadership cabal who are capable of
making decisions in private before putting them out for community
input and decision. Even major Open Source projects and movements have
figureheads and key decision makers who manage to retain veto powers.
Cloud computing may be just the buzz word du jour, but with the
resources being thrown at it and it being touted as the solution for
everything, there is a lot riding on getting different vendor
creations talking to each other and sharing data effectively. Rather
than having cute fluffy clouds that build and share with each other we
risk having massive towering cumulus and cumulonimbus clouds that
smash into each other, releasing massive amounts of lightning and
thunder, but not achieving much by way of sharing resources. One
buzzword is being supported by another, with Microsoft pushing SOAP,
XML, and REST as part of their approach to opening the data in the
cloud.
When Microsoft holds up Silverlight as an example of openness and
standardisation it leaves a strange taste in the mouths of open source
advocates, something which is further enhanced by the claim that the
manifesto organisers were unwilling to accept Microsoft's
'enhancements to the document'.
Microsoft's move to publicly announce in this light looks like a
vindictive dummy spit, while the reluctance of the other companies
looks like they have an awareness of recent decades of history, where
Microsoft 'enhancements' often cripple or kill non-Microsoft
technologies. Past history can be forgiven, but it isn't going to be
forgotten so quickly. Microsoft may just have to accept that, for the
next couple of years at least, they will encounter this sort of
stonewalling when interacting with the long term companies in the
sector. If their actions indicate that they will no longer use their
'enhancements' to neuter, then it may be accepted. The whole push to
subjugate OpenDocument through the use of Office Open XML (OOXML)
isn't going to leave many feeling willing to readily accept Microsoft
and their enhancements.
Statements such as "Cloud computing...[will] be driven in beneficial
ways by a lot of innovation that we're dreaming up today" by Microsoft
are a two edged sword. The benefits may be great, but it carries all
the hallmarks of being a proprietary Microsoft-only approach that has
been demonstrated all too many times before.
We'll all just have to wait until the Cloud manifesto is released
(said to be March 30) to see just what the hype is all about and what
sort of ideas and processes have been implemented. Those who think the
cloud is just another hype-filled waste of time might secretly be
cheering for the manifesto to be a failure, or for Microsoft to really
deliver on their 'enhancements' as they have in the past and kill it
before it gets too big.
Who is really behind it all? Links to groups and sites have sprung up
all over the place, but with the dating on many being after Microsoft
spilled the beans, it is hard to say where it originated, though here
and here are two of the most likely sources behind the manifesto.
Despite the open linkage after Microsoft's announcement, it does seem
that Microsoft does have a minor point. From the available
information, it does look like there are some biases present (a Google
Code project - probably one of the sore points for Microsoft), but it
is far more open than what has come before.
Come the 30th, we will be able to see just what the bickering and hype
is all about. What is almost certain is that the people and groups
behind the manifesto have completely screwed up the handling of the
public release of information and are scrambling to recover after
Microsoft's announcement.
Let's hope the standard for intercommunication and sharing of data put
forward in the manifesto is better than what has been displayed so far.
2.4 Information Distribution Being Shaken Up In More Than One Way
More and more pressure is being placed on traditional publishers as
the economic crisis continues to bite. Recently there have been major
newspaper publishers filing for bankruptcy protection, with the
publisher of the Los Angeles Times and the Chicago Tribune, and the
publisher of the Chicago Sun-Times filing within four months of each
other. Within that timeframe, the Rocky Mountain News has completely
closed down, and the Seattle Post-Intelligencer has given up print
editions.
It isn't just newspapers that are feeling the pressure. Microsoft has
made the decision to shut down their Encarta encyclopedia website and
software lines. In explaining why they have made the decision to close
down this service, it appears that it is due to the changing way that
people seek and obtain information.
Ready access to a seemingly-limitless tap of free or low cost
information is going to make charging for access to the same (or even
slightly out-dated) information more difficult. Be it encyclopedia or
print media, both faced the same problems from the way people obtain
and consume information. Economic struggles in the wider marketplace
are just a catalyst; the real struggle has been with maintaining
relevancy and a paying client base in the face of increasingly free
services of comparable quality.
The big risk is that it could see a decline in investigative
journalism as fewer organisations are capable of providing the
resources for journalists to spend weeks and months developing a
story. There is also a fear that the quality of journalism is going to
decline as the number of potential news sources rapidly increases
online.
Counter to this argument is the claim that much of what has passed for
journalism in recent years has been poorly written and researched,
with much content lifted from the online sources that are now moving
in to take over the role that the print media once had held in those
areas.
No one will really miss this aspect of journalism.
It doesn't help that circular reporting continues to take place (where
one single source is the spawn for numerous articles that busily cite
each other as proof of something happening), but at least with an
online-primary means of reporting and distribution, this cycle will
take place much quicker, though involve more articles of dubious
quality re-reporting the same factoid.
In the face of this news, it might be surprising, then, to find online
information providers also cutting back on their capabilities and
reach. Rather than having people find the same information from other
sources, it seems that falling advertising revenues are making it
difficult to retain all the writers on staff.
The first to go in any downturn are the freelancers and contractors.
Many who were in this position 12 months ago have found their services
suddenly no longer needed (including some of our own staff who were
writing freelance material in recent years).
Content providers are struggling to find the balance between
delivering quality content in the right quantity, with fewer people.
The fewer articles that are published and the fewer site visitors
there are, the lower the advertising revenue and the harder it is to
retain writers. And so the vicious cycle continues.
Long term Internet users like to argue that much of the advertising is
overbearing and annoying, especially on sites where simple, short
content is spread across several pages in order to maximise potential
ad revenue and the number of ad impressions per article. There are
numerous methods by which site visitors can block the advertisements
that site operators try to get them to view. Some methods block the
requests completely, saving the advertisers the cost of an impression
that isn't seen. Other methods download the advertisement, but then
discard the data once on the local system. This gives the site
operator the impression revenue, but forces the advertiser to pay for
marketing that is never seen.
With advertising continuing to push in on the content of many sites,
falling ad revenues, and increasing methods to fake impressions or
click-through rates, it should come as little surprise that this is
causing content providers who have built their business plans around
advertising fees a lot of trouble and concern.
It hasn't quite been an Internet 2.0 bubble, at least not yet, but the
online environment and many global information collation and
distribution networks are going through some fairly major changes at
the moment, changes that will set out how we seek and interact with
information into the future. Some of the changes are going to be a
step back from what we have now, but it is the unknown technological
improvements that will come along that will really change the world.
2.5 A PowerPoint 0-day and a Second Worm Targeting MS08-067
Microsoft has in recent days identified a new PowerPoint vulnerability
that has been attacked in the wild prior to detection, and has also
announced the discovery of another malware family attacking the same
MS08-067 vulnerability that Conficker initially did.
For the PowerPoint vulnerability, use of the Microsoft Office Isolated
Conversion Environment (MOICE) will help mitigate attacks, by
converting existing binary office file formats into the XML format
supported by recent versions of Office. Microsoft's write up (linked
to above) demonstrates two examples of how the infected PowerPoint
files might appear when first opened, as well as a description of some
of the actions taken once an infected file is opened. Rather than
using the MOICE, an alternative is to avoid PowerPoint files from
untrusted sources or unexpected files from trusted sources.
The new worm family attacking MS08-067's vulnerability appears to have
evolved from an older code base that previously was attacking MS06-040
and earlier vulnerabilities. What is different about this particular
strain detected by Microsoft is that the worm appears to have
integrated some of the features in use by Conficker.
Apart from targeting the MS08-067 vulnerability, it also spreads via
autorun, appearing very similar to how a Conficker-infected device
appears when connected to a system. Similar to Conficker, the worm
downloads its worm payload via HTTP after initial infection, and uses
a driver to patch the network layer to remove system outbound
connection limits in Windows XP SP2.
Although the described added features are fairly generic, the
particular grouping of them in worms attacking the same vulnerability
is an interesting coincidence that could be worth some increased
investigation. Because it can attach itself to the system so that it
is loaded even in Safe Boot mode, it is going to be harder than the
average piece of malware to get rid of.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.