From alertmailinglist at skiifwrald.com Fri Mar 13 21:43:35 2009
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Fri, 13 Mar 2009 22:13:35 +1030
Subject: [Sunnet Alert] Advisory #264 - Microsoft (Multiple), Multiple News
Message-ID: <4CFE0615-2606-47A0-A23A-E3CEE6057D25@beskerming.com>

Sûnnet Beskerming Alert List Advisory #264

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 3 days
======================================
/*
 - Remote or Local - Can it be achieved through a network or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 A Data Breach In The Tea Leaves, Or Tilting At Windmills?
2.2 Backup Policies Can Really Save Businesses
2.3 External RSS Management Migrations
2.4 Patching Cycles and the Adobe Vulnerability
2.5 JBIG2Decode Adobe PDF Vulnerability now Completely Hands Free
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows

-- Technical Description --
MS09-006 - Windows. Remote code execution (Windows kernel, GDI metafile handling). Replaces MS08-061. Critical
MS09-007 - Windows. Data Theft (authentication spoofing in SChannel SSL/TLS). Replaces MS07-031. Important
MS09-008 - Windows. Multiple vulnerabilities in the DNS and WINS servers (spoofing, cache poisoning), including Data Theft. Replaces MS08-037, MS08-034, MS08-066. Important

-- Description --
Microsoft's patch release for March has seen three updates issued, with only the first listed as Critical and the other two as Important. Unfortunately, the Critical one is for a problematic Windows component that has already had several prior updates released for it (WMF and EMF metafile support in GDI). All three patches replace prior patches, but only the first is regarded as a risk for arbitrary code execution. There is not yet a patch for the Excel vulnerability currently being exploited in targeted attacks, and only MS09-008 had vulnerability details publicly available before the patch was released. MS08-052 (GDI+ related code execution) was also updated this month.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity. Because MS09-006 replaces an earlier kernel update and MS08-052 was re-issued, check that the replacement updates are actually reported as installed rather than assuming an earlier patch still covers the component.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-006.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-008.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-0081 (MS09-006)
CVE-ID: CVE-2009-0082 (MS09-006)
CVE-ID: CVE-2009-0083 (MS09-006)
CVE-ID: CVE-2009-0085 (MS09-007)
CVE-ID: CVE-2009-0093 (MS09-008)
CVE-ID: CVE-2009-0094 (MS09-008)
CVE-ID: CVE-2009-0233 (MS09-008)
CVE-ID: CVE-2009-0234 (MS09-008)

-- Threat Matrix --
               U    O
Home User     10   10  (Highly Critical)
Corporate     10   10  (Highly Critical)
=======================================
/*
 Threat Matrix:
 U - User
 O - Operator
 Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 A Data Breach In The Tea Leaves, Or Tilting At Windmills?

Intelligence analysts and operatives are expert at the collection and analysis of seemingly irrelevant snippets of data as they build and form a picture of what is going on. This sort of skill is beginning to find a home amongst some Information Security researchers, and it has led an increasing number of them to claim that there is a major data loss incident (or set of incidents) that has yet to be made public. The increased frequency of reports of small to medium numbers of credit and debit cards being reissued at seemingly unrelated institutions is just one of the clues that has led people to expect a major breach disclosure in the near future. A risk of this sort of approach, and one that the Intelligence community also faces, is that it is possible to read too much into the information that has been collected, so that analysts end up jumping at shadows.
While the signs that a major breach disclosure is coming (within weeks or months) are growing stronger, the breach may turn out to be unrelated to the data collected to date. The uptick in breach reports may just be a sign of improved coverage of breaches, especially following the major Heartland Payment Systems breach, or it could simply represent organic growth and mark the new baseline for data loss reporting. Anyone who has spent time observing how news is reported, how information spreads from source to source, and how its relevance and reliability vary with time and source, would suggest that this reporting may just be echoes of the Heartland breach mixed with growing speculation about a potential new one.

It's too early to say at this stage which side of the argument is right, but whatever happens, more and more consumers are going to find themselves the victims of a data breach and eventual financial fraud. Just as knowing how to write a cheque used to be an essential skill for financial existence, the ability to manage and track finances with a forensic accountant's level of skill seems like what it is going to take to minimise the risk of financial fraud to the everyday individual.

2.2 Backup Policies Can Really Save Businesses

At the end of January, the social bookmarking site Ma.gnolia suffered a significant data corruption and loss incident, resulting in what initially appeared to be a complete loss of user-supplied data. In the fortnight since the initial loss, several efforts have been made to retrieve at least some of the user-supplied content, primarily from web caches, but this has been limited to bookmarks that users had made public.
When a site or service depends on the whim of the masses to remain viable, as almost every social-anything site does, a sudden and long-term loss of data can be a fatal blow, just as it can be for any business. Since people tend not to limit themselves to a single site, there are opportunities for users to recover bookmarks that they may have cross-posted from ma.gnolia to other services. From the information being posted online by Larry Halff (Ma.gnolia's founder), it seems that there is ongoing trouble in trying to recover the lost data, and there is still no end in sight for when the service may be brought back online or any of the stored data recovered.

No information has been made public about whether adequate data backup policies were in place, but the lesson is that data backup is more than just a chore - it can really save a business. Even if there were adequate backups, the data corruption may have extended back through enough of the backups to limit the usefulness of actually recovering the site, which is why a backup regime has to include regularly restoring from those backups and verifying the result, not merely taking them.

2.3 External RSS Management Migrations

From the time that Google acquired FeedBurner in 2007, there has been a slow but ongoing push to move services across to Google-hosted equivalents. As of this weekend, specifically February 28, FeedBurner accounts are expected to have been completely moved across to Google Accounts, and users of FeedBurner who have not yet established a Google account and moved their feeds across will find that they can no longer access their FeedBurner accounts. While Google have stated that they intend to keep the feeds.feedburner.com/feedname link available for existing feeds ("for as long as this service exists"), it is recommended that feed references are updated where possible to reflect the new home for feeds - feedproxy.google.com/feedname.
Users who have not created a Google Account or otherwise ensured that their feeds have been moved to their Google account (automatic for most users) will probably find requests for their feeds returning 404 errors, or 301 redirects to the new location, from this weekend on. Some feed operators will find that the loss of Site Stats (visitors) and FeedBurner Networks has a detrimental effect on the level of service they get from the now fully Google-absorbed feed delivery system. Google has retired the FeedBurner Networks feature due to poor usage rates; however, FeedBurner Network operators have had a significant period of time to migrate their networks to other systems. Competition from standalone feed aggregators and feed readers, as well as flexible online management tools (including the powerful Yahoo! Pipes product), are possible reasons why FeedBurner Networks never really took off as hoped, though there were some high quality Networks that were created and actively used.

Sûnnet Beskerming will soon be updating the RSS feed address for the primary company feeds to reflect their new home at feedproxy.google.com, though we will continue to ensure that the old FeedBurner address is supported for several more days. Most reader applications and integration tools will automatically update to the new address, especially with the replication across to the old feedburner.com addresses; however, it is more efficient to point to the actual hosting location and not a redirected or mirrored site. It will also mean that if and when Google shut down the FeedBurner domain, Sûnnet Beskerming feeds will continue to be available without disruption.
New feed locations are as follows:
 * Blended Feed (main feed) - http://feedproxy.google.com/beskermingcombined
 * Commentary Only Feed - http://feedproxy.google.com/beskermingcommentary

2.4 Patching Cycles and the Adobe Vulnerability

Just how quickly a vendor should move to release patches for security vulnerabilities has been a point of contention for as long as there have been patches for software. Over time, different vendors have settled into their own routines and patching cycles, providing end users and administrators with either a time-based release cycle or an opportunistic one. Time-based cycles, such as Microsoft's monthly patch release or Oracle's quarterly patch releases, give users and administrators the knowledge that there are defined times when patches will be made available, but they also mean that vulnerabilities may be exposed for significant periods before patching (and there is no guarantee that a patch for any given vulnerability will be made available in the period following discovery or disclosure).

Microsoft moved to releasing patches on the second Tuesday of every month, with an advance notification released the previous Thursday, following pressure from administrators and end users who found that a seemingly random release cycle was making their jobs more difficult than they needed to be, and that a regular release cycle would allow them to plan patch testing and rollout reliably. For Microsoft, the monthly release cycle seems to have hit a sweet spot, helping to reduce the number of out-of-cycle patches that need releasing, while for a database vendor like Oracle the quarterly release cycle seems to work well, although there are critics of this lengthy approach.
Ad-hoc patch release cycles, such as those adhered to by Apple, most Linux distributions, and a number of other software vendors, mean that patches can be released on an as-needed basis, but they also leave administrators and users in the dark about how long it will be until the next patch release. Even though the ad-hoc approach seems like it would provide the most rapid response to any publicised vulnerability, which is the case for many Linux distributions, it can still have inherent delays between vulnerability disclosure and patching - something that has been seen recently with the highly public disclosure of an Adobe Acrobat and Reader exploit.

Public claims were made in mid February by Shadowserver of a previously unknown PDF-related vulnerability circulating in the wild and being used for targeted attacks. This was soon followed by the public release of exploit sample code which demonstrated a JBIG2 (JBIG2Decode filter) issue. Initially it was believed that JavaScript was required to exploit the issue, and early mitigation advice was that disabling JavaScript support would be sufficient to protect against exploitation. Once exploit sample code was freely available, it was found that the vulnerability could be exploited without any use of JavaScript: the JavaScript in the in-the-wild samples was only there to spray the heap, while the memory corruption itself is triggered when the malformed JBIG2 stream is decoded.

Shadowserver are considered the first to publicly alert to the presence of the vulnerability under exploitation, but there are counterclaims that some security companies were aware of it as early as December 2008. With different times of discovery being claimed, and the Adobe advisory not appearing until after Shadowserver issued their information, it raises the question of whether Adobe were on top of the vulnerability earlier than their advisory suggests, or whether they were pressured into releasing the information following the Shadowserver release.
With no patch scheduled until March 11, there is a community-released patch, but it provides only limited protection and only for Windows XP users, leaving the other affected platforms unprotected. At the same time that information about the new vulnerability was being made public, there were cases of exploits against Internet users by way of poisoned ads hosted on Ziff-Davis sites that used attacks against older versions of Adobe Reader (8.1.2 and earlier) to deliver their payload.

2.5 JBIG2Decode Adobe PDF Vulnerability now Completely Hands Free

Adobe's patch for the JBIG2Decode vulnerability is expected in just a few days' time. However, as the wider security community gets to spend more time playing around with the vulnerability, more interesting ways to trigger it are found. After his recent documentation of three methods to trigger the vulnerability without actually double-clicking and opening an affected file, Didier Stevens has gone one better and has documented a new method that triggers the exploit with no user interaction at all, and which results in the exploit code running with Local System privileges.

In order for a system to be vulnerable to this particular approach, it needs to have Adobe Reader 9.0 installed and the Windows Indexing Service running. As part of the installation process for Reader 9.0, it installs an IFilter (an indexing plug-in) to allow Windows Explorer and the Indexing Service to interpret and index PDFs. The IFilter is called by whichever indexer encounters a PDF, and it in turn calls the Reader core interpreter, which is vulnerable to the JBIG2Decode bug. In specific technical terms, cidaemon.exe (the Indexing Service's content indexing daemon) encounters a PDF and calls AcroRDIF.dll, which loads AcroRD32.dll, which is vulnerable to the exploit. This all takes place with Local System privileges, so an attacker only needs to get a crafted PDF onto an indexed path; nobody has to open it.
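Given that chain, the practical control is to stop JBIG2Decode-bearing PDFs before an indexer or a user touches them. The following is an added example, not code from Adobe, Didier Stevens or Sûnnet Beskerming: a small Python triage scanner in the spirit of Didier's pdfid that decodes #xx-escaped names (so /JB#49G2Decode is not missed), inflates FlateDecode streams so that a dictionary hidden inside a PDF 1.5 object stream is also seen, and flags the file on the filter alone, since JavaScript is not required. The sample PDFs, regular expressions and function names (scan_pdf, unescape_names, build_objstm_pdf) are constructed for this example and contain no JBIG2 data.

```python
import re
import zlib
from dataclasses import dataclass

# Added example scanner; not code from Adobe, Didier Stevens or this advisory.
# PDF name tokens may hex-escape any byte as #xx, so a byte-for-byte grep for
# "/JBIG2Decode" misses "/JB#49G2Decode". Names are decoded before comparing.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")   # a PDF name token
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")     # one #xx escape inside a name
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")    # start of a stream body


def unescape_names(raw: bytes) -> bytes:
    """Decode #xx escapes so /JB#49G2Decode compares equal to /JBIG2Decode."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


@dataclass
class PdfReport:
    jbig2: int = 0             # names resolving to /JBIG2Decode
    javascript: int = 0        # /JS or /JavaScript (not needed for this bug)
    auto_actions: int = 0      # /OpenAction or /AA entries
    obfuscated_names: int = 0  # names that used #xx escapes
    inflated_streams: int = 0  # FlateDecode streams inflated and rescanned

    def suspicious(self) -> bool:
        # The filter alone is the trigger; flag it even with no JavaScript present.
        return self.jbig2 > 0


def _count_names(rep: PdfReport, text: bytes) -> None:
    for m in NAME_RE.finditer(text):
        raw = m.group(1)
        if b"#" in raw:
            rep.obfuscated_names += 1
        name = unescape_names(raw)
        if name == b"JBIG2Decode":
            rep.jbig2 += 1
        elif name in (b"JS", b"JavaScript"):
            rep.javascript += 1
        elif name in (b"OpenAction", b"AA"):
            rep.auto_actions += 1


def scan_pdf(data: bytes) -> PdfReport:
    """Count trigger-relevant names in the clear-text parts of a PDF and inside
    any FlateDecode stream (PDF 1.5 object streams hide dictionaries there)."""
    rep = PdfReport()
    pos = 0
    for m in STREAM_RE.finditer(data):
        if m.start() < pos:                      # "stream" inside a consumed body
            continue
        end = data.find(b"endstream", m.end())
        if end < 0:
            break
        _count_names(rep, data[pos:m.start()])   # clear text before this stream
        obj_start = max(data.rfind(b" obj", pos, m.start()), pos)
        stream_dict = unescape_names(data[obj_start:m.start()])
        if b"/FlateDecode" in stream_dict:
            try:
                inflated = zlib.decompressobj().decompress(data[m.end():end])
                rep.inflated_streams += 1
                _count_names(rep, inflated)
            except zlib.error:
                pass                             # truncated or bogus stream: skip
        pos = end                                # raw binary bodies are not scanned
    _count_names(rep, data[pos:])
    return rep


# Constructed sample files: dictionaries only, no JBIG2 data, not exploits.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# JBIG2 image XObject with the filter name hex-escaped to dodge a naive grep.
JBIG2_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8"
    b" /BitsPerComponent 1 /Filter /JB#49G2Decode /Length 4 >>\nstream\n"
    b"\x00\x00\x00\x00\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_objstm_pdf() -> bytes:
    """Same image dictionary, but hidden inside a compressed object stream."""
    inner = b"4 0 << /Type /XObject /Subtype /Image /Width 8 /Height 8 /Filter /JBIG2Decode >>"
    comp = zlib.compress(inner)
    return (
        b"%PDF-1.5\n1 0 obj << /Type /Catalog >> endobj\n"
        b"2 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(comp)).encode() + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("escaped-name", JBIG2_PDF),
                        ("in-objstm", build_objstm_pdf())):
        print(f"{label:13} {scan_pdf(blob)}")
```

A hit means "declares the trigger filter", not "is malicious"; legitimate scanned documents use JBIG2 too, so the right response on an upload path that feeds cidaemon.exe is to quarantine and review, not to delete silently. The scanner does not follow filter chains, handle encrypted PDFs, or cope with junk before the %PDF header (which the Reader parser tolerates), so treat it as a first pass rather than a proof of cleanliness.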
A positive aspect to the discovery is that the Indexing Service is not activated by default on Windows XP SP2, though it will be activated if the user answers yes to the offer to make future searches faster after they first carry out a local search from an administrator-level account. The counter to this is that other software can also call the Acrobat IFilter, including Windows Desktop Search (also vulnerable, but running as the less privileged Local Service account), SharePoint, and SQL Server (which has interesting implications for DBAs and developers who elect to store binary data in their databases and full-text index it).

Didier describes a blended attack where a system that has the Indexing Service enabled, and also offers some means to upload files, can be remotely compromised to give a Local System shell with absolutely no interaction from a local or logged-in user.

There is some lingering doubt as to when the affected DLLs are loaded by Windows Explorer, but it is guaranteed that once the user has tried to carry out a "word or phrase in the file" type search, the DLLs are loaded and remain present until the next time Windows Explorer is restarted. Even with the options of just killing and restarting the process, or just logging the active user off and back on, it isn't obvious at this stage how likely it is that the affected DLLs have been properly unloaded from memory. A full system shutdown and restart is about the only guaranteed way to make sure.

It has also been found by commenters on Didier's blog that even uninstalling Adobe Reader leaves behind the vulnerable DLLs that hook into Windows Explorer, something that can be simply verified by looking for them in Process Explorer after attempting a "word or phrase in the file" type search once Reader has been uninstalled.

Depending on how alternative desktop search solutions (such as Google Desktop Search [which doesn't use IFilters unless a third-party add-on has been installed], Yahoo! Desktop Search, and a number of commercial solutions) implement their search-within-a-file options, they could also be vulnerable to this particular exploitation method. Similarly, indexing of attachments within PST files could present an exploitable problem when the right conditions are encountered.

=======================================

Sincerely,
Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.