[Sunnet Alert] Advisory #264 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Mar 13 21:43:35 EST 2009
Sûnnet Beskerming Alert List Advisory #264
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 A Data Breach In The Tea Leaves, Or Tilting At Windmills?
2.2 Backup Policies Can Really Save Businesses
2.3 External RSS Management Migrations
2.4 Patching Cycles and the Adobe Vulnerability
2.5 JBIG2Decode Adobe PDF Vulnerability now Completely Hands Free
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows
-- Technical Description --
MS09-006 - Windows. Remote code execution (GDI). Replaces MS08-061.
Critical
MS09-007 - Windows. Data Theft (SSL, TLS). Replaces MS07-031. Important
MS09-008 - Windows. Multiple vulnerabilities including Data Theft.
Replaces MS08-037, MS08-034, MS08-066. Important
-- Description --
Microsoft's patch release for March has seen three updates issued,
with only the first listed as Critical and the other two as
Important. Unfortunately, it is for a problematic Windows component
that has had several prior updates released for it (WMF, EMF support
in GDI). All three patches replace prior patches, but only the first
is regarded as being a risk for arbitrary code execution. There has
not yet been a patch issued for the Excel vulnerability currently
being targeted in careful attacks, and only MS09-008 had vulnerability
data publicly available prior to patch release. MS08-052 (GDI+ related
code execution) was also updated this month.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-006.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-008.mspx
-- External Tracking Data --
CVE-ID: CVE-2009-0081 (MS09-006)
CVE-ID: CVE-2009-0082 (MS09-006)
CVE-ID: CVE-2009-0083 (MS09-006)
CVE-ID: CVE-2009-0085 (MS09-007)
CVE-ID: CVE-2009-0093 (MS09-008)
CVE-ID: CVE-2009-0094 (MS09-008)
CVE-ID: CVE-2009-0233 (MS09-008)
CVE-ID: CVE-2009-0234 (MS09-008)
-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 A Data Breach In The Tea Leaves, Or Tilting At Windmills?
Intelligence analysts and operatives are expert at the collection and
analysis of seemingly irrelevant snippets of data as they build and
form a picture of what is going on.
This sort of skill is beginning to find a home amongst some
Information Security researchers and it has led an increasing number
of researchers to claim that there is a major data loss incident (or
set of incidents) that has yet to be made public. Increased frequency
of reports of small to medium numbers of credit and debit cards being
reissued at seemingly-unrelated institutions are just some of the
clues that have led people to consider that a major breach disclosure
is set to take place in the near future.
A risk of this sort of approach, and it is one that the Intelligence
community faces, is that it is possible to read too much into the
information that has been collected and analysts end up jumping at
shadows. While signs are growing stronger that there is a major breach
disclosure coming up in the near future (weeks or months), it may just
be that the breach is an independent occurrence as far as the data
collected to-date is concerned. The uptick in breach reports may just
be a sign of improved coverage of breaches, especially following the
major Heartland Payment Systems breach, or it could just represent
organic growth and merely mark the new baseline for data loss reporting.
Anyone who has spent time observing how news is reported, how
information spreads from source to source and how it varies in
relevancy and reliability with time and source, would suggest that
this reporting may just be echoes of the Heartland data breach being
mixed with increasing reporting of a potential breach.
It's too early to say at this stage which side of the argument is
right, but whatever happens, more and more consumers are going to find
themselves the victims of a data breach and eventual financial fraud.
Just as knowing how to write a cheque used to be an essential skill
for financial existence, the ability to manage and track finances with
a forensic accountant's level of skill seems like what it is going to
take in order to minimise the risk of financial fraud to the everyday
individual.
2.2 Backup Policies Can Really Save Businesses
At the end of January, social bookmarking site, Ma.gnolia suffered a
significant data corruption and loss incident, resulting in what
initially appeared to be a complete loss of user supplied data.
In the fortnight since the initial loss of data, there have been
several improvements that have been made to retrieve at least some of
the user supplied content, primarily from web caches, however this has
been limited to only public bookmarks that users supplied.
When a site or service is dependent upon the whim of the masses to
remain viable, such as with almost every social-anything site, the
sudden and long term loss of data can be a fatal blow, much as it can
also be for any business.
Since people tend not to limit themselves to a single site to do
things on, there are opportunities for users to recover bookmarks that
they may have linked from ma.gnolia to other services.
From the information being posted online by Larry Halff, it seems
that there is ongoing trouble in trying to recover the data that has
been lost and there is still no end in sight for when the service may
be brought back online, or any of the stored data recovered.
No information has been made public about whether there were any
adequate data backup policies in place, but it is a lesson that data
backup is more than just a chore - it can really save a business. Even
if there were adequate backups, the data corruption may have extended
back through enough of the backups to limit the usefulness of actually
recovering the site.
2.3 External RSS Management Migrations
From the time that Google acquired FeedBurner in 2007, there has been
a slow but ongoing push to move services across to Google-hosted
equivalents. As of this weekend, specifically February 28, it is
expected that FeedBurner accounts will have been completely moved
across to Google Accounts and that users of FeedBurner who have not
yet established a Google account and moved their feeds across will
find that they will no longer be able to access their FeedBurner
accounts.
While Google have stated that they intend to keep the
feeds.feedburner.com/feedname link available for existing feeds ("for
as long as this service exists"), it is recommended that feeds are
updated where possible to reflect the new home for feeds -
feedproxy.google.com/feedname. Users who have not created a Google
Account, or otherwise ensured that their feeds have been moved to their
Google account (automatic for most users), will probably find their
feeds returning 404 or 301 errors whenever the feeds are accessed,
starting from this weekend.
Some feed operators will find that the loss of Site Stats (visitors)
and FeedBurner Networks will have a detrimental effect on the level of
service they get from the now fully Google-absorbed feed delivery
system. Google has retired the FeedBurner Network feature due to poor
usage rates, however FeedBurner Network operators have had a
significant period of time to migrate their networks to other systems.
Competition from standalone feed aggregators and feed readers, as well
as flexible online management tools (including the powerful Yahoo!
Pipes product) are possible reasons why FeedBurner Networks never
really took off like it was hoped, though there were some high quality
Networks that were created and actively used.
Sûnnet Beskerming will soon be updating the RSS feed address for the
primary company feeds to reflect their new home at
feedproxy.google.com, though we will continue to ensure that the old
FeedBurner address is supported for several more days. Most reader
applications and integration tools will automatically update to the
new address, especially with the replication across to the old
feedburner.com addresses, however it is more efficient to point to the
actual hosting location and not a redirected or mirrored site. It will
also mean that if and when Google shut down the FeedBurner domain that
Sûnnet Beskerming feeds will continue to be available without
disruption.
New feed locations are as follows:
* Blended Feed (main feed) - http://feedproxy.google.com/beskermingcombined
* Commentary Only Feed - http://feedproxy.google.com/beskermingcommentary
2.4 Patching Cycles and the Adobe Vulnerability
Just how quickly a vendor should move to release patches for security
vulnerabilities has been a point of contention for as long as there
have been patches for software. Over time different vendors have
settled into their own routines and patching cycles, providing end
users and administrators with either a time-based releasing cycle or
an opportunistic release cycle.
Time based cycles, such as Microsoft's monthly patch release, or
Oracle's quarterly patch releases, may provide users and
administrators with the knowledge that there are defined times when
patches will be made available, but it does mean that vulnerabilities
may be exposed for significant periods of time before patching (though
there is no guarantee that a patch for any vulnerability will be made
available in the period following discovery or disclosure). Microsoft
made their move to releasing patches on the second Tuesday of every
month, with a pre-release notification released the previous Thursday,
following pressure from administrators and end users that a seemingly
random release cycle was making their jobs more difficult than they
needed to be and that a regular release cycle would allow them to plan
patch testing and rollout reliably.
For Microsoft, the monthly release cycle seems to have hit a sweet
spot for patch releases, helping to reduce the number of out-of-cycle
patches that need releasing, while for a database vendor like Oracle,
the quarterly release cycle seems to work well, although there are
critics of this lengthy approach.
Ad-hoc patch release cycles, such as those adhered to by Apple, most
Linux distributions, and a number of other software vendors, mean that
patches can be released on an as-needed basis, but it does mean that
administrators and users are left in the dark about the length of time
before the next patch release. Even though the ad-hoc approach seems
like it would provide the most rapid response to any publicised
vulnerability, which is the case for many Linux distributions, it can
still have inherent delays between vulnerability disclosure and
patching - something that has been seen recently with a highly public
disclosure of an Adobe Acrobat and Reader exploit.
Public claims were made in mid February by Shadowserver of a
previously undiscovered PDF-related vulnerability that was circulating
in the wild, being used for targeted attacks. This was soon followed
by the public release of exploit sample code which demonstrated a JBIG
issue. Initially it was believed that JavaScript was required to
exploit the issue and early mitigation advice was that disabling
JavaScript support would be sufficient to protect against
exploitation. When exploit sample code was freely available it was
found that it was possible to exploit without the use of JavaScript.
Shadowserver are considered the first to publicly alert to the
presence of the vulnerability under exploitation, but there are
counterclaims that some security companies were aware of this as early
as December 2008. With the different times of discovery being claimed,
and the Adobe advisory not appearing until after Shadowserver issued
their information, it raises the question as to whether Adobe were on
top of the vulnerability at an earlier date than their Advisory, or
whether they were pressured into releasing the information following
the Shadowserver release.
With no patch scheduled until March 11, community-released patches
exist, but they only provide limited protection for Windows XP users,
leaving the other affected platforms unprotected.
At the same time that information about the new vulnerability was
being made public, there were cases of exploits against Internet users
by way of poisoned ads hosted at Ziff-Davis that used an attack
against older versions of Adobe Acrobat Reader (8.12 and earlier) to
deliver their payload.
2.5 JBIG2Decode Adobe PDF Vulnerability now Completely Hands Free
Adobe's expected patch for the JBIG2Decode exploitable vulnerability
is expected in just a few days time. However, as the wider security
community gets to spend more time playing around with the
vulnerability, more interesting ways to trigger the vulnerability are
found.
After his recent documentation of three methods to trigger the
vulnerability without actually double clicking and opening an affected
file, Didier Stevens has gone one better and has documented a new
exploitation method that activates the exploit with no user
interaction, and which results in the exploit code running with Local
System privileges.
In order for a system to be vulnerable to this particular approach, it
needs to have Acrobat Reader 9.0 installed, and the Windows Indexing
Services started. As part of the installation process for Reader 9.0,
it installs an assistant (IFilter) to allow Windows Explorer to
interpret and index PDFs. This is called by Windows Explorer when it
encounters a PDF and it subsequently calls the Acrobat Reader core
interpreter, which is vulnerable to the JBIG2Decode vulnerability.
In specific technical terms, cidaemon.exe encounters a PDF and calls
AcroRDIF.dll, which loads AcroRD32.dll, which is vulnerable to the
exploit. This all takes place with Local System privileges.
A positive aspect to the discovery is that the Indexing Service is not
activated by default on Windows XP SP2, though it will be activated if
the user answers yes to the offer to make future searches faster after
they first carry out a local search in an administrator level account.
The counter to this is that other software can also call the Acrobat
IFilter, including Windows Desktop Search (also vulnerable, but to a
lesser privileged Local Service account), SharePoint and SQL Server
(which has interesting implications for DBAs and developers who elect
to store binary data in their databases).
Didier describes a blended attack where a system that has had the
Indexing Service enabled, and also has a means to upload files can be
remotely compromised to give a local system shell with absolutely no
interaction from a local or logged in user.
There is some lingering doubt as to when the affected dlls are loaded
by Windows Explorer, but it is guaranteed that once the user has tried
to carry out a "word or phrase in the file" type search, the dlls are
loaded and present until the next time Windows Explorer is restarted.
Even with the options of just killing and restarting the process, or
just logging the active user off and back on, it isn't obvious at this
stage just how likely it is that the affected dlls have been properly
unloaded from memory. A full system shut down and restart is about the
only guaranteed way to make sure.
It has also been found by commenters on Didier's blog that even
uninstalling Acrobat Reader leaves behind the vulnerable dlls that
hook into Windows Explorer, something that can be simply verified by
looking for them in Process Explorer after attempting a "word or
phrase in the file" type search after uninstalling Reader.
Depending on how alternative desktop search solutions (such as Google
Desktop Search [doesn't use IFilters unless third party add on has
been included], Yahoo! Desktop Search, and a number of commercial
solutions) implement search within a file options, they could also be
vulnerable to this particular exploitation method. Similarly, indexing
of attachments within PST files could present an exploitable problem
when the right conditions are encountered.
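The exposure described in this item comes down to three things an administrator can check: whether an indexing service is running, whether a PDF IFilter is registered, and whether any running process currently holds the Acrobat Reader DLLs. The PowerShell below is an added example written for this advisory (it is not code from the advisory or from Didier Stevens); it assumes the DLL names given above (AcroRDIF.dll, AcroRD32.dll), the service names CiSvc (Indexing Service) and WSearch (Windows Search), and the standard IFilter registration chain under HKEY_CLASSES_ROOT.

```powershell
# Added example: defender-side exposure check for the PDF IFilter chain.
# Assumptions (not from the advisory): service names CiSvc / WSearch and
# the IFilter registration chain .pdf -> PersistentHandler -> IFilter addin.
$IFilterIID  = '{89BCB740-6119-101A-BCB7-00DD010655AF}'  # IID_IFilter
$SuspectDlls = @('AcroRDIF.dll', 'AcroRD32.dll')          # names from the advisory

function Get-PdfIFilterDll {
    # Resolve which DLL Windows will load as the IFilter for .pdf files.
    $ph = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.pdf\PersistentHandler' `
           -ErrorAction SilentlyContinue).'(default)'
    if (-not $ph) { return $null }
    $addin   = "Registry::HKEY_CLASSES_ROOT\CLSID\$ph\PersistentAddinsRegistered\$IFilterIID"
    $handler = (Get-ItemProperty $addin -ErrorAction SilentlyContinue).'(default)'
    if (-not $handler) { return $null }
    # A registration that survives an uninstall is what blog commenters observed.
    return (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$handler\InprocServer32" `
            -ErrorAction SilentlyContinue).'(default)'
}

function Get-ProcessesWithAcrobatDlls {
    # The advisory notes the DLLs stay resident in Explorer after a
    # "word or phrase in the file" search; list every process holding them.
    $hits = @()
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        try { $mods = $p.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $mods) {
            if ($SuspectDlls -contains $m.ModuleName) {
                $hits += [pscustomobject]@{
                    Process = $p.ProcessName; PID = $p.Id
                    Module  = $m.ModuleName;  Path = $m.FileName
                }
            }
        }
    }
    return $hits
}

# Report: indexing services, IFilter registration, resident DLLs.
$ci = Get-Service -Name CiSvc   -ErrorAction SilentlyContinue
$ws = Get-Service -Name WSearch -ErrorAction SilentlyContinue
"Indexing Service (CiSvc): {0}" -f $(if ($ci) { $ci.Status } else { 'not installed' })
"Windows Search (WSearch): {0}" -f $(if ($ws) { $ws.Status } else { 'not installed' })
$dll = Get-PdfIFilterDll
"PDF IFilter DLL: {0}"          -f $(if ($dll) { $dll } else { 'none registered' })
$loaded = Get-ProcessesWithAcrobatDlls
if ($loaded) { "Processes currently holding Acrobat DLLs:"; $loaded | Format-Table -AutoSize }
else         { "No running process has AcroRDIF.dll / AcroRD32.dll loaded." }
```

A running CiSvc together with a registered Acrobat IFilter is the combination the item describes; a non-empty process list after a Reader uninstall confirms the leftover-DLL observation from the blog comments.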
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.