From alertmailinglist at skiifwrald.com Thu May 13 23:54:34 2010
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Thu, 13 May 2010 23:24:34 +0930
Subject: [Sunnet Alert] Advisory #278 - Microsoft (Multiple), Multiple News

Sünnet Beskerming Alert List Advisory #278

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 Days

=======================================
/*
 - Remote or Local - Can it be achieved through a network, or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/

--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 New Top Level Domains Open a Broader Internet for All
2.2 Microsoft Pulls MS10-025, Will Re-release Later
2.3 McAfee Update Takes Out Windows Systems
2.4 Internet Explorer XSS Filter Can Result in XSS Attack Against Immune Sites

=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Office

-- Technical Description --
MS10-030 - Outlook Express. Remote code execution. Replaces MS09-037, MS08-048. Critical.
MS10-031 - Visual Basic for Applications. Remote code execution. Replaces MS08-013, MS06-047. Critical.

-- Description --
Microsoft has released two bulletins with the May Security Bulletin release, matching what was identified in the advance notification. Both bulletins address remote code execution vulnerabilities, and proof of concept code for the vulnerability targeted by MS10-030 was publicly available ahead of the patch release.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity. Note that MS10-031 covers the VBA runtime shared by Office and by third-party applications that embed VBA, so machines running such applications need the update as well, not only machines with Office installed.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx

-- External Tracking Data --
CVE-ID: CVE-2010-0816 (MS10-030)
CVE-ID: CVE-2010-0815 (MS10-031)

-- Threat Matrix --
              U    O
Home User    10   10   (Highly Critical)
Corporate    10   10   (Highly Critical)

=======================================
/*
Threat Matrix:
 U - User
 O - Operator
 Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 New Top Level Domains Open a Broader Internet for All

Until very recently, all domains on the Internet were described through some form of Latin script. That has now changed, with ICANN enabling support for non-Latin scripts in top level domains. Egypt, Saudi Arabia, and the UAE have been the first countries to take advantage of this new ability to write website addresses in their native script, rather than through romanised equivalents or in a non-native script. This advancement is significant, as it allows languages written right-to-left to have full support, with entire addresses written in native script.

Even with this support, there still needs to be a correlation between the underlying networking systems, which continue to operate on raw numerical IP addresses and ASCII-only DNS labels, and the newly introduced non-Latin scripts. That bridge is the IDNA encoding: the native-script name is converted by the browser or resolver into an ASCII label beginning with "xn--" before it is ever looked up. As such, the new Arabic suffix for Egypt, مصر (romanised as "masr", Arabic for Egypt), is carried in DNS as the ccTLD (Country Code Top Level Domain) label xn--wgbh1c. On computers without the appropriate font or browser support for non-Latin scripts, the new domains will look like a nonsensical mishmash of characters, or will only be seen in their xn-- form, but on systems with the appropriate fonts and browsers the new domains open up a whole new world of viability on the Internet.

Arabic isn't the only non-Latin script for which support is being demanded, with a number of Asian scripts and Russian (expected then to support all Cyrillic-script languages) being requested from ICANN. This support, and the other scripts to follow, is a wonderful step towards improving availability and accessibility across the globe, with an ever increasing number of non-Latin script users getting access to the Internet every day.
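The correlation described above between a native-script name and the ASCII-only DNS is worth seeing in code, because the xn-- label is what every filter, log and blocklist actually sees. The following is an added example written for this advisory, not code from ICANN, a registry or any browser. It uses only the Python standard library (the "idna" codec, which implements IDNA 2003, the version browsers of this period use) to convert labels in both directions, and it includes a first-cut mixed-script check of the kind the phishing risk discussed below calls for. The sample labels are constructed for the example, and the script detection, which keys off the first word of each character's Unicode name, is an assumption good enough for a first-pass filter rather than a full confusables implementation.

```python
"""Added example: how a native-script domain label reaches the ASCII-only
DNS, plus a first-cut check for look-alike (homograph) labels.

Standard library only. The 'idna' codec implements IDNA 2003
(nameprep + Punycode), which is what browsers of the period use.
"""
import unicodedata

# Constructed sample labels for the example (not taken from the advisory).
EGYPT_ARABIC = "\u0645\u0635\u0631"   # مصر, the Arabic IDN ccTLD for Egypt
LATIN_ONLY = "paypal"
LOOKALIKE = "p\u0430ypal"             # Cyrillic small a (U+0430) replaces Latin a


def to_ace(label: str) -> str:
    """Return the ASCII Compatible Encoding (ACE) form of a single label.

    Pure-ASCII labels come back unchanged; anything else becomes an
    'xn--' Punycode label, which is what is actually looked up in DNS.
    """
    return label.encode("idna").decode("ascii")


def from_ace(ace: str) -> str:
    """Inverse of to_ace: decode an 'xn--' label back to its Unicode form."""
    return ace.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Heuristic script detection (an assumption, not Unicode TR39):
    the first word of a character's Unicode name is its script
    ('LATIN', 'CYRILLIC', 'ARABIC', 'CJK', ...). Digits and hyphens are
    ignored because every script legitimately shares them.
    """
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def is_mixed_script(label: str) -> bool:
    """A single label mixing scripts is the classic homograph pattern
    (e.g. 'p' + Cyrillic 'а' + 'ypal'). A label written entirely in one
    foreign script, such as an Arabic ccTLD, is legitimate and not flagged.
    """
    return len(scripts_in(label)) > 1


def assess(domain: str) -> dict:
    """Summarise what the user sees versus what DNS sees, per label."""
    labels = domain.split(".")
    return {
        "display": domain,
        "dns": ".".join(to_ace(lbl) for lbl in labels),
        "mixed_script_labels": [lbl for lbl in labels if is_mixed_script(lbl)],
    }


if __name__ == "__main__":
    for name in (EGYPT_ARABIC, LATIN_ONLY + ".com", LOOKALIKE + ".com"):
        r = assess(name)
        print(f"{r['display']:<12} -> DNS {r['dns']:<20} mixed={r['mixed_script_labels']}")
```

Run as a script it prints one line per sample: the Arabic ccTLD maps to xn--wgbh1c and is not flagged, the plain Latin name is unchanged, and the Cyrillic look-alike is flagged as mixed-script while its DNS form starts with xn--pypal-. The mixed-script test is deliberately conservative: it will not catch a look-alike written entirely in one foreign script, which needs a confusables table rather than a script check.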
A risk which isn't immediately obvious is that this opens up a new world of opportunity for scammers and phishers to register domains that visually appear very similar to legitimate sites in the address bar, but whose underlying xn-- address is completely different, thanks to being registered in a non-Latin script. Because the deception relies on how characters are rendered, users may not be able to tell otherwise similar-looking characters apart. It also means that software and tools designed to help detect phishing or XSS attacks will have to expand their repertoire significantly, to interpret and assess a much broader range of character sets and renderings. Ultimately, the introduction of this support is a wonderful thing for the Internet as a whole, and anything that encourages more people to interact with the Internet is to be welcomed.

2.2 Microsoft Pulls MS10-025, Will Re-release Later

Microsoft, via the Microsoft Security Response Center (MSRC), has reported that MS10-025 is to be withdrawn and reissued once it properly addresses the vulnerability it attempted to patch. A follow-up post identifies that not all known attack vectors were adequately closed off by the original version of the update, and that the patch was pulled for that reason: to spare users and administrators an unnecessary restart cycle and to ensure clients are properly protected from the known attack vectors. While a date has not been set for the bulletin's re-release, it is expected this coming week. Administrators who already deployed the original update should still plan for the re-release, since the first version leaves some known attack vectors open.

2.3 McAfee Update Takes Out Windows Systems

McAfee recently encountered one of the worst things an antivirus vendor can face: an update to their antivirus tools caused Windows XP systems to lose a critical system file (specifically svchost.exe), leading to system crashes.
It might only have been available for a short period of time, but the faulty DAT (5958) was enough to cause significant problems for McAfee customers. McAfee have published a Corporate KnowledgeBase entry detailing what happened and what users can do to recover a system left unbootable after the 5958 DAT was applied. It all comes down to a false positive for the W32/Wecorl.a malware, but it is one of the most damaging false positives possible. The malware in question tries to leave a corrupted version of svchost.exe in place of the real one, so triggering on legitimate versions of the file can at least be understood, even if it is something that should have shown up early in testing of the update (by both McAfee and end users / administrators).

Customers across the globe were affected, but one of the strangest outages was at the Australian supermarket giant Coles. According to media reports, over 1,000 supermarket checkouts were forced to close after the faulty DAT was applied to store systems. It seems odd that a point of sale register needs to run antivirus at all, when it should be no more than a dumb terminal with a limited scope and feature set. It can be argued that if it has the sort of access that allows antivirus updates then it needs them, but perhaps the register is over-specified for what it needs to do, similar to the ongoing argument about whether SCADA systems need to talk to the wider Internet. With two states affected, the question turns to how much money the supermarket lost due to the outage. The damage in Australia didn't stop there, with the Commonwealth Bank and Virgin Mobile also affected to a reasonable extent.

The faulty update didn't affect all systems equally, with Windows XP SP3 the most likely to be hit, and McAfee believed that less than 0.5% of their customer base was affected by this particular problem. That figure is now being disputed, with claims that a far larger percentage of users encountered the problem. Reading comments posted across the Internet regarding this outage, there are a lot of very disaffected users who have been significantly affected by this incident.

Many security-aware businesses have processes to test and evaluate system updates before deploying them across their networks; perhaps the same should apply to any software update, antivirus definitions included. Such an approach seems prudent, given the history of antivirus vendors occasionally getting their updates wrong, but when updates come daily and a major corporation is under constant attack and threat of breach, it can be difficult to resist the temptation to roll out the update straight away. After all, it's just a definitions file; in theory it shouldn't take a system down. A practical compromise is to push each DAT to a small pilot group of representative systems first and hold the broad rollout until those machines have been confirmed to reboot and run cleanly, which keeps the delay to hours rather than days.

The worse outcome is that this may scare users and administrators away from applying DAT files as regularly as they are released (and not just from McAfee), fearful of being left without alternate Internet or system access to remediate any problems caused by a future faulty update. Turning to an alternative antivirus / antimalware vendor isn't going to prevent this from happening again; most vendors have had similar issues at least once in the past. Moving from one provider to another may also require a full system reinstallation, given the deep system hooks that antivirus applications tend to use, both to improve their ability to remove malware and to prevent being disabled by malware that targets them.

2.4 Internet Explorer XSS Filter Can Result in XSS Attack Against Immune Sites

Information security can sometimes be a damned if you do, damned if you don't environment, where inaction is the wrong course and any action taken also turns out to be the wrong course (or something very similar to it).
The development and inclusion of Cross Site Scripting (XSS) filters in browsers initially seemed like a great thing. Surely they would cut down on the number and type of attacks against users, resulting in a safer Internet for all. The filters wouldn't necessarily need to be continually updated to address the latest XSS techniques, though updating and maintenance is still critical; provided they addressed the most common and basic methods of attack, they would neutralise many of the attacks doing the rounds. If the history of antivirus software in particular, and software in general, shows anything, it is that a great idea and good intentions will eventually be let down by a poor or substandard implementation, and that security tools do need to be updated to remain relevant.

Recently disclosed research has identified a flaw in the XSS filter included with Internet Explorer 8 that allows XSS attacks against sites that would otherwise not be vulnerable to that particular attack. The filter works by rewriting parts of a server's response that match suspicious content in the request, and that rewriting of the site's own markup is what the research turns against otherwise immune sites. Microsoft has responded that the issue isn't as severe as it seems, and that they are continually updating the filter to address the changing nature of XSS attack vectors. Severe or not, Microsoft is scheduled to release an update for this issue in June, which has raised questions as to why Microsoft is waiting so long to fix it now that it has been made public, given that one of the reasons Microsoft cited for delaying the fix was a lack of real world attacks using this vector, something that is likely to change now that the information is publicly available. In the meantime, site operators who would rather not have the filter rewrite their pages can opt out by sending the X-XSS-Protection: 0 response header, which IE8 honours.

=======================================

Sincerely,

Sünnet Beskerming Team
info at beskerming.com

Sünnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sünnet Beskerming Pty. Ltd. **

Established in mid 2004, Sünnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sünnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.