Sûnnet Beskerming Alert List Advisory #251
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact
info@... to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Effective Communication is the key
2.2 Advertising and risk
2.3 Flipping bits at ASLR
2.4 QuickTime Flaw Could Be Next Menace for Users
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows 2000, XP, 2003, Vista
Crystal Reports
Windows Services for Unix
Messenger
-- Technical Description --
MS07-063 - Vista SMBv2 support. Remote code execution due to
modification of signed network traffic. Important
MS07-064 - DirectX. Input validation errors in DirectShow allow
arbitrary code execution. Replaces MS05-050. Critical
MS07-065 - Windows Message Queuing (MSMQ). Buffer overflow leading
to code execution with system privileges. Replaces MS05-017. Important
MS07-066 - Vista Kernel. Privilege escalation due to Advanced Local
Procedure Call (ALPC) request handling vulnerability. Important
MS07-067 - Secdrv.sys (Macrovision). Privilege escalation due to
poor handling of configuration parameters. Important
MS07-068 - Windows Media Format. Arbitrary code execution faults
affecting ASF, WMV, and WMA formats. Replaces MS06-078. Critical
MS07-069 - Internet Explorer cumulative update. Numerous remote
code execution faults, actively exploited. Replaces MS07-057. Critical
-- Description --
Microsoft delivered seven patches as part of the December Security
Update release earlier this week. Three of the patches have been
rated as Critical, including a cumulative Internet Explorer update,
with the remaining four patches rated as Important. Exploit code has
been readily available for a number of the vulnerabilities patched in
this patch cycle.
-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-066.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-067.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx
-- External Tracking Data --
CVE-ID: CVE-2007-5351 (MS07-063)
CVE-ID: CVE-2007-3895 (MS07-064)
CVE-ID: CVE-2007-3901 (MS07-064)
CVE-ID: CVE-2007-3039 (MS07-065)
CVE-ID: CVE-2007-5350 (MS07-066)
CVE-ID: CVE-2007-5587 (MS07-067)
CVE-ID: CVE-2007-0064 (MS07-068)
CVE-ID: CVE-2007-3902 (MS07-069)
CVE-ID: CVE-2007-3903 (MS07-069)
CVE-ID: CVE-2007-5344 (MS07-069)
CVE-ID: CVE-2007-5347 (MS07-069)
-- Threat Matrix --
                  U    O
Home User        10   10  (Highly Critical)
Corporate        10   10  (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Effective Communication is the key
Effective communication is a cornerstone of all professional and
interpersonal interaction. People who cannot communicate their ideas
and intentions effectively will find it harder to achieve their
tasks and desired results.
In one instance that company staff recently had the opportunity to
observe, people who were highly effective at communicating and
managing personnel and professional tasks allowed a situation to
develop where a serious incident resulted from a total breakdown in
communication. Parallel sets of operating procedures had been allowed
to emerge that, while largely aligned with each other, contained
critical differences that trapped an unwary team and led to the
incident. Beyond the problem of parallel operating procedures, the
key underlying fault was a lack of effective communication between
the managers who owned the respective operating procedures and
groups, and that lack of communication cascaded down to the point
that the affected team had a very poor idea of who held overall
management responsibility in the affected area. The team that caused
the incident had identified a potential problem and attempted all
reasonable measures to resolve the cause of the difference they had
identified, only to find that, having made a decision based on the
information provided to them, a different set of managers had
overruled the information used to make the decision (the fact that
these managers also owned the competing set of operating procedures
was not lost on those observing).
The above incident could be written off as merely internal politics
amongst workers, but it highlights how poor information flow can lead
to serious incidents taking place. It took nothing more than one or
two managers failing to disseminate and communicate their decisions
(and make effective decisions based on available information) for an
incident to take place, even with seemingly appropriate 'checks and
balances' in place.
Within Information Security, being able to effectively identify and
describe what a problem is, how it came about, and how to mitigate
the effects that the problem causes, is a critical skill that is
always in short supply. Generally people find that those who can
communicate effectively do not have the breadth of experience or
knowledge to package the relevant information, and those who do know
the relevant information have difficulty in communicating that
information in an appropriate format.
This is not a new problem, and it is not a problem faced by
Information Security practitioners alone (as the opening paragraphs
showed). Within the field of Information Technology the problem had
been well identified as early as the mid-seventies, with Frederick
Brooks discussing it in his seminal 'The Mythical Man Month', where
he identified the problem faced by 'expert systems' developers. To
build an effective 'expert system', not only do you need an expert in
the system that is going to be recreated in software, but you also
require an expert who understands how to implement the various
components of the original system. Rarer still is one person who can
fill both roles effectively.
Unfortunately for most developers and companies, people like that are
in short supply, and making do with what they have is where potential
security and functionality shortfalls can enter the system. If you
are able to identify where your experience or knowledgebase is
lacking, and can communicate that fact effectively, then you can
begin to identify potential problem areas.
2.2 Advertising and risk
Regular and first time readers will note that there are very few ads
served with Sûnnet Beskerming content. The only advertising shown is
a small image linking to one of our pre-configured products, tucked
away halfway down the right column, or occasional text ads that are
inserted into the primary FeedBurner feed for this site. Not everyone
who operates a busy site chooses to operate in such a manner, and
site owners that have accepted advertising from major online
advertising firms are giving away some of their security to earn some
money for their site. It isn't often that this risk has been
highlighted in a public manner.
In essence, Google's recent advertising acquisition, DoubleClick, was
found to be serving malware through its advertisements across a whole
range of otherwise trustworthy sites, including The Economist and
MLB.com. Visitors to these sites would not expect to be at
significant risk of compromise - and this is something that the
Information Security industry puts forward as a major point - only
allow scripting and other interactive content support for "trusted"
sites.
The risks introduced by including third party scripts and code on
websites are a topic gaining increased awareness amongst Information
Security professionals, with a recent BugTraq discussion focussing
on problems that can be introduced by third party JavaScript code.
This is a problem particularly pertinent for financial sites, where
any external code is a potential vector for attack. While critical
for financial sites, it is a problem for any site that accepts third
party elements or data. The core problem is that externally hosted
scripts have full access to the DOM of the trusted site, and so can
modify any element on that site. Rather than attempting to break
through the main financial site, why not spend the smaller effort
required to break into the services offered by the third party
vendor (and also gain access to other interesting sites)? Before
objecting that this is not as viable as breaking into the main
target site, consider that there have been several published and
unpublished vulnerabilities affecting VeriSign's services that are
provided in just such a manner, with many of the vulnerabilities
remaining viable for months.
For anybody who thought that the online trust model was not
completely broken, these examples should be evidence that it is.
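The first step a site owner can take against the risk described above is to know which external hosts the site's pages actually load script from, since every one of those hosts gets full DOM access. The following Python check is an added example and is not code from the advisory or from any of the sites it mentions; it lists the script sources on a page, classifies each as same-origin, explicitly allowed, or an unvetted third party, and runs over a small HTML page constructed inline for the demonstration (the host names in it are made up).

```python
"""Inventory externally hosted <script src> tags in a page.

Added example (not part of the original advisory): a defender-side
check that lists which hosts a page pulls script from, so a site owner
can see every third party whose compromise would give full DOM access
to the site. The HTML at the bottom is constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def classify_scripts(html, page_host, allowed_hosts=()):
    """Return (src, host, verdict) for each script tag in the page.

    verdict is one of:
      "same-origin"  - relative URL, or host equal to page_host
      "allowed"      - external host explicitly on the allow-list
      "third-party"  - external host not on the allow-list (review it)
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_host = page_host.lower()
    allowed = {h.lower() for h in allowed_hosts}
    results = []
    for src in collector.sources:
        # Absolute (http://host/x.js) and protocol-relative (//host/x.js)
        # URLs both yield a hostname; a path-only src has none and is
        # served from the page's own origin.
        host = urlparse(src).hostname
        if host is None or host.lower() == page_host:
            verdict = "same-origin"
        elif host.lower() in allowed:
            verdict = "allowed"
        else:
            verdict = "third-party"
        results.append((src, host, verdict))
    return results


def third_party_hosts(html, page_host, allowed_hosts=()):
    """Distinct external hosts that are not on the allow-list, sorted."""
    return sorted({host for _, host, verdict in
                   classify_scripts(html, page_host, allowed_hosts)
                   if verdict == "third-party"})


# Constructed sample page: one local script, one vetted CDN, and two
# ad/analytics scripts pulled from hosts the site owner never reviewed.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script type="text/javascript" src="//ads.example.net/serve.js"></script>
<script src="http://stats.example.com/track.js"></script>
</head><body><p>hello</p></body></html>
"""

if __name__ == "__main__":
    page_host, vetted = "www.example.org", ["cdn.example.org"]
    for src, host, verdict in classify_scripts(SAMPLE_HTML, page_host, vetted):
        print(f"{verdict:12} {host or '(self)':20} {src}")
    print("unvetted hosts:", third_party_hosts(SAMPLE_HTML, page_host, vetted))
```

Run it against a saved copy of a page and the "third-party" rows are the vendors whose own security the site is now depending on; the allow-list is for hosts that have actually been reviewed, not for everything that happens to be loaded today.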
2.3 Flipping bits at ASLR
Didier Stevens points out quite an interesting discovery about
Windows Vista and ASLR. With just the right touch of bit flipping
(only one needed), it is possible to enable or disable ASLR support
for an application.
While this might provide a valuable stepping off point for attacking
applications that otherwise utilise ASLR to protect against memory
overflow attacks, what is more interesting is that Windows File
Protection (Windows Resource Protection on Vista) apparently doesn't
check to see if this setting has changed on critical system software.
Windows File Protection is one of those unique system components that
checks core Windows software for signs of modification or damage when
they are accessed and replaces them / repairs them with known good
copies from system repositories. This is the reason why deleted
system files in XP reappear within a matter of seconds. With Vista's
Windows Resource Protection, apparently it only identifies that
something is wrong and doesn't automatically regenerate the damaged
resource.
Either way, Windows apparently cannot identify that this key
protective mechanism has been modified on key applications. Of
course, if an attacker had free rein to change key system software
in such a manner, they already control the system and there is
little reason to open new holes for others to walk in through.
For the technically inclined, setting or unsetting the 0x4000 bit in
the DLL Characteristics field of the PE header is what is required.
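The check that the text says Windows File Protection does not make, as an added example in Python that is not code from Didier Stevens' post or from this advisory: it walks the PE header chain (DOS header, PE signature, COFF header, optional header), reads the DllCharacteristics field, reports whether the dynamic-base flag is set, and compares images against a recorded baseline of flag state and file hash so a silent flip of that bit shows up. The mask used is the PE/COFF specification's IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE value, 0x0040; the sample images are headers constructed inline by build_sample_pe() and are not loadable programs.

```python
"""Audit the ASLR (dynamic base) opt-in flag in PE image headers.

Added example (not from Didier Stevens' post or the advisory): a
read-only audit that parses the PE header, reports whether the
dynamic base flag is set, and compares images against a recorded
baseline. The sample images are constructed headers, not real files.
"""
import hashlib
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in, PE/COFF spec
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLL_CHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def read_dll_characteristics(data):
    """Return DllCharacteristics, validating each header on the way."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF file header follows the signature;
    # SizeOfOptionalHeader sits at offset 16 within it.
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    optional = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, optional)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    return struct.unpack_from("<H", data, optional + DLL_CHARACTERISTICS_OFFSET)[0]


def aslr_opted_in(data):
    """True if the image asks the loader for a randomised base address."""
    return bool(read_dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def baseline_for(images):
    """Record the current flag state and SHA-256 of each image ({name: bytes})."""
    return {name: (aslr_opted_in(data), hashlib.sha256(data).hexdigest())
            for name, data in images.items()}


def audit(images, baseline):
    """Compare each image with its baseline; return (name, finding) per drift."""
    findings = []
    for name, data in images.items():
        expected_aslr, expected_hash = baseline[name]
        actual_aslr = aslr_opted_in(data)
        if actual_aslr != expected_aslr:
            findings.append((name, "dynamic base flag changed: %s -> %s"
                             % (expected_aslr, actual_aslr)))
        if hashlib.sha256(data).hexdigest() != expected_hash:
            findings.append((name, "file content changed"))
    return findings


def build_sample_pe(dll_characteristics, pe32plus=False):
    """Constructed minimal PE header: DOS stub, PE signature, COFF, optional."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    good = build_sample_pe(0x0140)      # DYNAMIC_BASE | NX_COMPAT
    known = baseline_for({"app.exe": good})
    flipped = build_sample_pe(0x0100)   # same header, dynamic base bit cleared
    for name, finding in audit({"app.exe": flipped}, known):
        print(name, "-", finding)
```

Because the flag lives in the header, the hash comparison alone already catches the flip; the separate flag report tells the operator which protection was lost rather than only that the file differs, which is what an integrity monitor should surface for critical system software.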
2.4 QuickTime Flaw Could Be Next Menace for Users
In the United States, the fourth Friday in November is commonly
referred to as "Black Friday" and traditionally marks the start of
the Christmas shopping season, coming the day after Thanksgiving and
forming part of an informal four or five day weekend. Windows
QuickTime users might be marking Black Friday for another reason this
year, with the emergence of a new threat to QuickTime, just two weeks
after the latest version (7.3) was released.
A proof-of-concept exploit for a remote code execution vulnerability
in the way that QuickTime interprets RTSP (Real Time Streaming
Protocol) responses was posted on Black Friday, marking one of the
first public disclosures of this vulnerability affecting the latest
QuickTime versions. Normally there is some delay between
proof-of-concept and public exploit code being published, with many
proof-of-concept releases going no further than the initial
publication. With this particular vulnerability, two exploit samples
were released within 24 hours of the initial proof-of-concept.
At this stage, Apple have yet to release any information about the
vulnerability, but there is mitigation advice available for concerned
users and administrators.
There has also been no confirmation that the vulnerability affects
the OS X version of QuickTime, but there is the possibility that it
is also vulnerable given historical problems with QuickTime's RTSP
support on OS X.
With the widespread coverage of OS X-specific malware earlier this
month, and the ease with which this new exploit could be integrated
with a malicious media stream, users and administrators of both OS X
and Windows systems, who also have QuickTime installed, need to be
cautious about their risk exposure and mitigate as appropriate
against this new threat.
=======================================
Sincerely,
Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com