Advisory #251 - Microsoft (Multiple), Multiple News

by Sunnet Beskerming Alert mailing list

Sûnnet Beskerming Alert List Advisory #251

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info@... to resolve the  
error.

Why not upgrade to get same day notification on security threats?  
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
        - Remote Hacker Automatic Control
        - Time Since Discovery - 1 Day
=======================================
/*
        - Remote or Local - Can it be achieved through a network or does it  
require physical access?
        - Hacker - The bad guy
        - Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
        - Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1 Effective Communication is the key
2.2 Advertising and risk
2.3 Flipping bits at ASLR
2.4 QuickTime flaw Could be next Menace for Users
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

        -- Products Affected --
        Windows 2000, XP, 2003, Vista
        Crystal Reports
        Windows Services for Unix
        Messenger

        -- Technical Description --
        MS07-063 - Vista SMBv2 support.  Remote code execution due to  
modification of signed network traffic.  Important
        MS07-064 - DirectX.  Input validation errors in DirectShow allow  
arbitrary code execution.  Replaces MS05-050.  Critical
        MS07-065 - Windows Message Queuing (MSMQ).  Buffer overflow leading  
to code execution with system privileges.  Replaces MS05-017.  Important
        MS07-066 - Vista Kernel.  Privilege escalation due to Advanced Local  
Procedure Call (ALPC) request handling vulnerability.  Important
        MS07-067 - Secdrv.sys (Macrovision).  Privilege escalation due to  
poor handling of configuration parameters.  Important
        MS07-068 - Windows Media Format.  Arbitrary code execution faults  
affecting ASF, WMV, and WMA formats.  Replaces MS06-078.  Critical
        MS07-069 - Internet Explorer cumulative update.  Numerous remote  
code execution faults, actively exploited.  Replaces MS07-057.  Critical

        -- Description --
        Microsoft delivered seven patches as part of the December Security  
Update release earlier this week.  Three of the patches have been  
rated as Critical, including a cumulative Internet Explorer update,  
with the remaining four patches rated as Important.  Exploit code has  
been readily available for a number of the vulnerabilities patched in  
this patch cycle.

        -- Recommended Action --
        All users and administrators should apply the updates at the  
earliest opportunity.

        -- Source --
        http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
        http://www.beskerming.com/premium/patch_pack.html
        http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
       
        -- Updates Available --
        http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-066.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-067.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx


        -- External Tracking Data --
        CVE-ID: CVE-2007-5351 (MS07-063)
        CVE-ID: CVE-2007-3895 (MS07-064)
        CVE-ID: CVE-2007-3901 (MS07-064)
        CVE-ID: CVE-2007-3039 (MS07-065)
        CVE-ID: CVE-2007-5350 (MS07-066)
        CVE-ID: CVE-2007-5587 (MS07-067)
        CVE-ID: CVE-2007-0064 (MS07-068)
        CVE-ID: CVE-2007-3902 (MS07-069)
        CVE-ID: CVE-2007-3903 (MS07-069)
        CVE-ID: CVE-2007-5344 (MS07-069)
        CVE-ID: CVE-2007-5347 (MS07-069)


        -- Threat Matrix --
                         U    O
        Home User       10   10   (Highly Critical)
        Corporate       10   10   (Highly Critical)


=======================================
/*
Threat Matrix:
        U - User
        O - Operator
        Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Effective Communication is the key

Effective communication is a cornerstone of all professional and
interpersonal interaction. People who cannot communicate their ideas
and intentions effectively will find it harder to achieve their tasks
and desired results.

In one instance that company staff recently had the benefit of
observing, people who were highly effective at communicating and
managing personnel and professional tasks nevertheless allowed a
situation to develop in which a serious incident resulted from a
total breakdown in communication. Parallel sets of operating
procedures had been allowed to emerge that, while largely aligned
with each other, contained critical differences that trapped an
unwary team and led to the incident. Beyond the parallel procedures
themselves, the key underlying fault was a lack of effective
communication between the managers who owned the respective operating
procedures and groups; that lack of communication cascaded down to
the point that the affected team had a very poor idea of the overall
management responsibility in the affected area. The team that caused
the incident had identified a potential problem and attempted all
reasonable measures to resolve the cause of the difference they had
identified, only to find that, having made a decision based on the
information provided to them, a different set of managers overruled
the information used to make that decision (the fact that these
managers also owned the competing set of operating procedures was not
lost on those observing).

The above incident could be written off as merely internal politics  
amongst workers, but it highlights how poor information flow can lead  
to serious incidents taking place. It took nothing more than one or  
two managers failing to disseminate and communicate their decisions  
(and make effective decisions based on available information) for an  
incident to take place, even with seemingly appropriate 'checks and  
balances' in place.

Within Information Security, being able to effectively identify and  
describe what a problem is, how it came about, and how to mitigate  
the effects that the problem causes, is a critical skill that is  
always in short supply. Generally people find that those who can  
communicate effectively do not have the breadth of experience or  
knowledge to package the relevant information, and those who do know  
the relevant information have difficulty in communicating that  
information in an appropriate format.

This is not a new problem, and it is not a problem faced by
Information Security practitioners alone (as the opening paragraphs
identified). Within the field of Information Technology the problem
was well identified as early as the mid-seventies, with Frederick
Brooks discussing it in his seminal 'The Mythical Man Month', where
he identified the problem faced by 'expert systems' developers. To
generate an effective 'expert system', not only do you need an expert
in the system that is going to be recreated in software, but you also
require an expert who understands how to implement the various
components of the original system. Rarer still is one person who can
fill both roles effectively.

Unfortunately for most developers and companies, people like that are
in short supply, and making do with what they have is where potential
security and functionality shortfalls can enter the system. If you
are able to identify where your experience or knowledge base is
lacking, and can communicate that fact effectively, then you can
begin to identify potential problem areas.


2.2 Advertising and risk

Regular and first time readers will note that there are very few ads  
served with Sûnnet Beskerming content. The only advertising shown is  
a small image linking to one of our pre-configured products, tucked  
away halfway down the right column, or occasional text ads that are  
inserted into the primary FeedBurner feed for this site. Not everyone  
who operates a busy site chooses to operate in such a manner, and  
site owners that have accepted advertising from major online  
advertising firms are giving away some of their security to earn some  
money for their site. It isn't often that this risk has been  
highlighted in a public manner.

In essence, Google's recent advertising acquisition, DoubleClick, was  
found to be serving malware through its advertisements across a whole  
range of otherwise trustworthy sites, including The Economist and  
MLB.com. Visitors to these sites would not expect to be at  
significant risk of compromise - and this is something that the  
Information Security industry puts forward as a major point - only  
allow scripting and other interactive content support for "trusted"  
sites.

The risk introduced by including third party scripts and code on
websites is a topic that is gaining increased awareness amongst
Information Security professionals, with a recent BugTraq discussion
focussing on problems that can be introduced by third party
JavaScript code. This is a problem particularly pertinent for
financial sites, where any external code is a potential vector for
attack. While critical for financial sites, it is a problem for any
site that accepts third party elements or data. The core problem is
that externally hosted scripts have full access to the DOM of the
trusted site, and so can modify any element on the trusted site.

Rather than attempting to break through the main financial site, why
not spend the comparatively smaller effort required to break into the
services offered by the third party vendor (and also gain access to
other interesting sites)? Before objecting that this is not as viable
as breaking into the main target site, consider that there have been
several published and unpublished vulnerabilities affecting
VeriSign's services that are provided in just such a manner, with
many of the vulnerabilities remaining viable for months.

For anybody who still thought the online trust model was not
completely broken, these examples should settle the matter.


2.3 Flipping bits at ASLR

Didier Stevens points out quite an interesting discovery about  
Windows Vista and ASLR. With just the right touch of bit flipping  
(only one needed), it is possible to enable or disable ASLR support  
for an application.

While this might provide a valuable stepping off point for attacking  
applications that otherwise utilise ASLR to protect against memory  
overflow attacks, what is more interesting is that Windows File  
Protection (Windows Resource Protection on Vista) apparently doesn't  
check to see if this setting has changed on critical system software.

Windows File Protection is one of those unique system components that  
checks core Windows software for signs of modification or damage when  
they are accessed and replaces them / repairs them with known good  
copies from system repositories. This is the reason why deleted  
system files in XP reappear within a matter of seconds. With Vista's  
Windows Resource Protection, apparently it only identifies that  
something is wrong and doesn't automatically regenerate the damaged  
resource.

Either way, Windows apparently can't identify that this key
protective mechanism has been modified on key applications. Of
course, if an attacker had free rein to change key system software in
such a manner, they already control the system and there's little
reason to open new holes for others to walk in through.

For the technically inclined, setting or unsetting the 0x4000 bit in  
the DLL Characteristics field of the PE header is what is required.
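As an added illustration (not code from Didier Stevens' post or from Microsoft), the following Python audit routine reads the DllCharacteristics field of a PE header, reports whether the DYNAMIC_BASE (ASLR opt-in) flag is set, and compares the file hash against a known-good baseline, which is the check the article says file protection is not performing. It assumes the winnt.h value IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 and uses a constructed, non-loadable minimal PE header as sample input.

```python
import hashlib
import struct

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE as defined in winnt.h / the PE-COFF spec.
DYNAMIC_BASE = 0x0040

def dll_characteristics_offset(image: bytes) -> int:
    """File offset of the DllCharacteristics field in a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                 # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    return opt + 70                         # DllCharacteristics is at +70 in both formats

def aslr_enabled(image: bytes) -> bool:
    flags = struct.unpack_from("<H", image, dll_characteristics_offset(image))[0]
    return bool(flags & DYNAMIC_BASE)

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def audit(image: bytes, known_good_sha256: str) -> dict:
    """Report the ASLR opt-in flag and whether the bytes still match the known-good copy."""
    return {"aslr": aslr_enabled(image),
            "matches_known_good": sha256_hex(image) == known_good_sha256}

def build_min_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not loadable) used as offline sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, 96-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    known_good = build_min_pe(DYNAMIC_BASE | 0x0100)   # ASLR plus NX_COMPAT opted in
    baseline = sha256_hex(known_good)
    weakened = build_min_pe(0x0100)         # same header with only the ASLR bit cleared
    print("known-good:", audit(known_good, baseline))
    print("weakened:  ", audit(weakened, baseline))
```

A single-bit change in the header still changes the file hash, so an integrity check against a known-good copy catches what a flag-unaware resource check misses.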


2.4 QuickTime flaw Could be next Menace for Users

In the United States, the fourth Friday in November is commonly  
referred to as "Black Friday" and traditionally marks the start of  
the Christmas shopping season, coming the day after Thanksgiving and  
forming part of an informal four or five day weekend. Windows  
QuickTime users might be marking Black Friday for another reason this  
year, with the emergence of a new threat to QuickTime, just two weeks  
after the latest version (7.3) was released.

A proof-of-concept exploit for a remote code execution vulnerability
in the way that QuickTime interprets RTSP (Real Time Streaming
Protocol) responses was posted on Black Friday, marking one of the
first public disclosures of this vulnerability affecting the latest
QuickTime versions. Normally there is some delay between
proof-of-concept and public exploit code being published, with many
proof-of-concept releases going no further than the initial
publication. With this particular vulnerability, two exploit samples
were released within 24 hours of the initial proof-of-concept.

At this stage, Apple have yet to release any information about the  
vulnerability, but there is mitigation advice available for concerned  
users and administrators.

There has also been no confirmation that the vulnerability affects  
the OS X version of QuickTime, but there is the possibility that it  
is also vulnerable given historical problems with QuickTime's RTSP  
support on OS X.

With the widespread coverage of OS X-specific malware earlier this  
month, and the ease with which this new exploit could be integrated  
with a malicious media stream, users and administrators of both OS X  
and Windows systems, who also have QuickTime installed, need to be  
cautious about their risk exposure and mitigate as appropriate  
against this new threat.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com