Sûnnet Beskerming Alert List Advisory #253 - Microsoft (Multiple), OS X (Multiple), Multiple News
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 5 Days
1.2 OS X (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 5 Days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/

--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Sometimes Things just Break
2.2 A thin line Between Challenge and Exploitation
2.3 What's Your Website Hiding?
2.4 Overreacting to Security Theatre is Harmful

=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista

-- Technical Description --
MS08-003 - Active Directory. Denial of Service. Replaces MS07-039. Important
MS08-004 - Windows TCP/IP. Denial of Service. Replaces MS08-001. Important
MS08-005 - IIS. Privilege Elevation. Important
MS08-006 - IIS. Remote code execution. Replaces MS06-034. Important
MS08-007 - WebDAV. Remote code execution. Critical
MS08-008 - Microsoft OLE. Remote code execution. Replaces MS07-043. Critical
MS08-009 - Microsoft Word. Remote code execution. Replaces MS07-060 and MS07-024. Critical
MS08-010 - Internet Explorer. Remote code execution. Replaces MS07-069. Critical
MS08-011 - Microsoft Works. Remote code execution. Important
MS08-012 - Microsoft Office. Remote code execution. Critical
MS08-013 - Microsoft Office. Remote code execution. Critical

-- Description --
Microsoft delivered eleven patches as part of the February Security Update release earlier this week. Six patches have been rated as Critical, with the remainder as Important. At this time, it is believed that only the Internet Explorer cumulative patch has had exploit code available ahead of patching.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-005.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-008.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-013.mspx

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
Directory Services - Stack buffer overflow leading to local arbitrary code execution - originally disclosed in January 2007.
Foundation - Arbitrary code execution or application denial of service due to accessing malformed URLs. (10.5 only)
Launch Services - Applications removed from a system may still be launched via the Time Machine backup version.
Mail - Accessing a file:// URL from within a message may lead to arbitrary code execution. (10.4 only)
NFS - Arbitrary code execution opportunity if the system is being used as either an NFS client or server due to poor handling of mbuf chains.
Open Directory - NTLM authentication attempts may continuously fail, even with accurate parameters. This is due to a race condition in the service.
Parental Controls - Information disclosure when requesting to unblock a website, as the machine will inadvertently contact apple.com as part of the unblocking process.
Samba - Stack buffer overflow leading to arbitrary code execution.
Terminal - Arbitrary code execution when viewing malicious URLs in Terminal.
X11 - Multiple vulnerabilities, leading to arbitrary code execution in the worst case.

-- Description --
Apple Computer have released Security Update 2008-001 and OS X 10.5.2, addressing a number of serious security problems. OS X 10.4 is also vulnerable to the above issues - the update is presented as Security Update 2008-001 for those users.

-- Recommended Action --
It is recommended that users apply the update, via the Software Update option in the Apple Menu, or via the Apple Download link, below. If installing via the Software Update option, it will only download the applicable Update (Intel / PPC / 10.5 / 10.4).

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Sometimes Things just Break

For the last several days it has almost been impossible to get away from the news of numerous undersea telecommunications cables serving the Middle East and sub-continent regions having been cut in a relatively short period of time. Rather than just being passed off as a coincidence that four cables had been cut through (two in the Mediterranean and two in the Persian Gulf) via one means or another over several days, a lot of the analysis and opinion being put forward was that there was some form of secretive government conspiracy taking place and that the cable cuts were a diversion. Naturally the secretive government activity belongs to the United States and they are trying to tap sensitive communications passing through the Middle East.
This particular flight of fancy fails to take into account the ease with which communications can be tapped at the point that they enter or leave the undersea cable (thank you CALEA), and the problem that fixing a physical severance of an undersea line generally means that the line segments need to be raised and physically rejoined, which means that a physical tap on the line will be readily noticed (as well as detectable using line quality monitoring tools). At least, the cables should be repaired and functional within a week or so.

Although it is nice to think of the Internet as being a fault-tolerant mesh-like network, capable of readily redirecting around damage to one or more nodes, in reality there are a limited number of key trunk lines that are responsible for making sure whole segments of the Internet can talk to each other. When some of these lines break, as with these undersea cables, it forces their network load onto communication channels without sufficient bandwidth. This network overload can also cause some connections to fail, which is being suggested as the reason for at least some of the failures. At no stage is communication completely cut, it just shrinks in available bandwidth to the point that it is effectively cut for most users.

Information originating from The Economist, but commented on over here, indicates that there are only three cables providing most of the network interaction for the whole region affected, and they all pass very closely to each other at various geographic choke points.

The readiness of many Information Security "Professionals", as well as many other armchair quarterbacks, to jump to the conclusion that the breaks were a malicious attack is a poor reflection on the public perception of Information Security Professionals. Of course, if they said it was all a part of normal operations, then there would be no need for undersea cable breaks to be splashed all over the news.
Internet users from within the affected region and conspiracy theorists were more than happy to point to the planned Iranian Oil Bourse as the reason for the cuts, but despite some claiming single data points as authoritative, Iran never actually lost its Internet connectivity.

Claiming the cut cables are the result of malicious activity is as valid as saying that the bungled antivirus definition file updates from Symantec (and other vendors) that result in end user systems being rendered unbootable are a malicious act.

Security Theatre and overreaction is a topic that has been covered before, but this is a case where a lack of knowledge was allowed to develop into ignorance of facts, and the public reporting is actually more damaging than not reporting about the breaks at all. It is symptomatic of the generally poor state of reporting on technical matters, and it allows for the rapid deterioration of facts into conspiracy fodder.

Observing how information gleaned from a few sources (reports of cable cuts, non-response of a specific Iranian network device, and excited bloggers, reporters and Internet users within the affected countries) is allowed to spread and evolve is like watching the world's biggest game of Chinese Whispers. In this case, poor information was able to dominate over good information.

With Information Security, it is this challenge that is faced every day - how to adequately extract accurate information and original sources from a flood of data that may be tertiary reporting and more harmful than beneficial. Some people have solved this problem better than others.

2.2 A thin line Between Challenge and Exploitation

Yet another 'challenge' of the form of 'break into our website for free, tell us exactly how you did it, and we might pay you a token amount' has been found on the web, only this time there were quite a number of serious holes found rather early in the process.
Even though the main challenge still stands, there are sufficient concerns about the basic technological design to suggest that some of the currently-found problems will not ever be completely fixed.

The team behind Flickr-competitor SmugMug have issued a challenge to the wider web to break into their site and retrieve a specific image, along with the album it came from, and who uploaded it. The first few people to take a serious look at the challenge soon discovered a couple of glaring problems:

* Firstly, the photo IDs are sequential, making it a relatively simple proposition to retrieve every image that has been uploaded and not protected correctly.

* Secondly, the system used to redirect direct requests for a protected image to the correct album and uploader, which allowed the early testers to grab a thumbnail version of the image (but not the actual image).

SmugMug's CEO, the person behind the challenge, has already taken steps to address the first couple of problems identified, though he does admit that the first problem came about because they did not understand GUIDs when they initially created the site. Retrofitting the site to use GUIDs instead of sequential IDs will break links that users have already passed on to others, unless the site silently converts the sequential ID into an appropriate GUID - though this has the net effect of no overall change.

With this sort of design decision being applied, what other critical weaknesses have been designed into the system? How does the site security actually work? That seems to be a closely held secret by SmugMug's site owners, but there are enough clues that a couple of simple requests can turn up. The image that SmugMug's owners want you to try and recover is http://www.smugmug.com/photos/248415594-O.jpg. Direct requests for this image will return an empty page, which suggests that something is being done on the server side to determine access rights for an image.
Despite the claims of the CEO that steps have been taken to rectify the sequential image problem, it is still possible to access images and albums through sequential guesstimation, through URLs of the following form:

http://www.smugmug.com/gallery/album_id
http://www.smugmug.com/photos/photo_id.jpg

for albums and images respectively. What the site seems to prefer, though, is the following form for accessing content:

http://user_name.smugmug.com/gallery/album_id#photo_id

This will load the SmugMug image and album viewer scripts, though there is still the occasional URL where it is gallery/album_id/1/photo_id

Once the site visitor accesses an image through the SmugMug site, it applies a right-click prevention script that is meant to stop the theft of images from users who don't want them taken. The easiest method to bypass this step is to note the #photo_id URI component and then plug that photo_id directly into one of the above URLs for directly accessing content. A minor complication to this is the suffix that is added to images that have been directly requested, but that is simply decoded as follows:

photo-O.jpg - Original size
photo-M.jpg - Medium
photo-L.jpg - Large
photo-S.jpg - Small

A similar looking code is applied to images viewed through the main site, but in this case the -LB addition indicates that the image is being viewed through the site's LightBox feature.

Going back to the image that forms the core of the test, it is discovered that images 248415594, 248415595, and 248415596 can not be directly requested, though there are others before and after them that can. This suggests that they belong to the same album, and have been protected through the use of the password function in the user's account. Disturbingly, it is only through the use of the password that a user can protect images from viewing. Any other choice of setting will still allow direct request of both images and albums.
It is also apparent from random test selections that there is a loose correlation between album ID and image ID. Basically, the newer an album, the newer the images are that are in it. Using this approach, it is possible to establish a bracket of likely album IDs that have an image of interest, even if they are password protected and the image can not be directly accessed.

It is here that another unexpected weakness arises. Despite all the steps taken to protect the album name and user name, the page title helpfully announces both of these details when a request is made for a protected album.

Through simple testing, it is apparent that SmugMug sniffs for authentication, even on direct requests for an image file (i.e. .../blah.jpg), and it is the presence of an authentication token that determines whether a file that is protected should be displayed. This authentication token only really takes effect for images that are otherwise password protected.

Through the main site, this authentication is backed up by the cookie that the site has set, but when direct image requests fail it points to some server-side IP-based filtering and authentication management taking place. This could be leveraged if a number of users are accessing the site via a single gateway, as an unauthenticated user could make successful direct requests for images belonging to authenticated users behind that gateway that otherwise would be password protected, though the use of a different User-Agent seems to be enough to fail.

Leveraging already-existent XSS vulnerabilities could allow a motivated attacker to create an attack that would extract all of the password protected images belonging to a user (once a user has logged in, direct requests for protected images are possible). The heavy reliance on JavaScript for site functionality makes it impossible to avoid through the disabling of JavaScript / Active Scripting.
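The design points raised above (sequential identifiers, a sequential-to-GUID redirect that changes nothing, page titles that name the owner of a protected album, and authorisation decided by source IP or User-Agent rather than by the requester's session) all have a common fix on the server side. The following is an added illustration written for this advisory, not SmugMug's code and not a description of how their site actually works: it models an image service in which every identifier is an opaque random token, the only inputs to an access decision are the object's protection state and the session presenting the request, a denied request looks identical to a request for a nonexistent photo, the legacy sequential-ID map is frozen at migration and resolves only for photos the requester may already see, and a denial page carries no owner or album name. It also goes one step beyond this passage by making the album viewer refuse a photo that does not belong to the album it is being viewed under. The class and method names (ImageService, can_view, legacy_redirect and so on), the users, album names, passwords and legacy numbers are all constructed for the example.

```python
"""Access-control model for an image-hosting site (added illustration, not
SmugMug's code). Every identifier, user and password here is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SIZES = ("O", "L", "M", "S")  # suffixes accepted on direct image requests


@dataclass
class Album:
    owner: str
    name: str
    pw_salt: Optional[bytes] = None   # None means the album is not password protected
    pw_hash: Optional[bytes] = None
    photo_ids: set = field(default_factory=set)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so an album password is never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ImageService:
    def __init__(self):
        self.albums = {}        # album id -> Album
        self.photo_album = {}   # photo id -> album id
        self.legacy = {}        # frozen map: pre-migration sequential id -> opaque id
        self.sessions = {}      # session token -> user name
        self.unlocked = {}      # session token -> set of album ids unlocked by password

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def create_album(self, owner: str, name: str, password: Optional[str] = None) -> str:
        album_id = secrets.token_urlsafe(16)   # 128 random bits: neither sequential nor guessable
        album = Album(owner, name)
        if password is not None:
            album.pw_salt = secrets.token_bytes(16)
            album.pw_hash = _hash_password(password, album.pw_salt)
        self.albums[album_id] = album
        return album_id

    def add_photo(self, album_id: str, legacy_seq: Optional[int] = None) -> str:
        photo_id = secrets.token_urlsafe(16)
        self.photo_album[photo_id] = album_id
        self.albums[album_id].photo_ids.add(photo_id)
        if legacy_seq is not None:             # only photos that pre-date the migration get an alias
            self.legacy[legacy_seq] = photo_id
        return photo_id

    def unlock_album(self, token: str, album_id: str, password: str) -> bool:
        album = self.albums.get(album_id)
        if album is None or album.pw_hash is None or token not in self.sessions:
            return False
        if not hmac.compare_digest(_hash_password(password, album.pw_salt), album.pw_hash):
            return False
        self.unlocked.setdefault(token, set()).add(album_id)
        return True

    def can_view(self, token, photo_id: str) -> bool:
        """Decision inputs: the object's protection state and the session. Nothing else."""
        album_id = self.photo_album.get(photo_id)
        if album_id is None:
            return False
        album = self.albums[album_id]
        if album.pw_hash is None:
            return True                        # unprotected album: anyone may fetch it
        if self.sessions.get(token) == album.owner:
            return True
        return album_id in self.unlocked.get(token, set())

    def get_photo(self, token, photo_id: str, size: str = "O"):
        """Direct request /photos/<id>-<size>.jpg -> (status, body)."""
        if size not in SIZES or not self.can_view(token, photo_id):
            return 404, None                   # denied looks like nonexistent: no existence oracle
        return 200, f"{photo_id}-{size}.jpg"

    def view_in_album(self, token, album_id: str, photo_id: str):
        """Viewer /gallery/<album>#<photo>: the photo must actually belong to that album."""
        album = self.albums.get(album_id)
        if album is None or photo_id not in album.photo_ids:
            return 404, None                   # rejects a foreign photo shown under someone else's album
        if not self.can_view(token, photo_id):
            return 403, {"title": "Protected album"}   # no owner or album name in the title
        return 200, {"title": f"{album.owner} - {album.name}", "photo": photo_id}

    def legacy_redirect(self, token, legacy_seq: int):
        """Old sequential link: resolves only for photos the requester may already view."""
        photo_id = self.legacy.get(legacy_seq)
        if photo_id is None or not self.can_view(token, photo_id):
            return 404, None
        return 302, f"/photos/{photo_id}-O.jpg"
```

Two choices are worth noting. The legacy map is populated only at migration time, so old links keep working while newly uploaded photos have no sequential alias at all; that is what makes the conversion more than a cosmetic rename. And the denied and nonexistent cases return the same response from every entry point, so neither a direct image request nor a viewer URL can be used to confirm that a protected photo or album exists.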
To make matters worse, it is possible to spoof image origination, which could be used by someone with a malicious anonymised account to blackmail or harass legitimate account holders. By manipulating the URL, it is possible to load any non-password protected image in any non-password protected album. Passing a URL of the following form to a victim will make it appear that they have a malicious image (what sort of content that is, is left to the reader) in their legitimate album:

http://victim.smugmug.com/gallery/legit_album_id#malicious_photo_id

If this URL is passed to others, it would appear that the malicious image has been placed there by the victim, while there is no way to determine who placed the malicious image on the site in the first place (though SmugMug should be able to work that one out). If such a URL referenced an image of illegal content, the implications for the victim are significant, especially if it is passed to law enforcement agencies or those with limited technical knowledge.

All this for $1000 USD, now $599.99 USD (thanks to taxes)? Competitions might be fun, but this sort of weak reward borders on exploitation, though it is voluntary exploitation. Considering the above was found after a little bit of idle poking around, the motivated individual is probably going to find a number of vulnerabilities that promise greater reward.

If or when the SmugMug site owners read this, there are two options:

* Ignore the valuable advice you have received up to this point, and gain security from the voluntary exploitation of the honourable (the dishonourable will not have made it public).

* Make it right. Pay someone to sit down and conduct a thorough review of your security, from both the design and implementation perspectives, and retain them to provide ongoing services to protect your site and its users.

2.3 What's Your Website Hiding?
As more companies are finding their way onto the Internet there has been an increase in the number of websites that have been compromised for theft of sensitive data and those that have been compromised for the purpose of spreading malicious software to unwary visitors.

Groups such as Zone-h have been tracking and identifying websites that have been defaced, but many of those that are being used in phishing runs and malware attacks are not so openly defaced. That is where other interest groups like PhishTank step in, identifying and tracking sites that are being used to host phishing pages that are actively being spammed or otherwise distributed. There are a number of other sources that also maintain lists of sites that are vulnerable to different attack vectors, such as XSS.

Some companies look to verification firms like Verisign and ScanAlert to routinely validate that their sites are not hosting malware or that they are not vulnerable to known problems. Based on the number of sites identified as being vulnerable to well known, but somewhat difficult to completely mitigate against, attack vectors that also display that they have been successfully scanned by one of these companies, their effectiveness could be questionable.

The big problem with all of the above methods is that they are after the fact: they can only identify that a site is being actively used for phishing, or that it is protected against known problems. Automated scanning systems also have the problem of not being able to reliably detect all of the weaknesses (such as all of the XSS weaknesses) even if the mechanism of attack is well understood. What they can't protect against or identify is compromises that are low profile and those using advanced techniques to gain access.
As reported by The Register, security firm Sophos is claiming that 6,000 new websites are being compromised on a daily basis for the purpose of spreading malware to unsuspecting victims (more than 2 million new site compromises each year). They go on to claim that 80% of those affected have no idea that their site has been compromised, a figure which is probably on the low side. The figure of 2 million new site compromises per year seems to be quite significant, but could be explained by virtual hosting servers with many sites on the one physical server being compromised, leading to the same vector affecting multiple sites (in some cases thousands of sites).

Complementary reporting which has emerged over the last week or so points to a number of embassies that have had their sites compromised to deliver malware, at least according to eSafe as reported by The Register. Further vulnerability and proof-of-concept disclosures from researchers who have been responsible for the recent UPnP disclosures (now being used in attacks) point to a problematic future for home users with small local networks, particularly through blended attacks.

There are an increasing number of voices that are pointing out the elephant-sized holes in the protective services that some companies are providing. What this has resulted in is a split forming between these dissenting voices and some of the largest companies in the Information Security industry, which are conveniently many of those offering the protective services. When representatives of companies like Symantec are on record as saying that while XSS vulnerabilities are a serious risk, they have not really been used in actual attacks, then the efficacy of their service needs to be questioned. Others claim that XSS vulnerabilities can not be used to hack a server, which seems to contradict the findings of Sophos presented earlier, and also the claims of their own products.
Of course, many of those dissenting voices have a vested interest, offering their own competing black-box services (while ScanAlert is Nessus 2 - an open source application that anyone can run themselves). Even with that bias, it doesn't discount the value of their arguments.

Note: Sûnnet Beskerming has a vested interest in the above commentary, as we offer a range of blended protective services, mixing the best of automated and manual testing and evaluation systems.

2.4 Overreacting to Security Theatre is Harmful

Security Theatre is a term that has been gaining acceptance as part of the Information Security lexicon for some time and it has also found acceptance in other security fields, being used to describe actions or proposals that deliver more show than substance with respect to a real or imagined threat. In simple terms, it can be argued that Security Theatre is nothing more than an overreaction to a real or perceived threat by those who do not fully understand the risks that they are trying to mitigate.

There is little argument that Security Theatre is harmful to those who are paying for it, as well as those who are notionally being given greater protection as a result. With most of these projects originating from various government agencies, it is the tax payers who fall into both categories and also those who can have the greatest difficulty determining whether a measure is appropriate or not.

Just as harmful is the immediate labelling of security initiatives as Security Theatre, which is a risk when those doing the labelling do not fully understand the risks that have been attempted to be mitigated. Into this category, unfortunately, fall mainly Information Security experts who have been encouraged to step beyond the limits of their immediate practical knowledge and experience and assess something which they have little understanding of.
One of the main proponents of this new term is the noted Information Security specialist Bruce Schneier, who has been using his blog to draw attention to egregious examples of Security Theatre. From time to time, Bruce falls into the trap of being too dismissive of a technology or effort, labelling it as Security Theatre when there may actually be a viable reason for the implementation. Comments on a blog should never be relied upon as authoritative, but because Bruce writes with such authority and there is a distinct trend of an emerging groupthink, it encourages readers to accept what is presented without questioning the validity of what is being put forward. Even Bruce argues that "Security is fundamentally a fear sell, and so it doesn't sell very well."

In a recent case, the decision to fit commercial passenger aircraft with anti-missile systems (three American Airlines jets on unidentified routes) has been dismissed as "security theater[sic] against a movie-plot threat". In amongst the significant number of comments backing the argument of Security Theatre were a couple of dissenting voices that pointed out it isn't a completely inane suggestion, with more than 20 recorded airline crashes since 1975 that can be attributed to surface-to-air attacks.

There have been a number of recent attacks against airliners, including an attack against El Al in Kenya (where the aircraft was reported to have been fitted with anti-missile defences and the missile missed), and an attack against a DHL freight aircraft in Iraq (where the crew were able to land the aircraft despite significant damage to the port wing). One of the most famous examples of a civilian airliner being destroyed by a surface missile is the Iranian airliner shot down by a US warship over the Persian Gulf a number of years ago.
It isn't the first time that it has been suggested that civilian airliners should be fitted with defensive systems like this, but the main argument within the aviation world has been about the relative costs and benefits of these systems, as well as the level of threat faced by the airliners. It has long been rumoured that the Israeli national airline, El Al, has fitted at least some of their aircraft with defences, but it has never been officially confirmed.

With a fluid geopolitical environment some could argue that the threat to civilian airliners around the world has increased, thus justifying the expenditure and effort to fit the anti-missile systems. Perceived American aggression in a number of countries and regions can also be seen as a contributing factor to a perceived increased threat against American airliners.

To the uninformed, it does appear that fitting aircraft with defences is an inane suggestion, especially if the commentator is living in a stable country or region that has not traditionally seen attacks against civilian targets. In other words, the perceived risk is very low and fitting aircraft with defences is a waste of resources. To the informed, it still appears somewhat inane, but there are defined cases where it would be prudent to ensure a civilian airliner is protected against external attack while it is in flight. Flight operations to regions that are politically unstable or where there is lax law enforcement are cases where defence mechanisms may be justified.

It is somewhat ironic that US airlines are considering fitting their aircraft with defences against US-built and sold missiles. Using lasers against missiles could be considered inappropriate use of technology as, on the surface, it seems impossible for a laser defence system to disable missiles that are radar-guided, semi-active, or even modern IR-guided weapons.
One of the main theorised approaches is to use the laser to provide localised heating of the weapon such that it disables the guidance circuits or even prematurely detonates the weapon. Using the laser also allows for continuous tracking of trajectories and probable launch sites, which can be useful to determine whether to take evasive action (not needed if it is going to miss), and to aid in any law enforcement investigation (providing an actual launch location). Other suggested modes of operation include blinding IR seekers with blooms of light / heat.

Laser anti-missile defensive systems are still in their infancy compared to the more traditional flares, chaff, and ECM. There is also a quite well defined threat, with the basic launch platform being the MANPAD (MAN Portable Air Defence), which includes the SA-7, SA-14 and Stinger type of shoulder launched missiles, though the RPG is also a viable unguided ground-air weapon. There are many thousands of this class of weapon that have gone 'missing' from official inventories around the world, and many more that have been sold off the books to different organisations. For a weapon that can be broken down into approximately 1-2 suitcases for transit, it is something that can be shipped quickly and easily concealed - almost the perfect weapon of terror.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com