
SANS ISC InfoSec Handlers Diary Blog



MS04-028 Proof of Concept Rumors; Beyond Patching; Mailbag

Published: 2004-09-17
Last Updated: 2004-09-18 03:21:49 UTC
by Marcus Sachs (Version: 1)
MS04-028 Proof of Concept Rumors. At least two examples of concept code exploiting the recently announced MS04-028, Buffer Overrun in JPEG Processing (GDI+), were released in the past 24 hours. This should serve as a warning to those who are ignoring a potentially explosive vulnerability that there are individuals and groups actively at work trying to build a working exploit.

We have seen this same pattern in the past - a significant vulnerability is announced, followed in a few days by POC code that usually causes a system crash or denial of service condition, followed by a hunt to get a reliable and simple buffer overflow to work using universal stack pointer offsets. Once an attack mechanism is perfected, then it's just a matter of hours or days before worm code is launched. With the growth in popularity of the Metasploit Framework project, simple point-n-click access to vulnerable systems follows quickly, allowing anybody from script kiddies to nation states to gain unauthorized access to insecure systems.

So here we are at roughly day three. POC code is circulating. Working exploit code is probably going to find its way into the public domain within a few days or a week. Then it's up to the whims of somebody or some group to build and launch a malware attack using the newly developed exploits. Crystal ball says to look for a worm or mass-mailer by the end of September.

Beyond Patching. You've got an enterprise that is nearly 100% Microsoft, with thousands of desktop computers that need patching, not to mention all of the servers, and of course those pesky laptops that your road warriors and management use but won't keep updated. Now you are faced with an issue as devious as the MS04-028 vulnerability in JPEG processing. Of course it could be another significant vulnerability in Microsoft systems, or in other popular products including Cisco, Juniper, Oracle, Linux, or AIM. Regardless, you are faced with the reality of a whole lot of machines that are now vulnerable to a known security problem, and the clock is ticking.

Before you call all of your staff in and start working them overtime, consider some of the options below that can be done quickly while you start deploying patches. In fact, many of these steps should be done regardless of any published vulnerabilities. Yes, they may cause some squealing from your users, but take that as an opportunity to help them understand the risks your organization faces by being connected to the public Internet.

1. Set your gateway devices (routers, firewalls, etc.) to a "deny all" setting as the default for inbound traffic, then explicitly allow the ports needed to support your business or operational processes.

2. Use egress filtering to block all outbound traffic not sourced from the subnet behind a particular edge router. This is just good common sense, but so many network administrators do not take this simple step.

3. Disable HTML rendering in your email clients. Some email clients have a feature that blocks inline images. If so, turn it on. (Blocking .jpg or .jpeg file attachments is a waste of time. Don't do it.)

4. Likewise, disable the preview panel in Outlook and Outlook Express.

5. Do not use Word as your email editor. Use Outlook's built-in editor.
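
The default-deny inbound and egress-filtering items in the list above can be modeled and checked before touching a real gateway. This is an added example, not code from the diary and not any vendor's rule syntax; the policy layout, function names and addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed values (RFC 5737 documentation ranges); nothing here comes from the diary.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # subnet behind the edge router
INBOUND = {
    "default": "deny",                             # deny unless explicitly allowed below
    "rules": [
        {"action": "allow", "proto": "tcp", "dst": "192.0.2.10/32", "port": 25},
        {"action": "allow", "proto": "tcp", "dst": "192.0.2.20/32", "port": 443},
    ],
}

def inbound_verdict(policy, proto, dst, port):
    """First matching rule wins; otherwise the default policy applies."""
    addr = ipaddress.ip_address(dst)
    for r in policy["rules"]:
        if (r["proto"] in (proto, "any") and r["port"] in (port, "any")
                and addr in ipaddress.ip_network(r["dst"])):
            return r["action"]
    return policy["default"]

def egress_verdict(src, internal=INTERNAL):
    """Forward outbound traffic only if its source is in the internal subnet."""
    try:
        return "allow" if ipaddress.ip_address(src) in internal else "deny"
    except ValueError:
        return "deny"                              # unparsable source address

def audit(policy):
    """Flag settings that defeat a default-deny inbound posture."""
    findings = []
    if policy["default"] != "deny":
        findings.append("default policy is not deny")
    for i, r in enumerate(policy["rules"]):
        wide = ipaddress.ip_network(r["dst"]).prefixlen == 0
        if r["action"] == "allow" and (r["port"] == "any" or wide):
            findings.append(f"rule {i} allows any port or any destination")
    return findings

if __name__ == "__main__":
    print(inbound_verdict(INBOUND, "tcp", "192.0.2.10", 25))    # listed service
    print(inbound_verdict(INBOUND, "tcp", "192.0.2.55", 445))   # falls to default
    print(egress_verdict("192.0.2.77"), egress_verdict("203.0.113.9"))
    print(audit(INBOUND))
```
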

Once you do start patching for MS04-028, do not forget to patch twice - once for Microsoft Windows and once for Microsoft Office. Microsoft's statement about WindowsXP SP2 not being vulnerable is a bit misleading. If you are running Office products, you need to patch them too regardless of your SP level.

Mailbag. Chris sent us a note that he received an email from "security@microsoft.com" with an attachment - patch.exe. As most of our readers know, Microsoft does not send patches by email.

Matthias pointed us to an article in Germany concerning WindowsXP SP2 opening local shares to the dialup networking interface. We have not validated the claim. Details are at http://www.pcwelt.de/know-how/extras/103039/

Steve told us about a physical security issue with a popular brand of bicycle and laptop locks. Details are on Slashdot at http://slashdot.org/article.pl?sid=04/08/09/0218225&tid=172

Thanks to the many people who wrote in supporting Cory's missive on ASCII graphics a couple of days ago. For those who thought it was inappropriate, our apologies. Perhaps we should use ASCII emoticons to warn readers when we are just joking. :)
Marcus H. Sachs

Handler on Duty


See everybody in Las Vegas - I'm teaching E-Warfare on September 28th and would really like to meet some of our readers!