SANS ISC InfoSec Handlers Diary Blog

Apple Security Update 2010-001

Published: 2010-01-19
Last Updated: 2010-01-19 21:57:15 UTC
by Jim Clausing (Version: 1)
0 comment(s)

In an effort not to be left out, Apple has released Security Update 2010-001 which patches a dozen vulnerabilities in CoreAudio (code execution via crafted MP4), CUPS (remote DoS), Flash Player Plug-in (multiple including arbitrary code execution), ImageIO (code execution via crafted TIFF file), Image Raw (code execution via crafted DNG image), and OpenSSL (the renegotiation exploit).  Details can be found here: http://support.apple.com/kb/HT4004

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

Keywords: Apple OpenSSL

Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released

Published: 2010-01-19
Last Updated: 2010-01-19 21:47:39 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

In a posting to a public mailing list, Tavis Ormandy disclosed a zero-day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to and including Windows 7, are affected.

The vulnerability affects support for 16 bit applications. In most cases, it is safe to turn off support for 16 bit applications.

Here are the mitigation instructions (copied from the advisory):

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

To watch a demonstration of this policy being applied to a Windows Server 2003 domain controller, see the link below.

http://www.youtube.com/watch?v=XRVI4iQ2Nug

To watch a demonstration of this policy being applied to a Windows Server 2008 domain controller, see the link below.

http://www.youtube.com/watch?v=u8pfXW7crEQ

To watch a demonstration of this policy being applied to a shared but unjoined Windows XP Professional machine, see the link below.

http://www.youtube.com/watch?v=u7Y6d-BVwxk

On Windows NT4, the following knowledgebase article explains how to disable the NTVDM and WOWEXEC subsystems.

http://support.microsoft.com/kb/220159

Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users require this functionality.

If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface.

This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletins have credited Tavis numerous times in the past for disclosing vulnerabilities.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: exploit Microsoft
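
To verify that the "Prevent access to 16-bit applications" policy described in the entry above has actually reached a machine, the following added PowerShell example (not part of the advisory or of this diary entry) reports the policy state and whether the 16-bit subsystem host is present or running. It assumes the machine policy is stored as the DWORD value `VDMDisallowed` under the AppCompat policy key, a name that does not appear in the text above; the function names are illustrative.

```powershell
# Added example: audit the "Prevent access to 16-bit applications" mitigation.
# Assumption: the machine policy is the DWORD VDMDisallowed (1 = blocked)
# under the key below; this name is not quoted in the diary entry.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Get-VdmPolicyState {
    param(
        [string]$Key  = $PolicyKey,
        [string]$Name = $PolicyName
    )
    # A missing key or missing value both mean the policy was never applied.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotConfigured' }
    if ([int]$item.$Name -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Get-VdmMitigationReport {
    $state  = Get-VdmPolicyState
    # ntvdm.exe hosts 16-bit MS-DOS and Windows 3.1 applications.
    # It does not exist on 64-bit editions of Windows.
    $binary  = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $running = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        PolicyState       = $state
        NtvdmPresent      = (Test-Path $binary)
        NtvdmRunningCount = $running.Count
        # True only when the policy explicitly blocks 16-bit applications.
        MitigationApplied = ($state -eq 'Blocked')
    }
}

Get-VdmMitigationReport | Format-List
```

A machine that reports `NotConfigured` or `Allowed` while `NtvdmPresent` is true has not received the mitigation; a non-zero `NtvdmRunningCount` shows that someone is using a 16-bit application and will be affected when the policy is enforced.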

The IE saga continues, out-of-cycle patch coming soon

Published: 2010-01-19
Last Updated: 2010-01-19 20:10:13 UTC
by Jim Clausing (Version: 1)
0 comment(s)

No, there still isn't a patch, but there will be one before the regular Microsoft patch day in February. The MSRC has posted a note on their blog saying the timing will be announced tomorrow. In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as JavaScript is enabled (no, this doesn't appear to be the .NET ones from last year), which would make even IE8 vulnerable. We don't have the details at present, but if true this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8, where DEP is on by default. In any event, we continue to monitor the situation.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

Keywords: CVE20100249 IE

49Gbps DDoS, IPv4 exhaustion, and DNSSEC, oh my!

Published: 2010-01-19
Last Updated: 2010-01-19 15:54:56 UTC
by Jim Clausing (Version: 1)
0 comment(s)

Arbor has released their 2009 Worldwide Infrastructure Security Report and it is an interesting read.  The largest DDoS increased nearly 5-fold from 2004 to 2008 (and doubled from 2006 to 2008) to 49Gbps.  At that size, you definitely need the assistance of your upstream service provider to mitigate.  The report also shows the continuing trend of not reporting/referring attacks to law enforcement.

The report can be found at http://staging.arbornetworks.com/dmdocuments/ISR2009_EN.pdf

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

Keywords: DDoS DNSSEC IPv4 IPv6

Forensic challenges

Published: 2010-01-19
Last Updated: 2010-01-19 15:30:20 UTC
by Jim Clausing (Version: 1)
0 comment(s)

Even when I am doing some of it as part of my day job, I still enjoy participating in, and seeing the results of, the forensic/packet contests/challenges that can be found periodically being run by folks I respect.  Currently there are at least 2 challenges that look interesting.  The first is put together by the authors of the SANS 558 - Network Forensics course.  Info on that one can be found at http://forensicscontest.com/2009/12/28/anns-appletv.  Their first two contests have been kind of fun, (in the interest of full disclosure, I'll be posting my solution to #2 on my handlers page over the weekend (talking to Jonathon and Sherry last week at SANS Security East, I decided I want to make one more minor addition to my scripts)).  The other is from the Honeynet Project and can be found at https://honeynet.org/node/504.  Both run until 1 Feb, so if you've got some time, give them a look.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
