
SANS ISC InfoSec Handlers Diary Blog



September 2008 Black Tuesday Overview

Published: 2008-09-09
Last Updated: 2008-09-09 22:48:01 UTC
by Swa Frantzen (Version: 1)
2 comment(s)

Overview of the September 2008 Microsoft patches and their status.

For each bulletin: the affected component, the CVE names, the contra indications (KB article), known exploits, the Microsoft rating and the ISC rating(*) for clients and servers.

MS08-052: Multiple vulnerabilities in GDI+: VML heap buffer overflow, EMF memory corruption, GIF parsing, WMF buffer overflow, BMP header overflow. Impact is code execution. GDI+ is used by, among many others, Internet Explorer and Office to draw images. Replaces MS08-040 and MS04-028.
  Affected: GDI+
  CVE: CVE-2007-5348, CVE-2008-3012, CVE-2008-3013, CVE-2008-3014, CVE-2008-3015
  Contra indications: KB 954593
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Important

MS08-053: Windows Media Encoder installs an ActiveX control marked safe for scripting, but it was never intended to be used by Internet Explorer.
  Affected: Windows Media Encoder
  CVE: CVE-2008-3008
  Contra indications: KB 954156
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Important

MS08-054: Windows Media Player 11 input validation error in handling server side playlists. Impact: code execution.
  Affected: Windows Media Player 11
  CVE: CVE-2008-2253
  Contra indications: KB 954154
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Important

MS08-055: Lack of input validation in the URL validator for the OneNote protocol. The impact is code execution. Replaces MS07-025 and MS08-016. Email and web based attack vectors exist.
  Affected: Office
  CVE: CVE-2008-3007
  Contra indications: KB 955047
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Important
We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Section 66

2 comment(s)

Apple updates iTunes+QuickTime

Published: 2008-09-09
Last Updated: 2008-09-09 20:28:34 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Following the media event announcing new gadgets, predictably, iTunes and QuickTime got updated. A bit of a surprise is that those upgrades also have a number of security fixes incorporated.

The QuickTime update to 7.5.5 refers to the following CVE names: CVE-2008-3615, CVE-2008-3635, CVE-2008-3624, CVE-2008-3625, CVE-2008-3614, CVE-2008-3626, CVE-2008-3627, CVE-2008-3628, CVE-2008-3629

When Apple is ready, the description of the security part should end up here: http://www.info.apple.com/kbnum/n61798

All of them are relating to opening "crafted" media files. Read: it's the typical list of input validation failures leading to code execution. You want this one if you have QuickTime installed.

The iTunes 8.0 update references the following CVE names: CVE-2008-3634, CVE-2008-3636.

The first one is interesting: it deals with an update of the text so that it no longer says that changing firewall settings doesn't affect security. The second allows local privilege escalation in the Windows version. Compared to the QuickTime upgrade, this is less urgent in most environments.

--
Swa Frantzen -- Section 66

0 comment(s)

wordpress upgrade

Published: 2008-09-09
Last Updated: 2008-09-09 18:18:55 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Roseman pointed out that the popular blog software WordPress is in need of an upgrade.

WordPress 2.6.2 fixes an interesting combination of bugs:

  • A security bug allowing a user to reset another user's password to a random value (nasty, DoS, etc. but not the end of the world).
  • A vulnerability in the mt_rand() function of PHP allowing the attacker to predict the random password that will be chosen on a password reset.
    Stefan Esser's latest version of Suhosin does protect against this.

Lack of randomness will come back over and over till we get it right (16 bit IDs in DNS, the Debian debacle with the lack of entropy in their OpenSSL implementation, random session IDs, ...).
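The combination above (a reset anyone can trigger, plus a password drawn from a predictable PRNG) is easiest to see side by side. The following is an added example, not WordPress or PHP code: the weak generator is a Python stand-in for a seeded mt_rand() (the Mersenne Twister behind Python's random module, seeded with one integer), the strong one uses the OS CSPRNG, and the entropy helper shows why a long password from a small seed is no better than the seed. The storage helpers assume a plain dict as the user table.

```python
import hashlib
import hmac
import math
import random
import secrets
import string
from typing import Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12


def weak_random_password(seed: int, length: int = PASSWORD_LEN) -> str:
    """Stand-in for a password built from a seeded, non-cryptographic PRNG
    (constructed analogue of PHP's mt_rand()). Same seed, same password, so
    whoever learns or guesses the seed learns the 'random' password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_random_password(length: int = PASSWORD_LEN) -> str:
    """Password drawn from the operating system CSPRNG; there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def effective_entropy_bits(length: int, seed_bits: Optional[int]) -> float:
    """Upper bound on the guessing work in bits. For a seeded PRNG it is capped by
    the seed size however long the password is; for a CSPRNG (seed_bits=None)
    the password length is the only limit."""
    from_length = length * math.log2(len(ALPHABET))
    if seed_bits is None:
        return from_length
    return min(from_length, seed_bits)


# Hypothetical user table: username -> (salt, PBKDF2 digest).
UserTable = Dict[str, Tuple[bytes, bytes]]
PBKDF2_ROUNDS = 100_000


def store_reset_password(db: UserTable, user: str, password: str) -> None:
    """Persist only a salted hash, so a database leak does not hand out the reset password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db[user] = (salt, digest)


def check_reset_password(db: UserTable, user: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    if user not in db:
        return False
    salt, digest = db[user]
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    print("weak, seed 1234:", weak_random_password(1234), "(reproducible)")
    print("strong:", strong_random_password())
    print("entropy of a 12-char password from a 32-bit seed:",
          effective_entropy_bits(PASSWORD_LEN, 32), "bits")
    print("entropy of a 12-char CSPRNG password: %.1f bits"
          % effective_entropy_bits(PASSWORD_LEN, None))
```

The point of `effective_entropy_bits` is the one the diary makes about mt_rand(): with a 32 bit seed the reset password has at most 32 bits of unpredictability no matter how long it looks, whereas twelve characters from a CSPRNG carry about 71 bits.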

Equally important remains the proper follow up of the tools we use. Are you sure every tool on your machine(s) or servers will let you know it's in need of upgrading? Are you subscribed to their means of letting you know (email, blog, ...)?

--
Swa Frantzen -- Section 66

0 comment(s)

Evil side economy: $1 for breaking 1000 CAPTCHAs

Published: 2008-09-09
Last Updated: 2008-09-09 13:21:52 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

You see CAPTCHAs everywhere you turn. Create a gmail account, do a whois that is to yield useful information on a .eu domain, comment on a blog, sign up for a forum, ...

CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart". It's mostly used to prevent automated registration or activity where we would like humans to participate, but keep the excesses away.

Dancho Danchev blogged about it over at zdnet. It's interesting to read if you are using or are planning to use CAPTCHAs to protect something.

Once they start to employ sweatshops that break these for $0.001 apiece, the protection offered by this quickly dwindles to next to nothing. Also the capacity claimed to be available is tremendous. 200,000 CAPTCHAs per day seems to be something expected by those offering this "service".

Aside from causing the living standard to improve in those places that are cheap enough to make this kind of economy possible, what are you considering to replace your CAPTCHAs with once they get overrun by this?

Tell us and we'll summarize.

--
Swa Frantzen -- Section 66

Keywords: CAPTCHA economy
0 comment(s)

Google Chrome being polished

Published: 2008-09-09
Last Updated: 2008-09-09 12:29:51 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Juha-Matti was the first (of undoubtedly many if I didn't post this) to warn us that Google Chrome did get a security update.

Remember it's "only" beta release software. Match your expectations (and usage) to the status. Google actually already released it on September 5th.

Links:

--
Swa Frantzen -- Section 66

Keywords: chrome patch
0 comment(s)

The complaint that's an attack

Published: 2008-09-09
Last Updated: 2008-09-09 10:28:12 UTC
by Swa Frantzen (Version: 2)
0 comment(s)

Stephane wrote in with an email received on an administrative role email address that read like it came from an inexperienced spam target barking up the wrong tree.

From: [suppressed to protect the innocent]
To: [suppressed to protect the innocent]
Subject: I am wait your reply

To Whom It May Concern:

I am tired of receiving messages containing malicious computer programs (viruses) from your e-mail address!!!
If within 1-2 days you do not stop sending messages to my e-mail address, I will have to address this issue to the Police!...
Today I received a hard copy of your data logs from my Internet service provider. The copy contains your IP address, logs of sending malicious programs and your e-mail address details...
I am sending you the copy of the document containing your data and logs of sending malicious programs as the proof of your fault!!!!!!
You must print the document containing the list of your data and logs of sending malicious programs and pass it on to your Internet service  provider with, so that they could find out why the viruses are sent from your computer to my e-mail address!!!!
Ask your Internet service provider to resolve this problem!!!!

Do this now!!!
Once again!!! If you don't stop sending the letters, I will address to the Police and file a lawsuit against you!!!

With an attachment called IPLOGS.zip, that contains:

$ unzip -v IPLOGS.zip
Archive:  IPLOGS.zip
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   81408  Defl:N    58399  28%  09-08-08 00:01  8b1aedc6  IPLOGS.exe
--------          -------  ---                            -------
   81408            58399  28%                            1 file


Sending it over to Virustotal yielded following result:

AhnLab-V3 -
AntiVir -
Authentium W32/Malware!OC-based
Avast -
AVG PSW.Generic6.ABAB
BitDefender -
CAT-QuickHeal -
ClamAV Trojan.Zbot-2110
DrWeb -
eSafe -
eTrust-Vet -
Ewido -
F-Prot W32/Malware!OC-based
F-Secure Trojan.Win32.FraudPack.gen
Fortinet PossibleThreat
GData Trojan.Win32.FraudPack.gen
Ikarus Trojan.Win32.FraudPack
K7AntiVirus -
Kaspersky Trojan.Win32.FraudPack.gen
McAfee -
Microsoft PWS:Win32/Zbot.gen!B
NOD32v2 -
Norman -
Panda -
PCTools -
Prevx1 -
Rising -
Sophos Troj/PWS-ATH
Sunbelt -
Symantec Infostealer.Banker.C
TheHacker -
TrendMicro -
VBA32 -
ViRobot -
VirusBuster -
Webwasher-Gateway -

The zbot trend seems to be forming among the AV vendors.
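For the mail admin who has to make a decision on attachments like IPLOGS.zip before a scanner verdict arrives, here is an added triage example (not from the diary, and no real malware involved): it opens a zip in memory, flags members by executable extension, by PE "MZ" magic regardless of the file name, by document-style double extensions, and by a declared size that would be unsafe to inflate, and it records a SHA-256 per member for later lookup. The sample archive is constructed inline; its "IPLOGS.exe" is a few harmless bytes that merely start with the MZ signature.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".xls", ".jpg", ".log"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate members larger than this


def inspect_member(name: str, data: bytes) -> Dict[str, object]:
    """Classify one extracted member; 'reasons' lists every rule that fired."""
    lower = name.lower()
    parts = lower.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons: List[str] = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("document-style double extension")
    if data[:2] == b"MZ":
        reasons.append("PE/MZ header")  # content check catches a renamed .exe too
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("PE content under a non-executable name")
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def triage_zip(blob: bytes) -> List[Dict[str, object]]:
    """Walk every file member of an in-memory zip and return one record per member."""
    results: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                # Do not inflate; the declared size alone is reason enough to hold it.
                results.append({
                    "name": info.filename, "size": info.file_size, "sha256": None,
                    "suspicious": True, "reasons": ["declared size exceeds inflate limit"],
                })
                continue
            results.append(inspect_member(info.filename, zf.read(info)))
    return results


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the diary's IPLOGS.zip. The 'executable'
    is placeholder bytes starting with the MZ magic, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IPLOGS.exe", b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real PE")
        zf.writestr("readme.txt", b"plain text member for contrast")
        zf.writestr("logs.txt.scr", b"MZ" + b"\x00" * 30 + b"constructed double-extension sample")
    return buf.getvalue()


if __name__ == "__main__":
    for record in triage_zip(build_sample_zip()):
        flag = "HOLD" if record["suspicious"] else "ok  "
        print(flag, record["name"], record["size"], record["sha256"], record["reasons"])
```

The content check matters more than the extension check: a scanner that only looks at names is defeated by a rename, while the MZ test (and the inflate limit) stay useful even when the archive is built to look like "logs". The SHA-256 is what you would submit or search for instead of mailing the sample around.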

The trickiest part of this will be convincing some out there that our real complaints are real, but perhaps that's the goal of these scam artists.

--
Swa Frantzen -- Section 66

Keywords: spam zbot
0 comment(s)