Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Exploit code available for CVE-2010-0249

Published: 2010-01-15
Last Updated: 2010-01-15 21:35:51 UTC
by Kevin Liston (Version: 1)
2 comment(s)

The details for CVE-2010-0249 aka Microsoft Security Advisory 979352 (http://www.microsoft.com/technet/security/advisory/979352.mspx) aka the Aurora exploit has been made public.  It is a vulnerability in mshtml.dll that works as advertised on IE6 but if DEP is enabled on IE7 or IE8 the exploit does not execute code.

I expect Microsoft will have a patch available for the standard February patch day.  There will not likely be an out-of-band patch for this unless a 3rd party makes their own available.
 

Keywords: CVE20100249
2 comment(s)

Clearing some things up about Adobe

Published: 2010-01-15
Last Updated: 2010-01-15 20:10:11 UTC
by Kevin Liston (Version: 1)
2 comment(s)

The word “Adobe” conjures up a number of meanings here.  When we get an email that mentions just “Adobe,” we fill in the blank with one of the following:

  • Adobe the Company
  • Adobe Acrobat
  • Adobe Acrobat Reader
  • Etc.


This invariably leads to confusion.

A similar confusion exists surrounding the recently reported Google incident (http://isc.sans.org/diary.html?storyid=7969) especially when Adobe released a similarly worded announcement: http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html
This led some folks (including me) to the conjecture that the attack involved the use of a malicious PDF file.  I’ve seen examples where this group used malicious PDFs, but nobody provided an example of the PDF file used in THIS attack.  Adobe’s (the company) ASSET security team released additional details yesterday (http://blogs.adobe.com/asset/2010/01/further_details_regarding_atta.html) where they assert that Adobe Acrobat Reader was not involved in the incident, that instead it was an IE vulnerability detailed here: http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

So, to recap: Adobe (the company) was attacked, but it wasn’t by leveraging an Adobe product.

So let’s look instead at how their products ARE being used to compromise systems…

The folks over at FireEye have a nice blog entry on PDF malware obfuscation and how it’s being used by the Neosploit exploit kit to distribute Mebroot: http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html

Fortunately CVE-2009-4324 has been patched.

A little unsolicited feature request from Adobe for Acrobat Reader: take a gander at that little no-script add-on to Firefox.  I understand that when I download an interactive PDF-form that it’s going to need some javascript to run.  I just want to have an opportunity to click “no” when I get an unexpected PDF while browsing blogs.
 


Kevin Liston

kliston@isc.sans.org

Keywords: PDF
2 comment(s)

Doing the Right Thing

Published: 2010-01-15
Last Updated: 2010-01-15 02:40:13 UTC
by Kevin Liston (Version: 1)
0 comment(s)

Disclaimer: the author speaks from his experience both responding to national disasters with the American Red Cross post-9/11 pre-Katrina and as a volunteer Incident Handler.  His opinions are his own, and not those of the American Red Cross or SANS.

I have been both the “boots on the ground” and the “remote support” in a small number of national and international disasters.  I’ve been in your shoes: wanting to do something to help.  I’d like to share a bit of my experience to help you help others (and possibly yourself.)

First Rule of Disaster Response

The first rule of responding to a disaster situation is: “Don’t become a victim.”  You’re not helping the situation if you rent a truck, fill it full of donations and drive into a scene that isn’t ready to receive you.  You’ll likely run out of fuel, have no shelter, and may have to eat those canned goods that you were hoping to distribute.  Not-becoming-a-victim also applies to being aware and wary of donation-scams that will come at you from a number of channels (see other recent diary entries for current examples.)

There’s a second rule of: “Don’t try to profit from a disaster,” but the people who need to hear that aren’t reading this.

Giving 100%

Anyone that promises to pass on 100% of your donation to the “Victims of X-event” is not telling you the truth.  Either they’re consciously lying to you, or they don’t understand what they’re doing.  In either case, it’s not a good idea to give them your money.

If you donate via SMS, the telco carrier takes their cut.  If you send by PayPal, they have their fees.  If you send a check via Parcel Post, the US Postal Service charges postage.  I’m not saying that any of these organizations are greedy or guilty of violating the 2nd rule of disaster response.  I’m saying that overhead will always be present, and when an organization responsibly reports their operations overhead, that’s a good sign.

Why Earmarking is Bad

When you make a donation to an organization, resist the urge to check that “apply these funds to X-event” box.  The organization receiving your money has already invested many thousands of dollars prepping for the next disaster, and those batteries, and cell phones, bottles of water, blankets, etc. that are now being distributed wasn’t paid for out of the X-event fund.  After X-event is over, they’re going to need to replenish the supplies and gear to prepare for the next disaster.

Forcing the organization to spend money on a given operation leads to irrational spending and waste.

What’s the Good News?

I certainly don’t want to scare anyone away from reaching out to help, in fact I’d like to encourage you to donate if you can, and volunteer if you can.  There is a lot that dedicated individuals and small groups can accomplish when they're organized.

Who do You Trust?

When donating in response to a disaster in another country, it’s best to stick with well-established organizations and ideally those that already have an operating presence in the stricken area.  If you don’t know where to start I’d like to humbly suggest one of the following:
 

  • CARE: http://www.care.org/
  • International Red Cross:  http://www.icrc.org/
  • Medecins Sans Frontieres/Doctors Without Borders: http://doctorswithoutborders.org/
     

Kevin Liston
kliston@isc.sans.org
 

Keywords:
0 comment(s)
Diary Archives