Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

IE Zero Day is "For Real"

Published: 2012-09-17
Last Updated: 2012-09-17 15:51:11 UTC
by Rob VandenBrink (Version: 1)
15 comment(s)

We've had numerous readers write in about an IE8 zero day, most pointed us here for more info on it ==> http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/

Since I'm not a "Malware Analysis Guy" (at least until I take Lenny's Forensics 610 class), I hunted around for some confirmation before I posted. 

I guess a Metasploit module that exploits it counts as confirmation !
http://dev.metasploit.com/redmine/projects/framework/repository/revisions/aac41e91fd38f99238971892d61ead4cfbedabb4/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb

Also more info here:  http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day

And yes, there is code in the wild that exploits this (since Sept14th).  And no, there is no patch for it yet

If you're still running IE7,8 or 9, today is a good day to think about switching browsers for a couple of weeks. 

(thanks to our readers, who corrected my original post - this zero day affects not just IE8, but also IE7 and IE9)

===============
Rob VandenBrink
Metafore

 

Keywords: ie ie7 ie8 ie9zero day
15 comment(s)

What's on your iPad?

Published: 2012-09-17
Last Updated: 2012-09-17 15:46:06 UTC
by Rob VandenBrink (Version: 1)
6 comment(s)


In a recent story (see the bottom of this article), there's been some discussion about a prominent NMS (Network Management System) with an iPad interface that uses a simple to duplicate algorithm for it's password.  

Do we care? Isn't the resulting password more secure than most passwords we ourselves would have picked?  Not so much if it's simple to derive, but in my opinion, the real story here is that we are trusting our mobile devices and apps way more than we should.  We buy low cost or free simple apps to do things that really matter, without checking doing our homework on security.  In this case, the app is using cleartext authentication and xmpp (the jabber protocol) to remotely access and control their NMS.  The "password math" doesn't help either.  The NMS in turn has access to the full device configurations, as well as the ability to send email directly to network admins (great spearphishing target!), and most importantly, in many cases has admin access to all the network routers, switches, firewalls and even servers.

People just as blithely (blindly?) use tablets and phones to access their bank accounts and control their cars (what could go wrong with that?) 

In the case of an NMS I can certainly see the attraction, now that tablet screens are just as good as many laptops, running your NMS from a tablet can be much easier from a tablet than a traditional laptop - especially if you're not at work.

I gotta admit that it still bothers me when I see the bank adds on TV, encouraging people to access their bank accounts using their phone (you know, the one without a screensaver or keyboard lock) - you know, so that their bank account is even *less* protected when the phone is stolen.

Mind you, some folks would likely be more upset if their social media accounts could be accessed this way ... umm, wait a second!  A favourite highschool prank is to steal a phone from your classmate for 10 minutes to put a bogus (and embarassing) facebook or twitter post up.

When did we stop using VPNs - the classic solution to encapsulating and encrypting sensitive traffic?  The VPN that encrypts both the data, the destination IP address and the authentication?

My worry here isn't really that the datastream could be MITM'd to steal credentials or hijack sessions, though that's certainly possible in this case.  The worry should really be that if your phone or tablet is stolen, big parts of our modern life go with it - banks accounts, facebook and twitter, ebay, your car keys.   And in this case control of your network.  If all we protect this stuff with is a simple keyboard password (my 11 yr old shoulder surfed mine - https://isc.sans.edu/diary.html?storyid=13084), then if your phone is lost, all is lost - you BETTER have a remote wipe function ready to go!

More here:
http://www.h-online.com/security/news/item/WhatsApp-takes-the-lazy-route-to-authentication-1703628.html

http://www.h-online.com/security/news/item/WhatsApp-allegedly-creates-overly-simple-passwords-under-iOS-too-1704972.html

 

===============
Rob VandenBrink
Metafore

6 comment(s)
ISC StormCast for Monday, September 17th 2012 http://isc.sans.edu/podcastdetail.html?id=2809
Diary Archives