[SecurityRatty] tag: administrative

News Report on Non Vulnerability in Windows Vista

Thu, 20 Nov 2008 15:41:16 +0000

Are editors so excited to use the headline “Vulnerability in Windows Vista” in their SEO URLs that they will have their reporters write a story on a non-issue?

IDG News has published a news report titled, “Researchers find vulnerability in Windows Vista“. The report says:

An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run unauthorized code on a PC.

The problem is rooted in the Device IO Control, which handles internal device communication. Researchers at Phion have found two different ways to cause a buffer overflow that could corrupt the memory of the operating system’s kernel.

In one of the scenarios, a person would already have to have administrative rights to the PC. In general, vulnerabilities that require that level of access somewhat undermine the risk since the attacker already has permission to use to the PC.

Somewhat undermine the risk? If you need admin rights to exercise a bug it is not a security issue since you could already run any code with whatever privilege you wanted. Microsoft is not issuing a patch, but creating a bug fix in a service pack, yet this is newsworthy? This story has no comment from anyone but the finder of the bug. Let’s see if other news outlets pick up on this one.

6 Months And Counting For Microsoft On CVE-2008-1436

Thu, 16 Oct 2008 11:24:58 +0000

In April of this year Microsoft issued what seemed to be a rather serious security advisory: Vulnerability in Windows Could Allow Elevation of Privilege (951306). Microsoft never provides gory details to vulnerabilities even after they've been patched, but by following the CVE entry from it you can get links to sites like IBM's ISS which are willing to say more, or even to get proof-of-concept exploit code from SecurityFocus. The vulnerability allows authenticated attackers potentially to elevate privileges to LocalSystem. Here we are, 6 months later, and Microsoft still has not patched this vulnerability. What's up with that? "Dustin" from the Microsoft Security Response Center recently addressed the question in a blog on Technet, following an update to the advisory to note the availability of the proof-of-concept code. It's worth noting that this vulnerability isn't really near the top of the scare list. Most of those 3rd parties you see linked on the CVE page rank it down a few notches. Even the usually hyperbolic Secunia calls it "Less Critical" (2 out of 5, 1 step up from "Not Critical"). Furthermore, back in April Microsoft provided workarounds which it says are effective against the proof-of-concept, at the cost of some administrative burden. They also say that they are unaware of any real-world attacks on this vector. You can find more details from Microsoft on the bug in Nazim's IIS Security Blog and the Security Vulnerability Research & Defense blog. Still, 6 months! What Dustin said was "...we began our investigation and immediately realized it would not be trivial to address this issue without introducing new risks." They're still testing and developing a fix. 6 months later. It would seem that the obvious fixes all cause some serious problem, perhaps breaking 3rd party code. Is this inherently unreasonable? It's getting there. The list of affected software includes most of the important versions of Windows. It may be that some of the time this has taken has gone to working with my speculative 3rd parties to update their own software, so that the fix won't have the same impact. But let's not forget that this is not an easily exploitable bug. It's not wormable in any way and by the time it's invoked other serious breaches of security have to have happened. So I guess it's worth it for Microsoft to take their time doing it right.

Researcher finds evidence of massive site compromise

Thu, 02 Oct 2008 20:00:00 +0000

Several criminal gangs have acquired administrative log-in credentials for more than 200,000 Web sites -- including the one used by the U.S. Postal Service -- and have used the compromised domains to attack unsuspecting users' PCs with a notorious hacker exploit kit, a researcher said today.

3PAR Thin Copy Desktop: A VDI-Optimized Storage Solution

Thu, 04 Sep 2008 09:00:00 +0000

(Source: 3PAR) The advent of Virtual Desktop Infrastructure (VDI) holds great promise in corporate, government, and service provider environments. Virtual Desktop Infrastructure, such as VMware VDI, enables end users or their hosting providers to provision and manage hundreds of individual, virtual desktops from a set of centrally administered, consolidated servers. This approach delivers a number of potential benefits, including lower administrative and maintenance costs, higher levels of security, and increased user mobility and flexibility. 3PAR has introduced Thin Copy Desktop for VMware VDI, a storage solution designed for virtualized desktop infrastructures. This offering meets all the requirements for a VDI Optimized Storage solution, which we have outlined in this document. 3PAR Thin Copy Desktop significantly decreases physical disk space requirements for virtual desktop images and enables the rapid, simultaneous booting of hundreds or even thousands of virtual machines (VMs).

3PAR Thin Copy Desktop: A VDI-Optimized Storage Solution

Thu, 04 Sep 2008 09:00:00 +0000

Storm Worm's Lazy Summer Campaigns

Thu, 31 Jul 2008 02:39:35 +0000

The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we're used to seeing. These days they're not piggybacking on real news items, they're starting to come up with new ones.

Storm's latest "FBI vs Facebook" campaign is an example of very badly executed one, lacking their usual fast-flux, any kind of social engineering common sense, as well as client side exploits next to centralizing all the participating domains on a single nameserver.

Domains used :
wapdailynews .com
smartnewsradio .com
bestvaluenews .com
toplessnewsradio .com
companynewsnetwork .com
goodnewsgames .com
marketgoodnews .com
fednewsworld .com
toplessdailynews .com
stocklownews .com

DNS servers :
NS.BRPRBGOK6 .COM
NS2.BRPRBGOK6 .COM
NS3.BRPRBGOK6 .COM
NS4.BRPRBGOK6 .COM
NS5.BRPRBGOK6 .COM
NS6.BRPRBGOK6 .COM

Strangely, the domain has been registered using an email hosted on a known Storm fast-flux node used in the recent 4th of July campaign and the U.S's invasion of Iran :

Administrative Contact:
Lee Chung lee@likethisone1.com
+13205897845 fax:
1743, 34
Los-Angeles CA 321458
us

This Storm Worm sample is also "phoning back home" over HTTP next to the P2P traffic, and trying to obtain the rootkit from the now down, policy-studies.cn /getbackup.php using already known Storm nameservers :

ns2.verynicebank .com
ns3.verynicebank .com
ns.likethisone1 .com
ns2.likethisone1 .com
ns3.lollypopycandy .com
ns4.lollypopycandy .com

Someone's bored, definitely, making it look like it's almost someone else managing a Storm Worm campaign on behalf of them.

One risky point

Sun, 27 Jul 2008 20:00:00 +0000

Single point of failure. That's the right term for talking about the mess in San Francisco, where last week the city government finally regained control of its backbone network. Terry Childs, the net admin jailed for locking down administrative access, turned over the passwords during a secret visit from Mayor Gavin Newsom.

San Francisco's mayor gets back keys to the network

Tue, 22 Jul 2008 20:00:00 +0000

San Francisco Mayor Gavin Newsom met with jailed IT administrator Terry Childs Monday, convincing him to hand over the administrative passwords to the city's multimillion-dollar wide area network.

Questions abound as San Francisco tries to repair network

Mon, 21 Jul 2008 20:00:00 +0000

IT managers and analysts are expressing surprise at the amount of time it appears to be taking officials at the City of San Francisco to regain full control of the city's FiberWAN network after a disgruntled network administrator allegedly locked access to it by resetting administrative passwords to its switches and routers.

Opinion: How to protect your network from rogue IT employees

Mon, 21 Jul 2008 09:00:00 +0000

Several basic network security principles appear to have been ignored in the city of San Francisco's IT department, resulting in a rogue network admin creating a "superpassword" that blocked everyone else's administrative functions -- and his arrest.