[SecurityRatty] tag: securityfocus

6 Months And Counting For Microsoft On CVE-2008-1436

Thu, 16 Oct 2008 11:24:58 +0000

In April of this year Microsoft issued what seemed to be a rather serious security advisory: Vulnerability in Windows Could Allow Elevation of Privilege (951306). Microsoft never provides gory details to vulnerabilities even after they've been patched, but by following the CVE entry from it you can get links to sites like IBM's ISS which are willing to say more, or even to get proof-of-concept exploit code from SecurityFocus. The vulnerability allows authenticated attackers potentially to elevate privileges to LocalSystem. Here we are, 6 months later, and Microsoft still has not patched this vulnerability. What's up with that? "Dustin" from the Microsoft Security Response Center recently addressed the question in a blog on Technet, following an update to the advisory to note the availability of the proof-of-concept code. It's worth noting that this vulnerability isn't really near the top of the scare list. Most of those 3rd parties you see linked on the CVE page rank it down a few notches. Even the usually hyperbolic Secunia calls it "Less Critical" (2 out of 5, 1 step up from "Not Critical"). Furthermore, back in April Microsoft provided workarounds which it says are effective against the proof-of-concept, at the cost of some administrative burden. They also say that they are unaware of any real-world attacks on this vector. You can find more details from Microsoft on the bug in Nazim's IIS Security Blog and the Security Vulnerability Research & Defense blog. Still, 6 months! What Dustin said was "...we began our investigation and immediately realized it would not be trivial to address this issue without introducing new risks." They're still testing and developing a fix. 6 months later. It would seem that the obvious fixes all cause some serious problem, perhaps breaking 3rd party code. Is this inherently unreasonable? It's getting there. The list of affected software includes most of the important versions of Windows. It may be that some of the time this has taken has gone to working with my speculative 3rd parties to update their own software, so that the fix won't have the same impact. But let's not forget that this is not an easily exploitable bug. It's not wormable in any way and by the time it's invoked other serious breaches of security have to have happened. So I guess it's worth it for Microsoft to take their time doing it right.

Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild

Fri, 15 Aug 2008 19:07:46 +0000

According to SecurityFocus, a new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in ‘NSlookup.exe’. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows [...]

Apple Patches for Apache, Flash and More

Fri, 30 May 2008 06:20:00 +0000

Yesterday I blogged a Windows flaw for Adobe Flash player. Today I came across another advisory about a patch Apple just put out earlier this week for Adobe Flash. The security update also covers other software too. From SecurityFocus:

The update patches eight vulnerabilities in the open-source Apache Web server and seven vulnerabilities in Adobe’s Flash Player plug-in. While the Apache flaws amount to, at most, cross-site scripting attacks, the Flash Player flaws could allow a malicious Flash file (SWF) to execute on the victim’s system, Apple stated in its security advisory.

The company also fixed five vulnerabilities in its ImageIO component that could allow denial-of-service attacks, information leakage, and in one case, possible code execution. The update also patches two flaws in the kernel that allow both local and remote users the ability to shutdown the system. A flaw in the way that the Mac’s Mail program handles the Internet’s next-generation addressing scheme, IP version 6, could allow remote code execution, Apple stated.

SQL Server - Fact Checking Recent Vulnerability History

Wed, 05 Mar 2008 19:53:36 +0000

Last week a web-based news story comes to my attention - Microsoft's glasnost on interoperability means more bugs. The article poses an interesting question of whether Microsoft's recent changes to expand interoperability will make it easier for researchers to find new vulnerabilities. I don't personally agree with the theory that sharing APIs will cause an influx of new bug discoveries, but it is an interesting read...

... except for one little quote, which asserted that last year SQL Server had "...most vulnerabilities last year of any commercial database..." That is a big error, though it may be a misquote or a miscommunication. Certainly, if you go look at the current version of the original article, the incorrect statement has been removed.

However, given that as of today, some versions of the article containing the original (incorrect) quote are still available, I thought it worth documenting the real (really good) story of SQL vulnerabilities and what commercial database had the most vulnerabilities last year.

Microsoft Security Bulletin search tool shows 0 bulletins for SQL Server 2005 over the life of the product, which shipped about 2.5 years ago.
- Secunia Page for SQL Server 2005 affirms this, showing 0 advisories over the life of the product
Microsoft Security Bulletin search tool shows that SQL Server 2000 has not had a Security Bulletin for over 4 years (January 2004)
- Secunia Page for SQL Server 2000 affirms this, showing the most recent Secunia advisory in January 2004
I did a scan of the National Vulnerability Database (NVD) http://nvd.nist.gov for "Microsoft" and "SQL" and found only three issues disclosed since July 2003 (only 3 in the 4.5 years). It turns out only one of them may be attributed to SQL and even then, it is a client side control:
- CVE-2004-1560. This one was disclosed in Sep-04 and only affected SQL Server 7
- CVE-2007-5090. This one was disclosed in Sep-07 and is actually a vulnerability in IBM Rational ClearQuest
- CVE-2007-4814. Disclosed in Sep-07, this is a vuln in client side control sqldmo.dll 2000.085.2004.00. I can't tell for sure, but this looks like a SQL 2000 component based upon the versioning.
Finally, I thought I'd check the Symantec-owned www.securityfocus.com web site and searched on their vulnerability search page.
- A search on "SQL Server", the latest it identified the Sep-04 vulnerability that affected SQL 7
- A search on "SQL Server 2005" identifies the client side CVE-2007-4814 as the latest issue plus 2 issues in 2006 that affect Xml Core Services
- A search on "SQL Server 2000" identifies a 2002 issue as the latest since the page was modified in 2007. Before that, the Xml Core Services issues of 2006

In contrast, I can briefly look at Oracle Critical Patch Updates (CPU) for 2007:

Critical Patch Update - January 2007 17 db vulns, 13 for 10g

Critical Patch Update - April 2007 16 db vulns, 13 for 10g

Critical Patch Update - July 2007 18 db vulns, 16 for 10g

Critical Patch Update - October 2007 30 db vulns, 16 for 10g

So. One thing is clear from the rudimentary investigation I've performed here - SQL Server was not even close to having the most vulnerabilities last year of any commercial database.

In fact, though SQL 2000 Server may have had a rough track record up through 2003, the SQL team has certainly turned a corner since then and SQL Server 2005 has had one of the best security track records of any commercial database ever.

Let me close be re-quoting something I highlighted in a post a little over a year ago from David Litchfield in his paper Which database is more secure? Oracle vs. Microsoft:

Why have there been so little bugs found in SQL Server since 2002?
Three words: Security Development Lifecycle – SDL. SDL is far and above the most
important factor. A key benefit of employing SDL means that knowledge learnt after finding and fixing screw ups is not lost; instead it is ploughed back into to the cycle. This means rather than remaking the same mistakes elsewhere you can guarantee that new code, whilst not necessarily completely secure, is at least more secure than the old code.

I’m not claiming SQL Server is utterly vulnerability free, and I most certainly would never claim SQL Server is unbreakable, but the SQL Server team has made huge progress securing their customers.

Share this post :

Unprofessionally Piggybacking on my Research

Wed, 05 Mar 2008 10:32:05 +0000

Why did I bother to send this message to Full-Disclosure last night, despite that I already posted it here? Because I knew that this would happen, it's happened before, and it will happen in the future, so having dates and hours to prove what you see on the top of each and every blog post here, namely the real-time situational awareness objective, is what I wanted to achieve. And I did. Thankfully, there're Sophos, TrendMicro, McAfee and Commtouch realizing that corporate blogging evolved from hard selling and the basics of marketing, to a complex PR platform, and therefore quote and link to my blog, to have me link back, so that a conversation emerges. Redefining the process of rephrasing so that my creative commons license per post is not violated? Find the ten differences between my post yesterday, its title, and today's statements:

"Continuing, Chia says that: “Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these iFRAME-ed results in the first few pages of the search results. And the objective? To get the unsuspicious user to click on the link”."

So, my original post went online yesterday, TeMerc reposted it, so did Paul, I sent it to Full-Disclosure, and as it looks like F-Secure's Wing Fei Chia seems to read, either Full-Disclosure, or my blog to come up this post, 24 hours later. Anyway, SecurityFocus, again covers the incident in an article entitled "Fraudsters piggyback on search engines", quoting me, this time professionally.

'Critical' Linux kernel bugs discovered

Tue, 26 Feb 2008 11:00:00 +0000

Three bugs allow unauthorized users to read or write to kernel memory locations or to access certain resources in certain servers, according to a SecurityFocus advisory.

Encryption defeated, still an advocate?

Fri, 22 Feb 2008 13:15:15 +0000

Technorati Tag: Encryption

Originally I was not going to write about this because it is not a breach (incident), but...

Yesterday, researchers from Princeton University, the Electronic Frontier Foundation, and Wind River Systems released an eye-opening report labeled "Lest We Remember: Cold Boot Attacks on Encryption Keys" in which they "present a suite of attacks that exploit DRAM remanence [sic] effects to recover cryptographic keys held in memory".

OK. What does this mean to the non-geek? It means that there are now successful attacks against many encryption implementations, including those most commonly used on mobile devices (laptop, thumb drive, etc.). Here at The Breach Blog I have advocated the use of hard drive encryption in many posts and pointed out the fact that storing confidential information on unencrypted laptops is bad security and poor business. So, what does this all mean?

From Princeton University's Center for Information Technology Policy FAQs:

Q. What encryption software is vulnerable to these attacks?
A. We have demonstrated practical attacks against several popular disk encryption systems: BitLocker (a feature of Windows Vista), FileVault (a feature of Mac OS X), dm-crypt (a feature of Linux), and TrueCrypt (a third-party application for Windows, Linux, and Mac OS X). Since these problems result from common design limitations of these systems rather than specific bugs, most similar disk encryption applications, including many running on servers, are probably also vulnerable.

Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection. (Exceptions exist; some systems may not be protected even when powered off. Check with the developer of your disk encryption software for further guidance.)

Q. Isn’t your attack difficult to carry out? Don’t you need materials like liquid nitrogen?
A. We found that information in most computers’ RAMs will persist from several seconds to a minute even at room temperature. We also found a cheap and widely available product — “canned air” spray dusters — can be used to produce temperatures cold enough to make RAM contents last for a long time even when the memory chips are physically removed from the computer. The other components of our attack are easy to automate and require nothing more unusual than a laptop and an Ethernet cable, or a USB Flash drive. With only these supplies, someone could carry out our attacks against a target computer in a matter of minutes.

And from "Lest We Remember: Cold Boot Attacks on Encryption Keys" Conclusion:
"There seems to be no easy remedy for these vulnerabilities. Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today’s Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed."

[Evan] Well, if this ain't a shot to the gut! On the surface I am miffed by research that leaves me wondering what in the world am I supposed to do now? When I think about it more, I am extremely grateful for the work these people do and I'm not really surprised by the findings. People that have been in the information security field for a while, understand some of the concepts that (we think) make us effective in what we do. Nobody can rightfully claim that full disk encryption or any other single technology is the one that protects against everything. We are never 100% secure will all technologies, let alone one. Security is a holistic discipline that is about defense in depth, continual analysis and improvement, systems and backup systems, threats, countermeasures, etc. etc. This is just another attack vector that wasn't widely known or accepted until now.

I am still an advocate for using full disk encryption (and encryption in general) as good information security practice. It is another essential cog in the bigger information security machine. Recognize the technology for what it is and understand that it's use does reduce risk when compared to the alternative of using clear-text. Obtaining the encryption keys is obviously very possible, but obtaining clear text information is completely trivial. Long-term this is a great problem to have. I have seen many, many good "out of the box" ideas being kicked around by information security professionals, debating possible solutions. It's the out of the box thinking that spurs creative solutions.

Other News Sources:
CNET.com News story
The New York Times story
SecurityFocus story
InformationWeek story

Oak Ridge National Laboratory visitor information exposed

Tue, 11 Dec 2007 10:45:21 +0000

Technorati Tag: Security Breach

Date Reported:
12/3/07

Organization:
UT-Battelle, LLC

Contractor/Consultant/Branch:
Oak Ridge National Laboratory (ORNL)*

*Oak Ridge National Laboratory (ORNL) is the Department of Energy's largest science and energy laboratory. ORNL was established in 1943 as a part of the secret Manhattan Project to pioneer a method for producing and separating plutonium. Today, ORNL is home to the world's largest civilian science project, the $1.4 billion Spallation Neutron Source, and has been selected to build the fastest unclassified scientific computer in the world. - Source State Science and Technology Institute

Victims:
"visitors to the lab between 1990 and 2004"

Number Affected:
"about 12,000"

Types of Data:
Personal information including names, addresses, Social Security numbers and dates of birth.

Breach Description:
More than a dozen Oak Ridge National Laboratory employees were duped into installing unauthorized software consisting of keyloggers and other malicious software through a targeted phishing attack ("spear phishing"). The targeted phishing attack consisted of roughly 1,100 emails and resulted in the compromise of personal information pertaining to lab visitors over a 14 year period.

Reference URL:
eWeek.com Story
SecurityFocus.com Story
MyEyeWitnessNews.com Story
Oak Ridge National Laboratory Potential Identity Theft Page

Report Credit:
Oak Ridge National Laboratory

Response:
From the official breach notification site and sources cited above:

Oak Ridge National Laboratory has been bombarded by a coordinated phishing attack aimed at multiple national labs and may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." - Laboratory Director Thom Mason on December 3rd.

"When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory." - Laboratory Director Thom Mason

The attack comprised approximately 1,100 targeted phishing attempts.

The attackers cooked up seven phishing variations, one of which purportedly advertised a scientific conference, another of which posed as a notification about a complaint on behalf of the Federal Trade Commission.

"No classified information was lost"

"If you visited ORNL between the years 1990 and 2004 your name and other personal information such as your social security number or date of birth may have been part of the stolen information. While there is no evidence that the stolen information has been used, the Laboratory deeply regrets the inconvenience caused by this event."

Mason said reconstructing the crime is tedious and time-consuming and will likely take weeks, if not longer. ORNL is attempting to send letters to every visitor potentially affected but may have difficulties due to out-of-date addresses, management said in its advisory.
[Comfyllama] If the reports about this attack originating (or proxying through) China are true, then it is unlikely that a full "reconstructing" will ever be complete.

"every security system at ORNL was in place and in compliance."
[Comfyllama] Compliant DOES NOT MEAN Secure! Although we all need to be compliant, this doesn't mean that efforts should stop at that. Do you want to trust the security of your information to a Senator or other lawmaker?

"If you think you're going to prevent all phishing attempts from [succeeding] in an enterprise, that's probably false. And if you think that with training, not a single employee will [click on phishing attempts and let an attacker] get through, that's probably false," - Application Security Vice President of Marketing and Strategy Ted Julian

"There's a million [conduits to data theft], and now that the attackers have gotten much more professional and focused, they only need one to get at the information. You only need one unsecured avenue and they're off and running."

it's likely that employee training about phishing attempts will be given renewed emphasis in the future in order to attempt to close down this particular avenue of data theft.

"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cyber-security issues," "We must not click on e-mail attachments if we are not absolutely sure who the e-mail is from and we must not click on [URLs] embedded in e-mails unless we are certain of the source." - Laboratory Director Thom Mason

The lab has sent letters to about 12,000 potential victims.

"We continue to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network." - Laboratory Director Thom Mason

Commentary:
Scary! Supposedly, there is evidence that points to these attacks originating from servers in China and thus these attacks were sponsored by the Chinese government. I like a conspiracy theory as much as anyone else, but I don't subscribe to this theory. IF the Chinese government were attacking ORNL, I think the attacks would be much more covert.

Think about this for a minute. If I were going to attack a system in the United States without getting caught. Why wouldn't I use (proxy through) an insecure server located in a country that will not cooperate with U.S. authorities? In order to find my true location, investigators will need some level of access to the (proxy) server to look through the evidence. Do you think China (or Iran, North Korea, Russia, etc.) will allow investigators the access they need? Highly unlikely. If I were to guess, I would say that this is a sophisticated attack aimed at gathering information for money and probably orginated by one of the more educated "phishing gangs".

I certainly agree with ORNL Application Security Vice President of Marketing and Strategy Ted Julian in the fact that there is likely no way to prevent all avenues of attack, but the risk of this type of attack can be significantly reduced through regular information security training and awareness. People will be people, no matter what.

Final note, I am curious why ORNL needs to store Social Security numbers in the first place.

Past Breaches:
Unknown

Blue Box #67: Contest for listeners, discussion about status, some VoIP security news, listener comments

Sat, 27 Oct 2007 10:33:13 +0000

Synopsis:Blue Box #67: Contest for listeners, discussion about status, some VoIP security news, listener comments

Welcome to Blue Box: The VoIP Security Podcast #67, a 20-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

- Discussion of:
- reasons for break in shows having to do with Dan no longer working for Mitel
- two-year anniversary of the show coming up on October 24th
- listener contest for copies of Peter Thermos and Ari Takanen's new book "Securing VoIP Networks"
- ZDNet: "Jericho Forum voices concerns over VoIP Security"
- Telappliant: "VoIP 'more secure than traditional phone systems'" (note the last paragraph about VOIPSA)
- SecurityFocus: "VoIP Hopping: A Method of Testing VoIP Security or Voice VLANs and Release of "VoIP Hopper tool"
- SIP Hacking Workshop in November in Vienna
- Upcoming shows:
- Oct 29-Nov 1, Boston, USA, Fall 2007 VON

- Comment (email) from Craig Bowser (about VoIP Hopping article)
- Comment (email) from Doug Simar about iPhone
- Review of the last week's traffic on the VOIPSEC public mailing list

- Wrap-up of the show

20:46 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-206-350-2583 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Critical Patch Update - January 2007	17 db vulns, 13 for 10g
Critical Patch Update - April 2007	16 db vulns, 13 for 10g
Critical Patch Update - July 2007	18 db vulns, 16 for 10g
Critical Patch Update - October 2007	30 db vulns, 16 for 10g