August 10, 2006

POC Code for MS06-040

Metasploit has proof-of-concept code for exploiting MS06-040. The countdown to the worm begins.

Exploit Module: netapi_ms06_040 [MetaSploit.com]

Read More: Threats, Patching, Vulnerabilities

August 2, 2006

New Trend: Attacks Against Device Drivers

The guys at Black Hat are demonstrating some interesting attacks against the device drivers for the wireless card in a MacBook Pro:

The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system.

This highlights an emerging trend of attacks against device drivers. Should attacks like this become a trend, I suspect we’ll see the following:

  • Wireless Cards Hit First: Many attacks will focus on wireless cards, and not just because they are remotely accessible. The fact that there are only a couple of chipset manufacturers will make attacks easier, especially considering this:

    After the demo, Ellch … will talk about a new tool he’s developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer. So far, Ellch said the tool currently recognizes 13 different wireless device drivers, breaking them down by operating system and firmware version.

    “I’m getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that ‘x’ number are running them on a Windows box with a specific version of the driver,” Ellch said. “The useful thing for that information is that if you have a device driver exploit and it’s version-specific, you could tweak [the exploit] before you launch it.”

  • Homogeneous Environments Hit Hardest: As demonstrated, Macs will be easier targets, but think about other homogeneous environments: corporate networks that use all the same PCs (or maybe just all the same NICs), ISPs that use all the same kind of DSL/cable modems, etc.
  • Mitigations Slow to Come: There won’t be patches coming out of Windows Update for many of these. Expect longer windows of vulnerability, and expect traditional mitigations like firewalls to prove ineffective.

So what do we do? Assuming the attack involves overrunning a buffer, some sort of kernel-level buffer overflow protection in a Host Intrusion Prevention-type product seems to be in order. The whole article is worth a read. Share your thoughts by leaving a comment below.

Hijacking a Macbook in 60 Seconds or Less [Security Fix]

Read More: Threats, Patching, Vulnerabilities, Firewall, Wireless, Macs

July 26, 2006

IE7 to be Pushed via Automatic Updates

Internet Explorer 7 will be a huge win for web security, and Microsoft has announced how they will be distributing it:

AU will notify you when IE7 is ready to install. Alternately, you will be able to visit the Windows Update or Microsoft Update sites and obtain IE7 by performing an “Express” scan for high-priority updates. Either way, you will see the welcome screen that allows you to choose whether to install it.

Enterprises will have some ability to control this:

We are also providing a Blocker Toolkit for our enterprise customers who may want to block automatic delivery of IE7 in their organizations; this blocker has no expiration date.

IE7 to be distributed via Automatic Updates [IE Blog on MSDN]

Read More: Patching, Web, Phishing, Windows

July 17, 2006

McAfee: Ooops, We Patched It

McAfee claims to have “accidentally” patched a major vulnerability in their ePO management server agents.

“We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week,” Viega said. “We were optimizing the system, not looking for security vulnerabilities.” The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.

It’s bad enough when security vendors have vulnerabilities in their products. It’s even worse when they don’t realize they were fixing a flaw.

Of course the real irony is that eEye is a McAfee competitor. If only McAfee had a division that discovers vulnerabilities in applications… Oh wait, they do.

McAfee fixes flaw–without realizing it [ZDnet]

Read More: Anti-Virus, Patching, D' Oh!, Vulnerabilities, Spyware

July 12, 2006

18 Vulnerabilities, 7 Patches, 1 Barrel of Monkeys

July brings fixes for 18 vulnerabilities bundled in 7 patches. July also marks the official end of security support for all Windows 9x products. Let us pause and take a moment of silence for our fallen friends of old…

Now back to our regularly scheduled patch announcement:

  • MS06-033 .NET 2.0 Application Folder Information Disclosure Vulnerability - “could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folders explicitly by name.” Yawn.
  • MS06-034 Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Lead To Remote Code Execution - The only people who can exploit this are ones who can already upload ASP files to an IIS server. This basically makes it a privilege escalation attack, even though it uses a buffer overflow to accomplish it. Not too serious, and if you have untrusted people uploading ASP files to your web server, you have bigger problems.
  • MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution - This is the granddaddy of the patches, and Microsoft should create an uber-critical category for patches like this. It’s wormable, and makes a good case for personal firewalls. Get this one out fast.
  • MS06-036 Vulnerability in DHCP Client Service Could Allow Remote Code Execution - This one’s pretty critical, too. But the attacker has to be on the same subnet as the victim (same switch?).
  • MS06-037 Vulnerability in Microsoft Excel Could Allow Remote Code Execution - Open a malicious Excel doc and you are owned. In Office 2000, just visiting a website could do it. There are already exploits in the wild.
  • MS06-038 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-037, except it applies to any Office doc and there are no known exploits yet.
  • MS06-039 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-038.

Get ‘em done.

Security Bulletin Summary [Microsoft]

Microsoft Patches 18 Security Flaws in Windows, Office [Security Fix]

Read More: Threats, Patching, Bots, Vulnerabilities, Windows

June 14, 2006

Exploits Available for Yesterday’s MS Patches

There are reports that there is publicly available exploit code for the following Microsoft vulnerabilities:

  • MS06-024: Windows Media Player.
  • MS06-025: RRAS
  • MS06-027: Word remote code execution
  • MS06-030: SMB Privilege Escalation.
  • MS06-032: IP Source Routing Exploit.

Let’s get ‘em patched.

More Windows Exploits Out; Hacker Wins $10K Challenge [Security Fix]

Exploits for most recent Microsoft Patches [SANS ISC]

Read More: Patching, Vulnerabilities, Windows

June 9, 2006

12 Microsoft Patches Next Week

Looks like June will be a big Microsoft patch month:

- Nine security bulletins for Microsoft Windows, the highest maximum severity rating for these is “critical.”
- One security bulletin affecting Microsoft Exchange. The highest maximum severity rating for this is “important.”
- Two security bulletins affecting Microsoft Office. The highest maximum severity rating for these is “critical.” [emphasis added]

Included in the office patches will be fixes for the Word 0-Day Vulnerability.

June 2006 Advance Notification [Microsoft Security Response Center Blog]

Read More: Patching, Vulnerabilities, Windows

June 5, 2006

How Much Do You Need to Worry about Macs?

If your organization is like most, there are a few Macs floating around. SANS tells us it’s one of the 20 biggest things we should be worried about. At the same time, Apple has commercials touting their security over PCs. So it begs the question, “How much should you be worried about Macs?”

Let’s start with some facts:

  • OS X has many great security features built in, like a Personal Firewall, Auto Updates, and File/Folder Encryption.
  • OS X comes out of the box with most unnecessary services turned off, and users usually don’t run as an admin-level account.
  • OS X is vulnerable to viruses and worms.
  • People in your organization probably do store critical information on a Mac.
  • Lots of vulnerabilities come out for Macs.

What should you be doing about it? Something. Macs probably aren’t your biggest risk, but they need to be on your radar. I agree with SANS that the risk is increasing, although it’s nowhere near the top 20 things I worry about.

What should you be doing:

  • Educating users that they are not immune from security issues.
  • Ensuring they are configured securely, with Auto Updates and the desktop firewall turned on and unnecessary services turned off. Just because it came out of the box this way doesn’t mean it’s still this way.

Most Mac users I know have an independent streak to them and will probably resist any “big brothering” by the security group. With a little diplomacy and reasonableness you should be able to win them over.

Read More: Threats, Patching, Vulnerabilities, Macs

May 23, 2006

0-Day Word Vulnerability Roundup

Friday brought us yet another zero-day attack. Word has a previously unannounced hole in it that is being exploited by an email-propagating worm that plants a trojan. Word 2003 and XP are definitely vulnerable, and there seems to be conflicting info on Word 2000. Since there’s no patch, everyone has some ideas about what you might do. Potential mitigations I’ve seen suggested include:

  • Switch from MS Word to OpenOffice. (SANS ISC)
  • Quarantine all attachments for 6-12 hours. (SANS ISC)
  • Don’t let anyone be an administrator on their box. (SANS ISC and Microsoft)
  • Force people to run Word in “Safe Mode” (Microsoft)
  • Don’t allow users to store important data on the desktop. (SANS ISC)

If you can do any of these, great. But for those of us who live in the real world, here are some things you might try:

  • Block Outbound traffic to the site the trojan phones home to: localhosts dot 3322 dot org. SANS says the owner has changed the IP several times, so using your DNS servers to blackhole the name may be the most effective.
  • Block Word attachments through email. People will complain, and it only works until the exploit changes and starts zipping the Word doc first.
  • Latest AV signatures. Most of the vendors are rating the exploits low-risk, so they aren’t turning out signatures very fast, but it’s better than nothing.
  • User education about not opening Word Docs from untrusted sources.
  • Use advanced AV features or Host-Based IPS to block the writing of the trojan files to specific directories.
  • IDS/IPS signatures to the phone-home site: localhosts dot 3322 dot org.
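As an added example (not code from the original post), here is the detection side of the DNS blackhole suggestion above: a small Python script that takes the phone-home hostname as the post gives it (defanged with “dot”), refangs it, and scans DNS query-log lines for lookups of that name or any subdomain of it, summarizing hits per client so the hosts most likely to be infected surface first. The log lines are constructed in the style of BIND’s query log; the hostname is the one from the post, and every IP address and other name in the sample is made up.

```python
import re

# The phone-home name exactly as the post writes it (defanged, "dot" for ".").
DEFANGED_BLOCKLIST = ["localhosts dot 3322 dot org"]


def refang(name):
    """Turn a defanged indicator like 'a dot b dot c' into 'a.b.c'."""
    return re.sub(r"\s*\bdot\b\s*", ".", name.strip()).lower()


BLOCKLIST = {refang(n) for n in DEFANGED_BLOCKLIST}

# Constructed sample lines in the style of BIND's query log; addresses are made up.
SAMPLE_QUERYLOG = """\
23-May-2006 09:12:01.112 client 10.1.4.22#1043: query: www.example.com IN A +
23-May-2006 09:12:07.540 client 10.1.4.57#1101: query: localhosts.3322.org IN A +
23-May-2006 09:12:09.003 client 10.1.4.57#1102: query: LOCALHOSTS.3322.ORG. IN A +
23-May-2006 09:13:15.777 client 10.1.9.8#2211: query: mail.example.com IN MX +
23-May-2006 09:14:00.001 client 10.1.4.91#1201: query: evil.localhosts.3322.org IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def is_blocked(name):
    """True if name equals, or is a subdomain of, any blocklisted name.

    Case and a trailing dot are ignored, so 'LOCALHOSTS.3322.ORG.' still matches.
    """
    name = name.lower().rstrip(".")
    return any(name == b or name.endswith("." + b) for b in BLOCKLIST)


def find_phone_home(log_text):
    """Return (client_ip, queried_name) for every query that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("name")):
            hits.append((m.group("ip"), m.group("name").lower().rstrip(".")))
    return hits


def client_summary(hits):
    """Count hits per client so the noisiest (likely infected) hosts sort first."""
    counts = {}
    for ip, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = find_phone_home(SAMPLE_QUERYLOG)
    for ip, name in hits:
        print(f"phone-home lookup from {ip}: {name}")
    for ip, count in client_summary(hits):
        print(f"{ip}: {count} lookups")
```

Because the blocklist match includes subdomains, a later variant that phones home to a host under the same name is still caught; the same is_blocked() check can gate the IDS/IPS signature mentioned in the last bullet.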

Link RoundUp:

News.com article
eWeek Article
Microsoft Advisory Bulletin
fSecure: Info on the Exploit, Some Background
SecurityFocus Summary

Updates:

SecuriTeam Has a Registry Hack Work Around
We’ve had (untested) reports from McAfee that the Buffer Overflow Protection in the 8.0i AV client will protect against any exploit to this vulnerability, regardless of DAT version.

Read More: Threats, Anti-Virus, Patching, Vulnerabilities

May 16, 2006

Vista Bug Bounties for MS Employees

This is genius:

A top Microsoft engineer on Friday set out a weekend challenge to the Windows Vista development team: Find and fix a bug in the current code and earn US$100.

The employee who squashed the most bugs before Monday in the US was promised a US$500 prize.

It’s about time. I had a conversation with an MS security leader about this years ago, and he gave me all kinds of reasons why they couldn’t do it. Of course my proposal was to pay them something like $10,000/bug (like iDefense), although more like $10 million/bug is more representative of what each significant bug costs MS.

It looks like this is just a temporary program, although I don’t know why they couldn’t make it permanent.

Bounty for Vista coders who squish bugs at home [zdnet australia] [via Microsoft-Watch]

Read More: Patching, Vulnerabilities, Windows

May 10, 2006

Exchange Exploit Code?

Looks like some proof-of-concept code may already be coming out for yesterday’s Exchange patch:

“Immunity [Security] has released an iCal fuzzer to their product partners,” read the Symantec warning. “Although it is not known if this fuzzer is capable of triggering the bug addressed by this alert, there is a possibility it will in the future, or may find other unreported vulnerabilities. The fuzzer has been distributed as a module for the CANVAS exploit framework. Given the rapid development of this tool, it is likely that an exploit for this issue will be developed in the near future.”

Since it’s wormable, if your organization runs Exchange you should be seriously concerned about this one. If you can’t get it patched soon, you may consider using your spam filters to block the iCal and vCal messages from ever getting to your Exchange server.
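The attachment-blocking ideas in this post and in the Word 0-day post above (block Word attachments, expecting the exploit to start zipping them, and keep iCal/vCal messages from ever reaching Exchange) both come down to a MIME policy filter at the mail gateway. The following Python is an added example, not code from either post: it parses a raw message, flags Word attachments, looks inside zip attachments for Word files, and flags text/calendar and text/x-vcalendar parts. The sample messages are constructed inline, and the extension and MIME-type tables are the example’s own choices.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Policy tables (example choices, not from either post).
WORD_EXTS = (".doc", ".dot", ".wbk")
CAL_TYPES = {"text/calendar", "text/x-vcalendar"}
CAL_EXTS = (".ics", ".vcs", ".ifb")
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def names_in_zip(data):
    """Return member names of a zip archive, or [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_part(part):
    """Return a reason string if this MIME part violates policy, else None."""
    ctype = part.get_content_type()
    fname = (part.get_filename() or "").lower()
    if ctype in CAL_TYPES or fname.endswith(CAL_EXTS):
        return f"calendar part ({ctype})"
    if fname.endswith(WORD_EXTS):
        return f"Word attachment {fname}"
    if ctype in ZIP_TYPES or fname.endswith(".zip"):
        # The post expects the exploit to start zipping the doc; look one level in.
        members = [n.lower() for n in names_in_zip(part.get_payload(decode=True) or b"")]
        hit = [n for n in members if n.endswith(WORD_EXTS)]
        if hit:
            return f"zip {fname} containing Word file {hit[0]}"
    return None


def policy_violations(raw_message):
    """Parse raw RFC 822 bytes and list every reason the message should be quarantined."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        reason = classify_part(part)
        if reason:
            reasons.append(reason)
    return reasons


def build_sample(attachment_name, attachment_bytes, maintype, subtype):
    """Construct a test message with one attachment (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "sample"
    msg.set_content("see attached")
    msg.add_attachment(attachment_bytes, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


def zipped(name, data):
    """Build an in-memory zip archive containing one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages covering each policy branch.
SAMPLE_DOC = build_sample("invoice.doc", b"\xd0\xcf\x11\xe0 sample", "application", "msword")
SAMPLE_ZIPPED_DOC = build_sample("invoice.zip", zipped("invoice.doc", b"x"), "application", "zip")
SAMPLE_ICAL = build_sample("meeting.ics", b"BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n", "text", "calendar")
SAMPLE_CLEAN = build_sample("notes.txt", b"plain text", "text", "plain")

if __name__ == "__main__":
    for label, raw in [("doc", SAMPLE_DOC), ("zipped doc", SAMPLE_ZIPPED_DOC),
                       ("ical", SAMPLE_ICAL), ("clean", SAMPLE_CLEAN)]:
        print(label, "->", policy_violations(raw) or "pass")
```

Member names inside a zip are stored in the clear even when the contents are password-protected, so the zip check still sees a Word file in an encrypted archive; nested archives are out of scope here and would need a recursive pass.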

Hackers Expected To Target Exchange [InformationWeek]

Read More: Threats, Patching, Vulnerabilities

May 4, 2006

May Patches: 2 Windows, 1 Exchange

We will have at least one critical patch next Tuesday from Microsoft. Windows will have two patches and Exchange just one.

Security Bulletin Advance Notification [Microsoft.com]

Update: Details of the Patches [Microsoft.com]

Read More: Patching, Windows

April 25, 2006

Bot Herders Profiled by USA Today

USA Today has a surprisingly in-depth article about the increasing prevalence and impact of botnets. For those people who aren’t convinced they are a real threat to society, they offer this anecdote:

They ran into a problem in January 2005 when a copy of the bot they were using inadvertently found its way onto a vulnerable PC at Seattle’s Northwest Hospital. Once inside the hospital’s network, it swiftly infected 150 of the hospital’s 1,100 PCs and would have compromised many more. But the simultaneous scanning of 150 PCs looking for other machines to infect overwhelmed the local network, according to an account in court records.

Computers in the intensive care unit shut down. Lab tests and administrative tasks were interrupted, forcing the hospital into manual procedures.

Mothers, hide your children, the Bot Herders are coming.

USA Today: Malicious-software spreaders get sneakier, more prevalent

Read More: Threats, Patching, Bots

Symantec Forgets to Build in Authentication

Our favorite holes are always those that come from the same security vendors that are supposed to be protecting us from holes in software. Today’s entry into the Product Hall of Shame is Symantec’s Scan Engine. Seems they forgot to build in authentication:

The security software uses a client-side Java applet to authenticate users, but the Scan Engine server itself never checks to make sure that users have been authenticated, meaning that intruders could gain control of the server by sending their own XML (Extensible Markup Language) requests using the server’s proprietary protocol.

“It’s totally a fake authentication scheme,” said Chad Loder, Rapid7’s engineering director. “This vulnerability, as far as we can tell, has been built into the application from day one. We were just the first people to come and look into the protocol.”

This is pitiful. Our first clue should have been from their own marketing:

Easily integrates with third-party software and hardware via version 1.0 of the ICRAP protocol or the native API.

Okay, that was a cheap shot. But still, they forgot to build in authentication!
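The flaw described here (authentication performed by the client applet and never checked by the server) is easiest to see in code. The following Python is an added example, not Symantec’s protocol or Rapid7’s finding: a toy XML command server in its vulnerable form, which trusts an authenticated="true" attribute the client wrote itself, next to a hardened form, where the server verifies the password and ties every later request to a session token it issued. The credentials, element names and request format are all made up for the example.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed credential store (example only): user -> (salt, PBKDF2-SHA256 hash).
_SALT = b"example-salt-not-secret"
_ITERATIONS = 50_000
USERS = {
    "admin": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)),
}


def verify_password(user, password):
    """Server-side credential check with a constant-time comparison."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, stored)


class VulnerableServer:
    """The pattern in the post: the client says it authenticated, the server believes it."""

    def handle(self, xml_request):
        req = ET.fromstring(xml_request)
        # The only "check" is an attribute the client wrote itself.
        if req.get("authenticated") != "true":
            return "ERR not authenticated"
        return f"OK {req.get('command')} executed"


class HardenedServer:
    """Authentication happens on the server; later requests carry a server-issued token."""

    def __init__(self):
        self.sessions = {}  # token -> user, known only to the server

    def login(self, user, password):
        """Return a fresh session token on success, None on failure."""
        if not verify_password(user, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def handle(self, xml_request):
        req = ET.fromstring(xml_request)
        token = req.get("session", "")
        # Authorization comes from the server's own session table, never from
        # anything the client asserts about itself.
        user = self.sessions.get(token)
        if user is None:
            return "ERR not authenticated"
        return f"OK {req.get('command')} executed by {user}"


# A request a client could send without ever logging in (constructed).
FORGED_REQUEST = '<request authenticated="true" command="status"/>'

if __name__ == "__main__":
    print("vulnerable:", VulnerableServer().handle(FORGED_REQUEST))
    server = HardenedServer()
    print("hardened, forged:", server.handle(FORGED_REQUEST))
    token = server.login("admin", "correct horse")
    print("hardened, real session:",
          server.handle(f'<request session="{token}" command="status"/>'))
```

The test of any authentication scheme is whether the server can tell a forged request from a real one using only state it holds itself; the vulnerable class cannot, because everything it inspects was supplied by the client.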

Network World: Bad Authentication Breaks Symantec Scanner

Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability

Read More: Patching, Authentication, D' Oh!, Vulnerabilities

April 18, 2006

Oracle Drops Patch Bomb

When your security advisory needs multiple appendices, it might be time to issue them more often… And maybe with a little detail in them so we lowly security professionals can analyze them.

In typical fashion, Oracle dropped a gazillion fixes into one security advisory. Enjoy.

Oracle April 2006 Security Advisory

Read More: Patching