From Erik's IT-Security notes

EZSecurity Bulletin for June of 2010

Intro

Summer is finally here, although an old joke claims that the summer in Sweden is just the sunniest day of the year. It seems like it’s just a joke this year, as we have had a lot of sunny days so far.

So what’s up in pre-apocalyptica today? So far the Internet has not gone under despite the fact that we have no shortage of exploits and attacks going on. And it’s not likely to happen any day soon, I believe.

Microsoft gives us 12 bulletins this month. One of the exploits being fixed is a bit interesting: Dutch security researcher Peter Vreugdenhil used it to win TippingPoint’s “Pwn2Own” contest. He demonstrated that he could take over a Windows 7-based PC by using the exploit against a fully patched Internet Explorer 8. IE is protected by a memory randomization technique called “ASLR”. It and all the other protections offered by Windows 7 failed to stop him, which is good news if you think about it. We all need to be reminded that there are no foolproof solutions.

Just so you know: Microsoft is investigating a zero-day vulnerability in the Help and Support Center that could be used to take over a system running Windows XP or Windows 2003:
http://www.microsoft.com/technet/security/advisory/2219475.mspx

I’m trying to get a user community off the ground on Tieto DF. If you have the time and interest, have a look:
http://df.tieto.com/usercommunities/it-Security/Pages/default.aspx


Microsoft Security Bulletin Summary for June of 2010

As usual, Microsoft releases its security bulletins on the second Tuesday of every month. This month comes along with 10 bulletins.

Our recommendations are that all patches EXCEPT MS10-039 should be applied on the next patching window. MS10-039 must be separately applied, as it requires a very specific installation procedure, which is true for most SharePoint patches. Installing normal patches on a SharePoint server is generally ok, but patches that fix problems in SharePoint must be manually installed according to Microsoft best practices. This is very important! Our BigFix baseline omits this patch.

 CRITICAL
 MS10-033 - Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
 MS10-034 - Cumulative Security Update of ActiveX Kill Bits (980195)
 MS10-035 - Cumulative Security Update for Internet Explorer (982381)
 IMPORTANT
 MS10-032 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
 MS10-036 - Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
 MS10-037 - Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
 MS10-038 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
 MS10-039 - Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
 MS10-040 - Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
 MS10-041 - Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)

Technology: good, evil or neutral?

A few years ago, I was invited to a department get-together by the company I was working for. We would go out and bowl while getting some free food and beverages. When I got to the place I had an idea: let’s see if I can walk right in without ever mentioning the name of the department, my identity, the name of the company or anyone else. This way I would act like I was a freeloader just trying to get a free meal. So I did. There were a lot of people inside the building and I was never challenged to prove my identity. Had they done so, I would have had no problems proving I was actually invited. They did not check me off a list or anything. I just strolled in.

This is pretty much the mind-set of a security conscious person like me… and of course this is the mind-set of a malicious hacker. The difference is the color of the hat. If you’ve seen enough western movies, you’ll probably recognize the metaphor. The good guys wear white hats and the bad guys look good (or is it evil?) in black. This metaphor is very common in the security field. White hats and black hats are commonly used terms for security professionals and hackers respectively. Grey hats are people that move around in a legal and moral “grey zone”. And yes, I use the term hacker for a person with malicious intent. I know this is not the original meaning of the word “hacker”.

Many of the tools that can be used to check for security vulnerabilities can be, and are, used to break into systems as well. So if the color of the hat is the big difference between good and bad, why is the technology not seen as neutral? It depends on who you’re asking. If you ask me, I say that technology is indeed neutral. This implies that you must allow full disclosure. If I have found a vulnerability in a program, how should I handle it? Assuming that I want to be a good person and help others to be secure, should I just tell the company, organization or the creator of the program, or should I go public? A quite common solution is to send all the information about the vulnerability to the owner of the program and inform them that they have 30 days to create a patch. After that, you will publish the information about the vulnerability to the world. This compromise has a big problem: what if someone else finds it and decides to create an exploit? Then we will have a zero-day exploit on our hands.

If you were to go public with the vulnerability directly, everyone would get an equal opportunity to protect against it or to exploit it to attack others. It would mean that intrusion protection systems, anti-virus software and other defensive measures could be updated and stop the attack dead in its tracks. I’ll leave it to you to decide if you prefer full disclosure now or if the owner should get a chance to fix the code first.

In conclusion, this is how I see it: White hat or black hat, you will think the same way and use the same kind of tools and methods. You will both benefit from the same security information and most importantly you will both be responsible for what you do. The technology is never to blame.

Bruce Schneier is for Full Disclosure:
http://www.schneier.com/essay-146.html

The opposite of “Full disclosure” is “Security by Obscurity”:
http://en.wikipedia.org/wiki/Security_through_obscurity

Jay Beale defends “Security by Obscurity” to a certain extent:
http://web.archive.org/web/20070202151534/http://www.bastille-linux.org/jay/obscurity-revisited.html


Links and tricks

The official bulletins from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx

ISC SANS's monthly Microsoft analysis is always a good read:
http://isc.sans.edu/diary.html?storyid=8929

All back-issues of this newsletter can be found here:
https://secure.ericade.net/security/index.php/SECBulletins

And on the EZSecurity blog at Tieto DF:
http://df.tieto.com/Blogs/EZSecurity/

Bruce Schneier’s excellent newsletter:
http://www.schneier.com/crypto-gram.html

A collection of useful security links:
https://secure.ericade.net/security/index.php/Security_links

A good site to check for known vulnerabilities for your favorite programs:
http://secunia.com/

What's the general state of the Internet?:
http://isc.sans.org/

OWASP Sweden's email list archive:
https://lists.owasp.org/pipermail/owasp-sweden/

Recommended for you developers out there:
http://www.owasp.org/index.php/Main_Page

My own, random knowledge base:
https://secure.ericade.net/security/index.php/portal:Kb

Regards
Erik Zalitis
System Specialist
CISSP
Certified Ethical Hacker
MCITP:EA
MCSE:Security 2003
MCSE:Messaging 2003
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
ITIL Foundations
Mobile: + 46 (0)70 673 07 54