From Erik\\\\\\\\\\\\\\\'s IT-Security notes
Jump to: navigation, search

EZSecurity Bulletin for September of 2010

INTRO

September is here and there’s absolutely no dancing, but as expected, there’s much work to be done.

Two of this month’s vulnerabilities are already being targeted by exploits. They are the print spooler vulnerability (MS10-061) and the IIS vulnerability (MS10-065). The latter is mainly a denial of service vulnerability unless you have installed FastCGI, when it also becomes a remote code execution vulnerability. FastCGI is not enabled by default, so it doesn’t look like we have a big problem here. IIS does have a modular design where most components are disabled and must be enabled before being able to function. This is a good thing, since one of the other vulnerabilities lies within the asp-engine, which is not enabled by default.

MS10-61 on the other hand is bad news for Windows XP clients, since they are especially vulnerable. But only if they share their local printers, which most users don’t. All other operating systems are a bit trickier to attack, so Microsoft has set the severity rating to “important”.

Don’t forget that “Windows 2000 workstation” and “Windows 2000 server” now both have gone off the list of supported operating systems. Any such servers must be upgraded or replaced. No more patches from Microsoft – ever! (unless you pay Microsoft to create them for you. Not cheap, folks! Not cheap…)

By the way, do you live in Sweden? If so, don’t forget to vote!

MICROSOFT SECURITY BULLETIN SUMMARY FOR JUNE OF 2010

As per usual, Microsoft release their security bulletins the second Tuesday every month. This month comes along with 9 bulletins. Recommendation: patching should be done as soon as possible, but can wait until this month’s regular patch window.

Critical
MS10-061 - Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) 
MS10-062 - Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558) 
MS10-063 - Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113) 
MS10-064 - Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011) 
Important
MS10-065 - Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960) 
MS10-066 - Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802) 
MS10-067 - Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922) 
MS10-068 - Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539) 
MS10-069 - Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation

THE SELECTIVITY OF THE MIND

Never in history has so much information been available to us as today. Never before have we created so much for so many. It’s all thanks to the “information super highway” we call the Internet.

Do you hear the sound of open doors being knocked in? I sure do. The sentences above sound like what everyone wrote back in 1997. It’s been 10-15 years since most of us caught wind of the “Internet” and what a ride it has been. But still, some of the old prophesies are today’s reality. Just think what AltaVista, Yahoo, Google, Live journal, MySpace, YouTube, Face Book and Twitter have changed in our society.

In 1999, and as a hobby, I worked at a small community radio station here in Stockholm. We were recording and broadcasting popular science programming and in the last days of 1999 we made a two hour program about the future. On the show we tried to predict how technology and science would affect us in the coming years. Listening to it now may be hilarious for the more cynical among us. We did some seriously bad guesses and some of the things we talked about still have to happen. But we did get a few things right. One of those predictions was correct because it was already something of an emerging trend back then: how free access to information won’t make us more open to new influences. There are forums for almost everything out there, and as surfers we quickly find the places where we can talk with others sharing our interests or read up on theories we already believe in. The fact that we can also read about things we don’t believe in or learn something from people that we see as fundamentally wrong does not seem to make a difference. Instead, we stick to the people, things and world views that do not offend or challenge us. A little bit of food for thought: go to YouTube and search for a song that is quite old and look at the comments. Note people writing stuff like:

- “We miss x. Music today is not as good as x ever was.” and my favorite: - “I wasn’t even born when they made their music and I still think it’s better than anything the play on the radio today”.

Search for a newly released song and top it off by searching for music that was considered ridiculous 15 years ago. Surprise, it’s the same type of comments everywhere. Not much of a scientific experiment, but it’s a fun thing to spend a slow Sunday on. And don’t think that you and I are better than the rest. I hold it that the Beatles made music that is better than almost anything you hear today. One word to describe today’s music: auto tune. Hell, it can’t get worse! You think? Just wait 20 years and smile when everyone misses the golden years of auto tuning. My god… What a thought.

Remember that political ideologies, ideas and theories are like tastes. We all have them. For us everything else tastes bad and we believe ourselves to be a select group of people “getting it”. My advice: take a look around and try to understand why others like what they like. It can only be interesting as long as you remember to keep an open mind but not so open that your brains fall out.

Next month I intend write about something of a more technical nature. Until then…

LINKS

The official bulletins from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx

ISC Sans's monthly Microsoft-analysis is always a good read:
http://isc.sans.edu/diary.html?storyid=9547

All back-issues of this newsletter can be found here:
https://secure.ericade.net/security/index.php/SECBulletins

And on the EZSecurity blog at Tieto DF:
http://df.tieto.com/Blogs/EZSecurity/

My private blog:
http://erik.zalitis.se/

Bruce Schneier’s excellent news letter:
http://www.schneier.com/crypto-gram.html

A collection of useful security links:
https://secure.ericade.net/security/index.php/Security_links

A good site to check for known vulnerabilities for your favorite programs:
http://secunia.com/

What's the general state of the Internet?:
http://isc.sans.org/

OWASP Sweden's email list archive:
https://lists.owasp.org/pipermail/owasp-sweden/

Recommended for you developers out there:
http://www.owasp.org/index.php/Main_Page

My own, random knowledge base:
https://secure.ericade.net/security/index.php/portal:Kb

Regards
Erik Zalitis
System Specialist
CISSP
Certified Ethical Hacker
MCITP:EA
MCSE:Security 2003
MCSE:Messaging 2003
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
ITIL Foundations
Mobile: + 46 (0)70 673 07 54