From Erik's IT-Security notes

News.



2014-03-27 I've dug out the last year of my Tieto newsletter. Here you go!

2014-03-27 EZSecurity News Bulletin for September of 2011 / Goodbye Tieto! / 5 patches /
2014-03-27 EZSecurity for July 2011: 4 bulletins and Mother Nature as your sysadmin /
2014-03-27 EZSecurity for June 2011: 16 bulletins and logging the IT forest
2014-03-27 EZSecurity for May 2011: two bulletins and a lesson in troubleshooting /
2014-03-27 EZSecurity Bulletin for April of 2011 / 17 new bulletins from Microsoft / What's what in a bulletin? /
2014-03-27 EZSecurity Bulletin for February of 2011 / 12 new bulletins from Microsoft / It's a server, darn it! /
2014-03-27 EZSecurity Bulletin for November of 2010 / 3 new bulletins from Microsoft / The power of inference /
2014-03-27 EZSecurity Bulletin for September of 2010 / 9 new bulletins from Microsoft / Selectivity of the mind /
2014-03-27 EZSecurity Bulletin for August of 2010 / 14 new bulletins from Microsoft / Dissection of an SQL attack /
2014-03-27 EZSecurity Bulletin for July of 2010 / 4 new bulletins from Microsoft / It's not fair! /
2014-03-27 EZSecurity Bulletin for June of 2010 / 10 new bulletins from Microsoft / Good, evil or neutral? /

2013-10-17 New article in the random knowledge base

How to run Explorer as an admin (=no more take ownership on your fileserver)

2012-01-21 A bit of an update...

Please visit my blog, which is regularly updated as opposed to this site. :) http://erik.zalitis.se/

I do intend to update this wiki as well, but my time is a bit limited...


2010-05-12 EZSecurity Bulletin for May of 2010 / 2 new bulletins from Microsoft / Walk the less common path /

Hot off the presses, a new edition of: EZSecurity Bulletin for May of 2010 / 2 new bulletins from Microsoft / Walk the less common path /

2010-04-15 EZSecurity Bulletin for April of 2010 / 11 new bulletins from Microsoft / The futility of it all (A somewhat positive outlook) /

Hot off the presses, a new edition of: EZSecurity Bulletin for April of 2010 / 11 new bulletins from Microsoft / The futility of it all (A somewhat positive outlook) /

2010-03-30 New Zero-day for Internet Explorer

New Zero-day for Internet Explorer

2010-03-11 EZSecurity Bulletin for March of 2010 / 2 new bulletins from Microsoft / Where did February go / Balmer's browser bash

Hot off the presses, a new edition of: EZSecurity Bulletin for March of 2010 / 2 new bulletins from Microsoft / Where did February go / Balmer's browser bash

2010-01-14 EZSecurity Bulletin for January of 2010 / One new bulletin from Microsoft / Brave new decade / The future of anonymizers

New year, new issue of my newsletter: 2010-01-14 EZSecurity Bulletin for January of 2010 / One new bulletin from Microsoft / Brave new decade / The future of anonymizers

2009-12-09 EZSecurity Bulletin for December of 2009 / 6 new bulletins from Microsoft / Chasing waterfalls / IE zero day patched /

EZSecurity Bulletin for December of 2009 / 6 new bulletins from Microsoft / Chasing waterfalls / IE zero day patched /

2009-11-25 Zero day for Internet Explorer

Internet Explorer new zero day exploit

2009-11-16 Zero day for Windows 2008 R2 / W7

Heads up about a brand new zero day exploit

2009-11-11 EZSecurity Bulletin for November of 2009 / Six new bulletins from Microsoft / The Science of Fear - a book review / Business like usual? /

Not so many patches as last month, but even so there's enough for you to read in this newsletter.

Here's the latest edition:
EZSecurity Bulletin for November 2009

2009-10-14 EZSecurity Bulletin for October of 2009 / 13 new bulletins from Microsoft / The patch that breaks OCS and LCS / Windows 2008 R2 - A mini review /

13 patches in one batch... Don't worry, it won't leave you short of things to do at work. :)

Here's the latest edition of the newsletter:
EZSecurity Bulletin for October 2009

2009-09-09 EZSecurity Bulletin for September of 2009 / Zero day party!!! / 5 new bulletins from Microsoft / "Error not found" /

The second EZSecurity bulletin is ready for your attention. Go get it: EZSecurity Bulletin for September 2009

2009-08-13 EZSecurity Bulletin for August of 2009 / Now in English / 9 new bulletins from Microsoft / Microsoft Exploitability index

For the first time ever, the security bulletin is now in English. Go get it: EZSecurity Bulletin for August 2009

2009-07-31 My Swedish security bulletin for July 2009 is out

It's in Swedish, which shouldn't surprise anyone by now...

Monthly security bulletin for July 2009

2009-07-30 Notes on the Microsoft Out of band bulletins MS09-034/35

What? MS09-034 Cumulative Security Update for Internet Explorer (972260)

This vulnerability allows remote code execution if the user browses a web site that serves exploit code. Microsoft rates it critical on Windows 2000 and Windows XP because they lack the "Enhanced Security Configuration" of Windows Server 2003/2008 and the "Internet Explorer Protected Mode" of Windows Vista/2008. Microsoft rates it moderate on Windows 2003, Vista and 2008. This does not mean that those operating systems are immune to it.

The way I see it, Windows clients are the primary concerns whereas servers are less of a problem. On a server you're not supposed to browse the web or stay logged on when you're not administering it. Windows 2003 and 2008 also have had Internet Explorer locked down by default.

HOWEVER - Terminal Servers and Citrix servers may pose a really big problem. It's not uncommon for Internet Explorer to be accessible or published as a means to reach internal web sites. In order for Internet Explorer to work properly in those configurations, the "Enhanced Security Configuration" lock down is removed. And worse, the browser is often allowed to access sites on the Internet. In those cases the servers are even more vulnerable than any client, since many users may use the server at the same time.

I believe publishing Internet Explorer through Citrix/TS should be avoided. If necessary, strict lock downs and restrictions must be in place and outside access must be closed or restricted to a white list.

Recommendation? This is my personal recommendation: Servers can generally wait until the next patch window, if you can't patch now, EXCEPT if they publish Internet Explorer to clients (e.g. through Citrix and/or Windows Terminal servers). If they do, patching should be done immediately!

What you must know

- MS09-034 not only patches the vulnerabilities, it also adds a few improvements to mitigate the risk from components built with the vulnerable versions of the ATL library.
- MS09-035 should be installed on the appropriate Windows machines as well. It patches the development tools rather than Internet Explorer.
- As of the time of this email (2009-07-30 3PM CET) I have no information about exploit code being in the wild.

More information:
http://www.computerworld.com/s/article/9135950/Microsoft_rushes_to_fix_IE_kill_bit_bypass_attack?taxonomyId=17

2009-05-19 Microsoft IIS 6.0 vulnerability discovered

If you use the WebDAV component on your IIS 6.0, you should know that a vulnerability has just been discovered that lets attackers bypass access restrictions on your server. E.g. if you have a file called /files/secret.zip that is restricted by requiring authentication, the attacker can send this request to download it:

GET /..%c0%af/files/secret.zip HTTP/1.1
Translate: f
Connection: close
Host: your.server.com

%c0%af is an overlong Unicode (UTF-8) encoding of /. This looks like the infamous attack on IIS 5 about 8 years ago that spawned the Nimda menace.

Good news:
- IIS 6 doesn't install the WebDAV component by itself. You have to select it...
- File permissions are not compromised.
- The access is made with the permissions of the anonymous user.
- By default this user gets no write permissions.
- ASP scripts cannot be downloaded (unless you allow "Script source access").

Bad news:
- This assumes you did NOT relax the default security.
- It's still bad, since you can get files that you normally have to authenticate to get.
- I've not verified this, but it could mean that administrative scripts relying on web server authentication could be accessed!
- Many websites have scripts that allow administrators to update things like news items on the front page.

This is a good time to review the settings on your site!
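To make the point above concrete, here is a small Python model of the flaw and a log check for it. This is an added example, not code from this page or from Microsoft; the server design (authorize on the raw path, then decode leniently to pick the file), the /files/ prefix rule and the log lines are my assumptions and constructed data.

```python
"""Model of the IIS 6 WebDAV bypass described above (added example, not the page's
or Microsoft's code). Assumed design: the server authorizes on the raw request path,
then decodes the path with a lenient UTF-8 decoder (accepting overlong forms such as
%c0%af) to choose the file. The hardened variant decodes strictly and authorizes on
the canonical path. All paths and log lines are constructed."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

PROTECTED_PREFIX = "/files/"   # assumption: paths under here require authentication


def lenient_decode(raw_path: str) -> str:
    """Percent-decode, then decode two-byte sequences even when they are overlong.
    0xC0 0xAF is an overlong encoding of 0x2F ('/'); strict UTF-8 rejects it."""
    data = unquote_to_bytes(raw_path)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def resolve(raw_path: str) -> str:
    """The file the modelled server actually opens: decoded, then '..' collapsed."""
    return posixpath.normpath(lenient_decode(raw_path))


def vulnerable_is_allowed(raw_path: str, authenticated: bool) -> bool:
    """The bug: the check inspects the raw path, which does not start with /files/,
    while resolve() later maps the same request onto /files/secret.zip."""
    if raw_path.startswith(PROTECTED_PREFIX) and not authenticated:
        return False
    return True


def hardened_is_allowed(raw_path: str, authenticated: bool) -> bool:
    """Fix: reject anything that is not strict UTF-8, canonicalize first, and
    authorize on the same path the file system will see."""
    try:
        decoded = unquote_to_bytes(raw_path).decode("utf-8")  # raises on %c0%af
    except UnicodeDecodeError:
        return False
    canonical = posixpath.normpath(decoded)
    if canonical.startswith(PROTECTED_PREFIX) and not authenticated:
        return False
    return True


# Detection: lead bytes C0/C1 are always overlong, as is E0 followed by 80-9F.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]|%e0%[89][0-9a-f]%[89ab][0-9a-f]", re.I)

# Constructed W3C-style log lines, assumed to record the raw (undecoded) URI stem.
SAMPLE_LOG = """\
2009-05-19 10:00:01 192.0.2.10 GET /files/secret.zip - 80 - 198.51.100.7 Mozilla/4.0 401 0 0
2009-05-19 10:00:05 192.0.2.10 GET /..%c0%af/files/secret.zip - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-05-19 10:00:09 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""


def flag_overlong_requests(log_text: str) -> list:
    """Return the log lines whose URI carries an overlong UTF-8 sequence."""
    return [line for line in log_text.splitlines() if OVERLONG.search(line)]


if __name__ == "__main__":
    req = "/..%c0%af/files/secret.zip"
    print("vulnerable allows:", vulnerable_is_allowed(req, False), "->", resolve(req))
    print("hardened allows:  ", hardened_is_allowed(req, False))
    for line in flag_overlong_requests(SAMPLE_LOG):
        print("suspicious:", line)
```

The lesson carries beyond this bug: any authorization decision must be made on the canonical path, after the same decoding the file system will apply.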

Read more here:
http://seclists.org/fulldisclosure/2009/May/0134.html

Microsoft's advisory:
http://www.microsoft.com/technet/security/advisory/971492.mspx

2009-05-13 [Swedish only] Monthly security bulletin

The security bulletin for May 2009 discusses the MS09-017 bulletin and its impact. Now that is a patch you should keep an eye on! It contains almost a dozen fixes some of which are exploited in the wild right now! Powerpoint is the target, but remember it also affects Powerpoint viewer and Microsoft Works.

The latest edition of my Swedish security bulletin is now available:
https://secure.ericade.net/security/index.php/SECBulletins

2009-04-15 [Swedish only] Monthly security bulletin

The April edition of the security bulletin is out... Monthly security bulletin for April 2009

2009-04-07 New portal: the random knowledge base

I've added a simple scratchpad-style knowledge base where I note settings, troubleshooting tips and links to other articles. This part of the site is not as security-related as the rest. So far you'll find two articles related to troubleshooting performance problems with Windows TCP/IP. Here's the portal

2009-03-12 17:48 April's fool: the Conficker edition

The Internet ends on the 1st of April 2009, when the hordes of infected PCs will bring the whole world to its knees. Conficker will not even need raw sockets to send us back to the 18th century. It's the truth! Repent! And accept my security expert status without me showing any credentials. Umm.. Umm.. Sorry, just my bad sense of humour here.

However:
Conficker will change its tactics on the 1st of April. If you have Windows, make sure to patch, check your firewall and update your antivirus and it'll be just fine. I really don't think the worm will be that much of a problem, since it will only change the way it updates itself. Ah well. The patch you must apply is called MS08-067.

Microsoft's official Conficker-site:
http://technet.microsoft.com/en-us/security/dd452420.aspx
Comment: Isn't it wonderful for a virus programmer to have Microsoft handling your "PR drive"? :-)

ISC SANS has a good summary:
http://isc.sans.org/diary.html?storyid=6091

F-Secure has a tool for the unfortunate that get their PCs infected:
http://support.f-secure.com/enu/home/onlineservices/fsec/fsec.shtml

My own notes on Conficker (In Swedish):
https://secure.ericade.net/security/index.php/Extra_s%C3%A4kerhetshetbulletin_oktober_30-03-2009

2009-03-12 17:48 Microsoft drops support for Windows 2003 Server without Service Pack 2

This is just a heads up to you Windows System Administrators out there: get your 2003 servers up to Service Pack 2 as soon as possible.

More information here (Swedish Only)

2009-03-12 17:48 Back on track?

Ok, it's been a few really busy months for me, but I'm back on track now I hope.

I've just completed Microsoft's latest weird acronym-laden certification, MCITP:EA. It stands for Microsoft Certified Information Professional : Enterprise Admin. I'm not kidding you, try saying it 10 times fast! It's basically the new name for MCSE, the (in)famous Microsoft Certified Systems Engineer certification. So in a way I can say that MCITP:EA is the new name for "MCSE 2008". Good one for my ever-growing letter soup.

The latest edition of my Swedish security bulletin is now available:
https://secure.ericade.net/security/index.php/SECBulletins

2009-01-13 23:02 MS09-001: Microsoft's first patch for 2009

Microsoft just released bulletin MS09-001 which fixes two vulnerabilities in the SMB protocol. The bad part is that those vulnerabilities can be accessed anonymously and there are a number of services that could be attacked.

This is worm bait, since it opens up for anonymous attacks against things like Windows file sharing. Thankfully most people do not have their file sharing ports open to the Internet, so it will probably play out like the standard worm scenario: someone gets his laptop infected and then connects it to the internal network of his workplace. The worm proceeds to attack other clients and servers. In other words, in a worst case scenario this could be another MS08-067, except this one is not a zero day... According to ISC SANS, Microsoft seems to believe that a working exploit is unlikely, so it might not be so bad. Anyway, ladies and gentlemen, start your patching.

Read more from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

ISC SANS:
http://isc.sans.org/diary.html?storyid=5677

Microsoft Research:
http://blogs.technet.com/msrc/archive/2009/01/13/january-2009-monthly-bulletin-release.aspx

2008-12-17 22:43 Notes from the Microsoft December Out-of-Band Security Bulletin meeting

Bulletin is called: MS08-078.

- It's listed as "Security Update for Internet Explorer" KB960714
- Size is 2.4 MB
- The update is not cumulative, but rather a point fix. It only fixes this vulnerability.
- It does not replace MS08-073. You have to install MS08-073 first to fix previous vulnerabilities.
- Affects all currently supported operating systems and versions of Internet Explorer, except Windows 2008 Server Core.
- May or may not need a reboot.
- Impact: can run code as the logged-in user.
- Attack vectors: HTML code in an email or a web page.
- Requires the user to navigate to a site with corrupted content.
- Attacks are currently targeting IE 7.
- The fix will also be included in the next cumulative update (January?)
- Microsoft has to date found 4 different pieces of malware attacking this vulnerability. They will be caught by Windows Defender.
- Function affected by the patch: data binding through OLE.
- Wormability: No. It must be initiated by someone logged into the computer.
- Vista's protected mode in Internet Explorer WILL mitigate the attack.
- At least one of the known pieces of malware will not even try to attack Vista.

Affected file: (x86)
%SystemRoot%\system32\mshtml.dll

Links:
Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

Advisory:
http://www.microsoft.com/technet/security/advisory/961051.mspx

"Microsoft offers workaround for IE7 flaw":
http://www.gcn.com/online/vol1_no1/47747-1.html

2008-12-17 12:17 Internet Explorer bulletin

Microsoft releases an out-of-band security patch for Internet Explorer today. It seems the vulnerability affects IE 5, 6 and 7, and not just IE 7 as we believed.
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx


2008-12-17 10:36 SQL Server vuln

New vulnerability found in SQL Server 2005.

Original bulletin:
http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Secunia:
http://secunia.com/advisories/33034/

ISC SANS writeup:
http://isc.sans.org/diary.html?storyid=5485

How to mitigate the risk:
http://msdn.microsoft.com/en-us/library/ms164755(SQL.90).aspx

2008-12-10 22:28 Two zero day exploits for Windows in the wild!

One for wordpad:
http://secunia.com/advisories/32997
http://www.microsoft.com/technet/security/advisory/960906.mspx

And one for IE7:
http://secunia.com/advisories/33089/
There are no patches for either of those vulnerabilities yet.

2008-12-10 16:04 [Swedish Only] Time for the monthly security newsletter

https://secure.ericade.net/security/index.php/M%C3%A5nadens_s%C3%A4kerhetsbulletin_f%C3%B6r_december_2008

2008-11-11 20:45 [Swedish Only] Spamalytics.

Spamalytics. I noticed an interesting article on the economics of spamming

2008-11-11 20:43 Two patches in today's Microsoft bulletin

Critical MS08-069 - Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS08-069.mspx

Important MS08-068 - Vulnerability in SMB Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS08-068.mspx

2008-10-23 21:25 Microsoft bulletin MS08-067

I did attend the webinar "TechNet Webcast: Information Regarding an Out-of-Band Security Bulletin Release" Microsoft held where they told us the details of the vulnerability. Here are some short notes I took while listening.

About the vulnerability
- It's being exploited actively, but at this time only against targeted systems. Mostly XP.
- Uses RPC over port 445/139.
- Can be used for worms. No worms active at this time.
- The patch affects a very small portion of the file, so it should not cause problems.
- Malware is in the field.
- Microsoft has created "definitions" for all the malware they know about and made them available to its partners. 1)
- Its bulletin number is MS08-067.

Notes and recommendations
- Update your antivirus software.
- Microsoft has detailed information on their "research and defense blog".
- SDL site is updated (Security Design lifecycle).
- All patch tools from Microsoft except the old SMSSUSFP can detect and/or distribute this patch.
- Shutting down the Computer Browser service AND then the Server service will work as a mitigation. It will have functionality impact on your machine! (e.g. no file sharing)
- svchost crashes may be signs of attacks.

Questions asked:
- Should servers on the DMZ be patched as soon as possible? Yes.
- Are there any known trojans? Yes, TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Gimmiv.A.dll.
- Is this a buffer overflow? See 2)
- Is there a new cab file released? Yes, but it can take time to replicate. This cab is used with MBSA et al.
- Can XP and 2003 be configured to require authentication for some mitigation? No.
- Is a reboot really needed? Yes!
- Does it affect RPC over HTTP/S? No.
- Can it attack an unpatched ISA Server? The speakers did not know. (My guess: not unless you actually allow or publish TCP 445/139 to the server!)

Links 1) http://www.microsoft.com/security/msrc/mapp/overview.mspx

2) Much more technical overview: http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

The latest information is here:
http://blogs.technet.com/mmpc

MSRC
http://www.microsoft.com/security/msrc/default.mspx

An additional webcast will be held tomorrow at 8pm CET.


2008-10-23 19:20 update

Here's a much better rundown:
http://support.microsoft.com/kb/958644

I've applied the patch and checked what it does by comparing file hashes. It seems to update netapi.dll.

Operating system: Windows 2003 x86 Enterprise English R2 Service Pack 2
Created: den 17 oktober 2008, 00:18:43
Modified: den 17 oktober 2008, 00:18:43

File version: 5.2.3790.4392
File version: 5.2.3790.4392 (srv03_sp2_gdr.081016-1620)
Description: Net Win32 API DLL


Here is the CRC32 of the older, vulnerable file for Windows 2003: EBF43742.

2008-10-23 Out of band security bulletin

Microsoft will release one Windows security bulletin with a maximum severity of Critical today at 10 am PDT (7 pm CET). A webcast will be held at 1 pm PDT (10 pm CET). Windows XP, 2000 and 2003 are the main targets and marked "Critical". Vista and Windows 2008 server are marked as "Important".

I don't have any further information at this time, but my guess is that this is a zero-day, that is, a vulnerability that is already being actively exploited. Stay tuned! ISC SANS: http://isc.sans.org/diary.html?storyid=5227

IDG in Swedish: http://www.idg.se/2.1085/1.187543/panikpatch-fran-microsoft-slapps-ikvall

Microsoft's official bulletin: http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

Newscast today: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032393978&EventCategory=4&culture=en-US&CountryCode=US

My Swedish security newsletter: https://secure.ericade.net/security/index.php/SECBulletins

Wighsnews 20 October 2008


2008-10-20 Wighsnews defaced

Update 2008-10-21: it seems I was wrong about one thing. The defacement picture was not one the hackers had created.
It WAS a message from the owner.
Everything seems to be back to normal, and the "hackers" got nothing out of it but bad karma.

Lurking on Flashback can be interesting. It seems the Swedish news site "Wighsnews" was hacked and defaced. The message says that the site was hacked and that all files have been erased. It's hard to say whether it, or parts of it, were written by the system administrators or the hackers. It looks like a notice from the webmaster until you see that it also contains a copied thread discussing it from Flashback.info. This thread was started today at 21:09 by someone called tonyigen. It seems whoever found the vulnerability left it wide open for others to mess around with.

The thread about the hack that is also referenced by it: https://www.flashback.info/showthread.php?t=769233

The thread that publicized the vulnerability and the exploit code in the first place: https://www.flashback.info/showthread.php?t=525829&page=111

Note that it was less than 2 hours between the post about the vulnerability and the post about the hack.

The "Efterlyst" defacement got so much media coverage that others want to jump onto the bandwagon. If you succeed hacking a site, please don't deface it! Mail the system administrator and tell him/her about the vulnerability instead. It's a cheap trick to destroy other people's work for 15 minutes of fame. Defacers are not very high up on the "hacker's ranking", so you're not going to get that much "bragging rights" anyway. Here's a full resolution version of the picture. https://secure.ericade.net/security/images/a/a8/Wighsnews.gif

Update: 2008-10-21 Ulf Wigh, owner of the site, thanks Flashback for the negative response towards the "hackers" who did the defacement. http://www.wighsnews.se/utskriftsmoment/readuffesspalt.php?id=33498

TTFN, Erik

2008-10-20 Grabbing one attack out of the bag

If you have a web server out on the Intertubes... ehhrm... Internet, attacks come flying at you like rain from the sky. Here is a random one that hit us, leaving only an entry in the log:

http://www.radioungaforskare.com/db/netradview.php?indatum=http://<ip-adress>/babycaleb/index.htm?

So let's see what it does. It tries to inject a URL into our news script, with no success whatsoever. If you follow the address, you come across a site selling web hosting. What did they try to accomplish? My guess is that they hoped the link would get stored and shown to the next unsuspecting Joe Schmoe coming along. This is often done on guestbooks and unprotected forums. A more insidious thing to do once you find a target is to embed the links in an IFrame. This can cause serious problems. However, this chump was out of luck and probably went on to the next target. I'm a bit disappointed at how easily he/she gave up though.

2008-10-17 Swedish security bulletins are up!

I'm distributing a monthly newsletter for Microsoft patches. I've put up an archive of those under SECBulletins.

Efterlyst 15 October 2008

2008-10-16 Another hack noted.

This time Swedish site "Efterlyst" was defaced. The defaced page has a message threatening "snitches" that their addresses will be given to the "brothers". I doubt that they really were able to obtain any addresses to informants. Efterlyst is a TV-program trying to solve crimes by letting the viewers call in with information. Note that "Efterlyst" translates to "Wanted".

Let's try to translate the text into English:

"Title: WANTED - The hunt for the snitches continues.

SNITCHES - Now you're WANTed!

Thanks for all the names, telephone numbers and all other information about the snitches and the crimes committed stored by the Wanted editors. The information is on its way to all the brothers that have been affected.

"Fools always want to keep the wheels from turning. Screw up the sun that shines so it becomes cloudy" "

Funny note: The quote on the page "dårar vill alltid sätta käppar i hjulet sabbar solen som skiner så de blir mulet" is from "Cashen dom tas" by "Latin Kings". They seem to have changed "tårar" (Tears) to "dårar" (Fools).

News site IDG covers the basics (In Swedish):

http://www.idg.se/17.108/2.1085/1.185912/efterlysts-webbplats-hackades---uppgiftslamnare-hotas

Screendump of the site provided by a user on flashback:

https://secure.ericade.net/security/index.php/Image:Golare.jpg

Flashback-users discussing this (In Swedish)

https://www.flashback.info/showthread.php?t=765966

Efterlyst's official site:

http://www.efterlyst.tv3.se/

2008-09-16 Setup of this page is now complete.

There's a lot of designwork to be done...