Archive for September, 2009

Old Software Vulnerabilities Never Die

SANS has an interesting blog posting about recent activity of the Conficker worm.  Oh yes, the worm has been and still is active.  Conficker has lost a lot of media attention lately because it has not delivered a payload to infected systems.

It has been almost one year since Microsoft announced an out-of-band patch for a nasty software vulnerability affecting their operating systems.  The vulnerability was exploited months later by the Conficker worm.  It is amazing how many people are still being affected by it.  A lot of media attention goes to the latest threats, but old software vulnerabilities still warrant administrators' attention.  When patching, be sure to look for all vulnerabilities, not just the current threats announced by software vendors.  It is important to keep your AV definitions up to date as well.  Patching is a proactive security measure, as it prevents viruses from exploiting your machines.  Anti-virus is a reactive security measure, but administrators should still ensure they have the latest virus definitions at all times.  Nobody likes to spend their day cleaning up from a virus outbreak.

Fixing The Apple Application Support Error

For those of you who have deployed Apple iTunes 9 or Apple QuickTime 7.6.4 and received the “Please Install Apple Application Support” error, we have found a workaround that fixes this.  Installing the Apple Application Support component of the product (AppleApplicationSupport.msi) on affected machines results in a working program.

You can get the AppleApplicationSupport.msi by either:

a)  Run a compression program such as WinRAR against the installer and extract AppleApplicationSupport.msi.

-or-

b)  Run the install application and leave it idle at its menus.  Navigate to your temporary directory and look for a folder named IXPxxx.tmp (xxx is a random number).  The MSI program will be located in that folder.  Please note:  you must leave the installer running.  If you close the installer, it will delete the temporary directory.
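Method b) lends itself to scripting on an affected machine: grab the MSI out of the installer's temporary folder while the installer is still open, stage it, and install it quietly with an exit-code check.  The PowerShell below is an added example, not code from the original post or from Apple; the staging path is an arbitrary assumption, and the msiexec switches are standard Windows Installer options rather than anything Apple-specific.

```powershell
# Added example (not from the original post): harvest AppleApplicationSupport.msi
# from the still-running installer's IXPxxx.tmp folder, stage it, and install it
# silently. Assumptions: $StagingDir is an arbitrary local path; /i, /qn,
# /norestart and /l*v are standard Windows Installer (msiexec) switches.
param([string]$StagingDir = (Join-Path $env:ProgramData 'AppleAppSupport'))

$msiName = 'AppleApplicationSupport.msi'

# The installer unpacks into %TEMP%\IXP<random>.tmp and deletes that folder on
# exit, so this only works while the installer is left idle at its menus.
$found = Get-ChildItem -Path $env:TEMP -Filter 'IXP*.tmp' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName $msiName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1

if (-not $found) {
    throw "$msiName not found under $env:TEMP. Is the Apple installer still open at its menus?"
}

# Stage a copy so the MSI survives the installer being closed.
New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
Copy-Item -Path $found -Destination $StagingDir -Force
$staged = Join-Path $StagingDir $msiName
$log    = Join-Path $StagingDir 'AppleApplicationSupport.log'
Write-Output "Staged $staged"

# Quiet install of the harvested MSI with a verbose log, so a failure leaves
# evidence behind. Exit code 0 = success, 3010 = success with reboot pending.
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$staged`" /qn /norestart /l*v `"$log`""

if (@(0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec exited with $($proc.ExitCode); see $log"
}
Write-Output "Apple Application Support installed (exit code $($proc.ExitCode))"
```

Once the MSI is staged on a share, the same msiexec line can be pushed by your patch management tool ahead of the iTunes install.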

Hope that Apple will address this issue is getting slim.  Apple released iTunes version 9.0.1 yesterday.  This version fails in the same way when using a silent deployment switch.

Oh, and we had a follow-up conversation with Apple.  They are now claiming that installing via a silent switch is not supported.  It does work, and it did.

At least they did not hang up on us this time.

Apple’s New Painful Patching Methodology

A few weeks ago, Apple released a new version of iTunes, version 9.  We noticed an error message when launching iTunes 9 after upgrading from a previous version.  Upon launching the program, the message “Please Install Apple Application Support” appears.  If you install iTunes 9 by simply double-clicking the install package, the program will install and launch without errors.

If you are a home user, yes, you will simply double-click the installer.  But what if you are an administrator on a corporate network who needs to install this application/patch on hundreds of machines?  You will want to script the install (or use patch management software) to install it silently on desktops.  This requires the use of command line switches on the installer, such as quiet installation switches, to silently deploy the package.  The use of deployment switches in patch management is not uncommon in large corporate networks.

After extensive research, we found that the problem lies with this specific switch.  The silent switch breaks the installer.  Although the main iTunes application will be installed silently, the Apple Application Support program fails to install, and iTunes will not run without it.  Apple has bundled Apple Updater with their products for a while and that did not cause any installation issues.  Apple Application Support is now a third program they are bundling with their products.

We have not yet figured out exactly what this new program is or its intended purpose.  Apple has updated their iTunes deployment guide with this warning:

Important: iTunes requires QuickTime and Apple Application Support. Apple Application Support must be installed before installing iTunes. Apple Mobile Device Services (AMDS) is necessary to use an iPod touch or iPhone with iTunes.

Now, we are getting reports that Apple QuickTime 7.6.4 is having the same issue.

Apple has obviously changed their install packages, and for the worse.  Want to use silent switches?  You can’t…  Is this an accidental mistake by Apple in their install packages?  I certainly hope so.  All of the Apple forum postings from their users have gone unanswered.  We attempted to call Apple support to work through the issue.  They walked us through uninstalling and reinstalling the application.  We told them we wanted to install silently with the quiet switch.  They hung up on us.

Apple has software with critical vulnerabilities, and they need to stop focusing on bundling products and start focusing on the vulnerabilities.

-Jason

Microsoft speaks up on Advisory 975497

Mark Wodrich and Jonathan Ness from Microsoft’s Security Research and Defense team have provided updates regarding the SMBv2 zero-day vulnerability (Security Advisory 975497).
Some highlights:

  • The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103).
  • This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed).
  • Even with the above mitigations, we’re not slowing down our investigation, and are working on an update that can be delivered for all customers. The product team has built packages and are hard-at-work testing now to ensure quality. It takes more testing than you might think to release a quality update.  For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing.  They are now in stress testing, 3rd-party application testing, and fuzzing.  We’d sure like to complete all that testing before the update needs to be released.  We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers.

I am sure everyone is eagerly awaiting the patch from Microsoft.  Everything that is coded needs to be tested, and that takes time.  Imagine if Microsoft released a patch that broke SMBv2 instead of fixing the vulnerability.  The pain would be immense.  Not to mention, imagine fixing a vulnerability without properly testing the fix and consequently introducing a completely new vulnerability.  The key point here is that there are no reports of worms or viruses taking advantage of this software vulnerability.  Of course, if one does come about, we may see additional urgency from Microsoft on this patch.

Sheer panic is not any kind of solution when dealing with software vulnerabilities for which no patch is available.  Staying informed of the situation is far more powerful.

You can find the full blog posting here.

-Jason Miller

Microsoft Security Advisory 975497 Updated

Microsoft has updated Microsoft Security Advisory 975497.  The advisory now provides more details about what exactly SMBv2 does on a Windows Vista or 2008 computer.

In addition, Microsoft has released a Microsoft Fix It tool.  This tool is an executable that applies the manual workaround for the software vulnerability: it disables SMBv2 on target systems.  There is also a tool that undoes the workaround.  Microsoft usually advises customers to un-apply the workaround once a security patch is released for the vulnerability.

If you choose to deploy the workaround, be forewarned: you could break critical functionality on your target systems.  The following Windows services and applications require SMBv2 on Windows Vista and 2008:

  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (File and Print Sharing)
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal Server Licensing
  • Print Spooler
  • Computer Browser
  • Remote Procedure Call Locator
  • Fax Service
  • Indexing Service
  • Performance Logs and Alerts
  • Systems Management Server
  • License Logging Service

The software vulnerability (MS09-067) the Conficker worm exploited also relied on similar services.  Please do some deep research before blindly applying this workaround.

There were also reports today that a penetration testing company has successfully implemented reliable, working exploit code for this vulnerability.  Other security researchers are close to producing this code as well.  The details can be found on Ryan Naraine’s blog.

New versions of Firefox and iTunes Available

Mozilla and Apple have released new versions of their products.

  • Firefox 3.5.3: addresses 3 Critical and 1 Low software vulnerabilities
  • Firefox 3.0.14: addresses 3 Critical, 1 Moderate and 1 Low software vulnerabilities

Just a reminder, Mozilla will continue to support Firefox version 3.0.x until January of 2010.  After that time, you should upgrade to the 3.5.x line to receive critical updates.

Apple has released iTunes version 9.0.  It does not appear that this release of iTunes addresses any security vulnerabilities, although Apple can be a little slow in updating this information.

- Jason Miller

Microsoft Security Bulletin MS09-048 Revised

It has only been a few days since patch Tuesday, but Microsoft has already revised security bulletin MS09-048.

Microsoft has added Windows XP SP2, SP3 and Windows XP x64 SP2 as affected products for this bulletin, although Microsoft is not issuing patches for these systems.  They have also updated the security bulletin with more details on why they are not supplying patches for these operating systems.

“The denial of service attacks require a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP.”

As they stated before on patch Tuesday, these versions of Windows do not have a listening service configured by default.  Without one, the operating system is not vulnerable to attack.  On the flip side, you can make changes to your system to have a listening service present and change your firewall to allow traffic to it.  This would make your system vulnerable to attack.

Windows 2000 SP4 was announced as a vulnerable system, but Microsoft did not release a patch.  We can now add these Windows XP versions to that list.  If you have already completed your patch Tuesday routine, there are no new updates to apply.

- Jason Miller

Microsoft Security Advisory 975497 – SMB

Microsoft has just published a new security advisory, Security Advisory 975497, regarding the SMB flaw reported today.

There is indeed an issue with SMB 2.0 that can result in remote code execution on a targeted system.  The vulnerability affects Windows Vista and Windows 2008.  Important note:  Windows 7 and Windows 2008 R2 are not affected by this vulnerability.  The reports earlier today had droves of people unofficially confirming that Windows 7 was affected; the version of Windows 7 they were able to reproduce the vulnerability on was Windows 7 RC (release candidate).  Microsoft has posted workarounds on the security advisory page:

  • Disable SMB v2
  • Block TCP ports 139 and 445 at the firewall

If you have affected machines on your network, you should review the workarounds and apply where possible.

Microsoft Security Bulletin MS09-037 Re-Released

In case you may have missed it, Microsoft also re-released Security Bulletin MS09-037.  This bulletin was released last month to address the Microsoft ATL vulnerability in their products.  Microsoft Windows Media Center 2005 and all Windows Vista editions have been added as affected products.  When going through this month's patch cycle, be sure to check for this patch being missing as well.

Re-releasing a bulletin on a scheduled patch Tuesday is not uncommon for Microsoft.  These re-releases are typically unannounced and can slip under your radar when you are focused on the burden of patch Tuesday.

New reported Windows 7 Flaw – Unconfirmed by Microsoft

There were reports this morning of a new potential vulnerability in Windows Vista, Windows 2008 and Windows 7.  Specifically, the reported flaw exists in the SMB2 networking component.  There are claims that packets can be sent to target machines that crash the computer.  This vulnerability was reported to Microsoft, but the researcher also posted the exploit code on the Internet.  It is important to note that it has not been proven that the exploit can lead to remote code execution, although it is a safe bet that researchers will be exploring this route next.

In order for the vulnerability to exist on a system, the following must be true:

  • File sharing must be turned on
  • The firewall must not be blocking port 445

If this exploit code and reporting is correct, Microsoft should be posting a security advisory for this shortly.  With no official response from Microsoft yet, there are some actions that you can take in case this code becomes publicly exploited:

  • Turn off file sharing if possible
  • Have client firewalls block port 445
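The same two mitigations come up in the advisory posts above (disable SMBv2, block TCP 139/445), and the advisory update warns that a long list of services depends on SMBv2.  Before pushing either workaround, an administrator would want a quick pre-flight audit of a Vista/2008 host: is SMBv2 already disabled, which of the listed dependent services are present and running, and is anything listening on 445 behind an active firewall profile?  The PowerShell below is an added example, not from the original posts or from Microsoft; the Smb2 registry value is the one the advisory's manual workaround sets (not quoted on this page), and the service display-name patterns are a loose mapping of the advisory's list.

```powershell
# Added example (not from the original posts): pre-flight audit for the Security
# Advisory 975497 "disable SMBv2" workaround on Windows Vista / Server 2008.
# Assumptions: the Smb2 DWORD under LanmanServer\Parameters is the value the
# advisory's manual workaround sets (0 = disabled, absent = enabled by default);
# the display-name patterns are a loose mapping of the services the advisory
# update lists as requiring SMBv2, so adjust them to your own builds.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb2   = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).Smb2

if ($null -eq $smb2)  { 'SMBv2: enabled (no Smb2 value present, the default)' }
elseif ($smb2 -eq 0)  { 'SMBv2: disabled (workaround is applied)' }
else                  { "SMBv2: enabled (Smb2 = $smb2)" }

# Services the advisory update lists as requiring SMBv2, as display-name patterns.
$patterns = @('Server', 'Group Policy*', 'Netlogon', 'DFS*', 'Terminal Serv*',
              'Remote Desktop Licensing', 'Print Spooler', 'Computer Browser',
              'Remote Procedure Call (RPC) Locator', 'Fax', 'Indexing Service',
              'Performance Logs*', 'License Logging*')

$impacted = Get-Service | Where-Object {
    $svc = $_
    @($patterns | Where-Object { $svc.DisplayName -like $_ }).Count -gt 0
}

'--- Services that depend on SMB, with current state ---'
$impacted | Sort-Object Status -Descending |
    Format-Table -AutoSize DisplayName, Name, Status

$running = @($impacted | Where-Object { $_.Status -eq 'Running' }).Count
"$running SMB-dependent service(s) currently running; disabling SMBv2 may affect them."

# Exposure on the wire: anything listening on TCP 445, and the firewall state
# for the current profile (netstat/netsh output is shown as-is).
'--- Listening TCP 445 endpoints ---'
netstat -ano -p tcp | Select-String ':445\s+.*LISTENING'
'--- Firewall profile state ---'
netsh advfirewall show currentprofile state
```

Run it elevated on a representative host from each server and desktop role before deciding which of the two workarounds to deploy where.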

Let the debate begin.  What is the right thing to do when researchers find new software vulnerabilities?

People should disclose vulnerabilities to Microsoft and not post exploit code.  Posting the code only gives hackers the ability to do damage while vendors work on patches.

-or-

People have all the right in the world to disclose their findings and the exploit code. Give credit where credit is due. Vendors like Microsoft sit on this code and do not publish patches in a timely manner.

What do you think?
