Archive for Patch Tuesday

Patch Tuesday Smorgasbord

Microsoft has released 9 bulletins today, 5 of them Critical, 4 of them Important.  The bulletins cover a gamut of affected products – almost everything in your enterprise will need to be patched today with the exception of Internet Explorer.  No IE patches this month!

The majority of bulletin releases these days relate to client-side vulnerabilities – visit an evil website, open an evil document, or read an evil email and you’ll get hacked.  These vulns are of greatest concern on the desktop where end users are filling time between Mafia Wars power-ups and Facebook updates by visiting websites that may be hosting content of questionable repute.  This month, there are 5 bulletins addressing these types of issues.

The remaining 4 bulletins address server-side vulnerabilities.  These are the ones that keep network administrators up at night.  The attacker simply needs network access to the system in question and they can run code of their choice on the server.  This month, there is one flaw that lets anyone with network access own a WINS server, two flaws that let authenticated users own any system, and one flaw that let’s unauthenticated users create a denial of service against some IIS7 webservers. 

I always encourage patching the server-side issues as soon as possible.  Maybe best to form two teams and patch server-side and client-side issues simultaneously.

Now, on to the bulletins.  Starting with the more interesting ones…

MS09-036 is a bulletin that will impact folks running websites on IIS7.  Attackers can send some packets to your webserver and cause it to stop functioning (Denial of Service).  Microsoft has already had some reports that this attack has been spotted on the Internet.  IIS7 websites are safe if they are running in ‘Classic’ mode.  IIS7 sites running in ‘Integrated’ (non-classic) mode are vulnerable.  I’m not exactly sure what the default mode is when setting up an IIS7 website.  The patch for this IIS issue is really a patch .Net Framework versions 2 and 3.  If you’re running IIS7 (classic or otherwise), I’d recommend patching this one soon, unless you want you .asp and .aspx pages to stop functioning.

MS09-037 is a really ugly collection of ActiveX controls that have been patched for the ATL vulnerabilities described in the out of band bulletin MS09-035 from earlier this month.  Microsoft identified 5 ActiveX controls that were using a vulnerable version of the ATL templates.  These ActiveX controls could be executed when visiting evil websites – causing them to execute evil code on your system.  Although Microsoft references a Video Control fix in this bulletin, this is NOT the same ActiveX control that was kill-bitted in MS09-032.

MS09-042 is a Telnet bulletin that is really a throwback to the credential reflection vulnerabilities discussed in MS08-068 (and originally identified back in 201).  This is a variant on the http attack vector discussed in 08-068.  In this instance, the attacker encourages a user to click on a hyperlink where the link is an evil Telnet server.  The evil Telnet server obtains a form of your Windows username and password – they can replay this set of credentials back against your box to login to your system as you – without every knowing your password!  This attack has been publicly known for a long time – so best to patch all of your desktops for this issue before the bad guys start standing up evil Telnet servers. (you may be safe from this attack if you’re on a corporate network that’s blocking inbound NetBIOS ports 139 and 445 – as those are the ports the attacker will most likely try and use to login to your system with the captured credentials).  See http://ericsblog.shavlik.com/2008/11/11/reflections-on-the-november-2008-microsoft-patch-release/ for more information on credential reflection attacks.  (IE7 and IE8 disable telnet:// links)

MS09-039 is a Critical issue for network admins managing WINS servers on their Microsoft networks (and every MS network has at least one of these).  This is an unauthenticated server-side attack – the bad guy simply points and shoots some packets at the WINS server and they can execute code of their choice on that server.  This attack is most likely to come from inside your network as the necessary ports to execute the attack are usually blocked at the Internet firewall.  Patch this right away on your WINS servers.

Speaking of the internal network, MS09-041 can be enjoyed internally.  This is a privilege escalation attack against Microsoft systems.  Attackers who have user-level access to machines in the organization (their own machine, file servers, domain controllers, etc) can point some evil packets to their target of choice and execute code.  This vulnerability results from a flaw in the ‘Workstation’ service which is on every machine (and can’t really be disabled without impacting operations on the network).  Patch this one while patching your WINS servers – keep idle internal miscreants from owning your machines.

A less prevalent attack surface in MS09-040 – similar to 09-041 above – but limited to those systems who have installed the MSMQ services (not installed by default).  Attacker can point and shoot packets at the MSMQ service and execute code of their choice.  Like with 09-041, the attacker needs to have valid credentials to the system they’d like to 0wn.

MS09-044 is the last super interesting bulletin this month.  Vulnerabilities in the Remote Desktop Protocol (RDP – formerly known as Terminal Services) can allow attackers to execute code on your desktop should you visit their evil website or visit their evil TermServer.  Two flaws exist, one in the TermServices ActiveX control (which can be launched by visiting an evil website), and one in the RDP console application.  Using the RDP console and visiting an evil TermServer can let the attacker run code on your box.  It’s not a vulnerability in Terminal Services – your remote servers that you access via RDP are safe.  It’s a vulnerability in the client you use to access terminal services.  Patch this one before you go browsing around to evil websites (or trying to break into unknown Terminal Servers).

The last few issues include a bulletin for Office Web Components (09-043) that were being actively exploited since June (visit the evil website and get hacked), and a bulletin for Windows Media Player (MS09-038) where visiting an evil website hosting malformed AVI files could execute code on your system.

Leave a comment »

July Out of Band Security Release

Microsoft released two out of band security bulletins today – one Internet Explorer bulletin and one Visual Studio bulletin.  The IE issue is rated Critical and the Visual Studio patch is rated Moderate.

Shavlik recommends installing the IE patch as soon as possible as it helps protect against a flaw being demonstrated at Blackhat tomorrow (Wednesday) that might allow an attacker to bypass the killbits that were set to protect a machine against unsafe ActiveX controls.  Failing to patch for this issue is like purposely uninstalling 8 prior IE patches – not something you want to do.  Patch this one right away.

Details:

Some years ago, a flaw was introduced in the development tools maintained by Microsoft.  This flaw was in a ‘template’ that helps developers create ActiveX controls.  Any control built using this flawed template might be exposed to the security vulnerabilities discussed in today’s bulletins.

To address these flaws, Microsoft has released two types of patches – one for IE and one for Visual Studio.  The Visual  Studio patch (MS09-035) corrects the flawed template (active template library or ATL) so that any controls built from this template going forward will be safe.  The Internet Explorer patch (MS09-034) monitors all calls to ActiveX controls and prevents controls from executing that are found to have been developed with the flawed template and that are attempting to execute vulnerabilities in that template.

One such example of a vulnerable control built from the flawed template was the Video control issue discussed earlier this month and addressed in MS09-032.  The Video control had been built from the flawed template library – it was this vulnerability that was being exploited in the wild that lead to the security advisory, MS09-032, and eventually the death of this control.

Killing a control typically means setting a ‘killbit’ on the control.  When the killbit is set, it means IE won’t launch the control – thus keeping your machine safe. To date, Microsoft has issued 175 killbits via their cumulative killbit patches. (for more information on these 175 killbits, see my analysis at http://ericsblog.shavlik.com/2009/07/27/activex-killbits/).  However, some security researchers found that they were able to bypass the killbit function and still execute certain controls.  A presentation on how this is done is slated for tomorrow afternoon (Wed, July 29th 2009) at the Blackhat Conference.  The researchers found that the same ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates.  IOW, if you installed MS09-032 to protect yourself from the Video control exploit, there is a chance that someone could still execute this attack against you because they bypassed the killbits set in the 09-032 patch.

The MS09-034 patch protects against the killbit bypass problem.  The 09-035 patch also addresses the killbit issue plus two other issues in the template library: one was an information disclosure issue and the other was a remote code execution flaw.

The MS09-034 patch also includes fixes for three other remote code execution vulnerabilities in Internet Explorer.  These fixes were already coded and were slated to be released in the August patch cycle – however, due to the expedited IE patch for the ATL-Killbit issue, these three fixes were included in the out of band release.

The IE patch includes severity ratings for the three remote code execution flaws – rated as Critical on some versions of IE and Moderate on others.  The 09-034 IE patch does NOT include severity ratings for the defense in depth changes that Microsoft implemented to protect against the vulnerable ActiveX controls.  Even though some systems may only be rated as Moderate wrt the IE patch, Microsoft encourages customers to install the IE patch as soon as possible as it does include the protections for the ATL and killbit bypass issues discussed above.

Comments (2) »

Reflections on July 2009 Patch Day

6 security bulletins released today – 3 Critical and 3 Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.

Today’s release is important because patches were released for two recent 0-day attacks – a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability. Both vulnerabilities are reported as being actively exploited on the Internet.

While Microsoft has announced workarounds and/or provided Fixit tools for each of these issues, today’s patches will be welcomed by network administrators who have been tasked with remediating these issues. Shavlik recommends that network administrators download and install the patches for these two bulletins as soon as possible (MS09-032 and MS09-028)

Two of Microsoft’s other releases this month apply to products that you don’t see patched very often – ISA Server 2006 and Virtual PC. Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.

Of the two remaining bulletins, one applies to Publisher (Important) and one applies to the Operating System (Critical). Neither of these issues were publicly known prior to release, though Shavlik recommends reviewing and installing each of these patches as appropriate on your networks. The Operating System patch (MS09-029) is particularly nasty and can execute when a user views an evil web page, email, or Office document.

Shavlik recommends installing MS09-028, 29, and 32 patches first (DirectShow, OS Font patch, and Video Control). These are the three Critical patches – which goes to show that Microsoft got the Severity ratings spot-on this month.

Details for MS09-032 and MS09-028:
MS09-032 is the bulletin for the QuickTime file parsing vulnerability. Clicking on an evil hyperlink or even hovering your mouse over a malformed QuickTime file could allow the attacker to execute code on your system. The attacker’s code would have the same level of permission to your computer as the person who is logged on to the computer. If you’re logged on as admin, the exploit could add or remove users and administrators from your machine, delete files, reformat your hard drive, or embed trojans or worms that could be used in future attacks.

It’s important to note for this issue that the presence or absence of Apple QuickTime is not relevant to whether or not your computer is vulnerable to this issue. The flaw resides in the Microsoft components that parse QuickTime files – so don’t believe that you’re safe just because you don’t have QuickTime installed. Also, the recent QuickTime patch from Apple (7.6.2) is not related to this issue.

MS09-032 is rated as Critical for all Operating Systems.

MS09-028 is the bulletin for the recently announced Microsoft DirectShow vulnerability. Viewing a malformed media file from a Windows XP or Windows Server 2003 system can enable the attacker to execute code on your system. Similar to MS09-032, the evil code will run in the context of the currently logged on user and can take any action on that system that the logged on user can take.

Microsoft released a FixIt tool that sets the browser killbits for this vulnerable section of code. The MS09-032 patch is a cumulative killbit patch that includes the killbits from the FixIt tool as well as all previously released ActiveX killbits. Users who installed the ActiveX cumulative patch from June 2009 and also ran the FixIt tool for the DirectShow have already implemented the complete set of killbits reprented by the MS09-028 patch. If you ran the FixIt tool or otherwise implemented the Microsoft suggested workaround you are safe – there’s no need to revert changes that you made.

While the public exploit only impacts XP and 2003 systems, Microsoft recommends installing this patch on all Operating Systems as it includes killbits for all previously known bad ActiveX controls.

Details for the remaining four:
MS09-029 applies to all Operating Systems and could be a particularly nasty issue if left unpatched. The flaw resides in the way that Microsoft parses embedded fonts on web pages, emails, and Office documents. (in this case, embedded opentype fonts. EOT fonts ensure that everyone viewing the text sees it formatted the same way.) Viewing an evil web page, email, or Office doc could allow the attacker to execute code on your system. Workarounds are available, but it requires two separate changes to be made – one to protect from web content and the other to protect from evil emails and documents.

MS09-030 is a vulnerability in Microsoft Publisher documents. Viewing a malformed document could allow the attacker to run code on your system. This seems like the hundredth vulnerability in Publisher this year, and the millionth ‘open an evil document and get hacked’ vulnerability in the past two years.

MS09-031 discusses an issue with ISA Server 2006. If the ISA Server is specifically configured to use Radius one-time-passwords AND to use Kerberos for authentication AND to fallback to basic http authentication when asked, the attacker may be able to access servers protected by the firewall if they know the username of those target systems. It sounds scary, but it’s probably a very small number of systems in the world that are configured exactly this way. An edge case at best. If you have an ISA Server 2006 and you’re concerned that you might meet all three criteria above, it’s best to patch your system.

MS09-033 relates to Guest Operating Systems that are hosted on Microsoft Virtual PC or Virtual Server. These virtualized systems are subject to a privilege escalation attack. (Non-virtualized systems are not vulnerable.) Users who can execute code on the virtual systems can run an exploit and become administrator on the virtual images. At no time can this flaw lead to compromise of the underlying Virtual PC or Virtual Server. IOW, it’s not the much-hyped but yet-to-be-seen exploit that crosses the virtualization barrier.

Leave a comment »

Reflections on June 2009 Patch Day

Microsoft released 10 security bulletins this month. Eight of the ten were assigned exploitability indices of ‘1 – Consistent Exploit Code Likely’. This means hackers could have access to exploit code fairly soon – which means the patches should be installed sooner rather than later. Five of the ten security bulletins discuss ‘server-side’ vulnerabilities (vs. client-side vulnerabilities). More on server-side vs. client-side in a future post.

See the end of this post for recommendations on which to install first.

MS09-018: Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-018 is a Critical server-side vulnerability in the Active Directory services of Windows 2000 and Windows Server 2003 domain controllers (or Active Directory Application Mode on XP and WS03 servers). By submitting a specially formatted LDAP request to the AD server, the attacker can execute code of their code on Windows 2000 AD servers (what I call a true ‘remote code execution’ vulnerability). On Windows Server 2003, the attacker can cause a Denial of Service condition and otherwise make a mess of an ordinarily pleasant day.

For the attack to be successful against Windows 2000 DCs, the attacker simply needs to target their attack against LDAP ports (tcp 389, 636, 3268, or 3269). While these ports are traditionally blocked at Internet firewalls, these ports are wide open for attack on most internal networks. The attacker doesn’t need any special authentication to attack Windows 2000 servers. Once they launch the code, they can take any action they wish against the domain controller. If I were the attacker, I’d go after the SAM database that contains all of the Domain User’s password hashes.

For Windows Server 2003, the attack is somewhat mitigated in that the attacker must have some level of credentials to the domain controller. In most instances, this means the attacker must be a member of the domain which he or she is attacking. The vulnerability is rated Important in WS03 as it doesn’t allow code execution – it just jams up the server from doing what it should.

I’d recommend patching Windows 2000 AD servers as soon as possible. I’d also patch Windows Server 2003 systems quickly, as you don’t want disgruntled employees launching the tool of the week to down your domain controllers.

MS09-019: Cumulative Security Update for Internet Explorer (969897)
Another month, another Critical IE cumulative patch. This particular patch corrects a flaw uncovered at the recent CanSecWest conference that enabled someone to hack a Vista machine via IE8. It also corrects a handful of other issues identified in all versions of Internet Explorer.

The IE8 issue impacts Windows XP systems when browsing evil Internet websites. Vista and WS08 systems are protected against evil Internet sites because of DEP and ASLR built-in protections. Vista systems can be vulnerable to evil Intranet sites if other security configs on the Vista box have been weakened. In any event, it’s nice that this zero-day flaw in IE8 has been corrected. Go apply the patch.

The remaining issues addressed in the bulletin impact IE versions 5, 6 and 7. Exploitation can range from information disclosure to what Microsoft calls remote code execution (and I call local code execution). Workaround: don’t visit evil websites.

This is a client-side collection of vulnerabilities as they require someone at the target system to take an action on the machine in order to allow the vulnerabilities to execute. Therefore, this attack is more likely to impact your end-user workstations than your datacenter servers.

MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
Another patch for a zero-day vulnerability, this bulletin addresses the IIS WebDAV issue announced by Microsoft last month. This vulnerability allows remote attackers to bypass the WebDAV authentication settings on an IIS server, potentially allowing them to read files on the webserver. The issue is somewhat mitigated, however, because the file system ACLs are still observed.

While this vulnerability doesn’t allow the attacker to write files to or execute code on the server, it might allow them to read enough information from the server that they can exploit other services on the box (think SQL server). See my prior post, New Microsoft IIS Zero-Day Vulnerability, on this issue for more information.

MS09-021: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
In the fifth Excel patch we’ve seen since last August, Microsoft is hoping they’ve nailed the door shut on malicious file parsing bugs. Multiple vulnerabilities with Excel file parsing were addressed in the 09-021 patch.

The Excel 2000 platform is rated as Critical, whereas Excel 2002-2007, SharePoint, and Excel converters are rated Important. Excel 2000 is rated Critical because it lacks the open dialog confirmation window that exists in later releases. This means if you have Excel 2000 installed and you visit an evil web page, the web page can open Excel and launch the evil document without your knowledge. You’re hacked. In Excel 2002 and later, the evil document wouldn’t open automatically; rather, it would prompt you if you wish to open the file. If the evil file does execute, it runs under the context of the currently logged on user (typical of a client-side vulnerability).

MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-022 is a server-side vulnerability that can be exploited by sending RPC packets to the print spooler on the target system. RPC is the same mechanism used in the Blaster\Sasser\Conficker worms. Remote RPC uses tcp ports 139 and/or 445.

In this instance, the attacker can execute code on Windows 2000 systems remotely; however, the attacker must first install a print server on their own machine, then send RPC packets to the target system, instructing the target to connect to the rogue print server. When the target system enumerates the sharename of the rogue server, the attacker’s code can execute on the remote system.

Windows XP and later systems aren’t vulnerable to this attack; however, they are vulnerable to several other attacks. In the first, a locally logged on user can read or print any file on the system, even if they don’t have access to the file. The local attacker can specify the file they want to read as a separator page – thus allowing it to be viewed. The second attack is a privilege escalation attack. The attacker can send RPC packets to the target system, convincing it to load an evil printdriver dll. Once this happens, the attacker can execute code on the system. In order for this to happen the attacker must have the ‘manage printers’ capability (which is granted to locally logged on users).

For Windows 2000, this is a Critical issue. For Vista and WS08, this is Important. For XP and WS03 systems, this is rated Moderate.

MS09-023: Vulnerability in Windows Search Could Allow Information Disclosure (963093)
If a user running Windows XP or Windows Server 2003 performs a Windows Search on their machine, the search results could cause malicious scripts to execute that would display information from the target system. This attack requires that the target system be running Windows Search. It also requires that the attacker place a specially crafted file on the target user’s computer.

If this evil file is indexed by the search engine (whether it be an email message, document, or data file) AND appears at the top of a search result (performed by the user) html script embedded in the evil file can execute on the target system. The attacker’s script could access data on the system and forward this back to the attacker. Alternatively, if the evil file is not returned at the top search result, the script will still execute if the user selects and previews the search result for the evil file.

The above scenario is seemingly complex – probably what helped to get it rated Moderate rather than Important. Also, Windows Search is not installed on these platforms by default. If you’re a hacker looking to read data on a system, I’d look to other exploits before attempting this one. Windows Search has had two prior security updates: MS09-015 and MS08-075.

MS09-024: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
This is a client-side vulnerability that could allow an attacker to execute on a user’s computer should they open a malformed Works document (.wps). As with other Office vulnerabilities, Office 2000 is rated Critical as the malformed document could open automatically and without warning when the user visits an evil website. For Office 2002, Office 2003, Office 2007 SP1, and users running Works 8.5 or 9, the malformed Works file wouldn’t open automatically, but would present an open confirmation dialog box before opening. The attacker could also email the malformed document to other users. When the unsuspecting users (and those not trained to not open unusual files from unknown individuals) open the Works document, it will execute code on their system.

The code will execute with the same level of permissions as the currently logged on user (administrator, in many cases) and can do anything the logged on user can do. This patch replaces MS08-072 for Works 8.5.

MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
Microsoft refers to MS09-025 as a local code execution vulnerability. In other words, the attacker must be logged on to the local machine and execute code locally in order for the vulnerability to be exploited. Once the attackers code has been initiated, it will run as LocalSystem and can grant the attacker administrative access.

While this exploit might be most beneficial to (the few) computer users who don’t have admin permissions to their local systems, the exploit can also be leveraged by folks who do terminal services to remote computers, and in some cases, to users who have code upload capabilities to hosted web servers.

Because it requires that the user have some level of access to execute code on the target system, Microsoft has rated this Important. Microsoft also says that proof of concept code has been released for several of the vulnerabilities addressed by this patch. This patch replaces MS09-006 (which was Critical).

MS09-026: Vulnerability in RPC Could Allow Elevation of Privilege (970238)
RPC vulnerabilities usually scare the pants off of me. In this instance though, it’s not so bad. Microsoft assures us that their Operating Systems are not vulnerable to this attack by default – none of their RPC services suffer from this issue. They mention that third party products could be vulnerable as they leverage an RPC runtime file that could be susceptible to this issue.

In order to pull off this attack, a remote attacker would need to send carefully constructed packets to a vulnerable RPC service on the target machine. Third party apps can choose any tcp or udp ports to use for their services – it’s not as easy as saying tcp 139 or 445. Third party services that implement tight authentication and security over their RPC services are less likely to be susceptible to exploitation. To be sure that you’re safe, install this patch and ask your vendors if they include any code that looks like the examples here: http://tinyurl.com/nsoqn6.

MS09-027: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
Same type of issue as MS09-021. Open a malformed Word document and it hacks your system. I’m tired of these. ‘Nuff said.

Recommended order of deployment:

First: MS09-018 (Win2K), MS09-019 (IE), MS09-020 (IIS)

After: all the rest

Disclaimer: adjust these recommendations for the assets on your network

Leave a comment »

April 2009 Patch Day – Spring Cleaning

A slew of Microsoft updates this month – Eight bulletins released: 5 Critical, 2 Important, and 1 Moderate. While eight patches is a larger number than in recent months, this month’s release includes fixes for a number of issues that Microsoft previously identified as too laborious\complex to fix. This includes fixes for the Safari Carpet Bombing and SearchPath issues, additional enhancements for credential reflection (ala SMBRelay fix in MS08-068), and Service Isolation issues as called out at a 2008 security conference.

Microsoft had previously stated that each of these issues were either too complex to solve or didn’t represent actual vulnerabilities. It’s enlightening to see that they’ve taken a second look at each of these topics and have found solutions to address each. In probably their most ambitious patch to date, Microsoft even pulled developers off of Windows 7 to assist with the creation of the MS09-012 patch (discussed below). We can only hope that Microsoft continues in this vein and re-examines other parts of the Operating System that were thought too complex to fix. Gory details below…

Microsoft knocked off patches MS09-009 and MS09-010 for several outstanding 0-day issues, including fixes for Excel (advisory 968272 from February 09) and WordPad\Office (advisory 960906 from December 08). Users should install these patches right away because exploits for these issues have been circulating on the Internet for several months.

On to the good stuff:

1. Starting with the Carpet Bombing fixes: Microsoft has released two patches to deal with this issue – an IE patch and an OS patch. MS09-014 is a cumulative IE patch that addresses 6 vulnerabilities – one of these being the carpet bomb fix. In this scenario, an attacker would force an evil file down to a user’s desktop (through the initial release of the Apple Safari web browser). The evil file would be assigned a specific name – one that happened to match a normal Operating System file. When the user later opened Internet Explorer, IE would execute the evil ‘system’ file from the desktop rather than the similarly named (legitimate) file from system directory.

MS09-014 solves this issue by removing the current working directory (in this case, the desktop) from the search path. When IE is launched, it will now look in the system path for the proper file rather than loading the illegitimate file from the desktop.

The IE fix was accomplished by modifying two of the IE DLLs so that they don’t look in the current working directory first (when loading other app DLLs). While this fix only modifies Internet Explorer, Microsoft exposed a registry key that users can modify if they want to make all of their applications ignore the current working directory: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Internet Explorer\Main\FeatureControl\ [FEATURE_ENABLESEARCHPATH_KB963027] “iexplore.exe”=dword:00000000 (spaces added in front of ‘Internet’ and ‘FEATURE’ to make for easier display – remove these spaces before setting this registry key)

The second fix for the carpet bombing issue was released in MS09-015, an OS patch for XP and later systems. This patch does two things: 1. It modifies one system DLL (secur32.dll) that incorrectly searched for schannel.dll in the current working directory, and 2. It introduces a new API function that application developers can use in their code to use safe search functions. Those APIs are SetDllDirectory which removes current working directory from DLL loading, and SetSearchPathMode, which moves current working directory to the end of the directories searched by the SearchPath API.

2. The second issue addressed this month (and also requiring installation of two patches) address more avenues for credential reflection. Credential reflection was first addressed in MS08-068. That bulletin addressed a scenario where opening a malicious email or document, or viewing an evil website would send encrypted versions of your credentials (username and password) to the attacker. The attacker could then turn these around and ‘replay’ the encrypted credentials to gain access to your computer. The MS08-068 patch addressed this issue when the attack vector was using the SMB protocol. MS09-013 is an Operating System patch that solves the same problem but is specific for the winhttp connection engine (using http protocol). MS09-014 is the Internet Explorer patch (previously referenced re: the carpet bombing fix) that also includes a fix for the credentials reflection issue, but this time when using wininet (http protocol) as the underlying connection engine when IE is used for establishing authentication.

In both credential reflection attacks, the attacker needs to have SMB access to the target system. The SMB access enables them to mount the registry and file system. Since the SMB protocol (tcp 139 ot tcp 445) is usually blocked at the Internet gateway/firewall, these attacks are more prone to execution on an internal corporate network. The MS09-014 wininet attack vector is worrisome in this environment, as Internet Explorer is configured by default to present credentials to remote systems when browsing in the Intranet zone.

To prevent your machine from being mounted via a credential reflection attack, install MS08-068, MS09-013, and MS09-014. (This will prevent attack when your system was the one that originally sent credentials to the attacker. This will NOT prevent exploitation if matching credentials gathered from another system are reflected from that system to your system.)

3. The last, and most interesting patch, that I’ll mention is MS09-012. This patch addresses ‘Token Kidnapping’. Essentially, it helps prevent applications running as NetworkService or LocalService from escaping their sandboxes and running as LocalSystem. In short, it means ‘better protection for your web and SQL servers’.

Token Kidnapping is detailed in a new whitepaper by Cesar Cerrudo (http://www.argeniss.com/research/TokenKidnapping.pdf) and presented at last year’s Hack in the Box conference (April 2008). By using impersonation functions, these services can execute code under a different context – where LocalSystem is the preferred context (as this has super-admin permissions). As a result, code can be executed with administrative rights.

Any application that uses NetworkService or LocalService (and SeImpersonate) is susceptible to this attack. The most common attack vectors include IIS servers and SQL Servers. IIS 6 and 7 servers run under the NetworkService context and enable FullTrust to .NET applications by default, making it an ideal candidate for this kind of attack.

This becomes a concern when we look at web servers where users are allowed to upload code to the server. The most common scenario is a multi-tenant webserver where an ISP is running websites for multiple customers on the same Server. Each customer is allowed to upload their web pages to their own website. If the customer uploads a specially crafted .aspx page, when that page is viewed – the .aspx page executes code as LocalSystem on the server. This can give the customer administrative access to the entire webserver – for example: allowing them access to all the websites on that server – not just their own site. From here, the customer (hacker) can access backend SQL databases or sensitive information, upload backdoors to the server, connect to other servers on the inside of ISP network, etc. Not good.

Microsoft expended a great deal of effort in correcting this issue – even pulling developers off of Windows 7 to assist with this patch. Certain parts of the fix were backported from Vista and Windows Server 2008 (tokens) while brand new code had to be written for all Operating Systems (XP through 2008). As a result of the effort, the MS09-012 patch provides Service Isolation that mitigates the attacks identified by Cesar Cerrudo.

Shavlik’s recommended order of installation:
Client systems:

  1. MS09-009
  2. MS09-010
  3. MS09-014
  4. MS09-011
  5. MS09-013
  6. MS09-012 (if running IIS or SQL)
  7. MS09-015

Server Systems:

  1. Follow recommendations for client systems, plus
  2. if hosting SQL Services or IIS web services where users can upload code to these systems, install MS09-012 as soon as possible
  3. install MS09-016 as soon as possible for ISA servers

Leave a comment »

Reflections on March 2009 Patch Day

Three new security bulletins released today. All three of today’s bulletins apply to the Operating System, though some apply to a smaller subset of machines, and each has a completely different impact on the end user experience (or lack of experience if you aren’t exploited).

The most Critical of today’s patches is MS09-006 which could allow an attacker to take complete control of your computer if you view a website, email, or document that contains an evil graphic or picture. Also Critical (in my mind, though Microsoft rates it Important), is a set of patches for Windows DNS Servers. Attackers can leverage this flaw to redirect Internet traffic to look-alike websites in hopes of gathering sensitive user information. Lastly, Microsoft issued a patch to correct an issue where attackers can access restricted websites that require certificates, even though they don’t have this certificate.

I recommend installing MS09-006 and MS09-008 right away – and while you’re at it, go ahead and install MS09-007 – that way you can install patches for all three vulnerabilities at the same time and leverage the same system reboot to complete the patch installation. Being OS patches, they should all be should be relatively simple to install.

Microsoft did NOT release a patch for the Excel zero day vulnerability. Maybe we can expect this as an out of band patch later this month?

Also, Adobe has just released a new version of Adobe Reader 9 to correct a zero day vulnerability that was previously announced.

DETAILS
MS09-006
follows a long line of vulnerabilities that can be exploited when viewing maliciously created graphic images. This time, the flaw exists in the way that the Operating System parses and displays WMF and EMF formatted images. The flaw actually resides in the Windows kernel – but is only exploited when managing the malformed pictures. All that the attacker needs do is encourage a victim to view a specially formatted image and the attacker can run code on the victim’s system. The evil code will execute with system privileges – even if the user wasn’t logged on as an administrator. With system privileges, the evil code can access, copy, or delete any files on the system, create or delete user accounts, change passwords, or install backdoors. IOW, nasty stuff.

While the common attack vector may be via images hosted on a website of questionable repute, the attack can also be spawned by viewing emails or documents with embedded images. Once again, don’t open documents or emails from people you don’t know. Don’t rule out hacks spawned from evil images hosted on Facebook.

This patch should be very safe to deploy and requires a reboot. Best to patch this first on machines where end-users exist – laptops, desktops, etc., then deploy to servers (where users are less likely to be reading emails, opening documents, or surfing the web.)

This patch applies to all Operating Systems and replaces MS08-061 (a kernel patch), which itself replaces MS08-025 (an earlier kernel patch).

MS09-007 is a seemingly innocuous spoofing vulnerability that can actually post great concern for certain types of users. This vulnerability can be used to connect to a website or resource that requires certificate-based authentication. Usually, this means that only users with the required certificate can access the site. However, in this scenario, an attacker could access the restricted site even though they don’t have the necessary certificate. In order to pull this off, the attacker needs to have a copy of the site’s public authentication certificate – which is something that is most easily obtained if the attacker has full access to the victim’s computer (and if this is the case, far worse things can happen).

Many users don’t ever do anything with certificate-based authentication for secure sites. Those that do probably use an Active Directory based certificate store, which thwarts this attack. Those that do use local accounts and certificates are most at risk from this vulnerability and should install the patch right away. All others can roll it out as they see fit – though if you’re rolling out MS09-006, just go ahead and roll this out at the same time and leverage the shared reboot.

This vulnerability impacts all Operating Systems. The Patch supersedes the one released for MS07-031, which also addressed an schannel vulnerability.

MS09-008 addresses a vulnerability in DNS and WINS services that could allow an attacker to insert bad data into a DNS (or WINS) Server, thereby redirecting people’s traffic to potentially evil websites. The security bulletin doesn’t list any workarounds, nor does it imply any pre-requisites on the part of the attacker, meaning it could be possible for a remote, unauthenticated attacker to modify a vulnerable DNS Server and redirect their site’s users. Assuming this knowledge is correct, that would make this a Critical issue, rather than a severity if Important, in my eyes.

The sole purpose of a DNS Server is to direct individuals to the proper end-location. If an unauthenticated remote attacker can modify these instructions and redirect people to bogus websites then the DNS Server isn’t doing its job and should be considered compromised. That’s a pretty serious situation – attackers can setup look-a-like websites hoping to entice users to enter sensitive information (though the redirection attack is thwarted by using SSL).

Any way I look at it, this should be a Critical patch to install on all DNS Servers right away. (Maybe Microsoft rated this Important as the level of effort to pull of this attack is so great that the likelihood of exploitation is minimal? However, exploit code was released for an earlier, similar exploit.) A similar patch was released for WINS servers to handle a similar type of attack, though limited to the internal WINS Server and its network.

This patch supersedes MS08-037 (a prior DNS Spoofing issue) and requires a reboot.

Leave a comment »

Reflections on February 2009 Patch Day

A seemingly light batch of patches this month, trailing an even lighter, single patch release in January. Two Critical items released – including patches for Internet Explorer 7 and Microsoft Exchange Server. Additionally, two Important items released – for Microsoft SQL Server and Visio.

MS09-002 is a typical IE patch – purported to protect a user if surfing to an evil website. What’s unusual this month is that the vulnerability is only present in Internet Explorer 7. This leads to the question “what did Microsoft put in IE7 that they didn’t put in earlier versions that leads to this exploit, and why didn’t their new security testing program catch this vulnerability?” Microsoft says that it’s easy for hackers to create an evil webpage to exploit this issue.

MS09-003 is a Critical patch for Exchange Server (versions 2000, 2003, 2007) that could lead to code execution and/or Denial of Service. The attacker can send a malformed winmail.dat file to an Exchange Server in hopes of having that server execute code of their choosing. (winmail.dat files are configuration files that instruct the email client how to render and display Rich Text Formatted documents.) Alternatively, the attacker can send a series of packets to the Exchange Server in an attempt to take down the mail services – creating a denial of service attack. Microsoft says that inconsistent exploit code is likely to be released.

MS09-004 is probably the most interesting patch this month. This patch addresses the zero-day SQL Server flaw reported by Sec-Consult on December 9th, 2008. This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull of this exploit. However, unauthenticated attackers (since when you do authenticate your attacker anyway?) can still leverage this flaw if they can plant their code using SQL Server injection techniques via poorly coded websites. Proof of concept code has been published on the Internet, however, Microsoft says they have not seen proof of exploitation (maybe they aren’t looking hard enough?). I’d probably rate this patch as Critical – given the end result capable. I’m guessing Microsoft has downgraded this severity because of the “authentication” requirement. (Although they give this a ‘1’ in the exploitability index – saying that consistent exploit code is likely.)

MS09-005 is an Important patch for Visio. Open a malformed Visio document and the evildoer can run code on your system in the context of your currently logged on account. Microsoft says this was privately reported and they’ve seen no reports of exploitation. They recommend not opening Visio documents from untrusted sources.

I recommend a two pronged approach to patching this month. Two patches are for Server issues (09-003 and 09-004 – Exchange and SQL) and two are for client side applications (09-002 and 09-005 – IE7 and Visio). Give the two server patches to the Server maintenance team and ask that they install these two as soon as possible – given what I believe is the severity of these issues. Give the two client side patches to the desktop team and have them install these patches in the next update cycle or as they see fit – but no need to burn the weekend candle for these.

Leave a comment »