7 is still better than 8, but passphrases are best

I wrote up the below in response to a question on a newsgroup about the best password length. It’s an old topic, but still very relevant. See my original piece here: http://www.securityfocus.com/infocus/1319

For Windows minimum password length, the difference between 7 and 8 is computationally negligible these days. An eight-character password fills both halves of a LanMan hash (which is still created by default, both on servers and workstations). Enforcing an eight-character complex password means users will typically put the special character (*&^%$) as the last character. (And many users will only create a password of the minimum length.) That leaves the first seven characters as alphanumeric, which can be cracked with a small character set in a password cracker. The eighth character is then the special character, which is the first (and only) character in the second LanMan half, so it will crack instantly in a password cracker. You’ve then compromised a complex password of 8 characters in a matter of minutes.

If the password minimum length is seven, most users will make theirs seven, which means the special character falls within the first 7 (probably last, but that doesn’t matter). To crack that LanMan half you’d need to run the cracker with the entire character set (not just alphanumerics) over the entire 7-character range, which will take a long time. By this reasoning, a seven-character complex password will usually be tougher to crack than an 8-12 character complex password.

If you insist upon using 8, then make sure to set the registry key on all desktops, servers, and domain controllers so they no longer create the LanMan hash. Then, run some of the freeware tools available to delete all existing LanMan hashes from the password history (as they can be used to help guess what the current password is).

Better yet, enforce a minimum of 15 characters. You should still run a tool to delete all the old password hashes just to be safe. With a 15 character password, it won’t save the LM hash, so it will be much tougher to crack.
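To make the 7-versus-8 argument concrete, here is an added example (not part of the original post) that models the part of LanMan hashing the argument depends on: uppercasing, padding to 14 bytes, splitting into two 7-byte halves, and Windows not storing an LM hash at all for 15 or more characters. The DES step that real LM hashing applies to each half is omitted, since the weakness lives in the split, and the cracker model (smallest character class that covers the half, enumerated shortest-first) and the list of special characters are assumptions made for illustration.

```python
# Added example: models the LM-hash split described in the post, not real LM hashing
# (the per-half DES encryption of a fixed constant is left out on purpose).
from string import ascii_uppercase, digits

# LM uppercases before hashing, so lower-case letters never enlarge the search space.
ALPHA_NUM = set(ascii_uppercase + digits)                 # 36 symbols
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")       # constructed list of specials


def lm_halves(password):
    """Return the two 7-byte LM input blocks, or None when Windows stores
    no LM hash at all (passwords of 15 characters or more)."""
    if len(password) >= 15:
        return None
    # Simplification: real LM uses the OEM code page; ASCII is enough here.
    padded = password.upper().encode("ascii", "replace").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def half_cost(half):
    """Candidates a shortest-first cracker enumerates before reaching the
    target, assuming it uses the smallest class covering every byte (assumed model)."""
    text = half.rstrip(b"\x00").decode("ascii")
    if not text:
        return 1                         # all-null half: its hash is well known
    alphabet = len(ALPHA_NUM) if set(text) <= ALPHA_NUM else len(ALPHA_NUM | SPECIALS)
    return sum(alphabet ** k for k in range(1, len(text) + 1))


def attack_cost(password):
    """Total candidates for both halves, or None if no LM hash is stored."""
    halves = lm_halves(password)
    if halves is None:
        return None
    return sum(half_cost(h) for h in halves)


if __name__ == "__main__":
    # Constructed sample passwords: 8-char complex, 7-char complex, 21-char passphrase.
    for pw in ("Passwor$", "Pas$wor", "correct horse battery"):
        print(pw, lm_halves(pw), attack_cost(pw))
```

Running it shows the post's point: for "Passwor$" the second half is just "$" plus nulls and costs 69 candidates, so the whole password costs about 8e10; the seven-character "Pas$wor" forces the full alphabet over the first half and costs about 7.6e12, roughly ninety times more; and the passphrase returns None because no LM hash exists to attack.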

I’ve done an experiment in the classroom on password length (before Steve Riley wrote an article on this – no offense Steve!). I ask each person on one side of the classroom to pick a password. They think up a password – one they would typically use at work. Don’t say it, just think of it. Then I ask people on the other side of the classroom to think of a passphrase. Don’t say it out loud- just think of it. I ask the first side of the room (password) to count the length of the password they thought of – and I ask the others (passphrase) to count the length of their passphrase. The first side of the room is usually sitting between 7 and 13 characters long. The second side of the classroom is anywhere from 20 to 60 characters long (rarely shorter than 15).

Asking users to think of passwords as ‘passphrases’ is a really good way to encourage long password length. It’s usually easier for a user to remember their passphrase, and it’s easy for them to change it next month (they can simply change a word or value in their phrase.) A good passphrase usually includes one or more spaces in the phrase – that helps with the special character (how many people put spaces in their passwords? not many…)

Therefore, if you want to go with a minimum less than 15, use 7, else do 15+ and educate folks about the coolness of the passphrase. Just don’t use 8. (See my article here – why 7 is better than 8: http://www.securityfocus.com/infocus/1319)

New Microsoft IIS Zero-Day Vulnerability

Today (May 19, 2009) Microsoft released a security advisory for Microsoft IIS Servers. This flaw can enable attackers to read sensitive files on the webserver by submitting a specially crafted URL to the IIS server.

This is only the third vulnerability we’ve seen in IIS since October of 2004 (last issues were Feb 2008 and July 2006) – IIS has been pretty secure over the last few years (unlike the years 2000-2004 where we saw numerous bulletins, patches, and exploitations such as code red and nimda).

This flaw appears to be much more serious for customers running IIS 5 (Windows 2000) because the vulnerable WebDAV services are running by default. IIS6 (Windows Server 2003) doesn’t enable WebDAV by default.

It is unclear what level of access may be granted to an attacker via this exploit, as it all depends on how the webserver has been configured and how file system security has been applied to the data on the webserver. In a default configuration (and I would gather most installations), this flaw might allow the attacker to read certain files on the webserver, but would not allow them to write any files. If the attacker is unable to write any files to the webserver, it’s far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server. One note of caution: this flaw could enable attackers to read code pages on the webserver, where these pages might include usernames or passwords for applications or databases controlled by the webserver.

Shavlik recommends people running IIS5 or IIS6 run the IIS Lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day.

Microsoft releases patch for Powerpoint 0-day flaw

Microsoft patched all Windows versions of Powerpoint today – addressing both a 0-day flaw and 13 other privately reported security vulnerabilities. The 0-day vulnerability enabled attackers to take over client machines if a user opened a malformed powerpoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions).

Microsoft has NOT released a patch at this time for Powerpoint on Mac. They said they weren’t seeing this flaw being executed against Macs and therefore didn’t want to hold up release of this patch for Windows machines while they finished the Mac patch. The patch for Powerpoint on Mac will be released at a later date.

The patches released today include versions of Powerpoint that weren’t flagged as vulnerable to the zero-day as Microsoft also included fixes for 13 additional vulnerabilities that were privately reported. Some of these vulnerabilities impact the newer versions of Powerpoint that were not vulnerable to the 0-day. Included in today’s release are patches for the Powerpoint viewer as well as the full version of Powerpoint.

Security patches for items like Powerpoint are considered ‘client-side’ patches because the flaws they fix can only be exploited once a user has taken an action on their computer. Typical client-side actions might include opening malicious documents, reading an evil email, or viewing an evil web page. These types of attacks are usually constrained to systems where a user is interactively working on the desktop. Systems which don’t have a lot of user interaction at the desktop, like servers, are usually less susceptible to client-side attacks, though they are just as vulnerable if a user performs one of these actions at the desktop. In most cases, client-side exploits only obtain the same level of access on the system as that of the currently logged on user.

Server-side attacks, on the other hand, don’t require user interaction to exploit vulnerabilities. Both workstations and servers are susceptible to server-side attacks. Server-side vulnerabilities leverage flaws in ‘services’ that are running on machines such as web services, file and print services, and networking services (such as TCP/IP or NetBIOS). Because these services are constantly running and are exposed externally on the system, no user interaction is required to interact with these services. This means the exploit can propagate from machine to machine very quickly. SQL Slammer, Nimda, Code Red, and Conficker are all examples of server-side exploitation. In many instances, server-side exploitation leads to administrative or ‘system’ level access on the target computer.

Viruses are a great example of a client-side vulnerability. Because it’s client-side, viruses usually require user interaction in order to spread and are therefore slower to spread than a worm. Worms, on the other hand, are representative of server-side exploitation. Since a worm doesn’t require user intervention to spread, it can propagate to other systems very rapidly.

Based on these definitions, today’s Powerpoint release addresses a client-side vulnerability. Its attack vector is dependent upon a user performing an action. As a result, we won’t see rapid propagation of infected systems through this vector (though once a machine is infected, it could launch other attacks using worm-like server-side attack mechanisms such as Conficker). Best to patch your client-side systems (where users interact with the desktop) for this issue first, then patch any servers where Powerpoint products may be installed.

April 2009 Patch Day – Spring Cleaning

A slew of Microsoft updates this month: eight bulletins released, 5 Critical, 2 Important, and 1 Moderate. While eight patches is a larger number than in recent months, this month’s release includes fixes for a number of issues that Microsoft previously identified as too laborious\complex to fix. This includes fixes for the Safari Carpet Bombing and SearchPath issues, additional enhancements for credential reflection (like the SMBRelay fix in MS08-068), and Service Isolation issues as called out at a 2008 security conference.

Microsoft had previously stated that each of these issues was either too complex to solve or didn’t represent an actual vulnerability. It’s enlightening to see that they’ve taken a second look at each of these topics and have found solutions to address each. In probably their most ambitious patch to date, Microsoft even pulled developers off of Windows 7 to assist with the creation of the MS09-012 patch (discussed below). We can only hope that Microsoft continues in this vein and re-examines other parts of the Operating System that were thought too complex to fix. Gory details below…

Microsoft knocked off patches MS09-009 and MS09-010 for several outstanding 0-day issues, including fixes for Excel (advisory 968272 from February 09) and WordPad\Office (advisory 960906 from December 08). Users should install these patches right away because exploits for these issues have been circulating on the Internet for several months.

On to the good stuff:

1. Starting with the Carpet Bombing fixes: Microsoft has released two patches to deal with this issue – an IE patch and an OS patch. MS09-014 is a cumulative IE patch that addresses 6 vulnerabilities – one of these being the carpet bomb fix. In this scenario, an attacker would force an evil file down to a user’s desktop (through the initial release of the Apple Safari web browser). The evil file would be assigned a specific name – one that happened to match a normal Operating System file. When the user later opened Internet Explorer, IE would execute the evil ‘system’ file from the desktop rather than the similarly named (legitimate) file from system directory.

MS09-014 solves this issue by removing the current working directory (in this case, the desktop) from the search path. When IE is launched, it will now look in the system path for the proper file rather than loading the illegitimate file from the desktop.

The IE fix was accomplished by modifying two of the IE DLLs so that they don’t look in the current working directory first (when loading other app DLLs). While this fix only modifies Internet Explorer, Microsoft exposed a registry key that users can modify if they want to make all of their applications ignore the current working directory:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESEARCHPATH_KB963027]
“iexplore.exe”=dword:00000000

The second fix for the carpet bombing issue was released in MS09-015, an OS patch for XP and later systems. This patch does two things:

  1. It modifies one system DLL (secur32.dll) that incorrectly searched for schannel.dll in the current working directory.
  2. It introduces new API functions that application developers can use in their code to search safely: SetDllDirectory, which removes the current working directory from DLL loading, and SetSearchPathMode, which moves the current working directory to the end of the directories searched by the SearchPath API.
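The carpet-bombing fixes above all come down to where the current working directory sits in a search order. The following added example (mine, not code from the bulletins or from Microsoft) is a small resolver that walks a list of directories the way a loader walks a search path, over a constructed temporary layout with a same-named file in both the system directory and the user's desktop. It compares the order the post describes (current working directory ahead of the system directory) with the two corrected orders MS09-015 offers: current directory removed, as with SetDllDirectory(""), and current directory moved last, as with SetSearchPathMode safe mode. The real Windows search orders contain more entries than the three modelled here; the directory and file names are illustrative.

```python
# Added example: a toy search-path resolver, not the Windows loader or SearchPath API.
import os
import tempfile


def resolve(name, search_order):
    """Return the first path in search_order that contains `name`, or None."""
    for directory in search_order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def legacy_order(app_dir, cwd, system_dir):
    """Order the post describes: the current working directory is searched
    before the system directory, so a dropped file shadows the real one."""
    return [app_dir, cwd, system_dir]


def cwd_removed_order(app_dir, cwd, system_dir):
    """Effect of SetDllDirectory(""): the current directory is never searched."""
    return [app_dir, system_dir]


def cwd_last_order(app_dir, cwd, system_dir):
    """Effect of SetSearchPathMode safe mode: the current directory is searched last."""
    return [app_dir, system_dir, cwd]


def demo(dll_name="schannel.dll"):
    """Build a constructed layout and report which directory each order picks from."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "app")
        desktop = os.path.join(root, "desktop")      # plays the role of the CWD
        system_dir = os.path.join(root, "system32")
        for d in (app_dir, desktop, system_dir):
            os.makedirs(d)
        # Legitimate copy in the system directory; a same-named empty file on the
        # desktop stands in for the dropped file (constructed, no real content).
        for d in (system_dir, desktop):
            with open(os.path.join(d, dll_name), "w"):
                pass
        orders = (("legacy", legacy_order),
                  ("cwd_removed", cwd_removed_order),
                  ("cwd_last", cwd_last_order))
        results = {}
        for label, order_fn in orders:
            picked = resolve(dll_name, order_fn(app_dir, desktop, system_dir))
            results[label] = os.path.basename(os.path.dirname(picked))
        return results


if __name__ == "__main__":
    print(demo())   # legacy picks the desktop copy; both corrected orders pick system32
```

The useful detail for defenders is that moving the current directory last (rather than removing it) still lets an application find a DLL that genuinely only exists there, while guaranteeing that any file already present in the application or system directory wins.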

2. The second issue addressed this month (and also requiring installation of two patches) addresses more avenues for credential reflection. Credential reflection was first addressed in MS08-068. That bulletin addressed a scenario where opening a malicious email or document, or viewing an evil website, would send encrypted versions of your credentials (username and password) to the attacker. The attacker could then turn these around and ‘replay’ the encrypted credentials to gain access to your computer. The MS08-068 patch addressed this issue when the attack vector was using the SMB protocol. MS09-013 is an Operating System patch that solves the same problem but is specific to the winhttp connection engine (using the http protocol). MS09-014 is the Internet Explorer patch (previously referenced re: the carpet bombing fix) that also includes a fix for the credential reflection issue, but this time when using wininet (http protocol) as the underlying connection engine when IE is used for establishing authentication.

In both credential reflection attacks, the attacker needs to have SMB access to the target system. The SMB access enables them to mount the registry and file system. Since the SMB protocol (tcp 139 or tcp 445) is usually blocked at the Internet gateway/firewall, these attacks are more prone to execution on an internal corporate network. The MS09-014 wininet attack vector is worrisome in this environment, as Internet Explorer is configured by default to present credentials to remote systems when browsing in the Intranet zone.

To prevent your machine from being mounted via a credential reflection attack, install MS08-068, MS09-013, and MS09-014. (This will prevent attack when your system was the one that originally sent credentials to the attacker. This will NOT prevent exploitation if matching credentials gathered from another system are reflected from that system to your system.)

3. The last, and most interesting, patch that I’ll mention is MS09-012. This patch addresses ‘Token Kidnapping’. Essentially, it helps prevent applications running as NetworkService or LocalService from escaping their sandboxes and running as LocalSystem. In short, it means ‘better protection for your web and SQL servers’.

Token Kidnapping is detailed in a new whitepaper by Cesar Cerrudo (http://www.argeniss.com/research/TokenKidnapping.pdf) and presented at last year’s Hack in the Box conference (April 2008). By using impersonation functions, these services can execute code under a different context – where LocalSystem is the preferred context (as this has super-admin permissions). As a result, code can be executed with administrative rights.

Any application that uses NetworkService or LocalService (and SeImpersonate) is susceptible to this attack. The most common attack vectors include IIS servers and SQL Servers. IIS 6 and 7 servers run under the NetworkService context and enable FullTrust to .NET applications by default, making it an ideal candidate for this kind of attack.

This becomes a concern when we look at web servers where users are allowed to upload code to the server. The most common scenario is a multi-tenant webserver where an ISP is running websites for multiple customers on the same Server. Each customer is allowed to upload their web pages to their own website. If the customer uploads a specially crafted .aspx page, when that page is viewed – the .aspx page executes code as LocalSystem on the server. This can give the customer administrative access to the entire webserver – for example: allowing them access to all the websites on that server – not just their own site. From here, the customer (hacker) can access backend SQL databases or sensitive information, upload backdoors to the server, connect to other servers on the inside of ISP network, etc. Not good.

Microsoft expended a great deal of effort in correcting this issue – even pulling developers off of Windows 7 to assist with this patch. Certain parts of the fix were backported from Vista and Windows Server 2008 (tokens) while brand new code had to be written for all Operating Systems (XP through 2008). As a result of the effort, the MS09-012 patch provides Service Isolation that mitigates the attacks identified by Cesar Cerrudo.

Shavlik’s recommended order of installation:
Client systems:

  1. MS09-009
  2. MS09-010
  3. MS09-014
  4. MS09-011
  5. MS09-013
  6. MS09-012 (if running IIS or SQL)
  7. MS09-015

Server Systems:

  1. Follow recommendations for client systems, plus
  2. if hosting SQL Services or IIS web services where users can upload code to these systems, install MS09-012 as soon as possible
  3. install MS09-016 as soon as possible for ISA servers

Reflections on March 2009 Patch Day

Three new security bulletins released today. All three of today’s bulletins apply to the Operating System, though some apply to a smaller subset of machines, and each has a completely different impact on the end user experience (or lack of experience if you aren’t exploited).

The most Critical of today’s patches is MS09-006 which could allow an attacker to take complete control of your computer if you view a website, email, or document that contains an evil graphic or picture. Also Critical (in my mind, though Microsoft rates it Important), is a set of patches for Windows DNS Servers. Attackers can leverage this flaw to redirect Internet traffic to look-alike websites in hopes of gathering sensitive user information. Lastly, Microsoft issued a patch to correct an issue where attackers can access restricted websites that require certificates, even though they don’t have this certificate.

I recommend installing MS09-006 and MS09-008 right away, and while you’re at it, go ahead and install MS09-007; that way you can install patches for all three vulnerabilities at the same time and leverage the same system reboot to complete the patch installation. Being OS patches, they should all be relatively simple to install.

Microsoft did NOT release a patch for the Excel zero day vulnerability. Maybe we can expect this as an out of band patch later this month?

Also, Adobe has just released a new version of Adobe Reader 9 to correct a zero day vulnerability that was previously announced.

MS09-006 follows a long line of vulnerabilities that can be exploited when viewing maliciously created graphic images. This time, the flaw exists in the way that the Operating System parses and displays WMF and EMF formatted images. The flaw actually resides in the Windows kernel, but is only exploited when handling the malformed pictures. All that the attacker need do is encourage a victim to view a specially formatted image, and the attacker can run code on the victim’s system. The evil code will execute with system privileges, even if the user wasn’t logged on as an administrator. With system privileges, the evil code can access, copy, or delete any files on the system, create or delete user accounts, change passwords, or install backdoors. IOW, nasty stuff.

While the common attack vector may be via images hosted on a website of questionable repute, the attack can also be spawned by viewing emails or documents with embedded images. Once again, don’t open documents or emails from people you don’t know. Don’t rule out hacks spawned from evil images hosted on Facebook.

This patch should be very safe to deploy and requires a reboot. Best to patch this first on machines where end-users exist – laptops, desktops, etc., then deploy to servers (where users are less likely to be reading emails, opening documents, or surfing the web.)

This patch applies to all Operating Systems and replaces MS08-061 (a kernel patch), which itself replaces MS08-025 (an earlier kernel patch).

MS09-007 is a seemingly innocuous spoofing vulnerability that can actually pose great concern for certain types of users. This vulnerability can be used to connect to a website or resource that requires certificate-based authentication. Usually, this means that only users with the required certificate can access the site. However, in this scenario, an attacker could access the restricted site even though they don’t have the necessary certificate. In order to pull this off, the attacker needs to have a copy of the site’s public authentication certificate, which is something that is most easily obtained if the attacker has full access to the victim’s computer (and if this is the case, far worse things can happen).

Many users don’t ever do anything with certificate-based authentication for secure sites. Those that do probably use an Active Directory based certificate store, which thwarts this attack. Those that do use local accounts and certificates are most at risk from this vulnerability and should install the patch right away. All others can roll it out as they see fit – though if you’re rolling out MS09-006, just go ahead and roll this out at the same time and leverage the shared reboot.

This vulnerability impacts all Operating Systems. The patch supersedes the one released for MS07-031, which also addressed a schannel vulnerability.

MS09-008 addresses a vulnerability in DNS and WINS services that could allow an attacker to insert bad data into a DNS (or WINS) Server, thereby redirecting people’s traffic to potentially evil websites. The security bulletin doesn’t list any workarounds, nor does it imply any pre-requisites on the part of the attacker, meaning it could be possible for a remote, unauthenticated attacker to modify a vulnerable DNS Server and redirect that site’s users. Assuming this reading is correct, that would make this a Critical issue, rather than a severity of Important, in my eyes.

The sole purpose of a DNS Server is to direct individuals to the proper end-location. If an unauthenticated remote attacker can modify these instructions and redirect people to bogus websites, then the DNS Server isn’t doing its job and should be considered compromised. That’s a pretty serious situation: attackers can set up look-alike websites hoping to entice users to enter sensitive information (though the redirection attack is thwarted by using SSL).

Any way I look at it, this should be a Critical patch to install on all DNS Servers right away. (Maybe Microsoft rated this Important because the level of effort to pull off this attack is so great that the likelihood of exploitation is minimal? However, exploit code was released for an earlier, similar vulnerability.) A similar patch was released for WINS servers to handle a similar type of attack, though limited to the internal WINS Server and its network.

This patch supersedes MS08-037 (a prior DNS Spoofing issue) and requires a reboot.

Excel zero day flaw announced

Microsoft released a security advisory today about a new Excel vulnerability.

This vulnerability impacts all versions of Microsoft Excel from 2000 to 2007.

In order to exploit a system, the attacker needs to entice the user to open a malformed Excel document. If this happens, the attacker can then take any action on the target system under the context of the logged on user. If the logged on user is an administrator, then the attacker can do anything they wish on the system (delete files, reformat the hard drive, steal information from the system, etc.). If the logged on user is a ‘user’ on the system (and not admin), then the attacker has fewer options on the box (read data accessible to the end user, delete data written by the end user, etc.).

Microsoft is researching the issue and will probably create a patch to fix the issue.

This is not unlike any other Microsoft Office vulnerability, except in this instance, knowledge of the vulnerability has been made public before a patch is available. Shavlik encourages users not to open Excel documents from unknown senders or locations.

Zero Day vulnerability in Adobe Reader and Adobe Acrobat

A security vulnerability was recently identified in two Adobe products that could allow attackers to take complete control of your system. Opening a malformed PDF document could allow unintended code to execute without the knowledge of the local user. The evil code could do anything on the system, up to the level of access given to the currently logged on user. Security researchers are seeing limited, targeted attacks in the wild. In most instances, the evil PDF file will crash the Adobe application, and in some instances may try and entice users to install a malicious anti-spyware application.

Adobe intends to patch their PDF products starting on March 11, 2009. Until the patch is released, users may protect themselves by disabling JavaScript in their Adobe applications. However, recent research indicates that even this workaround (disabling JavaScript) does not prevent exploitation of this vulnerability.

More info here:

The official Adobe response here: