September 2008 Black Tuesday Overview
Overview of the September 2008 Microsoft patches and their status.
# | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) | |
---|---|---|---|---|---|---|
clients | servers | |||||
MS08-052 | Multiple vulnerabilities in GDI+: VML heap buffer overflow, EMF memory corruption, GIF parsing, WMF buffer overflow, BMP header overflow. Impact is code execution. GDI+ is used by -among many others- Internet Explorer and Office to draw images. Replaces MS08-040 and MS04-028. |
|||||
GDI+ CVE-2007-5348 CVE-2008-3012 CVE-2008-3013 CVE-2008-3014 CVE-2008-3015 |
No publicly known exploits |
Critical | Critical | Important | ||
MS08-053 | Windows media encoder installs an ActiveX control maked safe for scripting, but it was never intended to be used by Internet Explorer. | |||||
Windows media encoder CVE-2008-3008 |
KB 954156 | No publicly known exploits | Critical | Critical | Important | |
MS08-054 | Windows media Player 11 input validation error in handling server side playlists. impact: code execution. | |||||
Windows media player 11 CVE-2008-2253 |
KB 954154 | No publicly known exploits | Critical | Critical | Important | |
MS08-055 | Lack of input validation in the URL validator for the OneNote protocol. The impact is code execution. Replaces MS07-025 and MS08-016. Email and web based attack vectors exist. |
|||||
Office |
KB 955047 |
No publicly known exploits | Critical | Critical | Important |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
Swa Frantzen -- Section 66
Apple updates iTunes+QuickTime
Following the media event announcing new gadgets, predictably, iTunes and QuickTime got updated. A bit of a surprise is that those upgrades also have a number of security fixes incorporated.
The QuickTime update to 7.5.5 refers to following CVE names: CVE-2008-3615, CVE-2008-3635, CVE-2008-3624, CVE-2008-3625, CVE-2008-3614, CVE-2008-3626, CVE-2008-3627, CVE-2008-3628, CVE-2008-3629
When apple is ready the description of the security part should end up here: http://www.info.apple.com/kbnum/n61798
All of them are relating to opening "crafted" media files. Read: it's the typical list of input validation failures leading to code execution. You want this one if you have QuickTime installed.
The iTunes 8.0 update references following CVE names: CVE-2008-3634, CVE-2008-3636.
The first one is interesting: it deals with an update of the text to not say that changing firewall settings doesn't affect security. The second allows local privilege escalation in the windows version. Compared to the QuickTime upgrade, this is less urgent in most environments.
--
Swa Frantzen -- Section 66
wordpress upgrade
Roseman pointed out that the popular blog software wordpress is in need of an upgrade.
Wordpress 2.6.2 fixes an interesting combination of bugs:
- A security bug allowing a user to reset another user's password to a random value (nasty, DoS, etc. but not the end of the world).
- A vulnerability in the mt_rand() function of PHP allowing the attacker to predict the random password that will be chosen on a password reset.
Sefan Esser's latest version of Suhosin does protect against this.
Lack of randomness will come back over and over till we get it right (16bit IDs in DNS, the Debian debacle with the lack of entropy in their implementation OpenSSL, random session IDs, ... )
Equally important remains the proper follow up of tools we use. Are you sure you'll note any tool you have on your machine(s) or servers will let you know it's in need of upgrading ? Are you subscribed to their means of letting you know (email, blog, ...).
--
Swa Frantzen -- Section 66
Evil side economy: $1 for breaking 1000 CAPTCHAs
You see CAPTCHAs everywhere you turn. Create a gmail account, do a whois that's to yield useful information of a .eu domain, comment on a blog, sign up for a forum, ...
CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart". It's mostly used to prevent automated registration or activity where we would like humans to participate, but keep the excesses away.
Dancho Danchev blogged about it over at zdnet. It's interesting to read it if you are or are using or are planning to use CAPTCHAs to protect something.
Once they start to employ sweatshops that break these for $ 0.001 a piece, the protection offered by this quickly dwindles to next to nothing. Also the capacity claimed to be available is tremendous. 200,000 CAPTCHAs per day seems something expected by those offering this "service".
Aside of causing the living standard to improve in those places that are cheap enough to have this kind of economy possible, what are you considering to replace your CAPTCHAs with once it gets overrun by this ?
Tell us and we'll summarize.
--
Swa Frantzen -- Section 66
Google Chrome being polished
Juha-Matti was the first (of undoubtedly many if I didn't post this) to warn us that Google Chrome did get a security update.
Remember it's "only" beta release software. Match your expectations (and usage) to the status. Google actually already released it on September 5th.
Links:
--
Swa Frantzen -- Section 66
The complaint that's an attack
Stephane wrote in with an email received on an administrative role email address that read like it came from an inexperienced spam target barking up the wrong tree.
From: [suppressed to protect the innocent]
To: [suppressed to protect the innocent]
Subject: I am wait your replyTo Whom It May Concern:
I am tired of receiving messages containing malicious computer programs (viruses) from your e-mail address!!!
If within 1-2 days you do not stop sending messages to my e-mail address, I will have to address this issue to the Police!...
Today I received a hard copy of your data logs from my Internet service provider. The copy contains your IP address, logs of sending malicious programs and your e-mail address details...
I am sending you the copy of the document containing your data and logs of sending malicious programs as the proof of your fault!!!!!!
You must print the document containing the list of your data and logs of sending malicious programs and pass it on to your Internet service provider with, so that they could find out why the viruses are sent from your computer to my e-mail address!!!!
Ask your Internet service provider to resolve this problem!!!!
Do this now!!!
Once again!!! If you don't stop sending the letters, I will address to the Police and file a lawsuit against you!!!
With an attachment called IPLOGS.zip, that contains:
$ unzip -v IPLOGS.zip
Archive: IPLOGS.zip
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
81408 Defl:N 58399 28% 09-08-08 00:01 8b1aedc6 IPLOGS.exe
-------- ------- --- -------
81408 58399 28% 1 file
Sending it over to Virustotal yielded following result:
AhnLab-V3 | - |
AntiVir | - |
Authentium | W32/Malware!OC-based |
Avast | - |
AVG | PSW.Generic6.ABAB |
BitDefender | - |
CAT-QuickHeal | - |
ClamAV | Trojan.Zbot-2110 |
DrWeb | - |
eSafe | - |
eTrust-Vet | - |
Ewido | - |
F-Prot | W32/Malware!OC-based |
F-Secure | Trojan.Win32.FraudPack.gen |
Fortinet | PossibleThreat |
GData | Trojan.Win32.FraudPack.gen |
Ikarus | Trojan.Win32.FraudPack |
K7AntiVirus | - |
Kaspersky | Trojan.Win32.FraudPack.gen |
McAfee | - |
Microsoft | PWS:Win32/Zbot.gen!B |
NOD32v2 | - |
Norman | - |
Panda | - |
PCTools | - |
Prevx1 | - |
Rising | - |
Sophos | Troj/PWS-ATH |
Sunbelt | - |
Symantec | Infostealer.Banker.C |
TheHacker | - |
TrendMicro | - |
VBA32 | - |
ViRobot | - |
VirusBuster | - |
Webwasher-Gateway | - |
The zbot trend seems to be forming among the AV vendors.
The most tricky about this will be to convince some out there that our real complaints are real, but that's perhaps the goal of these scam artists.
--
Swa Frantzen -- Section 66
Comments