CounterMeasures - A Security Blog � microsoft

Merry Christmas and a Happy New 0-Day

Rik Ferguson — Thu, 23 Dec 2010 11:16:43 +0000

Well, work is winding down for the festive season and bellies are being prepared for several days of abuse. Maybe we should be preparing our computers for equal amounts of abuse if we use Internet Explorer right now…

My freshly built Snowlady, Frostenia

Firstly, I want to take this opportunity to wish all the Countermeasures readers all the best for this holiday period and wish that the very best thing that happened to you in the last year is the worst that hapens in the next! And to take one worry off your mind, in the absence of a patch for the new
Microsoft Internet Explorer 0-day vulnerability, keep yourselves safe this season by installing the free tool Browser Guard 2010 which already offered protection against this exploit before it was even known.

The vulnerability certainly looks serious, affecting all supported versions of Internet Explorer on all supported versions of Windows, including Windows 7, Vista and XP. As vulnerabilities go, this kind is of the most worrying as it allows remote execution of code, meaning the attacker can run programs (such as malware) directly on the victim computer. It also bypasses to key security mechanisms put in place to protect against this kind of exploit, namely Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR).

The Microsoft advisory recommends that users set their Internet and Local Intranet security zones to “High” but have not yet said if they plan to release an out of band patch. The exploit code for this vulnerability has already been made public and already incorporated in the metasploit toolkit and we expect to see widespread criminal exploitation of this vulnerability.

This vulnerability is highly reminiscent of a vulnerability at the same time two years ago which prompted several national governments to warn against using IE and to switch to an alternative browser. For my point of view on that debate, have a gander at this blog posting.

Your secrets are (not) safe with mIE

Rik Ferguson — Mon, 06 Sep 2010 13:41:29 +0000

Tweet by Microsoft Security Response team

Microsoft Security Response team posted an interesting tweet at the tail end of Friday afternoon last week. The message itself was relatively low key, but pointed to something possibly more worrying. Enough to make me do some digging anyway…

“We’re aware of a publicly disclosed issue involving Internet Explorer. We’ll continue to investigate over the weekend.”

Hm, publicly disclosed where and by whom? What kind of issue and what kind of effect?

Well it looks like the tweet might be referring to an evolution of a vulnerability that was first made public by Google’s Chris Evans back in December of last year in a post on his Scary Beast Security blog.

Why have I jumped to that conclusion? Well, also on Friday last week, just a couple of hours before the Microsoft tweet, Chris Evans posted the following to the Full Disclosure mailing list

“Hi, In an attempt to get this bug fixed…

A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix.

The bug permits — for example — an arbitrary web site to force the victim to make tweets.”

In the mailing list posting Chris goes on to state that there is evidence that Microsoft may have been aware of this bug since 2008 and that the same defect “probably” affects earlier versions of IE too.

The exploit acts by stealing the (supposedly secret) credentials for an already authenticated browser session, in his example Twitter. Those credentials are then abused to send arbitrary forged content.

Embarrassingly Opera, Chrome, Firefox & Safari have all already fixed this vulnerability. Let’s hope Microsoft had a good long investigate over the weekend then eh? With the ever increasing popularity of URL shortening services, vulnerabilities like this are all too easy to exploit.

Don’t take shortcuts

Rik Ferguson — Tue, 20 Jul 2010 08:40:58 +0000

picture from bradleygee's Flickr photostream under Creative Commons.

On the 16th of July Microsoft released Security Advisory 2286198 confirming an as yet unpatched vulnerability in Windows Shell that exposes all users of all current versions of Microsoft Windows to very real risk of attack and infection.

According to Microsoft “The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed.” So what does that mean in plain language?

It means that if any user of Microsoft Windows opens a folder containing a shortcut which has been designed to exploit this vulnerability, they will be infected. No opening of files required, simple browsing is enough.

Although Microsoft have stated that “This vulnerability is most likely to be exploited through removable drives” users should be on their guard against all shortcut files whose authenticity they cannot guarantee. This same vulnerability could be exploited though contaminated file shares or something as simple as a malicious compressed archive such as a zip file.

Worryingly, the malware that was first exploiting this vulnerability appeared to be highly targeted, looking for Siemens WinCC SCADA systems, SCADA systems are routinely used in the control of utilities such as power and water and also in large-scale manufacturing. Siemens were warning their customers of this as early as July 14th.

The source code for this malware is now in open distribution, (and incorporated into the Metasploit framework) and we can expect to see widespread criminal adoption of this technique from this point.

For now the best defence against attacks is contained within the Microsoft Security Advisory; disable the displaying of icons for shortcuts and disable the WebClient service.

Further details on Trend Micro’s detection of the malware involved are available on the TrendLabs blog. Please be aware this is a breaking situation and further malware will take advantage of this same vulnerability.

Patch Tuesday is a-comin’

Rik Ferguson — Thu, 05 Mar 2009 20:32:16 +0000

So the advance notification for the forthcoming Microsoft “Patch Tuesday” crop has been released; 1 Critical and 2 Important bulletins. That means one that allows remote code execution and two that may lead to compromise of data or resources through spoofing attacks, affecting all currently supported versions of Microsoft Windows

The package will not include a fix for the Excel vulnerability that is currently being exploited, so I would encourage you to read the Microsoft Security Advisory and take note of the mitigation advice.

It’s worth noting that, according to beyondtrust, 92% of critical Microsoft vulnerabilities are mitigated by eliminating Admin rights