Direct patch download links for MS10-002 KB978207


Microsoft has released an out-of-band patch to resolve Internet Explorer vulnerabilities; see KB978207 and MS10-002 for additional details.

The patches for IE6, IE7, and IE8 are available on Windows Update and Microsoft Update. Unfortunately for me, our business proxy blocks access to these sites. We also have to go through a corporate vulnerability rating process, and if the vulnerability rates severe enough, a deployment plan will be developed, tested, and scheduled... Long story short, without intervention on my part, it will be a long time until my machine sees any critical updates.

The ISC has rated this vulnerability at its highest risk level: PATCH NOW!

I manually downloaded the patch from the Microsoft download site.  You can find the patch for all OSs and versions of IE here.

New Internet Explorer 7 0-day exploit


SANS has reported a Microsoft IE7 0-day exploit that is now in the wild. This vulnerability is not addressed by the forthcoming December 2008 Patch Tuesday releases, or by the MS08-073 patch that was released on 12-09-2008.

Analysis shows the current exploit checks for the following conditions:

The user has to be running Internet Explorer
The version of Internet Explorer has to be 7
The operating system has to be Windows XP or Windows 2003

SANS has not yet confirmed if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista).

ThreatExpert has a very nice overview of the modifications the exploit makes to compromised computers.

Additional Resources:

ZDNet Security Blog
Secunia Advisory

MS08-067 vulnerability, exploit, and reverse engineering in detail


Since Microsoft released the out-of-band patch detailed in MS08-067 yesterday, an exploit and worm have already been developed and seen in the wild. Dave Aitel announced the exploit yesterday on his DailyDave mailing list. SecurityFocus has the exploit available for download here. Alexander has also published his decompiled version of the vulnerable function. Stephenl has a nice description of how he reverse engineered the patches to determine the specific vulnerability.

The ThreatExpert Blog has a very nice description of how the worm, named Gimmiv.A operates. Gimmiv.A creates three files in the %system%\WBEM\ directory: winbase.dll, basesvc.dll, and syicon.dll.

ThreatExpert reports

“After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host. The details are posted in an encrypted form, by using AES (Rijndael) encryption. 

Details collected by Gimmiv.A are then posted to a personal profile of the user “perlbody”, hosted with http://www.t35.com hosting provider. At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims’ details, indirectly indicating how many victims have been compromised by this worm so far.

The most interesting part of this worm is implemented in the DLL basesvc.dll. This DLL is responsible for the network propagation of the worm.”

If you cannot immediately patch your systems, the best defense is to restrict access to ports 139 and 445.

For additional detail, see this Microsoft Security Vulnerability Research & Defense blog posting.

The Microsoft Malware Protection Center has a page dedicated to Gimmiv.A, which they are calling a trojan rather than a worm.

McAfee has a nice description of the exploit code as well.

You can verify that your anti-virus vendor detects Gimmiv.A at virustotal.com.

Sun Java Multiple Security Vulnerabilities Rated Highly Critical


Sun has disclosed multiple security vulnerabilities within their Java product, which are summarized here.  The categories of vulnerabilities include:

1) Security Bypass
2) Exposure of system information
3) Exposure of sensitive information
4) DoS
5) System access

The following Sun products are affected:

Java Web Start 1.x
Java Web Start 5.x
Java Web Start 6.x
Sun Java JDK 1.5.x
Sun Java JDK 1.6.x
Sun Java JRE 1.3.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.3.x
Sun Java SDK 1.4.x

The recommendation is to update your software immediately to a patched version:

JDK and JRE 6 Update 7:
http://java.sun.com/javase/downloads/index.jsp

JDK and JRE 5.0 Update 16:
http://java.sun.com/javase/downloads/index_jdk5.jsp

SDK and JRE 1.4.2_18:
http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.1_23 (for customers with Solaris 8 and Vintage Support Offering support contracts):
http://java.sun.com/j2se/1.3/download.html

VMware Running on Windows Host Security Hole


If you are running VMware on a Windows host configured with host-to-guest shared folders, it is possible for a program running in the guest to gain access to the host’s complete file system and create or modify executable files in sensitive locations.

A vulnerability exists in VMware’s shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host’s file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.

Affected versions include:

  • VMware Workstation 6.0.2 and earlier
  • VMware Workstation 5.5.4 and earlier
  • VMware Player 2.0.2 and earlier
  • VMware Player 1.0.4 and earlier
  • VMware ACE 2.0.2 and earlier
  • VMware ACE 1.0.2 and earlier

The following VMware products are not affected:
  • VMware Server is not affected because it does not use shared folders.
  • No versions of ESX Server, including ESX Server 3i, are affected by this vulnerability. Because ESX Server is based on a bare-metal hypervisor architecture, not a hosted architecture, it does not include any shared folder abilities.
  • VMware Fusion and Linux-hosted VMware products are unaffected.

Workaround

Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders. To disable shared folders in the Global settings:
  1. From the VMware product’s menu, choose Edit > Preferences.
  2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.
To disable shared folders for the individual virtual machine settings:
  1. From the VMware product’s menu, choose VM > Settings.
  2. In the Options tab, select Shared Folders and Disable.

Out of the Box, the ASUS Eee PC is Incredibly Insecure


HDM pointed out on the Metasploit blog that the guys from RISE Security rooted an ASUS Eee PC quite easily. They used Metasploit to exploit a Samba vulnerability that was published in July 2007 – almost seven months ago.

Why is ASUS shipping new products with vulnerabilities that are serious enough to allow attackers to gain root access through commonly used security tools such as the Metasploit Framework?

Carl at CandyFOSS doesn’t think this could realistically be exploited, but I’m not so sure.

I’ve searched all over ASUS’s support website, and have not found a downloadable patch for this problem. One of my school districts just ordered 60 Eee PCs, and you can rest assured there’s no way I’m letting these devices out of the box until I can find a fix.

Anyone out there who has one of these machines, can you confirm if there is a patch that is automatically installed through the update process to address this vulnerability?

The ISC has a brief write-up of additional information the Eee PC reveals in its default configuration.

Major Websense Content Filter Bypass Vulnerability


I almost missed this Websense vulnerability, since it was published 12-21-2007, while I was on vacation. I’ve verified it works on one of my client’s networks using Firefox Portable 2.0.0.4, Websense 6.1.1, ISA Server 2004 Standard, and User Agent Switcher 0.6.10.

Mr HinkyDink, who discovered the issue, used Websense 6.3.1, so I’m sure other Websense versions are susceptible as well. His instructions are:

I. Install FireFox 2.0.x

II. Obtain and install the User Agent Switcher browser plug-in by Chris Pederick

III. Add the following User Agents to the plug-in

Description: RealPlayer
User Agent : RealPlayer G2

Description: MSN Messenger
User Agent : MSMSGS

Description: WebEx
User Agent : StoneHttpAgent

IV. Change FireFox’s User Agent to any one of the preceding values

V. Browse to a filtered Web site

VI. Content is allowed

Content browsed via this method will be recorded in the Websense database as being in the “Non-HTTP” category.

See also Websense KnowledgeBase article #976; Websense cleaned up this issue in database #92938.
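As an added example (not from the original post, Mr HinkyDink, or Websense), here is detection logic a filtering administrator could run over proxy logs until the database update is in place: it flags clients that present one of the three User-Agent strings above while fetching browser-only content such as HTML or CSS, which a real RealPlayer, Messenger, or WebEx client would not request. The log line format and the sample entries are constructed assumptions, not a real Websense or ISA log.

```python
import re
from collections import Counter

# User-Agent values listed in the advisory above.
BYPASS_AGENTS = {"RealPlayer G2", "MSMSGS", "StoneHttpAgent"}
# Content a genuine media/messaging client has no reason to fetch.
BROWSER_ONLY_TYPES = {"text/html", "text/css", "application/javascript"}

# Constructed sample log (assumed format:
# client date time method url status content_type "user_agent").
SAMPLE_LOG = """\
10.1.2.3 2008-01-07 09:12:01 GET http://www.example.com/index.html 200 text/html "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
10.1.2.3 2008-01-07 09:13:45 GET http://games.example.net/flash/ 200 text/html "RealPlayer G2"
10.1.2.3 2008-01-07 09:14:02 GET http://games.example.net/style.css 200 text/css "RealPlayer G2"
10.1.2.9 2008-01-07 09:15:30 GET http://media.example.org/stream.rm 200 audio/x-pn-realaudio "RealPlayer G2"
10.1.2.7 2008-01-07 09:16:11 GET http://proxy.example.biz/ 200 text/html "MSMSGS"
10.1.2.7 2008-01-07 09:16:12 GET http://proxy.example.biz/logo.gif 200 image/gif "StoneHttpAgent"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<date>\S+) (?P<time>\S+) (?P<method>\S+) '
    r'(?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_bypass_attempt(entry):
    """A non-browser agent pulling markup or stylesheets is a browser in disguise."""
    media_type = entry["ctype"].split(";")[0].lower()
    return entry["ua"] in BYPASS_AGENTS and media_type in BROWSER_ONLY_TYPES

def suspicious_entries(log_text):
    """All parsed entries that look like a User-Agent filter bypass."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_bypass_attempt(entry):
            hits.append(entry)
    return hits

def hits_per_client(log_text):
    """Count flagged requests per client address, to prioritise follow-up."""
    return Counter(e["client"] for e in suspicious_entries(log_text))

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f'{e["client"]} {e["ua"]!r} -> {e["url"]}')
```

Legitimate media traffic (the RealAudio stream from 10.1.2.9) is not flagged, so the rule keys on the mismatch between agent and content type rather than on the agent string alone.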

I work with a ton of school districts, all of which are required by law to provide content filtering. We constantly struggle to keep ahead of the various methods of bypassing the filter that students find, but I really don’t fault the kids for being curious, or trying to outsmart the adults. I think the fault lies with the teachers who are supposed to be supervising, but instead allow the students to do whatever they want.