<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>The Laws of Vulnerabilities</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/" />
    <link rel="self" type="application/atom+xml" href="http://laws.qualys.com/atom.xml" />
    <id>tag:laws.qualys.com,2008-02-21://4</id>
    <updated>2010-09-01T19:06:26Z</updated>
    <subtitle>The Laws of Vulnerabilities</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Commercial 4.23-en</generator>

<entry>
    <title> Keeping up with DLL hijacking</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/dll-hijacking-revisited-1.html" />
    <id>tag:laws.qualys.com,2010://4.323</id>

    <published>2010-08-31T19:03:59Z</published>
    <updated>2010-09-01T19:06:26Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="dllhijacking" label="DLL Hijacking" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[A week has passed since Microsoft published security advisory <a href="http://www.microsoft.com/technet/security/advisory/2269637.mspx">KB2269637</a>, which details the technology underlying the DLL hijacking vulnerabilities. Since then security researchers have looked at Windows applications from third parties and from Microsoft itself and have identified many vulnerable programs. Last week HD Moore from Rapid7 published an <a href="http://blog.metasploit.com/2010/08/better-faster-stronger.html">even better version of his DLL hijacking finding tool</a>, which is in use by many of the researchers. Just this week Microsoft gave a very illustrative example of how a vulnerable application can be attacked <a href="http://blogs.technet.com/b/srd/archive/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector.aspx">on their SRD blog</a>.
<br><br>
We recommend installing the Microsoft hotfix downloadable from <a href="http://support.microsoft.com/kb/2264107">KB2264107</a> and creating the <b>CWDIllegalInDllSearch</b> registry value, which, depending on the value chosen, instructs Windows to exclude the current working directory from the DLL search path when that directory is a network share or WebDAV location, or to drop it from the search path altogether. In addition IT admins should keep an eye on the excellent list of vulnerable applications and their fix status that is being <a href="http://secunia.com/advisories/windows_insecure_library_loading/">maintained</a> by Secunia.
<br><br>
In QualysGuard we have introduced two new QIDs that help IT admins manage the installation of this hotfix:
<ul>
<li>QID 118423 - Microsoft Windows DLL Search Order Design Error Vulnerability (KB2269637)<br>
This detection indicates that the machine does not have the hotfix installed.
<li>QID 90634 - Hotfix KB2264107 (DLL hijacking) is Installed<br>
This detection indicates that the machine has the hotfix installed and reports the current setting of the <b>CWDIllegalInDllSearch</b> registry value in its results section.
</ul>


]]>
        
    </content>
</entry>

<entry>
    <title>Microsoft provides advisory for DLL hijacking exploits</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/microsoft-provides-advisory-fo.html" />
    <id>tag:laws.qualys.com,2010://4.319</id>

    <published>2010-08-23T20:30:12Z</published>
    <updated>2010-08-23T22:33:47Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="dllhijackingwindowsbinaryplantingwebdavkb2269637" label="DLL hijacking Windows binary planting WebDAV KB2269637" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[Microsoft has just published <a href="http://www.microsoft.com/technet/security/advisory/2269637.mspx">security advisory KB2269637</a>, which provides IT admins with the information and tools to deal with DLL hijacking. DLL hijacking attacks target Windows applications (third-party and Microsoft's own) that have not followed recommended security practices and can be tricked into loading DLLs from locations the attacker controls. The attacker-provided DLL then runs with the privileges of the application and is used to take control of the target machine.
<br><br>
According to security research by <a  href="http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf">Taeho Kwon and Zhendong Su</a> from UC Davis, <a href="http://acrossecurity.blogspot.com/2010/08/binary-planting-update-day-6.html">ACROS Security</a> and <a href="http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html">HD Moore</a> from Rapid7, it is straightforward to find applications that do not follow these best practices. Two weeks ago iTunes was <a href="http://support.apple.com/kb/HT4105">patched</a> for an occurrence of "binary planting", and Simon Raner of ACROS Security was credited.
<br><br>
The underlying idea of the attack is <a href="http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll-preloading-attacks.aspx">older</a> (some discussion of the underlying issue is <a href="http://www.securityfocus.com/bid/1699/info">here from 2000</a>) and not limited to Windows. Over time fixes and workarounds have been implemented, but a new attack vector using network shares and WebDAV makes the attack far more practical: the victim only has to open a document from an attacker-controlled share, and the application's current working directory becomes that share. With the available documentation and tools it is now easy to find vulnerable applications and craft exploits.
<br><br>
We recommend installing the hotfix in <a href="http://support.microsoft.com/kb/2264107">KB2264107</a> as soon as possible and setting the <b>CWDIllegalInDllSearch</b> registry value to 2, which stops Windows from loading DLLs from the current working directory whenever that directory is on a network share or a WebDAV location.
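<br><br>
As an added example that is not part of this post or the follow-up "Keeping up with DLL hijacking" post (and not Qualys or Microsoft code), the following PowerShell script audits a machine for what both posts recommend: whether hotfix KB2264107 is installed and what <b>CWDIllegalInDllSearch</b> is set to, applying the recommended value 2 when run with -Apply. The hotfix ID, the registry location under Session Manager, the value name and the value meanings are those documented in KB2264107; the parameter names and the output wording are the script's own assumptions.

```powershell
# Added example, not code from the Qualys posts or from Microsoft.
# Audits the KB2264107 DLL-preloading mitigation on the local machine and, with -Apply,
# sets CWDIllegalInDllSearch to the recommended value. Run from an elevated prompt.
#
# Values documented in KB2264107 (the value is ignored until the hotfix is installed):
#   0          default: the current working directory (CWD) stays in the DLL search path
#   1          CWD is removed from the search path when it is a WebDAV folder
#   2          CWD is removed when it is any remote folder (UNC share or WebDAV)
#   0xFFFFFFFF CWD is removed from the search path entirely
param(
    [uint32]$DesiredValue = 2,   # the posts recommend 2; pass 0xFFFFFFFF for the strictest setting
    [switch]$Apply               # without -Apply the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'

# 1. Is the hotfix present? Get-HotFix reads the installed-update inventory (Win32_QuickFixEngineering).
$hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq 'KB2264107' }
if ($hotfix) {
    Write-Host "KB2264107 is installed (InstalledOn: $($hotfix.InstalledOn))"
} else {
    Write-Warning 'KB2264107 is NOT installed; CWDIllegalInDllSearch has no effect until it is.'
}

# 2. Read the current value. An absent value means 0, i.e. the default search order.
$raw = (Get-ItemProperty -Path $KeyPath).$ValueName
if ($null -eq $raw) {
    $current = $null
    Write-Host "$ValueName is not set (CWD is still searched for DLLs)"
} else {
    # REG_DWORD comes back as a signed Int32; mask it so 0xFFFFFFFF does not read as -1.
    $current = [uint32]([int64]$raw -band 0xFFFFFFFF)
    Write-Host ("{0} = 0x{1:X8}" -f $ValueName, $current)
}

# 3. Apply the desired setting if asked to and it is not already in place.
if ($Apply -and $current -ne $DesiredValue) {
    # Set-ItemProperty -Type DWord wants an Int32, so reinterpret the unsigned bits.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($DesiredValue), 0)
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $dword -Type DWord
    Write-Host ("{0} set to 0x{1:X8}; only processes started from now on pick it up" -f $ValueName, $DesiredValue)
}
```

The script handles only the system-wide setting. The hotfix also honours a per-application CWDIllegalInDllSearch value under the Image File Execution Options key, which is the place to relax the setting for a single legacy application that breaks with the global value rather than lowering the global value for the whole machine.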
<br><br>
<b>References:</b>
<ul>
<li>In-depth Info on the <a href="http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx">SRD Blog</a>
<li><a href="http://www.theregister.co.uk/2010/08/20/windows_code_execution_vuln/">The Register initial report</a> on the iTunes fix and other afflicted applications
<li><a href="http://www.computerworld.com/s/article/9181358/Researcher_told_Microsoft_of_Windows_apps_zero_day_bugs_6_months_ago">Gregg Keizer's</a> excellent summary in Computerworld 
<li><a href="http://isc.sans.edu/diary.html?storyid=9445">ISC Diary entry</a>
</ul>]]>
        
    </content>
</entry>

<entry>
    <title>Adobe Patches Reader/Acrobat on Windows, Mac and Unix</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/adobe-patches-reader-and-acrob.html" />
    <id>tag:laws.qualys.com,2010://4.317</id>

    <published>2010-08-19T23:32:02Z</published>
    <updated>2010-08-20T00:18:14Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="0dayreaderacrobatadobepatch" label="0-day reader acrobat adobe patch" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[Today Adobe published an out-of-band update <a href="http://www.adobe.com/support/security/bulletins/apsb10-17.html">APSB10-17</a> for a 0-day vulnerability published during Charlie Miller's Black Hat talk.
<br><br>
The vulnerability is critical, can be used to take control of the targeted computer, and should be addressed as soon as possible.
<br><br>
Adobe credits Tavis Ormandy for the discovery of the vulnerability. It seems that Tavis reported the vulnerability to Adobe before <a href="http://twitter.com/0xcharlie/status/21603096532">Charlie's</a> Black Hat presentation. This illustrates an effect that security researchers have long tried to call attention to: every once in a while the same vulnerability is discovered <a href="http://twitter.com/taviso/status/21602400077">independently</a>, by more than one researcher or by researchers and malware writers alike. TippingPoint's <a href="http://www.zerodayinitiative.com/">Zero Day Initiative (ZDI)</a> would be in a position to publish statistics on how often such overlaps occur in their submissions.
<br><br>
The update also includes the Flash update released last week, <a href="http://www.adobe.com/support/security/bulletins/apsb10-16.html">APSB10-16</a> (Adobe Reader brings its own embedded Flash version), and further improves the handling of CVE-2010-1240, which was first addressed in June in <a href="http://www.adobe.com/support/security/bulletins/apsb10-15.html">APSB10-15</a>.
]]>
        
    </content>
</entry>

<entry>
    <title>More on August&apos;s Patch Tuesday...</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/more-on-augusts-patch-tuesday.html" />
    <id>tag:laws.qualys.com,2010://4.316</id>

    <published>2010-08-11T00:20:36Z</published>
    <updated>2010-08-11T20:02:31Z</updated>

    <summary></summary>
    <author>
        <name>Qualys, Inc.</name>
        <uri>http://www.qualys.com</uri>
    </author>
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[ <object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/wjk5YhoKc-w&amp;hl=en_US&amp;fs=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/wjk5YhoKc-w&amp;hl=en_US&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object><br /><br />
<a href="http://www.youtube.com/watch?v=wjk5YhoKc-w">http://www.youtube.com/watch?v=wjk5YhoKc-w</a>

]]>
        
    </content>
</entry>

<entry>
    <title>Patch Tuesday Bottomline - August 2010</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/patch-tuesday-bottomline---aug-1.html" />
    <id>tag:laws.qualys.com,2010://4.315</id>

    <published>2010-08-10T17:24:13Z</published>
    <updated>2010-08-11T05:49:57Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerabilities" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="microsoftadobe0dayfalshreader" label="Microsoft Adobe 0-day Falsh Reader" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[A busy week - in addition to Microsoft's <a href="http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx">August Patch Tuesday</a>, which including last week's out-of-band LNK bulletin delivers a record-setting 15 bulletins covering 35 vulnerabilities, Adobe has just released a <a href="http://blogs.adobe.com/psirt/2010/08/security-updates-available-for-adobe-flash-player-coldfusion-and-flash-media-server.html">Flash update</a> and will be <a href="http://www.adobe.com/support/security/bulletins/apsb10-17.html">releasing a patch</a> for an Adobe Reader 0-day vulnerability published a few weeks ago at the Black Hat security conference. To help with this challenging patch workload, we have ranked the Microsoft bulletins into three distinct groups of updates, which can be addressed on different schedules.
<br /><br /> 
IT admins should first tackle the updates that represent the biggest attack potential: end users and internet browsing are the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of "1", indicating that Microsoft expects consistent exploit code within 30 days. <a href="http://www.microsoft.com/technet/security/bulletin/ms10-053.mspx">MS10-053</a> has six direct fixes for Internet Explorer, while the ZDI-submitted <a href="http://www.microsoft.com/technet/security/bulletin/ms10-055.mspx">MS10-055</a> and <a href="http://www.microsoft.com/technet/security/bulletin/ms10-052.mspx">MS10-052</a> address issues in media plugins: MS10-055 for the Cinepak codec and MS10-052 for the MP3 file format. MS10-060 patches a critical .NET Framework issue that can be exploited through web browsing/Silverlight, and MS10-051 addresses a vulnerability in the Internet Explorer MSXML ActiveX component. MS10-049 deals with a client-side vulnerability in the SChannel (SSL/TLS) component that can be triggered by a malicious HTTPS site. This and the MSXML ActiveX bulletin are the two in the group rated "2" on the exploitability scale (= harder to exploit). All of these updates should be applied as soon as possible.
 <br /><br />
A second group of updates has its focus on file format vulnerabilities. The most critical is MS10-056, a vulnerability in the RTF parser of Microsoft Word 2007 and older. An attacker can craft a malicious file that triggers remote code execution when it is opened by Word on the target computer. Users of Outlook 2007 need to pay special attention, since the Outlook preview pane uses Word by default to render RTF. This makes Outlook 2007 susceptible to an attack that does not even require opening the e-mail. Apply this update as quickly as possible. MS10-057 and MS10-050 provide fixes for file format vulnerabilities in Excel 2003 and earlier and in Windows Movie Maker (a default component in Windows XP). Both have an exploitability rating of "1" and should be addressed as soon as possible.
 <br /><br />
MS10-058 deals with an interesting vulnerability. It is located in the IPv6 part of the new TCP/IP stack in Vista, Windows 7 and 2008 R2. While we believe that currently very few publicly facing network infrastructures have IPv6 enabled, this bulletin is important for those that do, because the flaw is remotely attackable and few mitigations exist. It is a reminder that new OS components and applications are apt to introduce new attack vectors into networks. MS10-054 is a vulnerability in the SMB server; it requires read access to a share as well as attacker-controlled data on the target machine. The exploit here will most likely manifest itself as a local escalation of privilege attack.
<br /><br />
The remainder of the August updates all address local flaws in the Windows operating system family and are rated important, as the attacker needs to be present on the target system to make use of them. MS10-047 is a Windows kernel flaw, MS10-048 a flaw in the win32k.sys driver and MS10-059 fixes a problem in the tracing component of Windows.
<br /><br /> 
Last week Microsoft released a bulletin for the 0-day flaw in the handling of the LNK file type. If you have not done so yet, apply <a href="http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx">MS10-046</a> together with the first group of patches, as desktop systems are at the highest risk of attack using the LNK vulnerability.
<br /><br />References:<br /><ul><li><a href="http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx">Microsoft Security Bulletin</a></li><li><a href="http://www.qualys.com/research/alerts/view.php/2010-08-10">Qualys Security Alert</a><br /></li></ul><br />
]]>
        
    </content>
</entry>

<entry>
    <title>Adobe Prenotification for August 2010</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/adobe-preview-for-august-2010.html" />
    <id>tag:laws.qualys.com,2010://4.313</id>

    <published>2010-08-05T18:51:49Z</published>
    <updated>2010-08-05T19:07:06Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="0dayblackhatfuzzingadobereader" label="0-day blackhat fuzzing adobe reader" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[Adobe <a href="http://blogs.adobe.com/psirt/2010/08/pre-notification-out-of-band-security-updates-for-adobe-reader-and-acrobat.html">announced</a> that they will publish an <a href="http://www.adobe.com/support/security/bulletins/apsb10-17.html">out-of-band update APSB10-17</a> for a 0-day vulnerability published during Charlie Miller's Black Hat talk.
<br><br>
Charlie Miller's Black Hat paper is the result of a collaboration with <a href="http://www.cs.berkeley.edu/~dawnsong/">Prof. Dawn Song</a> from UC Berkeley and a continuation of the fuzzing work he first presented at the <a href="http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt">CanSecWest conference</a>. At the time the tools he used were CrashWrangler and !exploitable, but it seems that <a href="http://bitblaze.cs.berkeley.edu/">BitBlaze</a>, the tool from Prof. Song's research group, provides much better insight into which application crashes are exploitable.
]]>
        
    </content>
</entry>

<entry>
    <title>Patch Tuesday - Preview for August 2010</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/patch-tuesday---preview-for-au.html" />
    <id>tag:laws.qualys.com,2010://4.312</id>

    <published>2010-08-05T18:13:12Z</published>
    <updated>2010-08-05T18:37:24Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="microsoftsilverlightofficeinternetexplorerxpsp2" label="Microsoft Silverlight Office Internet Explorer XP SP2" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[This August is bringing a record-setting number of <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx">updates</a> from Microsoft. In addition to last week's <a href="http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx">LNK update</a>, there will be another 14 bulletins addressing 34 vulnerabilities that IT admins will have to take care of in the weeks after Patch Tuesday. Including the LNK update, 9 bulletins have a rating of critical and affect all versions of the Windows OS, Internet Explorer, Silverlight and Microsoft Office.
<br><br>
Windows 7 and 2008 R2 have a smaller number of critical vulnerabilities than Windows XP and 2003 thanks to their improved security architecture, but are still affected by 2 critical vulnerabilities each.
<br><br>
The Internet Explorer, Office and Silverlight updates apply across the board on all Windows versions. They are examples of an increasingly common type of flaw, where attackers and malware go through the installed applications rather than through the core operating system.
<br><br>
Windows XP SP2 users do not have any patches supplied to them, even though the 5 critical vulnerabilities for XP SP3 most likely apply to their discontinued version of the OS as well. Windows XP SP2 users should upgrade to SP3 as quickly as possible.]]>
        
    </content>
</entry>

<entry>
    <title>MS10-046 fixes 0-day LNK vulnerability out of band</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/08/ms10-046-fixes-0-day-lnk-vulne.html" />
    <id>tag:laws.qualys.com,2010://4.310</id>

    <published>2010-08-02T18:59:08Z</published>
    <updated>2010-08-02T19:15:02Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerabilities" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="0daylnkoutofband" label="0-day LNK out of band" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[ Microsoft released an <a href="http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx">update</a> today that addresses the LNK vulnerability. The update is rated as critical and applies to all currently supported Windows Operating systems.
<br><br>
We recommend applying the update as quickly as possible. Attacks using this 0-day vulnerability have been <a href="http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx">increasing</a>.
<br><br>
The recently discontinued Windows 2000 and Windows XP SP2 are not covered by the patch. Users of Windows 2000 and XP SP2 need to work on an upgrade strategy for these operating systems, as without patch support they will become increasingly susceptible to attacks from malware.

]]>
        
    </content>
</entry>

<entry>
    <title>Microsoft issues out of band update for LNK</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/07/microsoft-issues-out-of-band-u.html" />
    <id>tag:laws.qualys.com,2010://4.309</id>

    <published>2010-07-30T18:02:40Z</published>
    <updated>2010-07-31T06:17:16Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Threats &amp; Worms" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerabilities" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="0daylnkmicrosoft" label="0-day LNK Microsoft" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[Microsoft will issue an <a href="http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx">out-of-band update</a> next Monday, August 2nd. The update will address the critical LNK vulnerability, which applies to all supported versions of the Windows operating system, from Windows XP SP3 to Windows 7.
<br><br>
Microsoft's decision to issue this update before the normal Patch Tuesday on August 10 is due to <a href="http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx">reports of an increasing number of attacks</a> that use the LNK flaw.
<br><br>
Windows 2000 and XP SP2 users will not be covered and are now in a predicament that will become increasingly urgent. Attacks will continue to become more prevalent and their defensive options are limited. Microsoft's work-around in advisory <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">KB2286198</a> has a serious impact on the usability of the system, as all shortcut icons on the desktop are replaced by a generic representation and navigation is hampered. The best option for XP SP2 users is to upgrade to SP3 as soon as possible; Windows 2000 users need to migrate to a new OS altogether.
<br><br>
The primary attack vectors for the LNK vulnerability are USB sticks and shared drives; the attack depends on a specially crafted LNK file and a custom DLL that the shortcut references. Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction. Nevertheless, blocking outbound SMB (TCP 139 and 445) and WebDAV in the ruleset of internet-facing firewalls is a measure that provides additional protection against the remote attack vector.
]]>
        
    </content>
</entry>

<entry>
    <title>New Windows Flaw - XP SP2 Users Not Covered - Update</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/07/new-windows-flaw---xp-sp2-user.html" />
    <id>tag:laws.qualys.com,2010://4.302</id>

    <published>2010-07-17T17:49:38Z</published>
    <updated>2010-07-24T20:11:10Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="0daymicrosoftwindowsxpsp22000" label="0-day microsoft windows xp sp2 2000" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[<b>Update</b>
<br>
Businessweek has an <a href="http://www.businessweek.com/idg/2010-07-22/siemens-removing-scada-worm-may-harm-plants.html">article</a> about the SCADA connection of this flaw. Siemens has issued an <a href="http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view">advisory and update for the software components</a> that are being attacked by some <a href="http://www.reconstructer.org/main.html">strains of the malware</a>.
<br><br>
<b>Original</b>
<br>Just three days after July's Patch Tuesday, Microsoft issued an <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">advisory</a> for an issue affecting all current Windows operating systems. The flaw is located in the Windows Shell and can be used to execute arbitrary code on vulnerable systems. According to the advisory, Microsoft is aware of targeted attacks in the wild exploiting the issue. Brian Krebs <a href="http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/">reports</a> that Belarusian AV company VirusBlokAda detected the attack while <a href="http://anti-virus.by/en/tempo.shtml">analyzing</a> a new malware sample.
<p><p>
The advisory lists workarounds that can be implemented by editing the registry. They change the way shortcut icons are displayed, so there is a visible impact on the user's desktop.
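<p><p>
As an added example that is not part of this post or of the later "Microsoft issues out of band update for LNK" post (and not Qualys or Microsoft code), the following PowerShell script audits the two workarounds from advisory KB2286198 on the local machine and puts them in place when run with -Apply: clearing the shortcut icon handler in the registry, which produces the generic icons described above, and disabling the WebClient service, which closes the WebDAV delivery path that the later post recommends blocking at the firewall. The registry locations, the icon handler CLSID and the service name are the ones in the advisory; the backup file path and the parameter names are the script's own assumptions.

```powershell
# Added example, not code from the Qualys posts or from Microsoft's advisory.
# Audits the KB2286198 LNK workarounds on the local machine and, with -Apply, puts them in place.
# Run from an elevated prompt; revert after installing the MS10-046 update.
#   1. Clear the (Default) value of HKCR\lnkfile\shellex\IconHandler (and the piffile twin) so the
#      shell stops resolving shortcut icons through the handler. Side effect: every shortcut shows a
#      generic icon, which is the usability hit the advisory and the post describe.
#   2. Disable and stop the WebClient service, closing the WebDAV path for remote delivery.
param(
    [switch]$Apply,
    [string]$BackupPath = "$env:ProgramData\lnk-iconhandler-backup.txt"   # assumption: any writable path
)

# CLSID of the shell's own shortcut icon handler (the stock value before the workaround).
$ShellShortcutHandler = '{00021401-0000-0000-C000-000000000046}'
$HandlerKeys = 'lnkfile', 'piffile' | ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shellex\IconHandler" }

foreach ($keyPath in $HandlerKeys) {
    if (-not (Test-Path $keyPath)) { Write-Host "$keyPath : key not present"; continue }

    $current = (Get-ItemProperty -Path $keyPath).'(default)'
    if ([string]::IsNullOrEmpty($current)) {
        Write-Host "$keyPath : cleared, workaround in place"
        continue
    }
    # Anything other than the stock CLSID is worth a look: the handler is a DLL the shell will load.
    $kind = if ($current -eq $ShellShortcutHandler) { 'stock shell handler' } else { 'non-standard handler, investigate' }
    Write-Host "$keyPath : $current ($kind), workaround NOT in place"

    if ($Apply) {
        Add-Content -Path $BackupPath -Value "$keyPath`t$current"   # keep the old value for rollback
        Remove-ItemProperty -Path $keyPath -Name '(default)'
        Write-Host '  cleared; restart explorer.exe or log off for the change to take effect'
    }
}

# Get-Service on PowerShell 2.0 has no start-type property, so read the start mode through WMI.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Host "WebClient service: $($svc.Status), start mode $startMode"
    if ($Apply -and ($svc.Status -ne 'Stopped' -or $startMode -ne 'Disabled')) {
        Set-Service -Name WebClient -StartupType Disabled
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Write-Host '  WebClient disabled and stopped'
    }
} else {
    Write-Host 'WebClient service not present'
}
```

To roll back after patching, restore the saved (Default) value from the backup file with Set-ItemProperty and set the WebClient service back to Manual. The backup matters because the cleared handler is all that keeps Explorer from rendering shortcut icons, and the stock CLSID is the only value the script knows to expect.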
<p><p>
The advisory does not list Windows XP SP2, or Windows 2000 for that matter, as being affected, because Microsoft just ended support for both Operating Systems last Tuesday. However we assume the attack works against both of them and attackers will surely take advantage of this security hole. We recommend upgrading your existing Windows XP SP2 installations to SP3 as soon as possible to be able to install the security update for this issue once Microsoft publishes it. Windows 2000 users face a bigger hurdle and they need to upgrade to an entirely new Operating System.


]]>
        
    </content>
</entry>

<entry>
    <title>More on July&apos;s Patch Tuesday...</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/07/more-on-julys-patch-tuesday-1.html" />
    <id>tag:laws.qualys.com,2010://4.301</id>

    <published>2010-07-14T01:03:24Z</published>
    <updated>2010-07-14T01:07:47Z</updated>

    <summary></summary>
    <author>
        <name>Qualys, Inc.</name>
        <uri>http://www.qualys.com</uri>
    </author>
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[<object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/Fviwf2GvzjM&amp;hl=en_US&amp;fs=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/Fviwf2GvzjM&amp;hl=en_US&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object><br /><br />
<a href="http://www.youtube.com/watch?v=Fviwf2GvzjM">http://www.youtube.com/watch?v=Fviwf2GvzjM</a>]]>
        
    </content>
</entry>

<entry>
    <title>MSFT July Patch Tuesday Retires Windows XP SP2 and 2000</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/07/msft-july-patch-tuesday-retire.html" />
    <id>tag:laws.qualys.com,2010://4.300</id>

    <published>2010-07-13T17:09:02Z</published>
    <updated>2010-07-15T15:19:43Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[Microsoft's <a href="http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx">July update</a> is a small step for security updates, but a huge leap for enterprise security. Windows 2000 and Windows XP SP2 are being retired from official support today and will not receive security updates anymore. Our own internal <a href="http://laws.qualys.com/2010/05/end-of-life-for-windows-xp-sp.html">statistics</a> indicate that approximately 50% of Windows XP machines are still at the SP2 level, and <a href="http://www.softchoice.com/about/press/article.aspx?y=2010&id=25">external surveys</a> put the number of organizations that still depend on SP2 at 77%.

This month there are four bulletins, two for security flaws in Windows and two for Microsoft Office. We rank MS10-042 as the most urgent update: It covers Windows XP (both SP2 and SP3) and Windows 2003 and addresses the Windows Help and Support Center vulnerability published by Tavis Ormandy in a much discussed <a href="http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx">full disclosure move</a>. Microsoft showed a quick turnaround time on this update. 
<p><p>
Next on our list is MS10-045, because it undermines the security model of attachments in Microsoft Outlook. Microsoft classified the vulnerability only as "important", but it allows an attacker to camouflage malicious files as a safe file type, for example to pass off an executable as a simple text file. All versions of Outlook are affected except the newest, Outlook 2010. The second Microsoft Office update, MS10-044, fixes a vulnerability in a Microsoft Access ActiveX component; it is rated critical and should be treated as a priority as well.
<p><p>
Last on our list is MS10-043, a vulnerability in the CDD display driver for Windows 7 and Windows 2008R2. It is ranked critical, but there are a number of mitigating factors; it is only applicable to 64 bit versions and requires a fairly high display resolution. The priority of the update depends on your environment.
]]>
        
    </content>
</entry>

<entry>
    <title>MSFT July Patch Tuesday Will Address 0-Days</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/07/msft-july-patch-tuesday-will-a.html" />
    <id>tag:laws.qualys.com,2010://4.298</id>

    <published>2010-07-08T18:28:05Z</published>
    <updated>2010-07-17T22:50:44Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="microosoft0dayinternetexploreroffice" label="Microsoft 0-day Internet Explorer Office" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[Microsoft's July update is small - four bulletins in total, two of them addressing security flaws in Windows and two for Microsoft Office. Both Windows bulletins have a maximum rating of critical and both address previously disclosed vulnerabilities. The first one is for Windows XP and 2003 and fixes the Windows Help and Support Center vulnerability published by Tavis Ormandy in a much discussed <a href="http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx">full disclosure move</a>. Microsoft showed some impressive turnaround time on that patch. The second bulletin fixes a problem in the AERO display driver component for Windows 7 and Windows Server 2008 R2, which was disclosed publicly earlier in <a href="http://threatpost.com/en_us/blogs/windows-7-hit-display-driver-security-hole-051810">May</a>.
<br /><br />
The two remaining bulletins, one ranked critical and one important, are for Microsoft Office, and all versions but the new Office 2010 are affected, including Office XP, Office 2003 and Office 2007.
<br /><br />
July also marks the end of support for two important Microsoft operating systems, Windows XP SP2 and Windows 2000. Windows XP SP2 users are advised to upgrade to SP3, which will be supported throughout 2014. Windows 2000 users need to upgrade to a different version of the operating system altogether, as the entire Windows 2000 line is discontinued.
<br /><br />
References:
<ul>
<li><a href="http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx">Microsoft Security Bulletin</a></li>
<li><a href="http://www.qualys.com/research/alerts/view.php/2010-07-13">Qualys Security Alert</a></li>
</ul>]]>
        
    </content>
</entry>

<entry>
    <title>Adobe Reader 0-day patch released - Update2</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/06/adobe-reader-0-day-patched-rel.html" />
    <id>tag:laws.qualys.com,2010://4.297</id>

    <published>2010-06-30T20:34:14Z</published>
    <updated>2010-07-06T19:41:41Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="adobe0daylaunchpdf" label="adobe 0-day launch pdf" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[<b>Update:</b><br><ul>
<li>The "Launch" vulnerability still seems to be attackable according to some <a href="http://blog.bkis.com/en/adobe-fix-still-allows-escape-from-pdf/">recent blog posts</a> by <a href="http://twitter.com/daveaitel/status/17489820114">security researchers</a>.</li>
<li>Didier Stevens publishes a work-around for the new attack in this <a href="http://blog.didierstevens.com/2010/07/04/quickpost-preventing-the-launch-action-cmd-exe-bypass/">blog post</a>.</li>
</ul>

<b>Original:</b><br> 
Yesterday Adobe <a href="http://www.adobe.com/support/security/bulletins/apsb10-15.html">released</a> its quarterly security update for Adobe Reader and Adobe Acrobat. Adobe brought the release forward by 2 weeks because some of the vulnerabilities addressed are currently being exploited in the wild. The release fixes the <a href="http://laws.qualys.com/2010/06/adobe-flash-and-reader-0-day.html">zero-day vulnerability</a> in the embedded Flash player that Adobe ships within the Reader product and addresses 15 other vulnerabilities.
<br><br>
The new Adobe Reader also improves the treatment for the high profile <a href="http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf">"Launch" vulnerability</a> and introduces changes and default settings that neuter that attack.
<br><br>
All Adobe users should update immediately because exploits for the vulnerability have been reported by many industry sources. 
<br><br>

References:
<ul>
<li><a href="http://blogs.adobe.com/psirt/">Adobe PSIRT blog</a> entry</li>
<li><a href="http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/">Didier Stevens blog</a> with screen shots of the launch vulnerability</li>
</ul>]]>
        
    </content>
</entry>

<entry>
    <title>New 0-day for Windows XP/2003 - Update2</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/2010/06/new-0-day-for-windows-xp2003--.html" />
    <id>tag:laws.qualys.com,2010://4.293</id>

    <published>2010-06-15T23:18:25Z</published>
    <updated>2010-06-15T23:30:56Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="tavisormandy0day" label="Tavis Ormandy 0-day" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/">
        <![CDATA[<b>Update:</b>
<ul>
<li>Microsoft <a href="http://www.microsoft.com/technet/security/advisory/2219475.mspx">warns of</a> limited, targeted exploits in the wild.</li>
<li><a href="http://twitter.com/wkandek/status/16243515566">Windows 2003 Server</a> is not affected.</li>
<li><a href="http://secunia.com/blog/103/">Secunia dissects</a> the Hotfix (not the workaround).</li>
</ul>
<b>Original:</b>
<p>
Earlier today Tavis Ormandy <a href="http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY">released</a> an
advisory disclosing a new vulnerability in Windows XP and Windows 2003.
The vulnerability is in the Windows Help and Support Center component and is accessed through the protocol handler "hcp://".
It can be triggered through all major browsers, but as Tavis points out, it is easier to exploit under IE7. Tavis provides sample exploit code for both IE8 and IE7 in the advisory.
<br /><br />
As a work-around for the vulnerability, it is possible to de-register the HCP protocol on the target machine:
</p><ol>
<li>From the Start Menu, select Run
</li><li>Type regedit then click OK (The registry editor program launches)
</li><li>Expand HKEY_CLASSES_ROOT and highlight the HCP key
</li><li>Right mouse click on the HCP key, and select Delete
</li></ol>
This workaround disables all local help links that use hcp://, legitimate ones included; for example, links in the Control Panel may no longer function. For more details on the workaround consult <a href="http://www.microsoft.com/technet/security/bulletin/ms03-044.mspx">MS03-044</a>, which lists the above instructions for an older vulnerability in the Help system.
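The same workaround, scripted so it can be rolled out and later reversed, as an added example that is not part of the original post or of Microsoft's guidance. It assumes an elevated PowerShell session with reg.exe available; the function names and the backup path are my own choices.

```powershell
# Added example: script the hcp:// protocol-handler workaround described above.
# Assumes an elevated PowerShell session on the affected machine with reg.exe available.
# Deleting HKEY_CLASSES_ROOT\HCP disables every hcp:// link, legitimate ones included,
# so the key is exported first so it can be restored once the vendor fix is installed.

$hcpKey    = 'HKEY_CLASSES_ROOT\HCP'
$backupDir = Join-Path $env:SystemDrive 'hcp-backup'      # constructed path, adjust as needed
$backup    = Join-Path $backupDir 'HCP-key-backup.reg'

function Test-HcpHandler {
    # Returns $true while the hcp:// protocol handler is still registered.
    return Test-Path "Registry::$hcpKey"
}

function Backup-HcpHandler {
    if (-not (Test-Path $backupDir)) {
        New-Item -ItemType Directory -Path $backupDir | Out-Null
    }
    # reg.exe export writes a .reg file that 'reg.exe import' restores verbatim.
    & reg.exe export $hcpKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $hcpKey failed; aborting before deleting anything."
    }
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandler)) {
        Write-Host "$hcpKey not present; nothing to do."
        return
    }
    Backup-HcpHandler
    Remove-Item -Path "Registry::$hcpKey" -Recurse -Force
    if (Test-HcpHandler) {
        throw "$hcpKey is still present after removal; check permissions."
    }
    Write-Host "Removed $hcpKey (backup at $backup). hcp:// links will no longer resolve."
}

function Restore-HcpHandler {
    # Re-registers the handler from the backup, e.g. after the patch has been applied.
    & reg.exe import $backup
    if ($LASTEXITCODE -ne 0) { throw "Restore from $backup failed." }
}

Disable-HcpHandler
```

Run `Restore-HcpHandler` from the same session (or import the .reg file by hand) to undo the change after patching.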
<br /><br />
Tavis' decision to use full disclosure for this vulnerability will certainly revive the discussions around full vs. responsible disclosure. Tavis provides some comments regarding that discussion and includes references to <a href="http://www.schneier.com/essay-146.html">articles</a> by Bruce Schneier exploring the matter.
<br /><br />
We are working on testing the exploit and will update this post when new developments occur.
<br><br>
Updates:
<ul>
<li><a href="http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx">Microsoft MSRC comment on disclosure</a></li>
<li><a href="http://www.microsoft.com/technet/security/advisory/2219475.mspx">Microsoft Advisory KB2219475</a></li>
</ul>
]]>
        
    </content>
</entry>

</feed>
