Security News and Best Practices for corporate and home users
June 2006 - Posts
-
Users should always be careful about opening files or URLs received through instant messaging. This new IM threat disguises itself as the Windows Genuine Advantage (WGA) component Microsoft uses to verify that a Windows installation has a valid license key.
Cuebot-K IM Worm - Hides as a Windows Genuine Advantage (WGA) Service http://secunia.com/virus_information/30450/cuebot-k/ http://www.sophos.com/security/analyses/w32cuebotk.html
W32/Cuebot-K is an instant messaging worm and backdoor for the Windows platform. W32/Cuebot-K spreads via AOL Instant Messenger. The file wgavn.exe is registered as a new system driver service named "wgavn", with a display name of "Windows Genuine Advantage Validation Notification" and a startup type of automatic, so that it is started automatically during system startup.
-
It's important to stay up-to-date on all software products. New vulnerabilities were recently disclosed in OpenOffice.org 2.0.x, and all users should move to the latest release.
New Open Office Vulnerabilities - Security release v2.0.3 available http://www.incidents.org/diary.php?storyid=1454 http://www.openoffice.org/security/bulletin-20060629.html
Security Bulletin 2006-06-29 -- OpenOffice.org 2.0.3 fixes three security vulnerabilities that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.
-
According to media reports, the laptop was stolen from the home, sold for $100, and had not been booted up beyond the password prompt (as it was password protected under XP or 2000). Thankfully, this appears to be more of a random burglary than someone looking to conduct identity theft on a massive scale.
Still, when we put on our security hats, we know that much more could be possible. A Windows logon password does not protect the data itself: the drive can be pulled and read from another system, so a password prompt that was never passed says little unless the disk was encrypted. Let's hope for a good outcome on this.
Stolen Laptop with Info on 26 Million Veterans Recovered http://www.gcn.com/online/vol1_no1/41204-1.html
QUOTE: The Veterans Affairs Department said today that law enforcement officials had recovered the stolen laptop containing the personal data of more than 26 million veterans, and that initially it looks as though the data has not been accessed
The FBI said in a statement that a preliminary review of the equipment by the computer forensics team has determined that the database remains intact and has not been accessed since the laptop was stolen
-
These two unpatched Internet Explorer issues are rated as a "moderate risk", and proof-of-concept exploits have been developed for both.
New IE unpatched OuterHTML and HTA vulnerabilities http://secunia.com/advisories/20825/ http://www.incidents.org/diary.php?storyid=1448 http://www.frsirt.com/english/advisories/2006/2553
1) An error in the handling of redirections can be exploited to access documents served from another web site via the "object.documentElement.outerHTML" property.
2) An error in the handling of file shares can be exploited to trick a user into executing a malicious HTA application via directory traversal attacks in the filename. Successful exploitation requires some user interaction.
The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution: 1) Disable Active Scripting support. 2) Filter Windows file sharing traffic.
ISC Testing Note: Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla Firefox.
-
Below is an updated list of recommendations, shared in the Sarbanes-Oxley forums ... To me, the cornerstones for success include: Planning, Training, and Commitment ... Wishing all those companies who must adopt these standards the utmost success.
SOME GENERAL RECOMMENDATIONS FOR SOX IMPLEMENTATION
1. Set up a Project Plan for meeting SOX compliance requirements (research and explore what is needed prior to doing anything). Good planning will pay dividends for establishing this process.
2. Get training right away. The core team and especially the leader of the process should invest a week or so in training. Consider attending a formal seminar away from work where you can focus and interact with other participants. This will create a good foundation for what's required.
3. Perform an inventory of all your IT applications. Identify all of your financial systems and look for any indirect relationships.
4. In conjunction with the inventory, examine the workflow and human factors surrounding financial processing.
5. After the inventory, perform a Risk Management study on all your financial applications (looking at the possibilities that someone could either accidentally or deliberately alter financial records).
6. Look at ways of strengthening the Financial process and implement new controls (e.g., versioning, change management, and security)
7. Evaluate random sampling controls and requirements for your financial applications to setup a testing/sampling program on controls each quarter or month, depending on the needs.
8. Evaluate the SOX 404 standards for best practices associated with IT control improvements. Set up a plan to implement and improve standards. Evaluate the COBIT 4.0 standards for IT controls over financial applications (note that COBIT 3.0 is the minimal acceptance level)
9. Work closely with both internal and external auditors and gain their approvals for the work that will be done.
10. Set up an e-Library (electronic documentation library) to include all your SOX documents, test plans, communications, etc.
11. Make sure you obtain senior management support for the process. It is an important aspect of implementing change. They must also support the additional work, human resources, and costs that will be needed to gain compliance.
12. After the initial process is implemented, continue to improve the SOX controls and keep up-to-date with changes in business and legal requirements.
-
The ISC has a good summary today of in-the-wild and proof-of-concept exploits associated with the three recently disclosed Excel-related vulnerabilities. These are not prevalent in the wild, and staying up-to-date on AV protection will help. Most importantly, avoid all untrusted documents or URLs in email.
http://www.incidents.org/diary.php?storyid=1444
QUOTE: To help clearly identify the issues, exploit code and remedy related to the recently announced Excel vulnerabilities, I offer this humble correlation. This information comes from Microsoft, Mitre, and vigilant readers sending in tips. My thanks go to all.
CVE-2006-3059 aka "Excel Repair Mode" http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B
CVE-2006-3086 aka "Long Hyperlink" http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples
CVE-2006-3014 aka "Shockwave vulnerability" Exploited by proof of concept code Flemex.A ... The workaround is a killbit
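Two of the items on this page come down to registry state: the Cuebot-K write-up earlier (a service named "wgavn" with the display name "Windows Genuine Advantage Validation Notification" and an automatic start type) and the kill-bit workaround mentioned above for the Shockwave issue. The script below is an added example, not code from the page, ISC, Sophos or Microsoft. It parses a "reg export" dump and checks both. The registry text is constructed for the demo, the CLSID is a placeholder (the real Shockwave control's CLSID is not given on this page), and the kill-bit location and value (Compatibility Flags = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) are the standard Microsoft mechanism.

```python
"""Audit a Windows registry export (.reg text) for two indicators from this
page: a service named "wgavn" posing as the WGA notification component
(Cuebot-K), and whether an ActiveX control's kill bit is set.

Added example; not code from the page, ISC, Sophos or Microsoft.
SAMPLE_REG is a constructed `reg export` dump; PLACEHOLDER_CLSID is a
made-up CLSID, not the real Shockwave control's.
"""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
SERVICE_KERNEL_DRIVER = 0x1   # "Type" value for a driver service
SERVICE_AUTO_START = 0x2      # "Start" value for automatic start
KILLBIT = 0x400               # Compatibility Flags bit that stops IE loading the control
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"  # hypothetical

# Constructed sample; the wgavn entry mirrors the Sophos description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn]
"Type"=dword:00000001
"Start"=dword:00000002
"DisplayName"="Windows Genuine Advantage Validation Notification"
"ImagePath"="C:\\WINDOWS\\system32\\wgavn.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000020
"Start"=dword:00000002
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400
"""

VALUE_RE = re.compile(r'^"(.+?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; handles dword and plain strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, text_value = m.groups()
            if dword is not None:
                keys[current][name] = int(dword, 16)
            else:  # .reg escapes backslashes and quotes inside strings
                keys[current][name] = text_value.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def find_fake_wga_services(keys):
    """Flag services matching the Cuebot-K indicators: service name wgavn,
    a display name claiming to be WGA validation, or a wgavn.exe binary.
    A match is a lead to investigate, not proof by itself."""
    hits = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_ROOT + "\\"):
            continue
        name = path.rsplit("\\", 1)[1]
        display = values.get("DisplayName", "")
        image = values.get("ImagePath", "")
        reasons = []
        if name.lower() == "wgavn":
            reasons.append("service name is wgavn")
        if "genuine advantage" in display.lower():
            reasons.append("display name claims to be WGA")
        if image.lower().endswith("wgavn.exe"):
            reasons.append("binary is wgavn.exe")
        if reasons:
            hits.append({
                "service": name,
                "image_path": image,
                "auto_start": values.get("Start") == SERVICE_AUTO_START,
                "kernel_driver": values.get("Type") == SERVICE_KERNEL_DRIVER,
                "reasons": reasons,
            })
    return hits


def killbit_set(keys, clsid):
    """True if IE will refuse to instantiate the control with this CLSID."""
    values = keys.get(ACTIVEX_COMPAT + "\\" + clsid, {})
    return bool(values.get("Compatibility Flags", 0) & KILLBIT)


def killbit_reg_fragment(clsid):
    """The .reg text that sets the kill bit for `clsid` (import with regedit)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{ACTIVEX_COMPAT}\\{clsid}]\r\n"
            '"Compatibility Flags"=dword:00000400\r\n')


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for hit in find_fake_wga_services(keys):
        print("suspicious service:", hit)
    print("kill bit set for placeholder CLSID:", killbit_set(keys, PLACEHOLDER_CLSID))
```

To use it on a real machine, export the two hives with "reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg" and "reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg" and feed the file contents to parse_reg; note that reg export writes UTF-16 text, so open the files with encoding="utf-16". The service check is deliberately loose: a legitimate Microsoft component will not be named wgavn.exe, but a display name alone is only a reason to look at the binary, not a verdict.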
-
FrSIRT noted developments for MS06-025 and revised their status from "Green" to "Yellow" overnight. The MS06-025 exploit primarily impacts Windows 2000 users, not XP SP2 users. Hopefully, the in-the-wild attacks FrSIRT anticipates will not materialize now that the exploit code has been publicly released.
Everyone should be on the latest security patches (MS06-025 is already fixed) and continue to avoid untrusted Excel documents until Microsoft patches the Excel vulnerability.
Microsoft Windows Exploits Out - FrSIRT CTL™ Raised to Level 2 http://www.frsirt.com/english/threats/
Microsoft Windows Routing and Remote Access Code Execution Issues (MS06-025) http://www.frsirt.com/english/advisories/2006/2323
Quote: Two remote code execution exploits that take advantage of vulnerabilities affecting Windows have been publicly released.
The first code targets a critical Windows Remote Access Connection Manager vulnerability (MS06-025) addressed last week. Microsoft Windows 2000 systems are primarily at risk from this exploit.
The second code exploits the recently disclosed Windows / Excel memory corruption (0day) and opens a command shell on port 4444 when a specially crafted link is clicked.
FrSIRT Current Threat Level has been raised to ELEVATED (Level 2/4) ... We should expect to see active exploitation of these vulnerabilities in the wild within a few hours. Published : 2006.06.22 - 11:12:55 UTC
-
This new threat uses advanced techniques to hide its presence on an infected system.
Mailbot.AZ - manipulates NTFS ADS and includes kernel mode root kit http://www.f-secure.com/weblog/archives/archive-062006.html#00000907
QUOTE:
Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single component lying on the disk, and that is a kernel-mode driver. It's stored as hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one.
We've just released a new version of our BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.
Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named "services.exe". The payload is a Spamtool with backdoor capabilities
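As an added example (not F-Secure's code or anything from the post above), here is a check for the hiding technique the post describes: a data stream attached to a directory. It parses the output of "dir /r" (available on Windows Vista and later; on XP-era systems Sysinternals' streams.exe reports the same information in a different layout) and flags any non-standard stream, with streams attached to directories rated highest. The listing is constructed for the demo and uses a made-up stream name, and the date regex assumes a US-locale layout. The caveat is the one the post itself makes: a kernel-mode rootkit can hide the stream from any listing taken on the running system, so a clean result only means something when the listing comes from an offline boot or a clean system reading the disk.

```python
"""Find NTFS alternate data streams (ADS) in `dir /r` output and flag the
ones a Mailbot.AZ-style rootkit would use: a data stream attached to a
directory rather than a file.

Added example; not from F-Secure or the original post. SAMPLE_DIR_R is a
constructed listing (the stream name 'hidden.sys' is made up), and the
date/time regex assumes a US-locale `dir` layout.
"""
import re

SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS

06/20/2006  10:00 PM    <DIR>          .
06/20/2006  10:00 PM    <DIR>          ..
06/20/2006  10:00 PM    <DIR>          system32
                                12,288 system32:hidden.sys:$DATA
06/19/2006  09:12 AM            45,056 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
06/19/2006  09:12 AM             1,024 notes.txt
               3 File(s)         46,080 bytes
"""

# "06/20/2006  10:00 PM    <DIR>          system32"  or  "...  45,056 setup.exe"
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")
# "                                12,288 system32:hidden.sys:$DATA"
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+([^:]+):([^:]+):\$DATA\s*$")

# Streams Windows itself writes: Zone.Identifier is the XP SP2 "downloaded
# from the Internet" marker and is expected on files fetched by IE/Outlook.
BENIGN_STREAMS = {"zone.identifier"}


def find_suspicious_streams(listing):
    """Return one dict per non-benign stream. `on_directory` is the signal
    that matters here: a data stream hanging off a folder has no normal use."""
    is_dir = {}
    hits = []
    for line in listing.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            # dir /r prints an entry's streams on the lines right after it,
            # so the most recently seen entry is the stream's owner.
            is_dir[entry.group(4)] = entry.group(3) == "<DIR>"
            continue
        stream = STREAM_RE.match(line)
        if not stream:
            continue
        size = int(stream.group(1).replace(",", ""))
        owner, name = stream.group(2), stream.group(3)
        if name.lower() in BENIGN_STREAMS:
            continue
        on_dir = is_dir.get(owner, False)
        hits.append({
            "owner": owner,
            "stream": name,
            "size": size,
            "on_directory": on_dir,
            "severity": "high" if on_dir else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_streams(SAMPLE_DIR_R):
        print(f"[{hit['severity']}] {hit['owner']}:{hit['stream']} "
              f"({hit['size']} bytes, directory={hit['on_directory']})")
```

Capture a whole volume with "dir /r /s C:\ > streams.txt" and pass the file contents to find_suspicious_streams. Because the owner is resolved from the entry immediately preceding each stream line, a recursive listing with the same name in several directories is handled correctly.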
-
Only trained IT professionals testing their own networks should use these tools. nmap, which the list purposely excludes, would belong on it as well. Each tool should be carefully assessed before being used in a network penetration test. Still, it is beneficial to test with some of the same tools the hacker community uses, to ensure technical defenses are in place at all points.
http://SecTools.Org/
http://www.incidents.org/diary.php?storyid=1438
-
I've been using Opera as one of my complementary browsers for a number of years. They have enjoyed a good security track record with a state-of-the-art browser that offers excellent imaging capabilities. However, one day after the release, a new proof-of-concept vulnerability has surfaced which can trigger a denial of service attack (i.e., this is a minor security risk where the browser might hang for an extraordinary length of time). Thankfully, this risk is not in the wild, and most likely Opera 9.01 will be released in the near future.
Opera 9 - New Denial of Service POC vulnerability http://www.incidents.org/diary.php?storyid=1436
QUOTE: Well, it didn't take long. Yesterday, Opera 9 came out, today there is a proof of concept for a long href denial of service exploit. No word on when a patch will be available
-

http://www.opera.com/index.dml http://www.opera.com/pressreleases/en/2006/06/20/ http://www.opera.com/download/
QUOTE: Opera Software today released Opera 9, its newest Web browser for PCs. You can download it free in more than 25 languages for Windows, Mac, Linux and other platforms from www.opera.com. Opera 9 enhances the way you access, share and use online content by including innovative widgets - fun, small and useful Web programs - and support for BitTorrent™, the popular file distribution technology. Even while adding these improvements, Opera 9 maintains the security and speed millions of Opera fans have come to expect.
Secure browsing is still the single most important attribute of any Web browser. Opera has a long track record of keeping you safe while online. By introducing the security bar to prevent scams like phishing and strengthening Opera 9's pop-up blocker to weed out annoying or potentially malicious pop-ups, Opera gives you new options for safe browsing.
-
A new vulnerability has surfaced with a proof-of-concept exploit. So far, there are no documented reports of it being exploited in the wild. Users should remain cautious with untrusted email attachments, in case this is spammed by email later. Microsoft is working on patches for Excel, as noted in its blog entries.
Microsoft Information http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Microsoft Office Long Link Buffer Overflow Vulnerability http://secunia.com/advisories/20748/ http://www.frsirt.com/english/advisories/2006/2431
QUOTE: The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document. The vulnerability has been confirmed in Microsoft Excel 2003 SP2 (fully updated). Other versions and Office products may also be affected.
-
This new virus is not widespread in the wild and all .NET users should stay up-to-date on virus protection.
http://secunia.com/virus_information/30015/msil.kolilo/
MSIL.Kolilo is a polymorphic virus that infects .exe files under the Microsoft .NET Framework. This virus only executes on systems where Microsoft .NET framework is installed. The said installation is a component of the Windows operating system used to manage and provide pre-coded requirements to programs made specifically for the Windows platform.
-
It's important to avoid all suspicious email messages, as a new virus has appeared that uses the World Cup Soccer tournament as its social engineering lure.
Sixem email virus - World Cup Soccer theme http://secunia.com/virus_information/30033/sixem.a
W32.Sixem.A@mm is a mass-mailing worm that sends email messages regarding the World Cup.
-
So far, results have been good for the large number of security updates. MS06-025 may impact some users who are using older connectivity software as noted in the links below.
MS06-025 Security Patch - May impact dial up scripting http://www.incidents.org/diary.php?storyid=1423 http://blogs.technet.com/msrc/archive/2006/06/17/436882.aspx http://support.microsoft.com/kb/911280
QUOTE: So far there’ve been no issues with a vast majority of the updates, but one issue we are tracking has to do with MS06-025, very specifically related to dial up users that use dial up scripting, a very old piece of functionality not widely in use anymore. (Users using dial up for Internet or Remote Access Services who do not use dial-up scripting or terminal windows are unaffected.)
-

Windows XP SP1 will no longer be supported by Microsoft after October 10, 2006. It is important to move to Service Pack 2 which can be downloaded from Microsoft's web site. Dial up users can obtain the CD by ordering it from Microsoft. While the CD is free, there is a shipping & handling charge.
IT Professionals should help friends and family who may not be aware of this deadline move to this more secure version of Windows.
Order Windows XP Service Pack 2 on CD
QUOTE: Thank you for your interest in the Windows XP Service Pack 2 CD. This CD includes the same Service Pack 2 software that is available for download from Microsoft Update.
Note: A shipping and handling charge will be assessed on your order.
Share This CD with a Friend -- After you have installed Service Pack 2, Microsoft encourages you to give this CD to a friend or family member using Windows XP.