On the same day that Microsoft patched a slew of vulnerabilities in Office and other products, including Internet Explorer, the tubes were abuzz yesterday with news of a new exploit for IE 7 that was being used against fully patched Windows XP and Windows 2003 systems. Early reports of the attack said that it was affecting mainly users in China and other Asian countries. But there are now reports of it moving into other areas as well, and it’s likely to spread quickly.
The attack is related to the way in which IE handles XML. Microsoft is investigating the issue right now. From the excellent analysis of the attack and exploit by H.D. Moore:
The exploit can be broken down into three parts. The first part is a set of three functions used by the exploit. The first function provides the equivalent of a sleep() call, the second sprays a string into the process heap using a common technique, the third returns a string of a specific size and is used by the heap spray code. The second part of this exploit is the shellcode. Without getting into too much detail, this shellcode downloads the real payload – a Windows executable. The third part is the actual vulnerability trigger.
Exploiting this flaw relies on two core requirements: being able to force the instruction pointer to the location of the shellcode and being able to execute the shellcode once the instruction pointer has been set. The first requirement boils down to being able to allocate memory at a known location with arbitrary contents. If it is possible to control the exact location where memory is allocated, a large buffer that doubles as a nop sled is no longer necessary. The second requirement depends on the operating system, configuration, and hardware of the target system. Many of the articles that discuss browser exploits recommend that users enable Data Execution Prevention (DEP). This setting essentially breaks common heap overflow techniques by preventing shellcode from executing in memory regions that are considered “data,” such as the Internet Explorer heap. Unfortunately, DEP is not enabled in Internet Explorer 6 or 7, so unless DEP is manually enabled, it does the target little good.
Microsoft has shown a willingness recently to issue emergency out-of-band patches for critical vulnerabilities, but it likely will be several days at least before we know whether that’s going to happen.
Google has been working on a new technology that is designed to help developers create more secure and interesting Web applications that can run on any platform. Known as Native Client, the technology is still in the development stages, but Google is now making it available to developers and security specialists in the hopes that they’ll kick some holes in it and help make it more useful.
Our approach is built around a software containment system called the inner-sandbox that is designed to prevent unintended interactions between a native code module and the host system. The inner-sandbox uses static analysis to detect security defects in untrusted x86 code. Previously, such analysis has been challenging due to such practices as self-modifying code and overlapping instructions. In our work, we disallow such practices through a set of alignment and structural rules that, when observed, enable the native code module to be disassembled reliably and all reachable instructions to be identified during disassembly. With reliable disassembly as a tool, it’s then feasible for the validator to determine whether the executable includes unsafe x86 instructions. For example, the validator can determine whether the executable includes instructions that directly invoke the operating system that could read or write files or subvert the containment system itself.
Interesting approach from Google. One thing that’s important to note here is that Google obviously isn’t doing this out of the goodness of their hearts. Just as Microsoft for years has focused its efforts on getting as many developers as possible working on Windows-compatible projects, Google is interested in Web developers writing browser- and OS-independent applications. Google has its own browser now in Chrome, and while it doesn’t yet have an OS in the wild, it has just about everything else, including persistent rumors of an OS in the works.
So there’s motivation aplenty here and Google continues to do pretty well on the transparency scale. But there’s certainly a number of other security issues facing the company. Malicious search results continue to be a major problem, as does click fraud. But those aren’t solely Google’s problems either.
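To make the inner-sandbox idea from Google's description concrete, here is an added toy validator in Python. It is not Google's code and not the real Native Client validator: it models only a tiny, assumed subset of x86 opcodes, an assumed 32-byte bundle size, and three of the rules the passage describes. A linear-sweep disassembly records every instruction start; an instruction may not straddle a bundle boundary; direct jumps must land on a start the sweep found (which rules out the overlapping-instruction trick); and opcodes that enter the OS directly are rejected. The sample modules are constructed for the example.

```python
"""
Toy model of a Native-Client-style validator (added example, not NaCl's code).
Assumptions: a hand-picked subset of x86 opcodes, a 32-byte bundle, and the
three rules below. Real validators cover the full instruction set.
"""

BUNDLE = 32  # assumed bundle size for this toy

# First byte -> (mnemonic, total instruction length) for the modelled subset.
# Anything not listed is rejected as unknown, the safe default for a validator.
ONE_BYTE = {
    0x90: ("nop", 1),
    0xC3: ("ret", 1),
    0xCC: ("int3", 1),
    0xF4: ("hlt", 1),
    0xCD: ("int", 2),           # int imm8: direct interrupt/OS entry
    0xEB: ("jmp8", 2),          # jmp rel8
    0xE9: ("jmp32", 5),         # jmp rel32
    0xB8: ("mov_eax_imm32", 5),
    0x6A: ("push_imm8", 2),
}
TWO_BYTE = {                    # opcodes prefixed by 0x0F
    0x05: ("syscall", 2),
    0x34: ("sysenter", 2),
}
FORBIDDEN = {"int", "syscall", "sysenter", "hlt"}  # instructions that reach the OS or halt


def decode(code, off):
    """Return (mnemonic, length) for the instruction at `off`, or None if unmodelled."""
    b = code[off]
    if b == 0x0F:
        if off + 1 < len(code) and code[off + 1] in TWO_BYTE:
            return TWO_BYTE[code[off + 1]]
        return None
    if 0x50 <= b <= 0x57:
        return ("push_reg", 1)
    if 0x58 <= b <= 0x5F:
        return ("pop_reg", 1)
    return ONE_BYTE.get(b)


def validate(code):
    """Linear-sweep the module and return (ok, list_of_problems)."""
    problems, starts, jumps = [], set(), []
    off = 0
    while off < len(code):
        ins = decode(code, off)
        if ins is None:
            problems.append(f"{off:#06x}: unknown opcode {code[off]:#04x}; cannot disassemble reliably")
            return False, problems
        mnem, length = ins
        if off + length > len(code):
            problems.append(f"{off:#06x}: {mnem} runs past the end of the module")
            return False, problems
        starts.add(off)
        # Structural rule: an instruction may not cross a bundle boundary.
        if off // BUNDLE != (off + length - 1) // BUNDLE:
            problems.append(f"{off:#06x}: {mnem} crosses a {BUNDLE}-byte bundle boundary")
        if mnem in FORBIDDEN:
            problems.append(f"{off:#06x}: {mnem} would invoke the OS directly")
        # Record direct jump targets; they are checked once the sweep is complete.
        if mnem == "jmp8":
            jumps.append((off, off + length + int.from_bytes(code[off + 1:off + 2], "little", signed=True)))
        elif mnem == "jmp32":
            jumps.append((off, off + length + int.from_bytes(code[off + 1:off + 5], "little", signed=True)))
        off += length
    # Control-flow rule: every jump must land on an instruction start the sweep saw.
    for src, tgt in jumps:
        if tgt not in starts:
            problems.append(f"{src:#06x}: jump target {tgt:#06x} is not an instruction start seen by the sweep")
    return not problems, problems


# Constructed sample modules for the example.
SAMPLE_OK = bytes([0x90, 0xB8, 1, 0, 0, 0, 0x6A, 5, 0x58, 0xC3])          # nop; mov eax,1; push 5; pop eax; ret
SAMPLE_INT80 = bytes([0xB8, 1, 0, 0, 0, 0xCD, 0x80, 0xC3])                # mov eax,1; int 0x80; ret
SAMPLE_OVERLAP = bytes([0xEB, 0x03, 0xB8, 0x90, 0x90, 0xCD, 0x80, 0xC3])  # jmp into the middle of the mov
SAMPLE_STRADDLE = b"\x90" * 31 + bytes([0xB8, 0, 0, 0, 0, 0xC3])          # mov starts at 31, crosses 32

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("int80", SAMPLE_INT80),
                       ("overlap", SAMPLE_OVERLAP), ("straddle", SAMPLE_STRADDLE)]:
        ok, probs = validate(blob)
        print(name, "ACCEPT" if ok else "REJECT", *probs, sep="\n  ")
```

The overlap sample is the case the passage alludes to: a linear sweep sees a harmless `mov`, but a jump into its immediate bytes would execute an `int 0x80` hidden inside it. Requiring jump targets to be sweep-discovered instruction starts is what lets the validator trust the disassembly it checks.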
After being criticized for years for being completely opaque and obtuse about virtually everything that goes on inside the walls in Redmond, Microsoft has swung pretty far in the other direction lately, at least when the topic is security. The company has been very open about the processes and tools that it has used in its Trustworthy Computing effort, to the point of releasing books on its software security practices and inviting outside experts in for its semi-annual Blue Hat confabs. Microsoft’s latest effort in this long, drum-banging, kimono-opening, insert-evangelism-cliche-here process is a series of videos recorded during the invitation-only Blue Hat meetings. The company has posted a number of them on its TechNet site, including a video on Microsoft’s threat-modeling process, starring Adam Shostack.
The video, which also includes a segment with Danny Dhillon, a senior security consultant at EMC, explaining the company’s threat-modeling program, has a pretty good, if quick, overview of Microsoft’s program. Shostack spends much of his time in the video comparing Microsoft’s and EMC’s programs, which he says are “remarkably similar.” The companies have different terminologies and structures, but the basic ideas and goals are the same. The great thing about this video, as well as the others Microsoft has posted, and the other assorted content it’s been churning out related to its SDL and other processes, is that it can serve as a nice, free education for developers. For the vast majority of development organizations without the resources that Microsoft has, this content can be a great foundation for further investigation. Think of it as the technical equivalent of those free online courses from MIT.
Video of the rest of the sessions from the fall Blue Hat meetings are online as well, so take advantage of Microsoft’s legwork and largess and feed your mind.
VMware on Wednesday issued two security advisories, including one that fixes a critical memory corruption vulnerability that affects a wide range of the company’s products. The memory corruption vulnerability allows an attacker to send a malicious request from a guest operating system to the virtual hardware on a vulnerable machine, which could give the attacker the ability to write to uncontrolled physical memory, according to VMware’s advisory. The flaw affects ESX, ESXi, Fusion, ACE, Player, Workstation and VirtualCenter.
The second update VMware issued is a new version of the service console package bzip2. In vulnerable implementations, the flaw can cause applications to crash when they’re decompressing malformed archives. This problem affects several versions of ESX, the company said.
After a few delays, ICANN has officially transferred all of the domains that formerly belonged to registrar EstDomains to another registrar in response to EstDomains’ president being convicted of several crimes earlier this year. ICANN, which governs the use of top-level domains and accredits domain registrars, said it is transferring the domains that had belonged to EstDomains over to Directi Internet Solutions. The action comes more than a month after ICANN originally notified EstDomains of its decision to de-accredit the registrar, which is based in Estonia. The company has been linked to a number of malware distributors and has been a target of security researchers and antispam activists for years.
EstDomains was informed on 28 October 2008 that ICANN was terminating the company’s accreditation due to its president’s conviction for credit card fraud, money laundering and document forgery. ICANN stayed that termination following correspondence with EstDomains. However, after further investigation, ICANN decided to go ahead with the termination, effective yesterday, 24 November 2008.
In accordance with the De-Accredited Registrar Transition Procedure, ICANN put out a request for statements of interest from registrars interested in receiving a bulk transfer of the names formerly managed by EstDomains.
As part of that procedure, EstDomains is permitted to designate a gaining registrar. It chose to use that option and identified ICANN-accredited registrar Directi. ICANN reviewed that request and approved it.
Earlier this year, Directi was implicated as helping to control EstDomains, but that report was later dismissed, and Directi and the group that put out the report, HostExploit, have been collaborating on actions to try to stop domain registry abuse.
More than a month after releasing an emergency patch for the MS08-067 RPC vulnerability, Microsoft on Tuesday warned that it is seeing increased levels of attack activity against the flaw. The company said there is a new worm, being called Win32/Conficker.A, which is exploiting the RPC flaw and spreading in both enterprises and in home-user environments. Conficker opens a random TCP port between 1024 and 10000 and then starts exploiting the MS08-067 vulnerability on other PCs on the network.
Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a randomly named DLL. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too.
This is the second piece of automated malware that has cropped up to attack the MS08-067 weakness. In the days immediately following Microsoft’s release of the patch last month, a worm called Gimmiv appeared and began exploiting the same flaw. The level of attacks against this particular flaw isn’t surprising, given the fact that it exists in every supported version of Windows and was severe enough for Microsoft to issue one of its unusual out-of-band patches.
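The propagation pattern Microsoft describes is specific enough to look for in network logs: a host first reaches a peer over SMB (MS08-067 lives in the Server service, which is reached over SMB on TCP 445 or 139), and shortly afterwards that peer pulls a .jpg-named file over HTTP from the first host on a port in the 1024-10000 range. The following Python is an added detection sketch, not Microsoft's code; it assumes a constructed, space-separated flow-log format, a five-minute correlation window, and the sample lines are made up for the example.

```python
"""
Correlate SMB-then-HTTP-fetch pairs matching the Conficker.A propagation
pattern (added example; log format, window and sample lines are assumed).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow-log line: "<iso-timestamp> <src>:<sport> -> <dst>:<dport> <proto> [<detail>]"
LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\S+)(?: (?P<detail>.*))?"
)
SMB_PORTS = {445, 139}                 # where the MS08-067 Server-service flaw is reached
WORM_PORT_RANGE = range(1024, 10001)   # random listener range quoted above
WINDOW = timedelta(minutes=5)          # assumed: fetch must follow the SMB session within this


def parse(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def looks_like_worm_fetch(ev):
    """HTTP GET of a .jpg-named object on a non-standard port inside the worm's range."""
    return (ev["proto"] == "HTTP"
            and ev["dport"] in WORM_PORT_RANGE
            and ev["detail"] is not None
            and re.match(r"GET \S+\.jpg\b", ev["detail"], re.IGNORECASE) is not None)


def correlate(lines):
    """Return (attacker, victim, fetch_time, port) tuples where an SMB session from
    attacker to victim is followed within WINDOW by the victim fetching a .jpg over
    HTTP from the attacker on a port in 1024-10000. Lines are assumed time-ordered."""
    smb_seen = defaultdict(list)   # (attacker, victim) -> timestamps of SMB sessions
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["proto"] == "SMB" and ev["dport"] in SMB_PORTS:
            smb_seen[(ev["src"], ev["dst"])].append(ev["ts"])
        elif looks_like_worm_fetch(ev):
            attacker, victim = ev["dst"], ev["src"]
            if any(t <= ev["ts"] <= t + WINDOW for t in smb_seen[(attacker, victim)]):
                alerts.append((attacker, victim, ev["ts"], ev["dport"]))
    return alerts


# Constructed sample log: one matching pair, one normal image download on port 80,
# and one .jpg fetch far outside the correlation window.
SAMPLE_LOG = [
    "2008-11-25T10:00:01 10.0.0.5:1337 -> 10.0.0.9:445 SMB",
    "2008-11-25T10:00:04 10.0.0.9:1040 -> 10.0.0.5:7543 HTTP GET /img/a1b2c3.jpg",
    "2008-11-25T10:00:10 10.0.0.7:2001 -> 10.0.0.20:80 HTTP GET /logo.jpg",
    "2008-11-25T10:00:12 10.0.0.5:1338 -> 10.0.0.11:445 SMB",
    "2008-11-25T10:30:00 10.0.0.11:1050 -> 10.0.0.5:7543 HTTP GET /img/zz.jpg",
]

if __name__ == "__main__":
    for attacker, victim, ts, port in correlate(SAMPLE_LOG):
        print(f"{ts}: {victim} fetched a .jpg from {attacker}:{port} after an SMB session from it")
```

The last sample line is deliberately not alerted: the .jpg fetch on a high port is still worth a look on its own, but pairing it with the preceding SMB session is what separates this worm's behaviour from an ordinary image download, so a second, looser rule for unpaired high-port .jpg fetches would sit alongside this one rather than replace it.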
VMware has lost two of its key security people in the last couple of weeks: Nand Mulchandani and Alexander Sotirov. Mulchandani, the company’s top security executive, left VMware recently to take the CEO job at OpenDNS, a startup focused on providing cloud-based DNS operations and security services. Mulchandani was the co-founder and former CEO of Determina, a security startup that VMware acquired in 2007. He served as the senior director of product management and marketing at VMware and was the company’s public face on security issues. Before the Determina acquisition, VMware had been conspicuously quiet about security in general and had been taking some heat from researchers and customers on that front. After Mulchandani came on board, he made a point of talking up the security initiatives the company was working on, including its VMSafe program.
The company also lost one of its key product security experts in Sotirov, who is well known for his work with Mark Dowd on bypassing memory protection mechanisms in Windows Vista through browser exploits. Sotirov’s last day at VMware is Dec. 2. Like Mulchandani, Sotirov landed at VMware through the Determina deal, though he’s best known in the security community for his personal research on the browser exploits and other projects. Sotirov said he hasn’t decided on his next destination yet.
Microsoft’s decision this week to kill its Windows Live OneCare consumer antimalware suite has led to plenty of ruminations on the future of antivirus software and whether it is finally in its golden years. Industry analysts and security vendors have been proclaiming the death of AV for years, telling anyone who would listen that the time for reactive defenses is past. There’s no denying that AV is a product with severe inherent flaws. By design, it can only recognize and stop threats that it has seen before. Even with advanced heuristics, the best AV software can’t stop all of the new threats it sees. It just can’t. So AV has been taking criticism from all quarters for nearly a decade. When I first started covering security in 2000, every vendor I met with couldn’t wait to tell me that AV was going the way of the Newton, and soon. But, somehow, amid all the changes and chaos in the industry, AV has survived.
Why? There are probably a number of reasons, but one key contributor to this unnaturally long life is the worsening threat landscape. The volume, severity and level of innovation of attacks have shot up exponentially in the last six or seven years, leading to a corresponding spike in the volume (if not so much the innovation level) of security products on the market. Some of those products, such as IPS systems and NBAD systems, are fairly efficient at detecting and blocking new threats. But there are so many threats out there these days that systems like AV, which are highly effective at finding and stopping known attacks, are needed to keep the volume of novel, previously unseen attacks manageable.
This has helped keep antimalware suites a necessary component of virtually all enterprise security programs. But whether this will continue to be enough for much longer is unclear. Consumers likely will always need antimalware software, or at least as long as we have our current computing architecture in place. But in the enterprise world? You tell me. Any enterprises out there going commando, sans antivirus? Let me know.
Microsoft’s experiment with a paid antimalware offering is over. The company announced on Tuesday that it is killing its Windows Live OneCare offering in June 2009 in favor of a free security suite code-named “Morro.” The new offering will include the same antivirus, antispyware and other security features as OneCare does now, but will not have the other capabilities the paid product has. Morro is designed to be a strictly antimalware product and will be offered as a free download for XP, Vista and Windows 7 users in the second half of next year.
One interesting point in this is what this decision might mean for Microsoft’s Forefront Client Security offering, the company’s enterprise antimalware and security suite. I doubt that it will mean the demise of Forefront, as Microsoft has a whole lot of time, money and energy invested in the Forefront brand and its presence in the enterprise. It’s a lot easier to pull the plug on a limited consumer offering like OneCare than it is to kill a product like Forefront, which enterprises depend on to protect their critical assets. Microsoft has spent a lot of time convincing IT security staffs that their antimalware product is as good or better than McAfee’s or Symantec’s or Trend Micro’s, and they’re not about to give up that real estate anytime soon.
Within an hour of the announcement yesterday that John Thompson plans to retire as Symantec CEO next April, speculation on Thompson’s next move began in earnest. After 10 years at the reins of Symantec, Thompson, 59, is still young enough to take on another challenge if he so chooses. But he’s also wealthy enough that he never needs to work another day in his life. As he told the San Jose Mercury News in an interview yesterday, “The only thing I have in mind is a chaise lounge on the beach, and a mai tai. My personal aspirations are just to relax and spend more time with my family.”
That may be so, but plenty of other people believe that Thompson may be preparing himself for a role in Barack Obama’s administration. Thompson was a vocal supporter of Obama’s during the campaign and Obama has said that he plans to create a national CTO position once he’s in office. Sources close to me say that could be a nice fit for Thompson. In addition to his experience running Symantec and growing it from a consumer AV company to a massive enterprise security and data storage firm, Thompson spent a large chunk of his career at IBM, where he learned the Big Blue management style which has served generations of executives well. He also knows his way around Washington fairly well, having served on the National Infrastructure Advisory Committee during President Bush’s first term.
But the real question is, what’s the upside for Thompson? The national CTO job could be a good platform from which he could have a real effect on the way technology is used in this country. Thompson has plenty of allies in Silicon Valley and the wider business world and he’d be able to open some doors and potentially change what so far has been a sad record on information security inside the Beltway. But the downside is just as big. Plenty of former CEOs and executives have gone to Washington thinking they’d shake things up and make the government work for them, and it just doesn’t happen. The federal government is a unique animal that does not respond well to outsiders with their fancy “real-world experience” and “track records.” It can be a maddeningly illogical environment for a seasoned executive to work in.
But then again, Thompson has shown a willingness in the past to do the unexpected (see: Veritas acquisition), so maybe he has one more trick up his sleeve. He’s supposed to be staying at Symantec until April, and Obama would probably like to have his cabinet and senior advisers in place before that, so we’ll just have to see what the next couple of months bring.