Security Bytes:

Microsoft Security

Jan 21 2009   5:47PM GMT

Conficker, Downadup worm hype? Get the facts



Posted by: Robert Westervelt
Microsoft Security, Network Security, Information Security Threats, Platform Security


Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: Ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, consider disabling AutoPlay.

——————————————————————-
Security vendors from across the spectrum have warned that a fast-spreading worm has been successfully exploiting a hole in the Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability in that service.

The flaw was patched by Microsoft in October. The MS08-067 update was meant to stop the worm in its tracks. Many patching vendors say organizations apparently have been slow to deploy the update.

But that may not be the case. Symantec released data showing which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. It has spread in countries where software piracy is rampant, and bootlegged copies of Windows are far less likely to be receiving the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software piracy countries for years.

So first, don’t panic. If you’re running antivirus and it’s up-to-date, you’re probably fine, though antivirus alone does nothing for the unpatched hosts the worm can reach over the network, by password guessing or through removable media. Second, ensure that the MS08-067 update has been deployed. If it hasn’t been, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.
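
As an added example (not code from the original post), here is a PowerShell function that checks the two items on that checklist that can be verified mechanically on a host: whether the MS08-067 fix is installed and whether AutoRun is turned off. It assumes MS08-067 can be identified by the KB number Microsoft assigned to it, KB958644, and that AutoRun policy is read from the machine-wide NoDriveTypeAutoRun policy value; remote hosts need the Remote Registry service and WMI reachable.

```powershell
# Added example, not code from the original post. Checks whether a Windows host
# has the MS08-067 fix installed and AutoRun turned off, the two items on the
# post's checklist that can be verified mechanically.
# Assumptions of this example: MS08-067 is identified by its KB number, KB958644,
# and AutoRun policy is read from the machine-wide NoDriveTypeAutoRun value
# (0xFF = AutoRun off for every drive type).
function Test-ConfickerExposure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # 1. MS08-067 (KB958644). Get-HotFix reads Win32_QuickFixEngineering, so a
    #    host that received the fix inside a later service pack will not list
    #    the KB; treat "missing" as "verify another way", not as "vulnerable".
    $hotfix = Get-HotFix -Id 'KB958644' -ComputerName $ComputerName `
                         -ErrorAction SilentlyContinue
    $patched = ($hotfix -ne $null)

    # 2. AutoRun. Only the machine policy is checked: when it exists it takes
    #    precedence over any per-user setting. 0xFF disables AutoRun for all
    #    drive types, which is what stops the removable-media spread.
    $autoRunOff = $false
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $policy = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
        if ($policy -ne $null) {
            $autoRunOff = ($policy.GetValue('NoDriveTypeAutoRun') -eq 0xFF)
            $policy.Close()
        }
        $hklm.Close()
    } catch {
        Write-Warning "Could not read the registry on $ComputerName : $_"
    }

    New-Object PSObject -Property @{
        ComputerName     = $ComputerName
        MS08_067_Applied = $patched
        AutoRunDisabled  = $autoRunOff
        NeedsAttention   = -not ($patched -and $autoRunOff)
    }
}

# Usage: the local host, then every host named in a text file, one per line.
Test-ConfickerExposure | Format-List
# Get-Content .\hosts.txt | ForEach-Object { Test-ConfickerExposure -ComputerName $_ } |
#     Where-Object { $_.NeedsAttention } |
#     Format-Table ComputerName, MS08_067_Applied, AutoRunDisabled -AutoSize
```

A host that reports NeedsAttention is not necessarily infected; it is one where the two checks the post calls for have not both been confirmed, which is the list you want to work through first.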

In its latest round of updates, Microsoft addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites; Microsoft has published the list.

Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.

What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown, of TippingPoint’s DVLabs, points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing weak passwords on network shares, or it can spread simply by being passed along on someone’s portable storage device. It disables several system services and security products and then calls out to attacker-controlled domains for additional instructions.

Dec 30 2008   1:05PM GMT

Behind the MD5 attack



Posted by: Dennis Fisher
Microsoft Security, Information Security Threats

When the researchers who produced the elegant MD5 attack I wrote about this morning realized the severity of what they had found, they took two highly unusual steps. First, they consulted with lawyers from the Electronic Frontier Foundation, describing their findings and voicing their concerns about the potential legal ramifications. The researchers were afraid that if the certificate authorities found out about their work and its implications for the security of their digital certificates (the attack used an MD5 collision to obtain a certificate that browsers would accept as a trusted CA), the CAs would move to stop their talk at the 25C3 conference today in Berlin, at the very least, and perhaps sue them for good measure.

Second, the group approached Microsoft and Mozilla, the two dominant browser vendors, and  explained that they had a serious browser security issue they’d like to share. But first, they needed some assurances from the two vendors that they wouldn’t share what they heard with the CAs before the researchers were ready to announce their findings. So they asked Microsoft and Mozilla officials to sign non-disclosure agreements. It was a 180-degree reversal from the way that these things normally work.

In most cases, researchers who approach a vendor with a security problem are asked by the vendor to keep quiet about the vulnerability until a patch is ready. But in this instance, the researchers held the upper hand and chose not to even tell the vendors what the issue was until they had the signed NDAs in hand. Alex Sotirov, one of the researchers involved in the project, said that it took some negotiations to get Microsoft officials to agree to the NDA, but they eventually signed on. As did Mozilla.

During their presentation on Tuesday, the researchers said they were hopeful that other researchers would follow their lead. And Dino Dai Zovi, a researcher who was not part of the project but who was briefed on the team’s work, agreed. “A letter from a lawyer is usually enough to stop any researcher,” he said. “But showing up with your own lawyer changes the balance of power.”


Dec 12 2008   11:07AM GMT

Microsoft says all versions of Internet Explorer vulnerable to XML attack



Posted by: Dennis Fisher
Microsoft Security

The Internet Explorer vulnerability saga continues to unfold. Microsoft late Thursday released more information about the unpatched XML flaw in IE, and confirmed that the vulnerability in fact affects all supported versions of IE, not just IE 7 as previously thought. Microsoft Malware Protection Center officials said the company has seen exploits against the vulnerability in the wild, including attacks against both home and enterprise users.

The exploit sites we’ve seen so far drop a wide variety of malware — most commonly password stealers like new variants of game password stealers like Win32/OnLineGames and Win32/Lolyda, keyloggers like Win32/Lmir, Trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack. We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the Internet underground.

This issue could impact you even if you avoid surfing questionable sites. Over the past few months, we’ve seen a surge in SQL injection attacks which enable miscreants to inject content onto trusted sites (we even blogged about the technique a few months ago). This class of attack, along with other more classical forms of website intrusion, mean that even trusted sites can end up serving malicious content causing you to get infected.

Microsoft’s Security Response Center has added more information about the attacks and workarounds to its advisory, as well.

We’ve also added additional workarounds to the advisory and updated our guidance to recommend that you evaluate implementing two of the workarounds together for the most effective protection. Specifically, we’re recommending both setting the Internet zone security setting to High and using ACLs to disable Ole32db.dll. Our research so far has shown that these two steps together provide the most effective protections for this issue.


Dec 10 2008   11:37AM GMT

Unpatched Internet Explorer 7 flaw under attack



Posted by: Dennis Fisher
Microsoft Security, Application Security

On the same day that Microsoft patched a slew of vulnerabilities in Office and other products, including Internet Explorer, the tubes were abuzz yesterday with news of a new exploit for IE 7 that was being used against fully patched Windows XP and Windows 2003 systems. Early reports of the attack said that it was affecting mainly users in China and other Asian countries. But there are now reports of it moving into other areas as well, and it’s likely to spread quickly.

The attack is related to the way in which IE handles XML. Microsoft is investigating the issue right now. From the excellent analysis of the attack and exploit by H.D. Moore:

The exploit can be broken down into three parts. The first part is a set of three functions used by the exploit. The first function provides the equivalent of a sleep() call, the second sprays a string into the process heap using a common technique, the third returns a string of a specific size and is used by the heap spray code. The second part of this exploit is the shellcode. Without getting into too much detail, this shellcode downloads the real payload – a Windows executable. The third part is the actual vulnerability trigger.

Exploiting this flaw relies on two core requirements; being able to force the instruction pointer to the location of the shellcode and being able to execute the shellcode once the instruction pointer has been set. The first requirement boils down to being able to allocate memory at a known location with arbitrary contents. If it is possible to control the exact location where memory is allocated, a large buffer that doubles as a nop sled is no longer necessary. The second requirement depends on the operating system, configuration, and hardware of the target system. Many of the articles that discuss browser exploits recommend that users enable Data Execution Prevention (DEP). This setting essentially breaks common heap overflow techniques by preventing shellcode from executing in memory regions that are considered “data,” such as the Internet Explorer heap. Unfortunately, DEP is not enabled in Internet Explorer 6 or 7, so unless DEP is manually enabled, it does the target little good.

Microsoft has shown a willingness recently to issue emergency out-of-band patches for critical vulnerabilities, but it likely will be several days at least before we know whether that’s going to happen.


Dec 4 2008   12:15PM GMT

Inside the Microsoft SDL and threat-modeling process



Posted by: Dennis Fisher
Microsoft Security, Application Security

After being criticized for years for being completely opaque and obtuse about virtually everything that goes on inside the walls in Redmond, Microsoft has swung pretty far in the other direction lately, at least when the topic is security. The company has been very open about the processes and tools that it has used in its Trustworthy Computing effort, to the point of releasing books on its software security practices and inviting outside experts in for its semi-annual Blue Hat confabs. Microsoft’s latest effort in this long, drum-banging, kimono-opening, insert-evangelism-cliche-here process is a series of videos recorded during the invitation-only Blue Hat meetings. The company has posted a number of them on its TechNet site, including a video on Microsoft’s threat-modeling process, starring Adam Shostack.

The video, which also includes a segment with Danny Dhillon, a senior security consultant at EMC, explaining the company’s threat-modeling program, has a pretty good, if quick, overview of Microsoft’s program. Shostack spends much of his time in the video comparing Microsoft’s and EMC’s programs, which he says are “remarkably similar.” The companies have different terminologies and structures, but the basic ideas and goals are the same. The great thing about this video, as well as the others Microsoft has posted, and the other assorted content it’s been churning out related to its SDL and other processes, is that it can serve as a nice, free education for developers. For the vast majority of development organizations without the resources that Microsoft has, this content can be a great foundation for further investigation. Think of it as the technical equivalent of those free online courses from MIT.

Videos of the rest of the sessions from the fall Blue Hat meetings are online as well, so take advantage of Microsoft’s legwork and largess and feed your mind.


Nov 26 2008   10:34AM GMT

New worm attacking MS08-067 vulnerability



Posted by: Dennis Fisher
Microsoft Security, Platform Security

More than a month after releasing an emergency patch for the MS08-067 RPC vulnerability, Microsoft on Tuesday warned that it is seeing increased levels of attack activity against the flaw. The company said there is a new worm, being called Win32/Conficker.A, which is exploiting the RPC flaw and spreading in both enterprise and home-user environments. Conficker opens a random TCP port between 1024 and 10000 and then starts exploiting the MS08-067 vulnerability on other PCs on the network.

Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a randomly named DLL. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too.
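
An added example, not from the original post or from Microsoft: a PowerShell function that turns the propagation details above into a detection rule over HTTP connection logs, flagging a GET for a .jpg between two internal hosts on a TCP port in the 1024–10000 range. The log format, the field names and the sample lines are all constructed for this example.

```powershell
# Added example, not from the original post or from Microsoft. Turns the
# Conficker.A transfer pattern (an exploited host pulls the worm over HTTP
# from the infecting host, on a random TCP port 1024-10000, with the file
# named *.jpg) into a rule over connection log lines.
# The log format is constructed for this example:
#   "<date> <time> src=<ip> dst=<ip> dport=<port> method=<verb> uri=<path>"

function Test-InternalAddress {
    param([string]$Ip, [string[]]$Prefix)
    foreach ($p in $Prefix) { if ($Ip.StartsWith($p)) { return $true } }
    return $false
}

function Find-ConfickerTransfer {
    param(
        [string[]]$LogLine,
        [string[]]$InternalPrefix = @('10.', '192.168.', '172.16.')
    )
    $pattern = '^(?<ts>\S+ \S+) src=(?<src>\S+) dst=(?<dst>\S+) dport=(?<dport>\d+) method=(?<method>\S+) uri=(?<uri>\S+)$'

    foreach ($line in $LogLine) {
        if (-not ($line -match $pattern)) { continue }   # not a record in our format

        # Copy the fields out first: any later -match would replace $Matches.
        $ts = $Matches['ts']; $src = $Matches['src']; $dst = $Matches['dst']
        $dport = [int]$Matches['dport']; $method = $Matches['method']; $uri = $Matches['uri']

        # Each condition alone is ordinary traffic (high ports, .jpg GETs);
        # the indicator is the combination, between two internal hosts.
        $hit = (Test-InternalAddress $src $InternalPrefix) -and
               (Test-InternalAddress $dst $InternalPrefix) -and
               $dport -ge 1024 -and $dport -le 10000 -and
               $method -eq 'GET' -and
               $uri.ToLower().EndsWith('.jpg')
        if ($hit) {
            New-Object PSObject -Property @{
                Time   = $ts
                Victim = $src   # the freshly exploited host fetching its copy
                Source = $dst   # the already-infected host serving it
                Port   = $dport
                Uri    = $uri
            }
        }
    }
}

# Constructed sample lines: a normal image fetch, a high-port non-GET, one hit.
$sample = @(
    '2008-11-25 10:12:03 src=10.0.0.12 dst=93.184.216.34 dport=80 method=GET uri=/images/logo.jpg',
    '2008-11-25 10:12:09 src=10.0.0.12 dst=10.0.0.15 dport=3389 method=CONNECT uri=/',
    '2008-11-25 10:12:41 src=10.0.0.12 dst=10.0.0.15 dport=4521 method=GET uri=/sxvqhe.jpg'
)
Find-ConfickerTransfer -LogLine $sample | Format-Table Time, Victim, Source, Port, Uri -AutoSize
```

Only the third sample line is reported. Note which side is which: the host that appears as the HTTP client is the newly exploited machine, and the host serving the "image" on the odd port is the one that was already infected, so the Source column is where the cleanup should start.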

This is the second piece of automated malware that has cropped up to attack the MS08-067 weakness. In the days immediately following Microsoft’s release of the patch last month, a worm called Gimmiv appeared and began exploiting the same flaw. The level of attacks against this particular flaw isn’t surprising, given the fact that it exists in every supported version of Windows and was severe enough for Microsoft to issue one of its unusual out-of-band patches.


Nov 21 2008   1:08PM GMT

Antivirus is dead; long live antivirus



Posted by: Dennis Fisher
Microsoft Security, Security Vendor News

Microsoft’s decision this week to kill its Windows Live OneCare consumer antimalware suite has led to plenty of ruminations on the future of antivirus software and whether it is finally in its golden years. Industry analysts and security vendors have been proclaiming the death of AV for years, telling anyone who would listen that the time for reactive defenses is past. There’s no denying that AV is a product with severe inherent flaws. At its core it is signature-based: it recognizes and stops threats it has seen before, and even with heuristics layered on top, the best AV software can’t stop all of the new threats it sees. It just can’t. So AV has been taking criticism from all quarters for nearly a decade. When I first started covering security in 2000, every vendor I met with couldn’t wait to tell me that AV was going the way of the Newton, and soon. But, somehow, amid all the changes and chaos in the industry, AV has survived.

Why? There are probably a number of reasons, but one key contributor to this unnaturally long life is the worsening threat landscape. The volume, severity and level of innovation of attacks have risen sharply in the last six or seven years, leading to a corresponding spike in the volume (if not so much the innovation level) of security products on the market. Some of those products, such as intrusion prevention systems (IPS) and network behavior anomaly detection (NBAD) systems, are fairly efficient at detecting and blocking new threats. But there are so many threats out there these days that systems like AV, which are highly effective at finding and stopping known attacks, are needed to strip out the known noise and keep the volume of novel, previously unseen attacks at a level those other systems can handle.

This has helped keep antimalware suites a necessary component of virtually all enterprise security programs. But whether this will continue to be enough for much longer is unclear. Consumers likely will always need antimalware software, or at least as long as we have our current computing architecture in place. But in the enterprise world? You tell me. Any enterprises out there going commando, sans antivirus? Let me know.


Nov 19 2008   4:16PM GMT

Microsoft kills OneCare security suite



Posted by: Dennis Fisher
Microsoft Security, Security Vendor News

Microsoft’s experiment with a paid antimalware offering is over. The company announced on Tuesday that it is killing its Windows Live OneCare offering in June 2009 in favor of a free security suite code-named “Morro.” The new offering will include the same antivirus and antispyware protection OneCare has now, but not the other capabilities of the paid product. Morro is designed to be a strictly antimalware product and will be offered as a free download for XP, Vista and Windows 7 users in the second half of next year.

One interesting point in this is what this decision might mean for Microsoft’s Forefront Client Security offering, the company’s enterprise antimalware and security suite. I doubt that it will mean the demise of Forefront, as Microsoft has a whole lot of time, money and energy invested in the Forefront brand and its presence in the enterprise. It’s a lot easier to pull the plug on a limited consumer offering like OneCare than it is to kill a product like Forefront, which enterprises depend on to protect their critical assets. Microsoft has spent a lot of time convincing IT security staffs that its antimalware product is as good or better than McAfee’s or Symantec’s or Trend Micro’s, and it’s not about to give up that real estate anytime soon.


Nov 12 2008   3:42PM GMT

The MS08-068 patch: better late than never



Posted by: Dennis Fisher
Microsoft Security, Platform Security

Microsoft used to be notoriously slow about releasing patches, taking months and in some cases years to produce fixes, much to the dismay of customers and the researchers who reported the vulnerabilities. That’s certainly changed in the last few years with the advent of Patch Tuesday, but this week’s release of the MS08-068 patch was an interesting case study in how circumstances can still prevent vendors from getting fixes out for long-known problems.

Microsoft has known about the vulnerability in the Server Message Block (SMB) protocol since 2001. (To put that in perspective, there are kids in first grade who have never known a world in which the SMB protocol wasn’t broken.) But after looking at the problem, analysts in the Microsoft Security Response Center decided there was no good way to fix the flaw without breaking a lot of other things.

When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.

That’s a pretty big obstacle to fixing the problem. So Microsoft decided against the fix, but kept working on the issue over the years, and eventually came up with a way to make it work. I think it’s important to note here that Microsoft could easily have just sort of swept this problem under the rug and said, Everyone will forget about this in a few months and we’ll just keep fixing the ones we’re able to fix and that will get the attention. But to the company’s credit, that’s not what happened. They kept chipping away at it, and eventually figured it out.
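
As an added example (not from the original post or from Microsoft’s text), here are the registry values behind the SMB signing mitigation Microsoft mentions, read on the local host and, only on request, set to the “required” state. MS08-068 addressed reflection of SMB credentials back to the originating host; a reflected session cannot be signed, which is why required signing defeats it. The compatibility caveat in Microsoft’s quote applies directly: requiring signing on the server side shuts out every client that cannot sign, so the function audits by default and changes nothing unless told to. The value names and paths are the standard ones the “Digitally sign communications” policies write.

```powershell
# Added example, not from the original post. Shows the SMB signing state that
# the MS08-068 discussion treats as the mitigation: "required" on both the
# server (LanmanServer) and client (LanmanWorkstation) side. Values are the
# standard RequireSecuritySignature / EnableSecuritySignature DWORDs
# (1 = on, 0 = off) that the "Digitally sign communications" policies write.
$SmbSigningKeys = @{
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-SmbSigningState {
    foreach ($side in $SmbSigningKeys.Keys) {
        $p = Get-ItemProperty -Path $SmbSigningKeys[$side] -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Side     = $side
            Enabled  = ($p.EnableSecuritySignature -eq 1)    # signs if the peer asks
            Required = ($p.RequireSecuritySignature -eq 1)   # refuses unsigned sessions
        }
    }
}

function Set-SmbSigningRequired {
    # Weak state (the usual member-server default the post's history refers to):
    # signing enabled at most opportunistically, never required, so a session an
    # attacker reflects back at the host is accepted. Required state: the
    # unsigned session is refused outright. Requiring it on the Server side
    # breaks any client that cannot sign, which is exactly the compatibility
    # problem Microsoft's quote describes, so that side is opt-in here.
    # Needs administrator rights; takes effect when the Server / Workstation
    # services restart (or after a reboot).
    param([switch]$ServerToo)

    $sides = @('Client')
    if ($ServerToo) { $sides += 'Server' }
    foreach ($side in $sides) {
        Set-ItemProperty -Path $SmbSigningKeys[$side] -Name EnableSecuritySignature  -Value 1 -Type DWord
        Set-ItemProperty -Path $SmbSigningKeys[$side] -Name RequireSecuritySignature -Value 1 -Type DWord
    }
    Get-SmbSigningState
}

# Usage: audit first; require signing on servers only after checking which
# clients can sign.
Get-SmbSigningState | Format-Table Side, Enabled, Required -AutoSize
# Set-SmbSigningRequired              # client side only
# Set-SmbSigningRequired -ServerToo   # both sides; test against your oldest clients first
```

In a domain, set these through Group Policy rather than per host, so the values do not drift; the registry read above is still the quickest way to confirm what a given machine actually ended up with.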

Still, as  Zero Day’s Ryan Naraine points out, there are other vulnerabilities in the Microsoft warehouse gathering dust for reasons unknown:

Oh, by the way, there’s another outstanding issue collecting cobwebs. This ‘token kidnapping’ issue was first discussed in March 2008 and, after a bit of hemming and hawing, confirmed in this Microsoft security advisory. Exploit code for this privilege escalation vulnerability was publicly released last month.

Microsoft knows all this.

We are still waiting on a patch.

The waiting is the hardest part, as the man once said. Here’s hoping it’s not another seven years for this one.


Nov 10 2008   2:50PM GMT

Microsoft releases SDL and SDL Threat Modeling tool



Posted by: Dennis Fisher
Microsoft Security

Microsoft has been releasing small bits and pieces of its internal security program for a couple of years now, and on Monday the company took that a big step further by publishing its Security Development Lifecycle Optimization Model and the attendant SDL Threat Modeling Tool. These are sort of the crown jewels of the security program that Microsoft has been working on since Bill Gates’s famous Trustworthy Computing memo. The SDL itself is the heart of the changes the company has made, and Microsoft officials have been talking it up for years. Other software vendors have implemented similar programs, but it’s still more the exception than the norm.

The SDL Threat Modeling tool is a companion to the SDL and is supposed to be used by developers to find and diagnose threat vectors in their applications and then figure out some mitigations for those problems.  Neither of these is a cure-all, but Microsoft has spent a whole pile of money on both the SDL and threat modeling, and if your development organization doesn’t have that kind of cash, it couldn’t hurt to have a look.