Security Bytes:

Platform Security

Jan 21 2009   5:47PM GMT

Conficker, Downadup worm hype? Get the facts



Posted by: Robert Westervelt
Microsoft Security, Network Security, Information Security Threats, Platform Security


Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: Ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, consider disabling AutoPlay.

——————————————————————-
Security vendors from across the spectrum have warned that a stingy worm has been successfully exploiting a hole in the Microsoft Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.

The flaw was patched by Microsoft in October. The MS08-067 update was meant to stop the worm in its tracks. Many patching vendors say organizations apparently have been slow to deploy the update.

But that may not be the case. Symantec released data showing which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. It has spread in countries where software piracy is rampant. Bootlegged versions of Microsoft Windows won’t receive the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software-pirating countries for years.

So first, don’t panic. If you’re running antivirus and it’s up-to-date, you’re probably fine. Second, ensure that the MS08-067 update has been deployed. If it hasn’t, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.

In its latest round of updates, Microsoft security experts addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites listed by Microsoft.

Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.

What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown, of TippingPoint’s DVLabs points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing a person’s weak password or it can spread by simply being passed along on someone’s portable storage device. It disables several system services and security products and then signals to its host that it is ready to download additional instructions.

Dec 10 2008   3:54PM GMT

Security chief Window Snyder leaving Mozilla



Posted by: Dennis Fisher
Security Vendor News, Platform Security

Window Snyder, the head of security at Mozilla, is leaving the company to help found a start-up venture unrelated to security. Snyder has been at Mozilla for more than two years and has been the driving force behind the company’s effort to make security a top priority in its popular Firefox browser.

Snyder’s departure is a blow to Mozilla, a small organization that counts on participation from the open-source community for much of its work. Snyder has helped raise the company’s profile in the security community and made transparency about security issues a key initiative. The company currently is working on a security metrics project with security analyst Rich Mogull of Securosis that is designed to measure the relative security of Firefox in a number of different ways.

It’s unclear who will be replacing Snyder, whose official title never evolved beyond the “chief security something-or-other” she came up with when she was hired. Snyder said she is not yet ready to talk about her new venture, but said it is something she is passionate about. When she joined Mozilla in 2006, Snyder was already one of the more visible personalities in the security community, having spent several years at Microsoft and at @stake before that. During her time at Microsoft, she was one of the key players in the development of Service Pack 2 for Windows XP, a massive security upgrade that was one of the first results of the vendor’s Trustworthy Computing program. After leaving Microsoft, Snyder did a short stint at Matasano Security, a consultancy.

Mogull, who has been working on the metrics program with Mozilla for several months, said he’d been impressed with the way Snyder had worked to make security a priority within the Mozilla community. “I think she’s done a great job. I mean, think about the challenge she faced going into that,” he said. “It’s an open-source project and she’s trying to put in a structured security program in an open-source environment. It’s not the same as a commercial software company where you have very rigid processes. It’s a very engaged community and that’s one of the reasons I was so excited to work with her. She broke new ground in combining the technology for developing secure software with a project like this.”


Dec 3 2008   10:49AM GMT

VMware drops patch for critical memory corruption flaw



Posted by: Dennis Fisher
Platform Security

VMware on Wednesday issued two security advisories, including one that fixes a critical memory corruption vulnerability that affects a wide range of the company’s products. The memory corruption vulnerability allows an attacker to send a malicious request from a guest operating system to the virtual hardware on a vulnerable machine, which could give the attacker the ability to write to uncontrolled physical memory, according to VMware’s advisory. The flaw affects ESX, ESXi, Fusion, ACE, Player, Workstation and VirtualCenter.

The second update VMware issued is a new version of the service console package bzip2. In vulnerable implementations, the flaw can cause applications to crash when they’re decompressing malformed archives. This problem affects several versions of ESX, the company said.



Nov 26 2008   10:34AM GMT

New worm attacking MS08-067 vulnerability



Posted by: Dennis Fisher
Microsoft Security, Platform Security

More than a month after releasing an emergency patch for the MS08-067 RPC vulnerability, Microsoft on Tuesday warned that it is seeing increased levels of attack activity against the flaw. The company said there is a new worm, being called Win32/Conficker.A, which is exploiting the RPC flaw and spreading in both enterprise and home-user environments. Conficker opens a random TCP port between 1024 and 10000 and then starts exploiting the MS08-067 vulnerability on other PCs on the network.

Once the remote computer is exploited, that computer downloads a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over, and it is then saved to the local system folder as a randomly named DLL. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer; they want to make sure that other malware will not take it over too.
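The propagation pattern just described (a host hits peers on the Server service, and those peers then fetch a .jpg-named payload back from it over HTTP on one high port) is something a defender can look for in flow or proxy logs. The following is an added example, not code from the original post or from Microsoft; the log format and addresses are constructed, and it assumes the MS08-067 exploitation step shows up as TCP connections to port 445, which the post does not state.

```python
"""Flag hosts that show the Conficker-style spread pattern in constructed flow logs."""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Fields: time src dst dport proto [GET uri]
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.12 445 tcp
10:00:02 10.0.0.5 10.0.0.13 445 tcp
10:00:03 10.0.0.5 10.0.0.14 445 tcp
10:00:05 10.0.0.12 10.0.0.5 6372 http GET /cache/xz9k.jpg
10:00:06 10.0.0.13 10.0.0.5 6372 http GET /cache/xz9k.jpg
10:00:07 10.0.0.14 10.0.0.5 6372 http GET /cache/xz9k.jpg
10:01:00 10.0.0.20 10.0.0.30 445 tcp
10:01:30 10.0.0.30 10.0.0.21 8080 http GET /index.html
10:02:00 10.0.0.40 10.0.0.5 6372 http GET /cache/xz9k.jpg
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)(?: GET (\S+))?$")

# Assumption: MS08-067 is reached through the Server service, i.e. SMB on TCP 445.
SMB_PORT = 445
# The post describes a random listening port between 1024 and 10000.
HIGH_PORT_RANGE = (1024, 10000)


def parse(log):
    """Turn the constructed log text into a list of event dicts; skip unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto, uri = m.groups()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto, "uri": uri})
    return events


def find_spreaders(events, min_victims=2):
    """Return hosts that (1) connected to several peers on 445 and (2) then served
    those same peers a .jpg over HTTP on one high port. Both halves must match,
    so ordinary web traffic and lone SMB connections do not trigger."""
    smb_targets = defaultdict(set)    # source host -> peers it connected to on 445
    jpg_fetchers = defaultdict(set)   # (server, port) -> clients that fetched a .jpg
    lo, hi = HIGH_PORT_RANGE
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == SMB_PORT:
            smb_targets[e["src"]].add(e["dst"])
        elif (e["proto"] == "http" and lo <= e["dport"] <= hi
              and e["uri"] and e["uri"].lower().endswith(".jpg")):
            jpg_fetchers[(e["dst"], e["dport"])].add(e["src"])
    hits = []
    for (server, port), clients in jpg_fetchers.items():
        # Only peers that were first touched on 445 count as likely victims;
        # 10.0.0.40 in the sample fetched the file but was never attacked, so it is excluded.
        victims = clients & smb_targets.get(server, set())
        if len(victims) >= min_victims:
            hits.append({"host": server, "port": port, "victims": sorted(victims)})
    return sorted(hits, key=lambda h: h["host"])


if __name__ == "__main__":
    for hit in find_spreaders(parse(SAMPLE_LOG)):
        print(f"{hit['host']} serving payload on tcp/{hit['port']} to {hit['victims']}")
```

On the sample, only 10.0.0.5 is reported: it touched three peers on 445 and all three then pulled the .jpg from its port 6372.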

This is the second piece of automated malware that has cropped up to attack the MS08-067 weakness. In the days immediately following Microsoft’s release of the patch last month, a worm called Gimmiv appeared and began exploiting the same flaw. The level of attacks against this particular flaw isn’t surprising, given that it exists in every supported version of Windows and was severe enough for Microsoft to issue one of its unusual out-of-band patches.


Nov 24 2008   3:48PM GMT

VMWare loses top security researcher Sotirov and exec Mulchandani



Posted by: Dennis Fisher
Security Vendor News, Platform Security

VMWare has lost two of its key security people in the last couple of weeks: Nand Mulchandani and Alexander Sotirov. Mulchandani, the company’s top security executive, left VMWare recently to take the CEO job at OpenDNS, a startup focused on providing cloud-based DNS operations and security services. Mulchandani was the co-founder and former CEO of Determina, a security startup that VMWare acquired in 2007. He served as the senior director of product management and marketing at VMWare and was the company’s public face on security issues. Before the Determina acquisition, VMWare had been conspicuously quiet about security in general and had been taking some heat from researchers and customers on that front. After Mulchandani came on board, he made a point of talking up the security initiatives the company was working on, including its VMSafe program.

The company also lost one of its key product security experts in Sotirov, who is well known for his work with Mark Dowd on bypassing memory protection mechanisms in Windows Vista through browser exploits. Sotirov’s last day at VMWare is Dec. 2. Like Mulchandani, Sotirov landed at VMWare through the Determina deal, though he’s best known in the security community for his personal research on the browser exploits and other projects. Sotirov said he hasn’t decided on his next destination yet.


Nov 12 2008   3:42PM GMT

The MS08-068 patch: better late than never



Posted by: Dennis Fisher
Microsoft Security, Platform Security

Microsoft used to be notoriously slow about releasing patches, taking months and in some cases years to produce fixes, much to the dismay of customers and the researchers who reported the vulnerabilities. That’s certainly changed in the last few years with the advent of Patch Tuesday, but this week’s release of the MS08-068 patch was an interesting case study in how circumstances can still prevent vendors from getting fixes out for long-known problems.

Microsoft has known about the vulnerability in the Microsoft Server Message Block Protocol since 2001. (To put that in perspective, there are kids in first grade who have never known a world in which the SMB protocol wasn’t broken.) But after looking at the problem, analysts in the Microsoft Security Response Center decided there was no good way to fix the flaw without breaking a lot of other things.

When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.

That’s a pretty big obstacle to fixing the problem. So Microsoft decided against the fix, but kept working on the issue over the years, and eventually came up with a way to make it work. I think it’s important to note here that Microsoft could easily have just sort of swept this problem under the rug and said, “Everyone will forget about this in a few months and we’ll just keep fixing the ones we’re able to fix and that will get the attention.” But to the company’s credit, that’s not what happened. They kept chipping away at it, and eventually figured it out.

Still, as Zero Day’s Ryan Naraine points out, there are other vulnerabilities in the Microsoft warehouse gathering dust for reasons unknown:

Oh, by the way, there’s another outstanding issue collecting cobwebs. This ‘token kidnapping’ issue was first discussed in March 2008 and, after a bit of hemming and hawing, confirmed in this Microsoft security advisory. Exploit code for this privilege escalation vulnerability was publicly released last month.

Microsoft knows all this.

We are still waiting on a patch.

The waiting is the hardest part, as the man once said. Here’s hoping it’s not another seven years for this one.


Nov 11 2008   10:40AM GMT

Will Barack Obama keep his promises on cybersecurity?



Posted by: Dennis Fisher
Platform Security

More than two months before he is even scheduled to be sworn in, Barack Obama already has become something of a darling in the technology community. His campaign relied heavily on the youth vote, which he courted through deft use of social networking sites, message boards and email fund-raising efforts. And he has promised to appoint the country’s first CTO once he takes office, a move that has drawn praise from many industry observers who say that it is long overdue.

But the proposal that hasn’t gotten much attention as of yet is Obama’s cybersecurity plan. In his policy statements, Obama puts a lot of emphasis on protecting the country’s public and private networks, putting money into research and development for more secure and reliable software and hardware and getting a handle on the cybercrime problem.

  • Strengthen Federal Leadership on Cyber Security: Barack Obama will declare the cyber infrastructure a strategic asset and will establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
  • Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Barack Obama will support an initiative to develop next-generation secure computers and networking for national security applications. He will work with industry and academia to develop and deploy a new generation of secure hardware and software for our nation’s critical cyber infrastructure.

Stop me when this starts to sound familiar. These are all points that were laid out in the National Strategy to Secure Cyber Space, the document that the Bush administration commissioned nearly six years ago. The plan was developed with the input of a long list of security experts, industry executives and academics, and it had a wealth of good ideas in it, almost none of which were ever implemented. The national strategy became a punch line in the industry within days of its release, and within a few months the office in the White House that was dedicated to cybersecurity issues was dissolved, and that function was shipped off to the Department of Homeland Security, where it has been ignored ever since. Several people involved in that process told me at the time that they didn’t expect anything to come of the strategy because there was no one person or even department responsible for implementing the plan, and they were exactly right.

Exactly two years after the release of the national strategy, the Presidential Information Technology Advisory Committee submitted a separate report to President Bush outlining the dire state of the nation’s cybersecurity efforts and urging immediate action on a number of fronts: research and development, education and recruitment of security talent to federal agencies. The result? In the words of Eugene Spafford, who was a member of that committee and spoke at our Information Security Decisions conference last week: “We did just enough to get the committee disbanded.” That’s encouraging, no?

So it’s come to this: Our expectations for federal cybersecurity efforts are so low that the mere mention of it by the president-elect has people giddy. There’s no way to know at this point whether Obama will follow through on his promises on this front, and he clearly has a few other issues that are going to take precedence in the first months of his presidency. But the fact of the matter is, all politics aside, even a minimal effort from his administration would be a vast improvement over what we’ve seen in the last eight years. Many of the recommendations made in the national strategy and the PITAC report are still valid right now, and despite the bitter taste many of them have in their mouths, I’d bet many of those involved in those previous efforts would help again, given some assurances that their input would be taken seriously this time.

Let’s hope that Obama keeps his promises and puts some money and resources behind the cybersecurity effort and gets things turned in the right direction. That would be a change we could believe in.


Oct 31 2008   11:34AM GMT

Hoff and Citrix’s Crosby to go all sumo at RSA



Posted by: Dennis Fisher
Platform Security

Security vendors and doomsayers have been using the specter of virtualized rootkits, undetectable malware worming its way into virtualized environments, and all manner of other bogeymen to warn people about the potentially terrifying security implications of deploying virtualization in their environments. So it’s only fitting that on Halloween we get word of an epic costume drama starring two of the virtualization world’s top draws: Chris Hoff and Simon Crosby. The two have been going back and forth for weeks on their respective blogs over the role of virtualization vendors in the security world, much to the amusement of the security community. Crosby, the CTO of Citrix, maintains that security should be added to Citrix’s Xen products by aftermarket vendors.

Unlike VMware, which with its acquisitions of Blue Lane, and Determina seems set for head to head competition with the security industry, we believe that this capability set is best added on top of the Xen hypervisor base by an ecosystem of vendors and the community, in a way that allows those vendors to add value to all Xen based products, independent of the particular Xen vendor. If, say, a McAfee or Symantec product were released for the Xen Introspection API, then it is our specific goal that it would work for XenServer and for all other Xen based products on the market.

Hoff, chief security architect at Unisys and a frequent speaker on virtualization security topics, isn’t convinced. He sees the role of hypervisor vendors in the security world differently. On his Rational Survivability blog, he says:

It’s important to understand that I’m not suggesting that virtualization platform providers should secure the actual guest operating systems but they should enable an easier and more effective way of doing so when virtualized.

I mean that the virtualization platform providers should ensure the security of the instantiation of those guests as “hosted” by the virtualization platform. In some cases this means leveraging technology present in the virtualization platform to do things that non-virtualized instances cannot. That’s more than just securing the hypervisor.

Securing the hypervisor whilst closing your eyes to the likelihood that the majority of attacks against it and other guests will come from “guests” within the same system is planting your head in the sand. That means that there will be a need to ensure that certain behaviors specific to the hosted guests are mitigated to ensure that bad things don’t happen — to the guest or the hypervisor.

Transferring the responsibility to secure the environment to third party security ISV’s in order to secure the VM’s and preventing them from compromising one another or the hypervisor is difficult for me to comprehend, especially when they are playing catch up of what virtualization means within the context of security.

So how to settle this? Glad you asked. Hoff has proposed — and Crosby has accepted — a “sumo suit smackdown” at next year’s RSA conference.

What: Sumo Suit VirtSec Smackdown (how Xen/Zen!)

Who: Simon Crosby vs. Chris Hoff

Where: RSA 2009, Moscone Center, San Francisco, Venue TBD

When: During the April 20-24th, 2009 timeframe

Why: You know why…

Wow: This will be a charity event with the proceeds going to Johnny Long’s Hackers for Charity which you can find out about here.

None of the Vegas sports books has a line on the bout yet, but considering that Hoff is an expert in Brazilian jiu-jitsu, I’d make him an early 3:1 favorite. I can virtually guarantee it will be more entertaining than any of the RSA keynotes and the Kimbo Slice-Seth Petruzelli fight.


Oct 27 2008   10:45AM GMT

Security flaw exposes Google G1 phone to attacks



Posted by: Dennis Fisher
Information Security Threats, Platform Security

If you’re planning to bring a new smartphone to market anytime soon, you might want to check with the guys at Independent Security Evaluators first. For the second time in about 15 months, ISE researchers have discovered a security flaw in the operating system of a high-profile smartphone; this time it’s a vulnerability in the G1, also known as the Google phone. Charlie Miller, a well-known security researcher, hacker and principal security analyst at ISE, discovered that in putting together the operating system for the G1, known as Android, Google used some older open-source software that had known flaws, resulting in a vulnerability in Android itself. From Miller’s description of the problem:

A user of an Android phone who uses the Web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the Web browser application. We have a very reliable exploit for this issue for demonstration purposes. This exploit will not be released until a fix is available.

The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into Web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they cannot control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple’s iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised.

Miller and other ISE researchers last year found one of the first security problems with the iPhone, a flaw that enabled attackers to compromise the phones using a malicious Web page. The attack allowed an attacker to read the victim’s SMS messages, address book, call log and other stored data.

Google is aware of the problem with the G1 and is working on a fix.


Aug 22 2008   11:12AM GMT

Intrusions hit Fedora, Red Hat Enterprise Linux servers; some OpenSSH packages compromised



Posted by: Dennis Fisher
Platform Security

The maker of Red Hat Enterprise Linux and Fedora said that hackers have gained access to key servers in what appear to be two separate incidents. Red Hat Inc. found last week that someone had compromised several Fedora servers, including one that is used to sign Fedora packages. The company said that although the server was accessed illegally, they don’t believe that the passphrase used to get to the key used to actually sign the packages was compromised.

Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

In the Red Hat Enterprise Linux incident, the attacker was able not only to compromise some servers, but also to use the RHEL key to sign some OpenSSH packages. The compromised packages were for RHEL 4 and 5, and Red Hat has published a blacklist of the affected packages. Red Hat also has released updated versions of the compromised packages.