Security bulletin

Law, PR Firms Being Targeted by Hackers says FBI

According to the Washington Post, “Hackers are increasingly targeting law firms and public relations companies with a sophisticated e-mail scheme that breaks into their computer networks to steal sensitive data, often linked to large corporate clients doing business overseas.”

Needless to say, I’ve informed all of my clients who may be affected.

The attacks turn out to be classic “spear phishing” attacks and they can be very convincing. (Recall that a couple of years ago, dentists were targeted.) Here’s what the FBI has to say about the current round of attacks:

[The FBI says hackers are using] spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms. During the course of ongoing investigations, the FBI identified noticeable increases in computer exploitation attempts against these entities. The specific intrusion vector used against the firms is a spear phishing or targeted socially engineered e-mail designed to compromise a network by bypassing technological network defenses and exploiting the person at the keyboard. Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link. Network defense against these attacks is difficult as the subject lines are spoofed, or crafted, in such a way to uniquely engage recipients with content appropriate to their specific business interests. In addition to appearing to originate from a trusted source based on the relevance of the subject line, the attachment name and message body are also crafted to associate with the same specific business interests.

I wasn’t able to find the text of the latest emails floating around in this spear phishing campaign, but the above description should give you a clue.

October 2009 Patch Tuesday Sets New Record

Microsoft Security Response Center’s October 2009 Bulletin Release Advance Notification:

For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.

Ten of the 13 bulletins–which include all eight critical vulnerabilities–involve patches for remote code execution vulnerabilities. All versions of Windows and Windows Server, including Windows 7 (scheduled for release on Oct. 22) are affected.

This sets a new record for Microsoft. The previous record was set in June when the company issued 31 updates. I’m not too sure how to take this. I’m certainly glad that Microsoft is addressing its security problems, but the trend is a bit disturbing: 28 patches in December, 2008; 31 patches in June, 2009; and, 34 patches this month. We still have the better part of 3months left in 2009. Will we see another record set before year end?

What do you think? Does this mean that Microsoft is being more security conscious or are there more bugs than ever?

Hit the comments and weigh in.

Patch Tuesday – Microsoft Fixes Eight Security Flaws

All of them are critical, but not a single one of them affects Windows 7, scheduled for release on October 22.

The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:

MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)

It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure the previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."

We can only hope.

What Will Conficker do on April First?

No one knows for sure, but we do know that *something* is going to happen on April Fools’ Day. Conficker is a new breed of malware; the people behind it are of exceptional intelligence. They aren’t a crew of script kiddies out to make a quick buck. Whatever Conficker is specifically designed to do, you can bet its actions will be directed toward: 1. Maximizing proliferation of its binaries (survival); 2. Avoiding detection; and, 3. Maximizing profit (or damage).

The worm has been pretty effective at #1, by some estimates having already infected several million PCs. It has done this through exploitation of a Windows vulnerability, MS08-067 that was patched back in October and about which I wrote Will They Ever Learn to Patch? in January. However, it’s possible that those computers in the most concentrated areas of infection–China, Russia, India, Brazil, and Argentina–are impossible to patch because they are running pirated copies of Microsoft Windows software, and Microsoft does not allow updates of any kind to its pirated software. Seems to me this is a self-defeating policy, but I’m just a sensible Geek, not a Microsoft executive.

As for #2, the latest variant has added new anti-detection features. According to Larry Seltzer writing in PCMag.com, “Avoiding detection is a major theme with Conficker.C. It’s not the first malware to try to defend itself in-memory against security software and diagnostic tools, but “C” does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center.”

We’ll find out Wednesday, April 1st, what–if anything–happens with #3. My bet is that it’ll be another Y2K-type event. Then again, who knows?

Will They Ever Learn to Patch?

The latest mass infection to hit the Internet is the Win32/Conficker/Downadup Worm, estimated to have already infected between 500,000 and 8.9 million PCs, depending on whose numbers you believe. This is astounding, considering that the worm exploits a vulnerability in Windows that Microsoft Security Bulletin MS08-067 addressed back in October 2008. Microsoft issued an emergency out-of-cycle patch to address the vulnerability. Windows users who have automatic updates enabled would have received the update so the hole is patched. But there are plenty of people and organizations who, for one reason or another, have automatic updates turned off.

Why any individual PC user would put themself at risk by having automatic updates turned off is beyond me. Organizations are another story; they want to test patches before deployment to ensure they don’t break critical applications or disrupt the network. But in this case, the patch should have been applied without question by every sys admin on the planet. Had this happened, the furor surrounding Conficker.A–the original worm–probably would have died down. Instead, enough sys admins left the hole open that a particularly ferocious variant–Conficker.B–surfaced; it’s the one responsible for the current mass infection.

You can read all about Conficker.B and its blended threat in this post at the Microsoft Malware Protection Center, so I won’t burden you with all the gory details about its blended threat here. I will, however, burden you with my informed opinion: Sometimes you have to heed the warnings and go ahead and patch, regardless of what problems that patch could potentially cause. A network taken down by a malware infection is much worse and potentially more costly to repair than a couple of broken apps here and there.

Microsoft Announces Out-of-band Patch for Zero-day Flaw

Microsoft issued today “Microsoft Security Bulletin Advance Notification for December 2008.” The actual security bulletin will be released on December 17, 2008:

Microsoft Security Bulletin Advance Notification for December 2008
Published: December 16, 2008

Microsoft Security Bulletin Advance Notification issued: December 16, 2008
Microsoft Security Bulletins to be issued: December 17, 2008

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.

This bulletin advance notification will be replaced with the revised December bulletin summary on December 17, 2008. The revised bulletin summary will include the out-of-band security bulletin as well as the security bulletins already released on December 9, 2008.

I don’t have any statistics on how fast they’ve responded to zero-day flaws in the past, but this seems pretty quick to me.

Internet Explorer Targeted by Zero-day Attack

Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about “one in three times,” Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw. …

In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.

According to a blog post by Symantec:

The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0×0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users against this exploit.

I recommend that anyone using Symantec’s antivirus or IPS products, immediately perform an update. Furthermore, Symantec recommends blocking the following hosts which are apparently being used by the exploit to download and install other malware:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
•  oiuytr.net
• laoyang4.cn
• cc4y7.cn

In its security advisory 961051, Microsoft presents the following mitigating factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.

•By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

•An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

•Currently known attacks cannot exploit this issue automatically through e-mail.

Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:

We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.

Opera Zero-day Vulnerability

Just as Opera completed patches for critical vulnerabilities in its browser, researchers discovered another remote code execution bug. In its recent article, “Opera scrambles to quash zero-day bug in freshly-patched browser,”
The Register reports:

Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims’ browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that’s based on the same weakness.

Until Opera releases version 9.62, which should be “very, very soon” according to Opera spokesman Thomas Ford, your best bet is to disable iFrames and turn off scripting. Open opera:config and select Extensions|iFrames. Change the setting from “1″ to “0.” Similarly, change Extensions|Scripting from “1″ to “0.”

Bear in mind that the above temporary workaround is going to break a lot of sites that use scripting. It would be simpler if Opera had some way to designate “trusted sites” (or a plug-in like NoScript), but I’m not aware of any way to do this. Hit the comments and let me know if there’s a better workaround (I haven’t used Opera since my conversion to Firefox four years ago).

Microsoft Releases Out-of-Band Security Bulletin MS08-067

Microsoft just released a critical update for a “privately reported” vulnerability in the server service:

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

Exploits are already being detected, according to the Microsoft Malware Protection Center:

Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive. You can read more details about this malware in our encyclopedia write ups.

I’m going to update the servers right now. Everyone should do the same.