
Information Security

42 Posts authored by: mjc

Microsoft Security Bulletin Summary for December 2012 contains seven bulletins: five critical and two important. The key takeaway for this month's patch cycle is that most of the impact of these vulnerabilities can be drastically reduced if the “least privilege” principle is enforced in organizations. It's always a good idea to look at the proliferation of administrative accounts, and many organizations can bring in the new year with fresh patches and fewer administrative accounts.


MS12-077 is a cumulative security update for Internet Explorer and should be the first to-do. This security update resolves three privately reported vulnerabilities in Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same rights as the victim. Since many users run with unnecessarily escalated privileges, attackers frequently achieve administrative rights by tricking a victim into visiting a malicious site.


MS12-079 is a critical bulletin that affects Microsoft Office. This one is interesting from an attacker perspective as a victim can be compromised if they preview or open an email message in Outlook while using Microsoft Word as the email viewer. Since it involves Outlook, which is a primary business tool in many organizations, this would be number two on my to-do list.


MS12-080 is interesting because it fixes vulnerabilities in Microsoft Exchange Server 2007 Service Pack 3, Microsoft Exchange Server 2010 Service Pack 1, and Microsoft Exchange Server 2010 Service Pack 2. The most severe vulnerabilities are in Microsoft Exchange Server WebReady Document Viewing and could compromise an Exchange server if a user previews a malicious file using Outlook Web App (OWA). The attacker would initially have limited privileges, but experienced attackers find it fairly trivial to escalate from there.


MS12-078 affects all Windows platforms and requires an attacker to convince users to visit a malicious website. This type of attack usually involves social engineering and phishing emails.


MS12-081 is also rated as a critical Windows update and will affect most consumers and enterprises. An attacker could exploit a victim who browses to a folder containing a file or subfolder with a specially crafted name. The security update addresses the vulnerability by modifying the way Windows handles files with specially crafted names.


MS12-082 is rated as important and affects all supported Microsoft operating systems except for Windows RT. The vulnerability could allow remote code execution if an attacker convinces a user to view a specially crafted Office document with embedded content. This type of vulnerability is primed for spear phishing attacks, though an attacker would initially be limited to the victim’s privileges.


MS12-083 is rated important, but only affects Windows Server 2012 and Windows Server 2008 R2. It could allow an attacker to bypass authentication using revoked credentials. While it sounds interesting, this attack shouldn't affect most organizations since it is such a narrow attack vector.

Microsoft Security Bulletin Summary for November 2012 contains eight bulletins and patches 17 vulnerabilities. A couple of bulletins, MS12-071 and MS12-075, will need to be addressed as soon as possible.


MS12-071 is a cumulative security update for Internet Explorer 9. This will be a priority for both businesses and consumers since an attacker would be able to compromise their system if the user visits a malicious web page. MS12-071 patches three vulnerabilities in Internet Explorer 9, and Microsoft points out that exploit code is likely to be available. This means that we are likely to see attacks targeting MS12-071 added to crimeware packs such as Blackhole in the near future.


MS12-075 is a critical bulletin that almost flies under the radar, but is probably the most important to many organizations. MS12-075 patches vulnerabilities in Windows kernel-mode drivers which could allow an attacker to execute code remotely, including one that could allow a user to be compromised by visiting a malicious webpage that embeds TrueType font files. Because the flaw is in the kernel's font handling rather than in the browser, MS12-075 can be exploited across multiple versions of Internet Explorer.


MS12-072 and MS12-074 are also both listed as critical, but due to the complexity of exploitation, I don't think they pose much risk to most organizations. Launching a successful attack against either of the vulnerabilities listed requires very specific configurations and environments. I call this sort of attack scenario "the stars must all align" attack vectors.


MS12-076 patches vulnerabilities in Microsoft Excel that would allow remote code execution, with the attacker inheriting the same privileges as the current user. This would be third on my priority list in an organization. It is fairly trivial to escalate privileges once you have user-level access, and we still see an unhealthy number of people running as administrator; in that case it's game over.


MS12-073 is a moderate bulletin for Microsoft Internet Information Services which could lead to information disclosure. MS12-073 is the easiest bulletin to mitigate without patching, since it can be mitigated by filtering inbound FTP traffic.


Microsoft Security Bulletin Summary for October 2012 contains 7 bulletins to patch 20 vulnerabilities.


MS12-064, rated at critical, affects Microsoft Word and would allow an attacker to send a malicious file which, when opened or previewed, would fully compromise the victim's system. Organizations and consumers should apply this patch as soon as possible. This is the type of exploit that we have seen being used as a part of spear phishing attacks.


MS12-067 is an important bulletin which could be a concern for organizations running Microsoft FAST Search Server 2010 for SharePoint. FAST is Microsoft's search engine for SharePoint intranet content, and exploitation of MS12-067 would result in remote code execution. Microsoft has already patched 13 vulnerabilities related to FAST.


The interesting thing about this vulnerability is that the vulnerable component is Oracle's Outside In file format conversion library. This library is heavily used in the enterprise application space and is embedded into many file search and indexing applications, including mobile gateways such as BlackBerry Enterprise Server. I would expect to see a rash of related security updates become available for all enterprise products using this library. Oddly enough, even though the July bulletin included an update for Exchange 2007 and 2010 for Outside In flaws, the October one does not, which may point to an upcoming patch for Exchange Server, or to something specific about the issues identified in this bulletin that excludes Exchange as a potential target.


MS12-070 is an XSS vulnerability that could affect Microsoft's SQL Server, although it affects the web interface, not the actual database server itself. However, successful exploitation of MS12-070 would result in an escalation of privileges.


MS12-066 is another important bulletin that affects a wide range of web-based collaboration products, including SharePoint, Groove, and InfoPath, as well as the hosted version of Microsoft Office. This flaw allows privilege escalation through an XSS vulnerability and organizations with untrusted users of these products should prioritize this patch.


Also note that Microsoft updated KB2758994 yesterday, indicating that an update is now available for Windows 8 and Windows 2012 Server that fixes a known vulnerability in the Adobe Flash Player plugin.


MS12-069, although only a Denial of Service, should also be prioritized, as it may allow an unauthenticated attacker on the local network to take down Kerberos services on a Windows domain controller. A repeated attack against an organization's domain controllers could have a major impact on the functioning of the business.


The remaining bulletins should be triaged, tested, and applied as soon as possible.

White House Spear Phished

Posted by mjc Oct 2, 2012

Yesterday news broke that an unclassified system at the White House Military Office was breached via a spear phishing attack. The news of this attack is not surprising at all. Our government networks are under non-stop targeted attacks and some of these attacks will eventually compromise the intended victim. The reports that we’ve seen indicate that it was an unclassified network that was compromised. These types of systems are connected directly to the Internet and wouldn’t be considered mission critical systems, so if that’s all that was compromised, many of the reports are greatly exaggerated.


Unclassified networks can contain For Official Use Only (FOUO) information, which could be used to gather information for foreign intelligence. These types of networks may have information on logistics related to troop movements and supply chain. Critical networks and systems should be air gapped from this network which should make it hard for foreign attackers to directly compromise and exfiltrate data from our most secure networks.

The Microsoft Security Bulletin Summary for September 2012 includes just two bulletins, both of which address vulnerabilities rated “important”. The first, MS12-061, addresses a cross site scripting vulnerability (CVE-2012-1892) that affects Microsoft Developer Tools. The second bulletin, MS12-062, addresses a reflective cross site scripting vulnerability in System Center Configuration Manager (CVE-2012-2536). Both of these vulnerabilities would result in escalation of privileges should an attacker be able to successfully exploit them.


Both of these bulletins are pretty low risk to most organizations; however, employees should never be allowed to browse the Internet or check email from servers that this software could reside on. To exploit these vulnerabilities, an attacker would craft a malicious link for a victim to click on, allowing them to compromise the victim’s system. It’s always a good idea to educate employees/end-users on how to spot and avoid suspect links.


While there are only two bulletins, security professionals should focus on the fact that Microsoft will be issuing an update next month (October 2012) that will deprecate the use of certificates with keys shorter than 1024 bits. Organizations should take advantage of this light patch month to focus on updating their legacy certificates.


Per Microsoft, some known issues that customers may encounter after applying this update may include:

• Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
• Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
• Difficulties creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
• Difficulties installing ActiveX controls that were signed with less than 1024 bit signatures
• Difficulties installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default)

Microsoft’s Patch Tuesday Security Bulletin Summary for August 2012 contains nine bulletins and addresses 28 vulnerabilities.


MS12-052 is a critical patch for four vulnerabilities in Internet Explorer 6, 7, and 8. This bulletin is a continuation in Microsoft’s monthly Internet Explorer patch cadence. This should be number one on organizations’ and consumers’ “must patch” list.


MS12-053, labeled as critical, patches yet another Remote Desktop Protocol (RDP) vulnerability, though Microsoft states that exploit code would be difficult to build for this bulletin. MS12-054, also labeled as critical, addresses four vulnerabilities relating to Windows Network Components. Microsoft says that exploit code is unlikely for these vulnerabilities. Both MS12-053 and MS12-054 should be mitigated by traditional perimeter defense measures such as firewalls.


MS12-058, labeled as critical, addresses a vulnerability that was introduced by Oracle Outside In, which is used as part of Exchange. It’s interesting that Microsoft labels this critical, while Oracle listed the vulnerability in their Critical Patch Update with a base score of 2.1, which is very low. After MS12-052, MS12-058 should be an organization's second priority to patch. It appears to be an excellent option for spear phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App (OWA). An attacker could then escalate privileges from there.


The last critical bulletin, MS12-060, addresses vulnerabilities in Windows common controls, which are used in a slew of productivity and business related software such as Office and SQL Server. This bulletin could affect both businesses and consumers. Microsoft is aware of it being used as part of targeted attacks in the wild, which are unlikely to affect consumers; however, business and government organizations should deploy this patch as soon as possible.

There's a Hole in the Network

Posted by mjc Aug 9, 2012

In this post SecurityStreet meets Sesame Street. One of my favorite travel songs growing up was "There's a hole in the bucket". The song can literally go on forever, which can be headache inducing at times. Here's the Sesame Street rendition; it may hit close to home as it did with me.



Why am I telling you this? Well, it feels to me like "There's a hole in the bucket" is a lot like "There's a vulnerability in the network". During my time in military and government organizations, I saw the similarities play out on networks with system vulnerabilities. Many of my friends are still in those trenches and express frustration with the vulnerability management process. What is unfortunate is that government agencies are victims of targeted attacks more than the average business. In many government agencies, the priority is the availability of critical services such as healthcare and military intelligence. Since availability is so important, it becomes difficult to take systems down to patch them. This poor patch management leads to widespread exploitation.


Liza in the video reminds me of many security professionals both in and outside government circles, demanding that their organization implements what they view as simple mitigating controls. This also includes some security compliance audits that I've seen where auditors can seem outright aggressive. The problem though, is that real world information security isn't as easy as we would like it to be. Many people get frustrated with the government and leave for commercial work, but the truth is that the same issues exist in corporate settings.


Many government, corporate, and other high-availability network organizations aren't able to patch as fast as they probably should because they don't want to take systems offline to do so. Unfortunately we know where ignoring patching usually leads: to a breach. There are networks being compromised out there with vulnerabilities that could have been patched at least a year ago in some cases. That is just sad for everyone involved. The simple answer seems to be to say "Get patching!", but in a large number of cases this doesn't happen. It really can be as complicated as the Sesame Street clip. Sometimes patches actually break things; in that case the patch was "too big" :).


When it comes down to it, business leaders, engineers, and security professionals must get together to plan agile, scalable systems and networks. They need to understand where the potential holes are in their "bucket", which is where vulnerability management comes in. Once you know where your holes are, I have always found it better to work with systems administrators, even sit with them, to fix findings. Fundamentally, good communication is the key to actually moving forward to a more secure environment. Even though Henry and Liza are communicating, they aren't really fixing anything. Good communication and teamwork require everyone being on the same page.


Instead of getting angry as Liza does in the video, security professionals must work as a team with other stakeholders in the organization to actually fix issues. The truth is that sometimes you won't be able to apply fixes in all cases, and in other cases real fixes aren't available. In those cases the security team must work to provide compensating control options.


This is critical as government agencies and critical infrastructure are under non-stop attack and in many cases aren't able to deploy patches on an optimal basis. Whether you are a government, military, or private sector organization, you must take a holistic security approach and make vulnerability and patch management a priority. Again, vulnerability management lets us know where our holes are. In the words of G.I. Joe, "Well now you know, and knowing is half the battle".

Yahoo! Voices Breach Infographic

Posted by mjc Jul 16, 2012

On July 11th, the Yahoo! Voices website made news when 453,492 accounts containing email addresses and passwords were breached. David Maloney (@TheLightCosine) and I performed some analysis on the leak and our Rapid7 team created the infographic below. There is an old saying, "I can show you better than I can tell you!", and this infographic drives several points home. You can click on the image to enlarge it or download it here. I hope you enjoy it.


The Microsoft Security Bulletin Summary for July 2012 contains nine security bulletins addressing 16 CVEs. Three of the bulletins are rated critical and the other six are rated important. All of the critical bulletins address vulnerabilities where a victim could be exploited if they visit malicious web pages. All three of the critical bulletins should serve as a warning that organizations will continue to face client-side browser related attacks.


MS12-043 addresses a vulnerability that is currently being exploited in the wild, and Microsoft predicts that MS12-044 and MS12-045 could also have reliable exploit code available within 30 days. Exploits targeting these vulnerabilities will likely be added to mass malware kits such as the Blackhole Exploit Kit once reliable exploit code is available.


MS12-043 addresses the CVE-2012-1889 vulnerability that is actively being exploited in the wild. Organizations should be aware that this update only patches MSXML versions 3, 4, and 6. All active exploitation has been leveraging attacks against MSXML version 3. MSXML version 5 will be addressed in a future security update, which means organizations should apply the interim fix provided with Microsoft Knowledge Base Article 2719615 in the meantime (http://support.microsoft.com/kb/2719615).


MS12-044 is a critical cumulative Security Update for Internet Explorer. This is a critical bulletin that patches vulnerabilities that only affect Internet Explorer version 9. Since Internet Explorer versions 6, 7, and 8 are not affected, it indicates that this is a new vulnerability introduced with the new code base of version 9.


MS12-045 is a critical bulletin that patches vulnerabilities in Microsoft Data Access Components (MDAC). It appears that this exploit could be used to compromise any application that leverages MDAC, if the victim visits a malicious URL.


The three critical bulletins should be tested and patched as soon as possible. Of the important bulletins, MS12-046 and MS12-048 should be next on everyone's “Must Patch” list. Both MS12-046 and MS12-048 can be used against victims who navigate to a malicious WebDAV or SMB share and open a malicious file in that directory. These two bulletins are primed for spear phishing attacks.


MS12-046 addresses a DLL Preloading vulnerability related to Visual Basic for Applications [VBA]. There are targeted attacks in the wild that are exploiting this vulnerability. In regards to MS12-048, Microsoft predicts reliable exploit code will be developed within 30 days.


After MS12-046 and MS12-048 businesses can focus on the rest of the bulletins.

The Microsoft Security Bulletin Summary for June 2012 contains 7 bulletins addressing 28 security bugs. Three of the bulletins are rated “critical” and the rest “important”.


MS12-036 is a critical bulletin that addresses vulnerabilities allowing an attacker remote code execution related to the Windows Remote Desktop Protocol (RDP). This relates to MS12-020, which had organizations on high alert in March after Microsoft issued warnings that the vulnerability could be weaponized to result in widespread attacks. Up to now, MS12-020 has only been exploited as a reliable denial of service attack; however, from what I understand MS12-036 may offer a more reliable attack vector for exploitation. The silver lining is that after MS12-020, many organizations took preventative measures to disable RDP, especially at egress points in their networks. If organizations must run RDP on the Internet, they should test and deploy MS12-020 patches as soon as possible.


MS12-037 is also labeled as critical and affects Internet Explorer 6, 7, 8, and 9. This is a cumulative patch that addresses several vulnerabilities, including those disclosed by VUPEN at CanSecWest's Pwn2Own hacking competition. MS12-037 should be priority number one for organizations and consumers. We consistently see browsers and their plugins as the primary attack vector for crimeware and advanced persistent threats.


MS12-038 is a critical vulnerability that affects Microsoft Windows and the .NET Framework and is the second highest priority after MS12-037 due to its potential to affect organizations. MS12-038 allows an attacker to exploit systems if a user views a specially crafted webpage using a web browser. This could have limited effects if users operate under least privilege; however, we know that least privilege isn't always enforced in organizations.


If you were paying attention to this month's advance notification, Microsoft was supposed to patch important vulnerabilities related to Microsoft Office and Visual Basic with MS12-039. Instead, MS12-039 has been changed to update Microsoft Lync, formerly Microsoft Office Communicator. MS12-039 should only affect enterprise customers, although it is uncertain how large the actual deployment of Microsoft Lync in enterprises is. As a result of this change, organizations should remain on high alert as usual, because Microsoft has since pulled the fixes for Microsoft Office related to Visual Basic. In reality we should always be wary of suspicious documents and attachments.


MS12-040 is related to Microsoft Dynamics AX 2012, which is a Microsoft enterprise resource planning software product. MS12-040 – although labeled as important – will make most organizations yawn because of the limited deployment of the product.


MS12-041 and MS12-042 are important bulletins that affect Microsoft operating systems, and could result in an escalation of privileges if successfully exploited. The MS12-041 vulnerability can be used on all modern Windows operating systems to escalate to the administrative privilege level. MS12-042 also mitigates escalation of privilege vulnerabilities, but affects only a subset of Windows operating systems rather than all of them, which is a bit strange. MS12-041 and MS12-042 should affect both businesses and consumers.


My summary video of this month's Patch Tuesday (5:54):


If you like this video or have any suggestions, please leave a comment with your thoughts.

Oracle Issues Java Security Fixes

Posted by mjc Jun 13, 2012

Oracle released Java Release 7 Update 5 and Java Release 6 Update 33 in order to patch several security vulnerabilities. I expect older versions to have public exploit code available soon. IsJavaExploitable.com has been updated to assist everyone in detecting if they need to upgrade. Apple has also made patches available for OS X, which is a testament to Apple improving their consumer security. In the last couple of months Apple has made drastic improvements on response time in regards to Java.


It's Time to Ban Bad Passwords

Posted by mjc Jun 11, 2012


An important thing in the world of information security is to learn from our past mistakes. With 24-hour news cycles and the Internet, netizens seem to have developed very short memories. In late 2010, Gawker Media was compromised, revealing 188,279 plaintext passwords online. Many researchers analyzed the data and found simple passwords heavily in use.


Last week, LinkedIn password data was posted online with a total of 6.5 million SHA1 hashes. Since only unique hashes were released, the same analysis that was done on the Gawker leak was impossible; however, we were able to investigate whether the passwords seen in the Gawker analysis were still being used in passwords today. It was easy to cross check the usage of the Gawker passwords against the LinkedIn hashes with a Ruby script. LinkedIn had allowed passwords as short as six characters, and all Gawker-related passwords of six or more characters were still in use on LinkedIn. It's interesting that two years after the Gawker breach, these horrible passwords are still being used, despite extensive coverage at the time of the insecurity of such passwords. I believe that it's about time that organizations ban the use of bad or overly obvious passwords.


We also need to ban these known bad strings as a part of passphrases. I was able to access over 165,000 plaintext passwords from the LinkedIn list and noticed that many of the passwords contained words that are known weak passwords as a part of passphrases. Although it was impossible to determine how many times an individual password was used, it was possible to determine the frequency of known bad password patterns. Please see the infographic below.


In order to gain insight on whether or not people were using known bad passwords as a part of a larger password or passphrase, I created a list based on the Gawker top 50 passwords, as well as LinkedIn-related words, i.e. "career", "link", etc. From my quick analysis it is clear that people are using known bad passwords as a part of a larger password/passphrase.
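A compact version of the two analyses described above (hashing a known-bad list and checking it against a leaked set of unsalted SHA-1 hashes, then counting known-bad strings embedded in recovered plaintexts), plus the set-time ban the post argues for. This is an added example, not the author's original Ruby script; the known-bad list and the "leaked" hash set are constructed stand-ins so it runs offline, and the function names are my own.

```ruby
require 'digest'
require 'set'

# Constructed stand-in for the Gawker top-50 list plus the LinkedIn-related
# words the post mentions ("career", "link"). Not the real list.
KNOWN_BAD = %w[123456 password 12345678 qwerty abc123 letmein monkey
               iloveyou career link linkedin].freeze

# Constructed stand-in for a LinkedIn-style dump: unique, unsalted SHA-1 hex
# digests with no usernames attached. Built from sample plaintexts so the
# example runs offline; a real dump would be read line by line from a file.
SAMPLE_PLAINTEXTS = %w[password123 letmein qwerty1 Career2012 mylinkedinpw
                       correcthorsebattery abc123 monkey].freeze
LEAKED_HASHES = SAMPLE_PLAINTEXTS.map { |pw| Digest::SHA1.hexdigest(pw) }.to_set.freeze

# Cross-check: which known-bad passwords of at least min_len characters (the
# LinkedIn minimum) appear verbatim in the leak? Because the dump is unsalted
# SHA-1, hashing each candidate once is enough; no per-user work is needed.
def bad_passwords_in_use(candidates, leaked, min_len: 6)
  candidates.select do |pw|
    pw.length >= min_len && leaked.include?(Digest::SHA1.hexdigest(pw))
  end
end

# Does a plaintext embed any known-bad string (case-insensitive substring)?
# This is the passphrase check: "Password123" is caught through "password".
def contains_bad_fragment?(pw, patterns)
  patterns.any? { |pat| pw.downcase.include?(pat.downcase) }
end

# Pattern frequency over recovered plaintexts: how many passwords embed each
# known-bad string. A password that embeds several patterns counts once per
# pattern (e.g. "mylinkedinpw" counts for both "link" and "linkedin").
def pattern_frequency(plaintexts, patterns)
  patterns.each_with_object(Hash.new(0)) do |pat, counts|
    plaintexts.each { |pw| counts[pat] += 1 if pw.downcase.include?(pat.downcase) }
  end
end

# Defender side: the ban the post argues for, as a check run when a password is
# set. Rejects anything shorter than min_len or anything that embeds a
# known-bad string. Returns nil when the candidate is acceptable, else a reason.
def reject_reason(candidate, patterns, min_len: 6)
  return "shorter than #{min_len} characters" if candidate.length < min_len
  hit = patterns.find { |pat| candidate.downcase.include?(pat.downcase) }
  hit ? "contains known-bad string '#{hit}'" : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "Known-bad passwords still in use: #{bad_passwords_in_use(KNOWN_BAD, LEAKED_HASHES).join(', ')}"
  embedded = SAMPLE_PLAINTEXTS.count { |pw| contains_bad_fragment?(pw, KNOWN_BAD) }
  puts "#{embedded} of #{SAMPLE_PLAINTEXTS.size} recovered passwords embed a known-bad string"
  pattern_frequency(SAMPLE_PLAINTEXTS, KNOWN_BAD).sort_by { |_, n| -n }.each do |pat, n|
    puts "  #{pat.ljust(10)} #{n}"
  end
  %w[correcthorsebattery ILoveYou2012 abc].each do |pw|
    puts "#{pw}: #{reject_reason(pw, KNOWN_BAD) || 'ok'}"
  end
end
```

The substring ban is deliberately blunt (banning "link" also rejects "linkedin2012"), which matches the post's proposal; a real deployment would pair it with a length or entropy requirement rather than rely on it alone.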


Now is the time to apply lessons learned instead of moving forward making the same mistakes. I'll talk about this and other information assurance strategies and best practices in my upcoming webcast: "Life's a Breach! Lessons Learned from Recent High Profile Data Breaches", Thursday, June 2pm EDT.



Microsoft has released an update for Windows Server Update Services (WSUS) 3.0 Service Pack 2 (SP2):




By hardening the Windows Server Update Services (WSUS), Microsoft is attempting to assure their customers that they can trust the update process. From a security perspective, Flame isn't a mass threat to most organizations; however, this is a way to ensure the integrity of the update process. It is apparent that Microsoft was working on many of these updates for the Windows 8 release. There is no way that Microsoft would have been able to pivot so quickly if that wasn't the case.


The news of Flame has forced Microsoft to incorporate these changes sooner rather than later. We should also look for Microsoft to move away from MD5 certificates to at least SHA1 certificates. Flame was able to use an MD5 collision technique to forge Microsoft digital signatures via brute force. It would be exponentially harder to do this with SHA1, and it hasn’t yet been a victim of any successful brute force collision attacks as far as I am aware. I’d also expect them to move away from 512 bit to at least 1024 bit key length. More time is needed for attackers to brute force these longer key lengths. With all the changes that Microsoft has made in short order, it should give everyone renewed confidence in the update process. Security updates are essential to securing any organization's assets, so there can't be uncertainty.

Here are a couple of screen captures to help people change their LinkedIn password. I highly recommend reading this post on Password Tips.


Click on your username > Settings:



Click on Account > Change password


I've seen a couple of postings on the Internet about a possible link between the Flame malware and a project from the National Laboratory for Scientific Computing (LNCC) in Brazil. They released a tool called Flexible and Lightweight Active Measurement Environment (FLAME) in 2009. This version of FLAME is a platform for prototyping network tools, which uses Lua as an extension language. FLAME allowed for the capability to deploy and remotely control packet flooding agents through instant messenger, and to customize them with Lua. Both Lua and the original FLAME platform originate from Brazil.

I reached out to the creators of the FLAME platform and they quickly replied with the information below. To make a long story short, the creators of the FLAME platform informed me that their software has nothing to do with the malware which has been dubbed Flame. They also informed me that their source code isn't published. This is all an amazing coincidence for sure. Along with Nmap, this also shows that Lua has been used heavily to extend network based tools over the last few years.

See the full email response below:


Mr. Marcus Carey,

FIRST AND FOREMOST: The FLAME platform described at:
has *NOTHING TO DO* with the recently uncovered FLAME malware.
Our FLAME platform is for the rapid prototyping of active measurement tools, as described in the platform website.

We'd also like to add that:

- The FLAME environment developed by our MARTIN group at LNCC is NOT malware. We're aware of at least two other packages with the same name; it's simple and easy to make an acronym from such an appealing word, therefore it's quite likely there are other packages, including the cited malware, that share this same name.

- Our FLAME environment does use Lua, but for the purpose of sending ICMP, TCP and UDP measurement probes. Crucially, our environment does not allow specially-crafted payload to be conveyed in such probes. Also, by no means does it have any kind of code that allows recording audio, taking screenshots and other announced characteristics of the cited malware.

- The top hit for "FLAME Lua" on Google points to the website of our FLAME platform. The platform website has been online since November 2009.

- The source code of our FLAME environment hasn't been publicly available. A specific request for it must be made by email, explaining the requester's intended purpose. So far, we haven't received such requests (the first one was a couple of hours ago, motivated by the news about the cited malware). Therefore it's unlikely that the cited malware has even been based on our package.

- Our FLAME platform only compiles on Linux. The cited malware is for Windows-based systems.

- The Lua code and log snippets presented at https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
have never been part of our FLAME environment.

As a final remark, we emphasize that all this matter boils down to an unfortunate coincidence of a malware having the same name as the acronym we’ve been using for a couple of years. If you're still interested in our platform with the aim of prototyping active measurement tools, we'll be glad to provide you with it.

Hoping to have clarified the matter, our best wishes.
MARTIN Lab team.
