Archive for May 2007

WiFiEnum

George Ou blogs about a free WiFi driver checker from Aruba Networks.
Basically it scans domain computers via WMI using supplied credentials and reports whether the wireless driver is vulnerable. They didn’t take the time to have it verify that the computer is reachable first, so there could be some long timeouts. I’ve seen other WMI scripts test first; they use a TCP ping on port 135 (the RPC endpoint mapper port WMI needs anyway), which they report will not work from XP computers.
Ou reports “When I spoke with the patch management companies at RSA 2007 in February and asked them about driver patches, they looked at me with a blank stare as if they didn’t even know what I was talking about.”
My vuln scanner does detect a couple of Intel 2200 BG vulnerabilities. But I’ve often wondered about the Broadcom drivers and the non-wifi drivers. It will be interesting to run this and see what, if anything, I’ve been missing.

This worked fine locally, but when I installed it on a Windows 2003 server to scan a subnet, it crashed. No, I haven’t reported the problem to the developer.

SAV false positive in blindman.exe

Symantec Antivirus (SAV) is detecting a component of Spybot Search and Destroy as a Trojan horse. This detection seems to have started with the latest AV definition updates (5/30). The file is blindman.exe.
According to the Safer Networking site, this file does nothing. It is used to prevent the boot delay caused by their method of disabling unwanted autorun items.
**update** – Symantec has announced that they will be releasing an update to fix this false positive this evening. It’s already available in Rapid Release if you need it now.

Quicktime 7.1.6.200

I was a bit worried when SANS reported an update for Quicktime 7.1.6. I created a new Quicktime package on Friday and it was just about to go out to the test group. Fortunately for me, on Friday I downloaded a fresh copy of the Quicktime installer. It happened to be 7.1.6.200, which appears to be the latest version. So I’m covered for the patches in http://docs.info.apple.com/article.html?artnum=305531. I’m not sure when that was officially released.
**update** – I realized tonight that the update is still needed. When it is installed, a registry key is created at HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\QuickTime\Security Updates\2007-006. Since I see no way to slipstream this update into the 7.1.6 install, I updated the package to run the updates sequentially. I’m also going to have to get the SMS guys to create a separate advertisement for those people who already upgraded to 7.1.6.

BBB Virus

The antivirus gateway detected an interesting email this evening.
Envelope From: nobody@[edited]
From: cmplntscentercase[at]bbb.org
Originating IP: 207.210.105.78, which is an IP address in Canada according to ARIN.
Subject: Complaint Case Number: 363619942 Joe User
(It contained the name of the recipient.)
File: Embedded inside the attachment complaint.doc is an EXE named ‘MicrosoftWordhasencounteredaproblemandthedocumentwasnotfullyloaded.Pleasedouble-clickontheicontoreloadmsword.exe’
There were multiple detections on this file:
W32/Heur-Dropper.gen.a-5e19-3e29
W32/Generic
Exploit/RTFEmbeddedExe
This email is similar to http://orwwa.bbb.org/release.html?value=61 from earlier this year. In that instance the users were tricked into clicking on a malicious link rather than conned into opening a malicious attachment. According to this SANS diary entry, the link led to an EXE embedded inside an RTF document. So while the style of attack isn’t new, this email could indicate a new spam run of this virus.
Here’s a Sunbelt blog entry on the same virus. In that blog entry Alex Eckelberry reports that the file downloads more malware, TightVNC and WinRAR. He also has the body of the message, which confirms my suspicion, based on the message subject, that this is highly targeted.
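The detection named above, Exploit/RTFEmbeddedExe, is looking for exactly this construction: an OLE “Package” object carrying an executable inside an RTF file. The following is an added example (my own code, not from the original post, the SANS diary or any vendor) of the minimal check a gateway can run. RTF writes embedded object data as a run of hex digits after the \objdata control word; the detector pulls each run out, hex-decodes it and looks for a DOS/PE executable signature in the result. The RTF sample is constructed for this example; the payload is a fake MZ stub, not a real program, and the Package body layout is only illustrative (the OLE1 header bytes 01 05 00 00 02 00 00 00 are the documented prefix). One caveat worth knowing: Word identifies a file by its content, so an RTF file named complaint.doc still opens as RTF.

```python
"""Added example: flag executables embedded in RTF via an OLE Package object."""
from __future__ import annotations

import re

# \objdata followed by a run of hex digits; Word wraps the run across lines.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")
# \objclass names the embedded object's class (e.g. "Package").
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)")

DOS_STUB = b"This program cannot be run in DOS mode"


def _fake_exe() -> bytes:
    """Constructed stand-in for an embedded EXE: MZ header plus the DOS stub text."""
    return b"MZ" + b"\x00" * 62 + DOS_STUB + b"\x00" * 16


def _package_objdata(filename: bytes, payload: bytes) -> bytes:
    """Constructed OLE1 Package object (layout illustrative; detector does not rely on it):
    8-byte OLE1 header, class name, Packager body with filename, path and payload."""
    header = b"\x01\x05\x00\x00\x02\x00\x00\x00"
    cls = b"Package\x00"
    body = b"\x02\x00" + filename + b"\x00" + b"C:\\temp\\" + filename + b"\x00"
    body += len(payload).to_bytes(4, "little") + payload
    return header + cls + body


def build_sample_rtf() -> bytes:
    """Constructed RTF document with one embedded Package object (sample input, not a real lure)."""
    hexdata = _package_objdata(b"reloadmsword.exe", _fake_exe()).hex().encode()
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0 Complaint case attached.\\par\n"
            b"{\\object\\objemb{\\*\\objclass Package}\n"
            b"{\\*\\objdata\n" + wrapped + b"\n}}\\par}\n")


def find_embedded_executables(rtf: bytes) -> list[dict]:
    """Return one record per \\objdata run whose decoded bytes carry an MZ header
    followed by the DOS stub string. The MZ check alone would false-positive on
    text, so both must be present."""
    hits = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]  # tolerate a stray trailing nibble
        try:
            blob = bytes.fromhex(hexrun.decode("ascii"))
        except ValueError:
            continue
        mz = blob.find(b"MZ")
        if mz == -1 or blob.find(DOS_STUB, mz) == -1:
            continue
        # the nearest preceding \objclass names the object that owns this data
        classes = OBJCLASS_RE.findall(rtf[:m.start()])
        hits.append({
            "objclass": classes[-1] if classes else b"?",
            "mz_offset": mz,
            "size": len(blob),
        })
    return hits


if __name__ == "__main__":
    for hit in find_embedded_executables(build_sample_rtf()):
        print(f"embedded executable: class={hit['objclass']!r} "
              f"MZ at {hit['mz_offset']} of {hit['size']} bytes")
```

This only catches a raw executable dropped in via Packager, which is what the detections on this sample describe; it says nothing about exploit documents or payloads hidden inside an archive, and a real gateway would also want to surface the embedded filename so the double-click lure (the absurdly long .exe name above) is visible to whoever triages the alert.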

AV-Test Bakeoff

PC Mag has an article with the results of the latest av-test.org Antivirus bakeoff.
I’m kind of surprised Symantec did so well. It seems like just a few years ago they were days behind other vendors in releasing updates. They even beat McAfee, which had only an 87.28% detection rate.

Firefox 1.5.x EoL

http://www.mozilla.com/en-US/firefox/all.html

“Firefox 1.5: This version of Firefox will be supported until mid-May, 2007 with security and stability updates. We strongly encourage all users to upgrade to Firefox 2.”

The “check for updates” feature of Firefox at this time does not suggest upgrading to Firefox 2. I don’t know if that is something that will change later or not. Currently, at my company most of the users with Firefox are running 1.5. They tend to not use it at all, so they don’t upgrade until someone tells them to.

Adobe 8.1 announced

Adobe has announced that Adobe Reader 8.1 will be released the week of June 4th. So if you’ve got your finger on the ‘deploy’ button ready to go with 8.0 you may just want to hold on for a second.
I’m trying to get 7.0.9 out this week. The question is whether 8.1 will contain any security fixes and whether those fixes will be ported to 7.0.x if needed.

Delf.aki

The HTTP gateway detected the Delf.aki virus in a file, profilewatcher_setup.exe, which one of my users tried to download. Just for kicks I uploaded it to the VirusTotal site, and here’s the result.
File size: 985897 bytes
MD5: 837c3036adf45c11a45c8a2f356c060e
SHA1: ef7311d94a80962d886befefb6bc08f03941f3e4
packers: BINARYRES
Antivirus          Version          Update      Result
AhnLab-V3          2007.5.21.1      05.22.2007  no virus found
AntiVir            7.4.0.27         05.22.2007  DR/Delf.aki
Authentium         4.93.8           05.23.2007  no virus found
Avast              4.7.997.0        05.22.2007  no virus found
AVG                7.5.0.467        05.22.2007  no virus found
BitDefender        7.2              05.23.2007  no virus found
CAT-QuickHeal      9.00             05.22.2007  no virus found
ClamAV             devel-20070416   05.23.2007  no virus found
DrWeb              4.33             05.22.2007  no virus found
eSafe              7.0.15.0         05.21.2007  Win32.Delf.aki
eTrust-Vet         30.7.3654        05.23.2007  no virus found
Ewido              4.0              05.22.2007  no virus found
FileAdvisor        1                05.23.2007  no virus found
Fortinet           2.85.0.0         05.22.2007  W32/Delf.AKI!tr.bdr
F-Prot             4.3.2.48         05.22.2007  no virus found
F-Secure           6.70.13030.0     05.23.2007  Backdoor.Win32.Delf.aki
Ikarus             T3.1.1.8         05.22.2007  Backdoor.Win32.Delf.aki
Kaspersky          4.0.2.24         05.23.2007  Backdoor.Win32.Delf.aki
McAfee             5036             05.22.2007  no virus found
Microsoft          1.2503           05.22.2007  no virus found
NOD32v2            2285             05.22.2007  no virus found
Norman             5.80.02          05.22.2007  no virus found
Panda              9.0.0.4          05.22.2007  no virus found
Prevx1             V2               05.23.2007  no virus found
Sophos             4.17.0           05.21.2007  no virus found
Sunbelt            2.2.907.0        05.17.2007  no virus found
Symantec           10               05.23.2007  no virus found
TheHacker          6.1.6.120        05.21.2007  no virus found
VBA32              3.12.0           05.22.2007  Backdoor.Win32.Delf.aki
VirusBuster        4.3.23:9         05.22.2007  no virus found
Webwasher-Gateway  6.0.1            05.22.2007  Trojan.Delf.aki
Eight of the 31 engines flagged it. As Steve Spurrier would say while coaching the Redskins, “6 and 10, not too good.” VirusTotal will pass this file on to the vendors who didn’t detect it and they’ll “coach ‘em up.”

Test Domains and the Lanman Hash

I had an interesting thought this week: “Did we disable LAN Manager hash storage on the test domains?” This is an important consideration. We use software to synchronize passwords from the production domain to the test domain for people in the I.T. department and HR, so a test domain that still stores LM hashes would expose production passwords.
I looked at the primary test domain and found that we had indeed disabled the LM hash.
On the other test domain, I found that we hadn’t disabled LM hash storage. I was able to use my rainbow tables, and in a couple of hours I had 100 percent of the passwords. About 40 of those passwords were synced over from the production domain, so I was able to obtain the production passwords for the lead SA, my manager and the director.
So, the lesson learned here is to apply your hardening guide to your test domains too. Keep in mind that the “Do not store LAN Manager hash value on next password change” setting (NoLMHash) does exactly what its name says: it stops new LM hashes from being written, but hashes already in the directory stay there until each account’s password is changed again. The LM hash is what makes the rainbow-table attack cheap, since the password is upper-cased and split into two independent 7-character DES halves, and a password of 7 characters or fewer leaves the second half as a fixed constant.
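Because the registry setting does not clear hashes that are already stored, the check that actually answers “did we disable it?” is the dump itself. Below is an added example (my own code, not the original post’s tooling) that reads a pwdump-style dump of a test domain and reports which accounts still carry an LM hash and which of those are the cheap, single-half cases. It assumes the classic pwdump line format user:rid:lmhash:nthash:::; the sample dump is constructed for this example and the only real values in it are the well-known hashes of an empty password (aad3b435b51404ee per LM half, 31d6cfe0d16ae931b73c59d7e0c089c0 for NT).

```python
"""Added example: audit a pwdump-style dump for accounts that still store an LM hash."""
from __future__ import annotations

# LM hash of an empty 7-byte half; the full LM hash of a blank password is two of these.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
# NT hash of the empty string.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump (not real accounts). Apart from the blank-password
# constants above, the hash values are illustrative only.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jdoe:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_sync:1106:5b4a7ad6ee3a3ee1aad3b435b51404ee:2b2ac2d1c7c8fda6cea80b5fad7563aa:::
mgr:1107:aad3b435b51404eeaad3b435b51404ee:e0fba38268d0ec66ef1cb452d5885e53:::
"""


def parse_pwdump(text: str) -> list[dict]:
    """Parse pwdump lines into dicts; blank lines and '#' comments are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length for account {user!r}")
        accounts.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return accounts


def classify(acct: dict) -> str:
    """Classify one account by what its LM field reveals:
      blank     both hashes are the blank-password constants
      no-lm     no LM hash stored (NoLMHash in effect, or password longer than 14 chars)
      lm-short  LM hash present and password is 7 chars or fewer: one DES half to crack
      lm-full   LM hash present, password 8 to 14 chars: two independent halves
    """
    lm, nt = acct["lm"], acct["nt"]
    if lm == EMPTY_LM and nt == EMPTY_NT:
        return "blank"
    if lm == EMPTY_LM:
        return "no-lm"
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-short"
    return "lm-full"


def audit(text: str) -> dict[str, list[str]]:
    """Group account names by classification, in a fixed category order."""
    report: dict[str, list[str]] = {"blank": [], "no-lm": [], "lm-short": [], "lm-full": []}
    for acct in parse_pwdump(text):
        report[classify(acct)].append(acct["user"])
    return report


if __name__ == "__main__":
    for category, users in audit(SAMPLE_DUMP).items():
        print(f"{category:9s} {', '.join(users) or '-'}")
```

Anything in lm-short or lm-full on a domain that receives synchronized production passwords is a production password waiting to be cracked; the fix is to set NoLMHash on the test domain before the next sync and then force a password change (or re-sync) for every account the audit lists, re-running the audit afterwards to confirm the LM column is empty.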

RPC over HTTPS and SecurID

One of my “white whales” has been the ability to perform RPC over HTTPS. I think this would be great for the mobile workforce. It allows a remote user to open Outlook and connect directly to Exchange without launching a VPN client. The problem is that any reasonable employer requires strong authentication for all remote access; username and password alone exposes the corporation too much. Ever since RPC over HTTP was announced, I’ve asked for the ability to use SecurID with it. Unfortunately, what I found was that this would involve multiple design changes across ISA, Exchange and Outlook. It didn’t make it into Exchange 2007, ISA 2006 or Outlook 2007. If you’re interested in this sort of solution, please contact your Microsoft TAM and let them know.
I ran across a blog entry by Stefaan Pouseele that examines this issue more closely. He concludes that Outlook uses Basic authentication and that ISA can’t perform RADIUS authentication on top of Basic authentication. Further, Outlook RPC over HTTPS isn’t designed for a two-credential logon (SecurID followed by AD, as happens with the normal HTTPS logon).
For now this remains a nice dream.