Archive for October 2008

Metasploit exploit for MS08-067

An exploit for MS08-067 is now available for Metasploit.
While up to now exploitation of MS08-067 has been considered minor, this does lower the bar somewhat.

VLC media player security update

Bad timing here: I just got the people at work who have installed VLC media player to update to 0.9.4. So of course they have released Security Advisory 0809.
The fix isn’t out quite yet, but if you use it, keep an eye out for the update.

Lunker

I’ve been looking forward to the release of Lunker, a spear phishing toolkit for pentesters. It was originally reported to be part of the OWASP live CD due out this month. We just don’t have the budget for PhishMe (although it is cheap).
Unfortunately, according to a comment on this post over at hackyourself.net, they are getting a case of conscience: “It’s too ripe for exploitation”. So they are going to take a couple of months to make it less ready to go. The rationale is that with Metasploit anyone can patch and protect themselves from that. You can’t patch the users against social engineering.

MS08-067 Unscheduled Security Update

Microsoft does not normally release a security update outside the regular patch Tuesday. That they have chosen to push out this update indicates that it should be taken seriously.

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

“This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests.”

Home systems should really be set to install patches automatically.
At work, the processes to deploy patches are hopefully well defined.
So there is really no point in running around in a panic; it’s just not that interesting. Potential for a new Blaster just doesn’t equal a new Blaster. People are much more likely to have established patching programs and have personal firewalls in place. So get patching, but no need to freak out.

Vishing

I’ve noticed that the number of vishing attempts reported at work has been on the rise. Vishing, like phishing, is a socially engineered attempt to get your financial information. Unlike phishing, rather than luring you to a website, it lures you to a phone number. This could fool some people who are aware of the danger of phishing websites but unaware of how easy it is to set up a number to collect financial info. When calling your financial institutions, only trust the number on the back of your card and the number on the bill.
Here is the text of the vish:

In our terms and conditions you have agreed to state that your account must always be under your control or those you designate at all times. We have noticed some activity related to your account that indicates that other parties may have tried gaining access or control of your information in your account.
Therefore, to prevent unauthorized access to your Old Point National Bank Internet Banking account, you are limited to five failed login attempts in a 24-hour period. You have exceeded this number of attempts.*
To reactivate your debit card, please call: +1(xxx-xxx-xxxx)

Disable Wireless when Wired Connected

This week Steve Riley of Microsoft wrote that “customers have asked for a way to configure a computer to automatically disable the wireless NIC when Ethernet is in use.” Nevertheless this will not be a feature in Windows 7, the next version of Windows.
Steve writes that this is only a security issue if the user is logged on as administrator and the two networks are routed. Since Windows connection bridging isn’t on by default, this is not an issue in his opinion. Of course no one would ever log on as an administrator.
When users are connected to both wired and wireless network, the user can experience network problems.
When computers are constantly looking for ad hoc connections (or alerting you to connection opportunities) it just doesn’t give you that strong secure feeling, no matter what Steve says.
I will admit that absent a knowledgeable attacker a context aware personal firewall can effectively stop attacks of this sort.
Based on another blog post of Steve’s I’m wondering if he’s switched sides and now believes in “default allow, but secure it.” I still believe in least privilege. Can anything good come from allowing wireless connections when Ethernet connected? I don’t think so. Can anything bad occur when you disable wireless when Ethernet connected? There are some unforeseen consequences. Users with VMware look like they are Ethernet connected all the time unless they bridge the VMware adapters. Also it adds a bit of complexity. But that is a small price to pay.
I find it nice not to have the media writing articles because our computers connected to the fake AP they set up in the parking lot.
I’ve always said that with a context aware personal firewall, in many cases a more restrictive firewall mode will go into place when the non-corporate network connection is detected. But does that mean in a perfect world I don’t care that both connections are on? Heck no.

Mozy online Backup

I’ve written before about Mozy the online remote backup solution.
Through the end of October, if you sign up and begin using Mozy backup, we both get an extra 512 MB of backup space (this is normally 256 MB).
Your account has 2 GB of backup space for free. This is an easy way to get a bit more. The software is relatively easy to use. Give it a shot so that later you aren’t crying about your lost data.

Secunia Internet Security Suite Test October 2008

Symantec Internet Security 2009 detected nearly 10 times the exploits when compared to other security suites in a recent Secunia test.
Full results here.
Secunia’s related blog post.
I can’t wait for the vendors and bloggers to kick up a dust storm about why Secunia’s methodology, assumptions and testing are wrong. This being the Internet that should be starting shortly. :)
At least Secunia can’t be attacked as easily as Consumer Reports.
The larger point is that even the best detected less than 25%. So stay patched, and don’t get socially engineered into manually installing the malware.

WiFi Security – Not Dead Yet

Elcomsoft put out a press release about a new version of their password recovery software that cracks WPA/WPA2. I thought even this was old news. I thought I read months ago that Elcomsoft was doing that. Must have been the beta version.
What’s going on here is not a huge leap forward. This is merely cracking pre-shared keys as cowpatty has done for years. This just makes it faster.
If you’re already following standard security practice, nothing needs to change. Don’t use WPA-PSK to protect access to a corporate network. At home, you probably are not running FreeRADIUS and are stuck with WPA-PSK. Use long and complex keys, and change them periodically.
Robert Graham has a nice debunking blog entry.
GPUs make password bruteforcing easier. However as I’ve found in bruteforcing domain passwords, using a strong password is still a good defense.
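To put numbers on the argument that a long, complex pre-shared key is the defense, here is an added example (not from the original post) that derives the WPA PMK exactly the way a client or access point does and estimates the worst-case time to exhaust a passphrase policy; the CPU and GPU derivation rates are constructed assumptions for illustration, not benchmarks.

```python
import hashlib

# WPA/WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 iterations (IEEE 802.11i).
# A dictionary or brute-force attack on a captured handshake must repeat this
# derivation for every candidate, so the attack speed is bounded by PMK/s.
WPA_ITERATIONS = 4096
PMK_LEN = 32  # bytes


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA-PSK PMK as any compliant client or AP does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               WPA_ITERATIONS, PMK_LEN)


def seconds_to_exhaust(length: int, charset_size: int, rate_per_sec: float) -> float:
    """Worst-case seconds to try every passphrase of `length` characters drawn
    from an alphabet of `charset_size`, at `rate_per_sec` PMK derivations/s."""
    return charset_size ** length / rate_per_sec


def report(rate_per_sec: float) -> dict:
    """Years to exhaust several passphrase policies at a given derivation rate."""
    seconds_per_year = 365 * 24 * 3600
    policies = {
        "8 lowercase letters": (8, 26),
        "8 mixed-case + digits": (8, 62),
        "12 mixed-case + digits": (12, 62),
        "20 mixed-case + digits + symbols": (20, 95),
    }
    return {name: seconds_to_exhaust(n, cs, rate_per_sec) / seconds_per_year
            for name, (n, cs) in policies.items()}


if __name__ == "__main__":
    # Published test vector from IEEE 802.11i Annex H.4: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Constructed assumption: a CPU doing 1,000 PMK/s versus a GPU doing 100,000 PMK/s
    for label, rate in (("CPU", 1_000), ("GPU", 100_000)):
        print(f"--- {label}: {rate:,} PMK/s ---")
        for policy, years in report(rate).items():
            print(f"{policy:34s} {years:.3g} years")
```

A 100x faster cracker only shaves two decimal places off the exponent, which is why adding characters to the passphrase matters far more than the attacker's hardware.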

The Internet is not Private

We’ve all seen the stories about the intern busted by Facebook. We laughed at it, but did we stop to consider how traceable what we post on forums and blogs is?
A recent incident on a forum where I’m a member has caused people to question their openness in an Internet community. In the incident that sparked this post, an individual made the mistake of using their real name as a screen name and posted personal information (home town and what type of business they are in – real estate). They then often said derogatory things about their manager and co-workers.
It became a simple matter for someone to find the company they work for. It took one Google query for first name, last name, state and “real estate”. Real estate offices tend to list everyone working in an office along with posting pictures, job title and contact information. It was all too easy for someone to track down her boss and share the “private” discourse. Or it could have happened the other way: people in her office learned of the discussion forum and found the thread.
So what do you do about this? I guess the first thing is not to say things in private that you haven’t said to someone’s face first. While there is something to be said for blowing off steam, doing so online in a large forum is more likely to get you in trouble than talking to your friends at the bar after work.
I would tend to use a screen name and try to avoid connecting it with your real name. That becomes very hard though. People can and do screw that up.