Roger's Information Security Blog

AV-Comparatives Performance Test

Fri, 21 Nov 2008 19:17:42 -0500

AV-Comparatives has released a test report comparing antivirus performance during boot, file copy and file compression.

To access the report, go to av-comparatives.org, click on Comparatives, and scroll down to the Performance Test report.

I'm always disappointed that the tests focus on consumer products (although Sophos is included. I'm more interested in Symantec Endpoint Protection than Symantec Antivirus 2009. I care more about McAfee Total Protection Suite than McAfee Antivirus.

EFS and SEP11

Fri, 21 Nov 2008 09:10:42 -0500

Occasionally when I try to open EFS encrypted text files on my Windows XP PC, the files are not decrypted and appear to be corrupt. If I reboot, I'm able to access the files again. These occurrences began when I installed Symantec Endpoint Protection 11 MR2.

A review of the Symantec Forums and Knowledgebase isn't particularly helpful. MR4 is rumored to be coming out in December, maybe that will help. Fortunately the problem is rare. I haven't had a user reported yet, though I've seen this a couple of times myself.

SEP11 and CPU usage on Virtual Machines

Mon, 17 Nov 2008 16:09:23 -0500

Since deploying Symantec Endpoint Protection (SEP) 11 MR2 MP1, I've been fielding complaints from the System Administrator that the virtual machines are running 20-30% higher in total CPU usage than before the upgrade. He that SMC.exe a SEP11 process is the culprit. SMC.exe is the process for administrative communication. So it seems odd that it would be constantly using so much CPU.

I first checked the Symantec Forums (forums.symantec.com) and found some people with the same problem but no solutions.
First I found an old problem. It seems that in the initial release when no user is logged in SMC.exe would average 50% of the CPU. Its my guess that this is only partially fixed. It looks to me like with MR2, when a user is logged in CPU usage for SMC.exe is 0-10% and with no user logged in it is 10-20%. The SA doesn't agree with my assessment due to some spikes in SMC, but I think those spikes are explainable by definition downloads or spikes right after logging in.

People in the forums also suggested turning things off. The problem is most of those things are already off in my environment. I don't believe in tamper protection. Proactive Threat Protection shouldn't be installed on servers either. I did turn off location awareness which I wasn't using anyway, and the application monitoring. I also changed the communications from push to pull and from every 5 minutes to every 60 minutes.

Nothing I changed helped. I even tried upgrading a server to MR3 to see if that would help.

Having done all I could I opened a case with Symantec. At this point, the case has been open over a week. I've gathered logs for them, but there hasn't been a resolution yet.

Adobe Air Bundles Vulnerable Flash

Sun, 16 Nov 2008 20:32:40 -0500

Secunia Personal Software Inspector reported a vulnerable version of Adobe Flash on my home computer.

It detected C:\Program Files\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll as version 9.0.124. Security bulletin APSB08-20 reports this is a vulnerable version.

I installed Adobe Reader 9 last week. I guess I forgot to get the AIR free version from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.0/enu/AdbeRdr90_en_US_Std.exe. AIR it seems has an old version of Flash, I'm not quite sure how to upgrade that. Since I didn't want AIR in the first place I'm uninstalling it.

update 11/17/2008
Adobe has now updated AIR

Firefox/Seamonkey/Thunderbird Vulnerabilities

Thu, 13 Nov 2008 20:31:03 -0500

Patches are out for Firefox, Seamonkey and Thunderbird to resolve vulnerabilities that would allow credential theft, information disclosure, and arbitrary code execution

These issues are present in:

Firefox 3.0.3 and prior
Firefox 2.0.0.17 and prior
Thunderbird: 2.0.0.17 and prior
SeaMonkey 1.1.12 and prior

Google Docs Viagra Spam

Mon, 10 Nov 2008 14:42:30 -0500

I was going through my Cox inbox and found Viagra spam with a link to http://doc.google.com/View?id=dfpqm7ft_0tt6xhdd2.

Its nothing new that spammers have been taking advantage of Google. Its just kind of annoying to me that this message was sent on October 30th, today is November 10th and the linked Viagra Google doc is still up ("consult a physician if the link stays up longer than 4 weeks"). Am I to believe that no one has reported this link to Google?

The paranoid part of me wonders if when I went to the link Google Docs helpfully checked my Google cookie and provided my Google email address to the spammer who previously only had my Cox email. Next time I'm clearing cookies and using a safer browser when following unsafe links. But I digress, the real point here is Google is woefully slow in responding to spam compared to Yahoo. What's up Google? use some of that 20 percent time to stop hosting spammers.

Adobe Exploit in the wild

Fri, 07 Nov 2008 23:07:07 -0500

Exploit code has been seen in the wild for the vulnerability patched by version 8.1.3 for Adobe Reader and Acrobat.

http://www.us-cert.gov/current/index.html#adobe_reader_exploit_circulating
https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&thread.id=176
http://feeds.feedburner.com/~r/zdnet/security/~3/445697063/
http://isc.sans.org/diary.php?storyid=5312&rss

Adobe Acrobat and Reader 8 Security Updates

Tue, 04 Nov 2008 13:45:22 -0500

Adobe has released 8.1.3 to resolve multiple security issues in Adobe Acrobat and Reader 8.1.2 and earlier.
LINK

W32.Kernelbot.A

Mon, 03 Nov 2008 23:17:31 -0500

Symantec Virus Definitions
- --------------------------
LiveUpdate Plus: 11/03/08 v.025
LiveUpdate Daily: 11/03/08 v.025
LiveUpdate Weekly: 11/05/08
Intelligent Updater: 11/03/08 v.021

Summary
- -------
W32.Kernelbot.A is a worm that spreads by exploiting the MS08-067 vulnerability
and through file sharing networks. It may also download files on to the compromised computer.

References
- ----------
Sophos W32.Kernelbot.A
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99

The Doors

Mon, 03 Nov 2008 21:21:07 -0500

At work the doors at the elevator lobby on each floor (other than the first and the cellar) started being propped open. I never saw any official notice that this was an authorized action rather than a rogue one. Scuttlebutt around the office was that someone had put in a suggestion to have the doors propped open. The doors were propped each morning and then unpropped at night (our floor doors are only alarmed at night).

The suggestion box. A method whereby a person can take a few minutes to write an anonymous bag of excrement, light it on fire, ring the doorbell and run away without consequence. Better yet, the suggestion box goes to the CEO, so the victims of the suggestion have to spend hours coming up with a reason why the suggestion sucks and they risk appearing resistive to change.

No one could quite agree on the reason for the doors being propped open. I believe the real suggestion was "the doors are heavy and when I'm carrying a laptop its difficult to open the door." The other theories were funny but for whatever reason, I found myself very annoyed that the elevator bell could now be heard clearly from my office. The loud cell phone talkers who once gathered in the elevator lobby, now disturbed my work as well.

I had my own list of reasons the elevator door should not be propped open. I never bothered to put in my own suggestion that the elevator lobby doors shouldn't be propped. Instead I just waited for the next inspection by fire marshall and let him do the dirty work. The doors are no longer propped.

Metasploit exploit for MS08-067

Wed, 29 Oct 2008 12:19:01 -0500

An exploit for MS08-067 is now available for Metasploit.

While up to now, exploitation of MS08-06 has been considered minor this does lower the bar somewhat.

VLC media player security update

Fri, 24 Oct 2008 14:46:53 -0500

Bad timing here, I just got the people at work who have installed VLC media player to update to 0.9.4. So of course they have released Security Advisory 0809

The fix isn't out quite yet, but if you use it, keep an eye out for the update.

Lunker

Fri, 24 Oct 2008 14:39:30 -0500

I've been looking forward to the release of Lunker, a spear Phishing toolkit for pentesters. It was originally reported to be part of the OWASP live CD due out this month. We just dont have the budget for phishme (although it is cheap).

Unfortunately according to a comment on this post over at hackyourself.net they are getting a case of the conscience. "Its too ripe for exploitation". So they are going to take a couple months to make it less ready to go. The rationale is that with metasploit anyone can patch and protect themselves from that. You can't patch the users against social engineering.

MS08-067 Unscheduled Security Update

Thu, 23 Oct 2008 13:51:55 -0500

Microsoft does not normally release a security update outside the regular patch Tuesday. That they have chosen to push out this update indicates that it should be taken seriously.

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

"This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests."

Home systems should really be set to install patches automatically.
At work, the processes to deploy patches are hopefully well defined.
So there is really no point in running around in a panic, its just not that interesting. Potential for a new blaster just doesn't equal a new blaster. People are much more likely to have established patching programs and have personal firewalls in place. So get patching, but no need to freak out.

Vishing

Tue, 21 Oct 2008 20:06:40 -0500

I've noticed that the number of vishing attempts reported at work has been on the rise. Vishing like phishing is a socially engineered attempt to get your financial information. Unlike phishing rather than luring you to a website, it lures you to a phone number. This could fool some people who are aware of the danger of phishing websites but unaware that of the ease of setting up a number to collect financial info. When calling your financial institutions only trust the number on the back of your card and the number on the bill.

Here is the text of the vish:

In our terms and contidions you have agreed to state that your account must always be under your control or those you designate at all times. We have noticed some activity related to your account that indicates that order parties may have tried gaining access or control of your information in your account.

Therefore, to prevent unauthorized access to your Old Point National Bank Internet Banking account,you are limited to five failed login attempts in a 24-hour period. You have exceeded this number of attempts.*

To reactivate your debit card , please call: +1(xxx-xxx-xxxx)