Posts tagged ‘WMF’

Drudge, “Crisis of Confidence in Vista”

Matt Drudge should stick to what he does best: linking to other people reporting news and repeating rumors that reputable newspapers can’t publish without confirmation.
Where is the source for the information he posted today?

MSFT facing early crisis of confidence in quality of VISTA; security researchers, hackers find potentially serious flaws in system… Developing…

It is rather typical for anti-Microsoft people to talk down new Microsoft releases while at the same time claiming that Microsoft has promised them to be bug free. Can we settle this now? Microsoft Vista will have better security than XP, just as XP had better security than 2000 and 2000 was better than NT4. Does better mean bulletproof? There is no such animal.
What security flaws are in the news that would lead to this supposed “crisis of confidence”?
Is it the Windows Client/Server Runtime Server Subsystem (CSRSS) privilege escalation vulnerability? Reported here. A privilege escalation vulnerability means that a logged-on user can gain higher rights than those already assigned. This is bad, but it’s not like a WMF vulnerability or a Blaster vulnerability. The way most people currently use a computer, where everyone runs as admin, this attack would not even be needed.
The metric for evaluating Vista isn’t when the first vulnerability is publicly announced. Vista will be evaluated based on the number of patches it doesn’t need that XP SP2 does. It will be evaluated on the number of patches in the first year, not the first month. It will be evaluated based on the severity of the patches.
Let’s look at history: the other products developed under the security lifecycle have done great. Matt Drudge, don’t hype vulnerabilities that you don’t understand.
Update: Drudge now has a link to a New York Times article.

Holy Cow, Sunbelt Doesn’t Pile on MS

It’s posts like this that keep Sunbelt on the list of blogs I read regularly. In the post they explain why a recent security writer’s claim that “IE7 is still the spyware writer’s dream” is actually hype.
The vulnerability is that if the bad guy has write access to your computer, he can get a DLL run by IE7 because they are not requiring FQDNs to load a DLL. While this might make it tougher to clean your computer, the bad guy must already have infected your computer to have write access. This is not like the WMF exploit or all the bad ActiveX controls that were in previous IE versions.

Yet Another Zero Day: Vulnerability in Vector Markup Language

Microsoft is reporting that there is a zero day in Vector Markup Language. This vulnerability can be exploited to install software (such as spyware) without your knowledge when you visit a website in IE or open an email in Outlook.
Currently there are some workarounds, and Microsoft is planning on releasing a patch on Patch Tuesday in October. If you implement the workarounds, websites that use Vector Markup Language will no longer work correctly. I have not seen any reports of just how bad that would be.
The mitigation options are to unregister the VML DLL or to change the ACL on that DLL so that the Everyone group is denied access.
Jesper has an example of how to create a security template to deploy this file permission through Group Policy.
The problem with these methods is that you are making a security change that is really weird, and you don’t know how it will affect the patching process when an official patch is released. With the WMF patch, the people who disabled this needed to re-enable it in order to apply the patch, IIRC. While that may be easy on an individual computer, it is kind of worrisome for an enterprise.
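As an added example (not from the original post, Jesper’s template, or Microsoft’s advisory text), here is a batch script that applies both workarounds described above on a single machine and, just as importantly, undoes them so the official patch can be applied. The DLL path (vgx.dll under Common Files) and the use of regsvr32 and cacls are assumptions about how the workaround was typically applied; check the path on your own build.

```batch
@echo off
REM Added example: apply or undo the VML workaround on one machine (run as an administrator).
REM Usage:  vml_workaround.cmd apply     or     vml_workaround.cmd undo
REM Assumed location of the VML renderer; adjust if it differs on your build.
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

if /I "%~1"=="apply" goto apply
if /I "%~1"=="undo" goto undo
echo Usage: %~nx0 apply ^| undo
exit /b 1

:apply
if not exist "%VGX%" (echo "%VGX%" not found & exit /b 1)
REM Workaround 1: unregister the COM server so IE and Outlook can no longer load it.
REM This must run before the ACL change, since regsvr32 needs to read the file.
regsvr32 -u -s "%VGX%"
REM Workaround 2: add an explicit deny-all entry for Everyone (N) without touching other ACEs.
echo y| cacls "%VGX%" /E /P everyone:N
echo VML workaround applied. Record this host: the change must be undone before patching.
exit /b 0

:undo
REM Remove the Everyone deny entry first, otherwise regsvr32 cannot read the file.
echo y| cacls "%VGX%" /E /R everyone
regsvr32 -s "%VGX%"
echo VML workaround removed; the official patch can now be installed.
exit /b 0
```

Keeping a list of hosts where the script ran in apply mode is what makes the enterprise rollback tractable when the patch ships.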

More Invision Power Board Vulnerabilities

Six Apart’s free support bulletin board for Movable Type has been offline for maintenance since this past weekend. I just saw why on Bugtraq. It looks like there is another SQL injection exploit in Invision Power Board that will grant an attacker admin access. This vulnerability is in versions prior to 2.1.7. Hopefully they’ll get patched and back online soon.
Back in May, I wrote about how that forum was exploited and modified to serve up WMF exploits. At that time I let the SANS ISC know about it. So it was pretty funny in June when a Circuit City IPB forum was hacked and it made the tech news. According to MSN Search there are still a lot of boards running Invision Power Board 2.1.6. A lot of them are hobby websites that will likely learn the hard way about keeping up with security patches.

Circuit City Discussion Board 0wned

I posted here and here on May 20th regarding exploitation of the Invision Power Board bulletin board used in Movable Type’s support forum, such that the BB would serve up WMF exploits via IFRAME.
I even submitted the incident along with links to the Secunia writeup to SANS, and it was published in the ISC on May 21st.
Looks like whoever is running the Circuit City Home Theatre Discussion Boards didn’t get the message. According to CNET they were 0wned in the same fashion. I think it is interesting to note that unlike Movable Type, Circuit City is notifying the registered users of that board. On the other hand, Circuit City apparently didn’t find out about the event until notified by the SANS ISC.
The WMF exploit came out at the beginning of January. So people really should be patched and, on top of that, have antivirus. Imagine if they’d been using a newer exploit.

Six Apart Forums WMF exploit

This is a follow-on post on the exploitation of the Invision forum used by Six Apart for its free Movable Type support.
The code that is serving up the WMF exploits is in an IFRAME using an obfuscated URL. Using a URL deobfuscator over at IPTools.com, I found that the iframe is calling http://traffnew1.biz/dl/adv670.php (danger, Will Robinson, danger), which I believe is hosted in Russia. Their DNS server is on the same IP block.
If you are running Internet Explorer when you go to that website, you get exploited.
Spoofing IE6 on XP SP2, I get an obfuscated script. Not sure how to detangle that.
Gamedaily.com was hit by this bad guy on May 8th. They were also running Invision, so this has been going on for a while.
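The post above describes finding an injected IFRAME whose URL had been obfuscated so that a casual look at the forum’s HTML would not reveal where it pointed. As an added example (not the author’s tool, and not the IPTools.com deobfuscator), the Python below does the same job offline for a site owner checking their own pages: it collects every IFRAME, strips layered percent-encoding, rewrites a dword-style host as a dotted IP, and flags zero-sized frames. The sample HTML and the 192.168.1.1 target are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample page, not the real forum: a zero-sized IFRAME whose host is percent-encoded on top of a dword IP, plus a normal visible one.
SAMPLE_HTML = """<html><body><h1>Support Forum</h1>
<iframe src="http://%33%32%33%32%32%33%35%37%37%37/dl/adv.php" width="0" height="0"></iframe>
<iframe src="http://help.example.invalid/faq" width="600" height="400"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def decode_host(host):
    """Rewrite a dword host such as 3232235777 as dotted decimal; leave anything else alone."""
    if host.isdigit() and int(host) < 2 ** 32:
        n = int(host)
        return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return host

def deobfuscate_url(url):
    """Strip layered percent-encoding and normalise a dword host (port/userinfo dropped if so)."""
    prev = None
    while url != prev:                       # keep unquoting until the string stops changing
        prev, url = url, unquote(url)
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = decode_host(host)
    return parts._replace(netloc=decoded).geturl() if decoded != host else url

def is_hidden(attrs):
    """Zero-sized frames are the signature of an injected drive-by IFRAME."""
    return all(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))

def scan_iframes(html):
    """Return one record per IFRAME: raw src, decoded src, and whether it looks injected."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for a in collector.iframes:
        raw = a.get("src", "")
        decoded = deobfuscate_url(raw)
        findings.append({"raw_src": raw, "decoded_src": decoded,
                         "suspicious": is_hidden(a) or decoded != raw})
    return findings
```

The decoded host is what you would hand to a blocklist or compare against your own domains; the raw value is what you would grep for across the rest of the site to find every injected page.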

Invision Board Vuln

While watching a little NASCAR this evening and IMing with friends, I decided to check out the Movable Type Support Forum. Movable Type is the blog software I use over at infosecblog.org.
The second I browsed to http://www.sixapart.com/movabletype/forums/index.php I noticed an odd script prompt:
Next I got virus alert popups from Symantec Antivirus telling me I had WMF exploits in my temp files!
It looks like Six Apart (the company that makes Movable Type) is using Invision Power Board version 2.0.4. A major vulnerability in this version was announced a few days ago.
Moral of the story, if you haven’t learned it already: 1) patch your system; 2) keep your antivirus up to date; 3) even when you aren’t surfing the seedy underbelly of the web, you can get exploits thrown at you.
I’ve sent an alert to the ISC as well as to the webmaster at Six Apart.

The FUD Olympics

Thomas C. Greene has an article in The Register on Steve Gibson’s WMF conspiracy theory. I love it.

WMF Exploits, on a webserver near you

One of the things I neglected to mention in the previous post is that by exploiting these sites, WMF exploits are served up by sites you may trust and go to every day. They may be your friend’s site, or the site of a small business.
Getting infected via a WMF exploit isn’t a matter of visiting hacker or porn sites; it’s something that can happen very easily if you haven’t patched.

Shmoocon: Network Policy enforcement

Steve Manzuik, Toby Madhat, and Chris Farrow presented a Birds of a Feather titled “Network Policy Enforcement / Network Quarantine: Latest Security Gimmick or Good Idea.”
NAC controls access to the network until the computer is brought into compliance. A lot of users go around the country plugging into any port available. What happens when they get back home? While they may get a cycle of penicillin, their computer gets attached to the network, spreading anything the computer may have picked up.
You can have a lot of problems with NAC if you apply it foolishly. A company with 5-6 thousand users had NAC implemented. On Friday they configured NAC to require the WMF patch. When Monday came, they had 3 thousand computers that couldn’t access the network. (Does NAC have remediation? With a system with remediation, I don’t see how this is a bad thing, as long as management was on board that this was a critical requirement and had also been made to understand what would happen.)
There are three types of network enforcement. The client could isolate itself using a personal firewall. The switch could isolate bad clients. Or an appliance could be added in-line to the network to provide enforcement.
One of the key problems with Network Policy Enforcement is handling heterogeneous environments. Can you deal with Mac and Linux? Second, how do you interrogate the clients? Is it only a network vulnerability scan like Nessus, or is there a client agent? If you don’t trust the computer, how can you trust the answer it gives to the agent? Someone could go to a lot of trouble to fool the agent. Or they could just write their own agent to give answers to the device, assuming the protocols are that insecure.
In their experience it takes a huge amount of manpower and money. Some things just don’t scale well, and Network Policy Enforcement may never work on large 10k+ implementations.