Symantec Recommends Not Using PcAnywhere

Reuters reports that Symantec has taken the rare step of advising customers not to use one of its mainstay products, saying that remote control software product pcAnywhere is at increased risk of getting hacked after details and code were stolen.  Symantec is asking customers to temporarily stop using the product, until it releases an update to the software that will mitigate the risk of an attack.  PcAnywhere is also bundled with other titles, like Symantec’s Altiris line of software for managing corporate PCs.

This is a serious step, and I applaud Symantec for coming clean on the risks of this powerful and popular product.  Most vendors would simply warn users of increased risk and provide workaround and mitigation steps that may or may not be implementable or effective.  I hope that Symantec can release new code quickly, and overcome this unfortunate problem.

New Exploits Released For SCADA Systems

Wired reports a group of researchers have discovered serious security holes in 6 of the top industrial control systems used in critical infrastructure and manufacturing facilities.  They have also made it easier for hackers to attack systems before they can be patched or otherwise remediated.  They’ve packaged up the exploits in nice little modules for the MetaSploit tool so that any script-kiddie or organized crime team can just point and click.

The vulnerabilities exist in programmable logic controllers made by GE, Rockwell, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.  Apparently, the SCADA vendors were not quick enough for the researchers’ liking to acknowledge the vulnerabilities or release patches.  PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power and chemical plants, gas pipelines, nuclear, and manufacturing facilities.

The various vulnerabilities provide backdoors, as well as authentication and encryption by-passes that could allow attackers to gain access to systems, and the ability to send malicious commands in order to crash, halt, and interfere with specific critical processes, such as the opening and closing of valves.

Nice…  Time to examine your SCADA environments and mitigate these vulnerabilities ASAP, and start elevated monitoring.  I don’t believe that this is the way to move vendors forward, but that is just me I suppose.  What do I know?  I wonder if there are any good litigation lawyers out there that might want to monitor the exploitation of some critical infrastructure and take action against those who provide such tools to the masses when harm is done to the public?

ASP.NET Attack Code Published

Well, that didn’t take long, did it?  Aren’t you glad you took the advice of so many security bloggers and patched December’s out-of-cycle Microsoft ASP.NET Web development platform vulnerability?

Exploit code for the recently patched denial-of-service (DoS) vulnerability has been published online, increasing the risk of potential attacks.

Webmasters who maintain ASP.NET Web applications should deploy the patches in Microsoft’s MS11-100 security bulletin immediately if they haven’t already done so.  The patch also addresses other ASP.NET vulnerabilities as well.

Denial of Service Vulnerability in ASP.NET

Detailed information has been published describing a new method to exploit hash tables, known as hash collision attacks.  These attacks are not specific to Microsoft technologies and affect other web service software providers as well.  This particular vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages.

Sites that only serve static content or disallow dynamic content types are not vulnerable.  The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision.  It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition.

Microsoft is not aware of any active attacks, but detailed information about the attack methodology is available.  Details of a workaround to help protect sites against this vulnerability are provided in this article.  Individual implementations for sites using ASP.NET will vary.  Evaluate the impact of the workaround for applicability to your implementations.
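The mechanism behind this advisory, as an added Python example that is not from Microsoft's bulletin or the article it links: a toy order-insensitive hash shows how form field names that are anagrams of each other all land in one bucket (so each insert and lookup degrades to a linear scan), a keyed hash with a per-process secret spreads the same names out, and a form parser refuses a body with more than a fixed number of fields before any table is built. The cap value, helper names and sample field names are constructed assumptions; the aspnet:MaxHttpCollectionKeys setting mentioned in a comment is the real ASP.NET knob that MS11-100 introduced for the same purpose.

```python
import hashlib
import itertools
import os
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed cap on the number of form fields. ASP.NET after MS11-100 has the
# same idea behind the aspnet:MaxHttpCollectionKeys appSetting; the value here
# is an example, not Microsoft's default. Python's own parse_qsl later grew a
# max_num_fields parameter for the same reason.
MAX_FORM_KEYS = 1000


class TooManyKeys(ValueError):
    pass


def parse_form_post(body: str, max_keys: int = MAX_FORM_KEYS) -> dict:
    """Parse a urlencoded form body, refusing it if it carries more than
    max_keys fields. Counting separators is O(n) and happens before any key
    is hashed, so the cap itself cannot become the slow path."""
    if body.count("&") + 1 > max_keys:
        raise TooManyKeys(f"form carries more than {max_keys} fields")
    return dict(parse_qsl(body, keep_blank_values=True))


def weak_hash(key: str, _secret: bytes = b"") -> int:
    # Toy, order-insensitive hash: every anagram of a key collides with it.
    return sum(ord(c) for c in key)


def keyed_hash(key: str, secret: bytes) -> int:
    # A secret chosen at process start makes bucket placement unpredictable
    # to the client, so it cannot precompute colliding field names.
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def longest_chain(keys, hash_fn, secret: bytes, buckets: int = 64) -> int:
    """Insert keys into a chained table and return the longest bucket chain;
    a chain of len(keys) means every operation degrades to a linear scan."""
    table = defaultdict(list)
    for k in keys:
        table[hash_fn(k, secret) % buckets].append(k)
    return max(len(chain) for chain in table.values())


def anagram_keys(word: str = "abcd") -> list:
    # Constructed sample input: all distinct permutations of one short word.
    return sorted({"".join(p) for p in itertools.permutations(word)})


if __name__ == "__main__":
    keys, secret = anagram_keys(), os.urandom(16)
    print("weak hash, longest chain :", longest_chain(keys, weak_hash, secret))
    print("keyed hash, longest chain:", longest_chain(keys, keyed_hash, secret))
    body = "&".join(f"{k}=1" for k in keys)
    print("fields parsed under default cap:", len(parse_form_post(body)))
```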

Adobe 0-Day Patches Released

There have been reports of two critical vulnerabilities being actively exploited in targeted attacks against Adobe Reader 9.x on Windows.  These vulnerabilities could cause a crash and may allow an attacker to take control of the affected system.

Today’s updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows.  Version X has protected mode available that prevents this type of attack.  Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.

Siemens SCADA Vulnerabilities Disclosed

Security researcher Luigi Auriemma has revealed details and proof of concept code for multiple vulnerabilities in Siemens supervisory control and data acquisition (SCADA) systems, affecting the WinCC and Automation License Manager.  The vulnerabilities reported could allow remote execution of malicious code and cause denial of service interruptions.

Mister Auriemma has a history of not following responsible disclosure procedures, and most likely provided little or no vendor notification and reaction time before going public with his findings.  These vulnerabilities pose a significant potential threat, in my opinion, since they can be exploited remotely on improperly configured SCADA systems.  It is worthwhile for administrators of such networks to review their configurations in light of these findings to ensure that they are not exposed. 

The following software packages are vulnerable:

  • Siemens SIMATIC WinCC flexible (Runtime) 2008 SP2 + security patch 1
  • Siemens Automation License Manager.


13 Microsoft Patches Released

As expected, Microsoft has released their August patches.  13 patches covering at least 22 vulnerabilities, some with exploit code available and with attacks in the wild.

SANS as usual, has a pretty good summary up.  Check out their analysis.

  •  MS11-057, which patches seven flaws in Internet Explorer, is the most important patch to apply in my opinion.  It affects all supported versions of Internet Explorer, including IE9 and affects desktops primarily, because best practices that we all have implemented preclude surfing from the server farm, right?  (Apply it to desktops and servers.)
  •  MS11-058 should also be applied as soon as possible.  It patches two vulnerabilities in Microsoft’s DNS service used to translate URLs into IP addresses.  Microsoft warns that attackers could remotely exploit the vulnerability on Windows Server 2008 & 2008 R2 simply by sending it a malformed query.  That could potentially allow an attacker to run arbitrary code.

As always, assess the risk, test like heck, and get those patches deployed ASAP.