Symantec Recommends Not Using pcAnywhere

Reuters reports that Symantec has taken the rare step of advising customers not to use one of its mainstay products, saying that its remote control software pcAnywhere is at increased risk of being hacked after details and source code were stolen.  Symantec is asking customers to temporarily stop using the product until it releases an update that will mitigate the risk of attack.  pcAnywhere is also bundled with other titles, such as Symantec’s Altiris line of software for managing corporate PCs.

This is a serious step, and I applaud Symantec for coming clean on the risks of this powerful and popular product.  Most vendors would simply warn users of increased risk and provide workarounds and mitigation steps that may or may not be implementable or effective.  I hope that Symantec can release new code quickly and overcome this unfortunate problem.

New Exploits Released For SCADA Systems

Wired reports that a group of researchers has discovered serious security holes in six of the top industrial control systems used in critical infrastructure and manufacturing facilities.  They have also made it easier for attackers to hit systems before they can be patched or otherwise remediated: they have packaged the exploits as modules for the Metasploit framework, so any script kiddie or organized crime team can just point and click.

The vulnerabilities exist in programmable logic controllers made by GE, Rockwell, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.  Apparently the SCADA vendors did not acknowledge the vulnerabilities or release patches quickly enough for the researchers’ liking.  PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power and chemical plants, gas pipelines, nuclear facilities, and manufacturing plants.

The various vulnerabilities provide backdoors, as well as authentication and encryption bypasses, that could allow attackers to gain access to systems and to send malicious commands that crash, halt, or interfere with specific critical processes, such as the opening and closing of valves.

Nice…  Time to examine your SCADA environments and mitigate these vulnerabilities ASAP, and start elevated monitoring.  I don’t believe that this is the way to move vendors forward, but that is just me I suppose.  What do I know?  I wonder if there are any good litigation lawyers out there that might want to monitor the exploitation of some critical infrastructure and take action against those who provide such tools to the masses when harm is done to the public?

ASP.NET Attack Code Published

Well, that didn’t take long, did it?  Aren’t you glad you took the advice of so many security bloggers and patched December’s out-of-cycle Microsoft ASP.NET Web development platform vulnerability?

Exploit code for the recently patched denial-of-service (DoS) vulnerability has been published online, increasing the risk of potential attacks.

Webmasters who maintain ASP.NET Web applications should deploy the patches in Microsoft’s MS11-100 security bulletin immediately if they haven’t already done so.  The bulletin also addresses other ASP.NET vulnerabilities.

http://www.networkworld.com/news/2012/011012-attack-code-published-for-serious-254730.html

Denial of Service Vulnerability in ASP.NET

Detailed information has been published describing a new method of exploiting hash tables, known as hash collision attacks.  These attacks are not specific to Microsoft technologies and affect other web platforms as well.  This particular vulnerability affects all versions of the Microsoft .NET Framework and could allow an unauthenticated denial of service attack against servers that serve ASP.NET pages.

Sites that only serve static content or disallow dynamic content types are not vulnerable.  The vulnerability exists because of the way ASP.NET inserts the fields of a form post into a hash table: an attacker can choose field names that all hash to the same bucket, so every insert has to walk the whole chain and the work grows with the square of the number of fields.  A small number of specially crafted posts is enough to degrade performance severely and cause a denial of service condition.

Microsoft is not aware of any active attacks, but detailed information about the attack methodology is public.  Microsoft’s security advisory provides a workaround to help protect sites against this vulnerability.  Individual ASP.NET implementations vary, so evaluate the impact of the workaround on your own sites before applying it.
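To make the quadratic blow-up concrete, here is an added example (not code from the original post, nor from Microsoft) that builds a small separate-chaining hash table and feeds it attacker-chosen keys.  The unkeyed string hash uses the Java-style multiplier 31 for brevity; the .NET string hash of the day differs in detail but is unkeyed in the same way, which is what the attack relies on.  The table size, the function names and the keyed-hash alternative are all this example’s own choices.

```python
"""Hash-collision denial of service on a toy hash table.

Added example; not code from the original post or from Microsoft.
When a hash table's key hash is a deterministic, publicly known
function, an attacker can precompute keys that all land in one bucket:
each insert degrades from O(1) to O(n) and a post with n such fields
costs O(n^2) server time.  Keying the hash with a per-process random
secret defeats the precomputation.  Names and table size are our own.
"""
import hashlib
import hmac
import itertools
import secrets

NBUCKETS = 1024


def weak_hash(key: str) -> int:
    """Unkeyed multiplicative string hash: anyone can evaluate it offline."""
    h = 0
    for ch in key:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(key: str, secret: bytes) -> int:
    """Keyed hash: bucket placement depends on a secret the attacker lacks."""
    digest = hmac.new(secret, key.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons on insert."""

    def __init__(self, hashfn):
        self.hashfn = hashfn
        self.buckets = [[] for _ in range(NBUCKETS)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        bucket = self.buckets[self.hashfn(key) % NBUCKETS]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1          # one comparison per chain entry
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def colliding_keys(n: int) -> list:
    """Build n distinct strings with identical weak_hash values.

    "Aa" and "BB" hash to the same 32-bit value under weak_hash.  Since
    hash(s1 + s2) == hash(s1) * 31**len(s2) + hash(s2) (mod 2**32), every
    concatenation of k such two-character blocks also collides, giving
    2**k keys for free (the "equivalent substrings" trick behind the
    2011 hash-collision disclosures).
    """
    k = max(1, (n - 1).bit_length())
    keys = ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=k)]
    return keys[:n]


def attack_cost(n: int) -> tuple:
    """Comparisons needed to insert n attacker-chosen keys into a table
    using the unkeyed hash versus one using a keyed hash."""
    keys = colliding_keys(n)

    weak = ChainedTable(weak_hash)
    for key in keys:
        weak.insert(key, 1)

    secret = secrets.token_bytes(16)       # fresh per process, never published
    strong = ChainedTable(lambda key: keyed_hash(key, secret))
    for key in keys:
        strong.insert(key, 1)

    return weak.comparisons, strong.comparisons


if __name__ == "__main__":
    n = 1024
    weak_cost, keyed_cost = attack_cost(n)
    print(f"{n} colliding form fields: unkeyed hash did {weak_cost} "
          f"comparisons, keyed hash did {keyed_cost}")
```

With 1,024 colliding field names the unkeyed table performs 1024·1023/2 = 523,776 comparisons while the keyed table performs a few hundred; the ratio keeps growing with the field count, which is why a handful of large posts can pin a CPU.  The two mitigations correspond to the two knobs in the example: bound the input (Microsoft’s workaround limits request size, and MS11-100 caps the number of form fields a request may carry) or make the hash unpredictable (later .NET releases randomize string hashing).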

Adobe 0-Day Patches Released

There have been reports of two critical vulnerabilities being actively exploited in targeted attacks against Adobe Reader 9.x on Windows.  These vulnerabilities could cause a crash and may allow an attacker to take control of the affected system.

Today’s updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows.  Version X has Protected Mode, a sandbox that prevents this type of attack from executing.  Adobe recommends that users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7, and that users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.

http://www.adobe.com/support/security/bulletins/apsb11-30.html

Siemens SCADA Vulnerabilities Disclosed

Security researcher Luigi Auriemma has published details and proof-of-concept code for multiple vulnerabilities in Siemens supervisory control and data acquisition (SCADA) software, affecting WinCC flexible and the Automation License Manager.  The reported vulnerabilities could allow remote execution of malicious code and cause denial-of-service interruptions.

Mr. Auriemma has a history of not following responsible disclosure procedures, and most likely provided little or no vendor notification and reaction time before going public with his findings.  These vulnerabilities pose a significant potential threat, in my opinion, since they can be exploited remotely on improperly configured SCADA systems.  It is worthwhile for administrators of such networks to review their configurations in light of these findings to ensure that they are not exposed.

The following software packages are vulnerable:

  • Siemens SIMATIC WinCC flexible (Runtime) 2008 SP2 + security patch 1
  • Siemens Automation License Manager.

13 Microsoft Patches Released

As expected, Microsoft has released its August patches: 13 bulletins covering at least 22 vulnerabilities, some with exploit code available and attacks in the wild.

SANS, as usual, has a pretty good summary up.  Check out their analysis: http://isc.sans.edu/diary.html?storyid=11341

  • MS11-057, which patches seven flaws in Internet Explorer, is the most important patch to apply in my opinion.  It affects all supported versions of Internet Explorer, including IE9, and affects desktops primarily, because best practices that we all have implemented preclude surfing from the server farm, right?  (Apply it to desktops and servers.)
  • MS11-058 should also be applied as soon as possible.  It patches two vulnerabilities in Microsoft’s DNS Server service, which translates host names into IP addresses.  Microsoft warns that attackers could remotely exploit the vulnerability on Windows Server 2008 and 2008 R2 simply by sending it a malformed query, which could allow an attacker to run arbitrary code.

As always, assess the risk, test like heck, and get those patches deployed ASAP.

GFI SandBox 3.4 Released

I am a big fan of behavior based malware analysis.  I have assessed several products that claim to use behavioral analysis; most end up as a desktop product that constantly prompts the user to determine whether or not an action is nefarious.  I am still waiting for a single vendor to introduce a solid, reliable, and trustworthy antimalware engine that analyzes behavioral characteristics and makes intelligent decisions regarding applications and communications, while still performing at a decent clip and not hogging all of the PC’s resources, or relying on non-technical users to make security decisions.

Until my dream product materializes, GFI has released GFI SandBox 3.4 (formerly Sunbelt’s CWSandbox).  The latest update to their malware analysis tool helps security professionals assess suspected files and URLs for potential threats within a controlled environment.  This tool provides quick and safe malicious behavior analysis and reporting.  It lets users see how potential malware executes, what changes are made during execution, what network traffic is generated, and much more, without risking the loss of data or compromising a network.

Enhancements include:

  • In-depth file analysis – Kernel-level monitoring provides greater confidence when analyzing any file or URL for malicious activity whether in a native or virtual environment.
  • Digital behavior traits – A summary of behavior across multiple platforms alerts users to malicious behavior.  Users can also replicate any system configuration for real world testing.
  • Easier collaboration – Admins can grant access to GFI SandBox to anyone in the organization to review and compare the Digital Behavior Traits of suspect files.
  • Fast malware assessments – Quicker file submissions and shorter analysis times.
  • Detailed reports – Security teams can instantly generate high-level summaries or comprehensive, in-depth analysis reports to share throughout an organization.

Until now, only government agencies, threat researchers and large enterprises with their own highly skilled security teams have been able to purchase and implement sandboxing technologies.  While GFI SandBox 3.4 delivers stronger and quicker malware analysis, the focus of the new release is to make advanced malware analysis more accessible to organizations with limited in-house malware expertise, especially in the financial services sector, where a lot of malware activity has been seen.  This is a product and technology well worth exploring.

Beware ‘News Of The Minute’ Facebook Scams

Websense has found an alarming Facebook scam exploiting yesterday’s tragedy in Oslo, Norway, infecting an estimated one user every second.  The scam is a form of ‘clickjacking’: after a user clicks a fake post in the news feed, the scam reposts itself on that user’s wall, where their friends see it next.  I could not find details of what the payload is from this attack, but rest assured, these types of attacks generally look to infect your computer, and your friends’ computers, with financially motivated malware.

Use caution when seeking news items.  Searching for breaking trends and current news carries a higher risk of landing on malicious content (22.4%) than searching for objectionable content (21.8%), including pornography.

http://community.websense.com/blogs/websense-insights/archive/2011/07/23/oslo-bombing-facebook-scams-infecting-1-user-every-second.aspx

VMware Multiple Vulnerabilities Patched

Multiple vulnerabilities have been identified in VMware ESX and in VMware Tools, the suite of utilities that VMware ships with multiple products and that open-source distributions ship as the open-vm-tools package.  If you run VMware, you will want to apply this update.

a. VMware vmkernel third-party e1000 driver packet filter bypass

An issue in the e1000 Linux driver for Intel PRO/1000 adapters allows a remote attacker to bypass packet filters.

b. ESX third-party update for the Service Console kernel

This update for the console OS kernel package resolves four security issues:

  1. IPv4 remote denial of service
  2. Local SCSI driver denial of service / possible privilege escalation
  3. Kernel memory management arbitrary code execution
  4. e1000 driver packet filter bypass

c. Multiple vulnerabilities in mount.vmhgfs

VMware Tools includes mount.vmhgfs, a setuid-root utility that allows unprivileged users in a guest VM to mount HGFS shared folders.  Also shipped with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility that handles the initial setup needed to run vmware-user, which in turn gives users access to other utilities included with VMware Tools.  This patch fixes the following three security issues.  None of them affects Windows guest operating systems.

  1. mount.vmhgfs information disclosure: an attacker with access to the guest can determine whether a path exists in the host filesystem, and whether it is a file or a directory, regardless of permissions.
  2. mount.vmhgfs race condition privilege escalation: an attacker with access to the guest can mount on arbitrary directories in the guest filesystem and escalate privileges if they can control the contents of the mounted directory.
  3. mount.vmhgfs privilege escalation via a procedural error: an attacker with access to the guest operating system can gain write access to an arbitrary file in the guest filesystem.  This issue only affects Solaris and FreeBSD guest operating systems.

d. VI Client ActiveX vulnerabilities

VI Client COM objects can be instantiated in Internet Explorer, which may cause memory corruption.  An attacker who succeeded in making a VI Client user visit a malicious web site could execute code on the user’s system within that user’s security context.

http://www.vmware.com/security/advisories/VMSA-2011-0009.html