14 Patches Coming From Microsoft For February

Microsoft will release 14 bulletins for next Tuesday’s update.

3 items are rated “critical” and 11 are rated as “important”.


  • All three critical items deal with remote code execution vulnerabilities in Windows.
  • The bulletins rated important cover vulnerabilities in Windows, Office, IE, Media Player and Publisher:
    • Seven remote code execution vulnerabilities
    • Three elevation of privileges issues
    • One information disclosure flaw

Get ready to drop some patches next week.  The remote code execution bulletins rated “important” will stay that way only for as long as it takes attackers to reverse engineer the patch code and identify what changed.  After that, treat them as critical.

Important SolarWinds & HP Vulnerabilities

Digital Defense has disclosed a couple of vulnerabilities in some pretty popular and common products that customers and colleagues may want to be aware of.  I would recommend assessing the relevance of these disclosures to your environments, and taking mitigating action where appropriate.  Consider the potential of insider as well as external attack.  The information and access that either of these two vulnerabilities offers is just too yummy for a malicious or driven attacker to pass up.

1) SolarWinds Storage Manager Server SQL Injection Authentication Bypass

Severity:  High

Vulnerability Description:  The ‘LoginServlet’ page on port 9000 of the SolarWinds Storage Manager Server is vulnerable to a SQL injection within the ‘loginName’ field.  An attacker can leverage this flaw to bypass authentication to the Storage Manager application or to execute arbitrary SQL commands and extract sensitive information from the backend database using standard SQL exploitation techniques.  Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system.

SolarWinds has not yet provided a patch to address the issue. Digital Defense, Inc. recommends restricting access to the affected port until an update has been produced by the vendor.
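The advisory describes the classic pattern: a login name is pasted into the SQL text of an authentication query, so a crafted ‘loginName’ both bypasses the password check and opens the rest of the database to UNION-based extraction.  The following is an added illustration, not code from SolarWinds or Digital Defense; the schema, the column names and the sqlite3 backend are assumptions made so that it runs stand-alone.  It shows the vulnerable query beside the parameterised fix that closes both the bypass and the extraction.

```python
import sqlite3


def setup_db():
    """Constructed sample database standing in for the Storage Manager backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login_name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'administrator')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2', 'operator')")
    return conn


def vulnerable_query(conn, login_name, password):
    # The bug: user-controlled values are concatenated into the SQL text, so a quote
    # in login_name ends the string literal and the rest is executed as SQL.
    sql = ("SELECT login_name, role FROM users WHERE login_name = '" + login_name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def vulnerable_login(conn, login_name, password):
    # Returns (login_name, role) for the first matching row, or None.
    rows = vulnerable_query(conn, login_name, password)
    return rows[0] if rows else None


def safe_login(conn, login_name, password):
    # Parameterised query: the driver sends values separately from the SQL text,
    # so quotes, comment markers and UNION keywords in the input stay plain data.
    sql = "SELECT login_name, role FROM users WHERE login_name = ? AND password = ?"
    return conn.execute(sql, (login_name, password)).fetchone()


if __name__ == "__main__":
    db = setup_db()
    # Authentication bypass: the comment marker removes the password check entirely.
    print(vulnerable_login(db, "admin'--", "wrong"))
    # Data extraction: a UNION pulls arbitrary columns through the login response.
    print(vulnerable_query(db, "' UNION SELECT password, login_name FROM users--", "x"))
    # The same payloads against the parameterised version find no user.
    print(safe_login(db, "admin'--", "wrong"))
```

The bypass payload `admin'--` turns the WHERE clause into `login_name = 'admin'` followed by a comment, which is exactly the authentication bypass the advisory describes; the UNION payload is the “standard SQL exploitation technique” for pulling table contents.  Restricting port 9000, as Digital Defense recommends, limits who can reach the servlet, but only a parameterised query (or an equivalent fix from the vendor) removes the flaw.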

2) HP JetDirect Device Page Directory Traversal  (CVE-2011-4785)

Severity:  High

Vulnerability Description:  The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read-only access to directories and files outside of the web root.  An attacker can leverage this flaw to read arbitrary system configuration files, cached documents and similar data.  Information obtained from an affected host may facilitate further attacks against the host.  Exploitation of this flaw is trivial using common web server directory traversal techniques.

Known Affected:

  • HP LaserJet 4650
  • HP LaserJet P3015
  • HP LaserJet 2430

At this time, HP has been notified of the vulnerability and has released a patch which addresses the issue for the HP LaserJet P3015.

https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03140700
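Directory traversal works because the embedded server maps the request path onto the filesystem without confining the result to the web root, and “common techniques” means `../` sequences, URL-encoded and double-encoded variants, and backslashes.  The code below is an added example, not HP firmware or Digital Defense exploit code: a path resolver that confines requests to a web root, and a small detector that flags traversal attempts in constructed access-log lines.  The web root, the request paths and the log lines are all made up for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Apache-style request line, e.g. "GET /index.html HTTP/1.0" (constructed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def fully_decode(path, rounds=3):
    """Undo repeated URL encoding so %2e%2e and %252e%252e are both seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def safe_resolve(web_root, request_path):
    """Map a request path onto web_root; return None if it would escape the root."""
    decoded = fully_decode(request_path).replace("\\", "/")
    if "\x00" in decoded:          # NUL truncation tricks against C string handling
        return None
    root = posixpath.normpath(web_root)
    # Join first, normalise second: normalising the request alone would silently
    # swallow the leading '..' components and hide the attempt.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def flag_traversal(log_lines, web_root="/var/www"):
    """Return the request paths from log_lines that would escape web_root."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and safe_resolve(web_root, match.group(1)) is None:
            flagged.append(match.group(1))
    return flagged


# Constructed sample log lines for the example; not real printer traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2012:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [17/Jan/2012:10:01:07 +0000] "GET /../../etc/passwd HTTP/1.0" 200 1040',
    '10.0.0.9 - - [17/Jan/2012:10:01:09 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 404 0',
    '10.0.0.9 - - [17/Jan/2012:10:01:11 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0" 200 1040',
    '10.0.0.5 - - [17/Jan/2012:10:01:15 +0000] "GET /docs/../status.html HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for path in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", path)
```

Until a firmware update is available for a given model, the practical mitigations are the same as for any embedded web server: keep the printer off networks that untrusted users can reach, and watch for request paths that decode to `..` segments as in `flag_traversal`.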

Oracle SCN Vulnerability

Over the past two months, InfoWorld has been researching a flaw in Oracle’s flagship database software that could have serious repercussions for their customers, potentially compromising the security and stability of Oracle database systems.  The full InfoWorld article is very detailed, and there is a follow-up from InfoWorld as well.  The “boiled down” version:

The flaw could make any unpatched Oracle Database vulnerable to attack, and could pose a special risk to large Oracle customers with interconnected databases.  The vulnerabilities stem from a mechanism that most Oracle DBAs seldom deal with.  At the core of this issue is the System Change Number (SCN) in Oracle.  This is a number that increments sequentially with every database commit and is crucial to normal Oracle database operation.  The SCN is also incremented through linked database activities.

The SCN “time stamp” is the key to maintaining data consistency in Oracle, allowing the database to respond to every query with the appropriate version of data at a given point in time.  It works like a clock for database transactions, and like time, cannot move backwards.

When Oracle databases link to each other, they synchronize to a common SCN to maintain data consistency.  This is the highest SCN carried by any participating Oracle database instance because the SCN clock runs forwards only.  Only very basic permissions are required to make a connection that can cause one database to increment the SCN on another.

Oracle’s architects knew the SCN needed to be a massive integer.  It is a 48-bit number (281,474,976,710,656).  It would take eons for an Oracle database to eclipse that number of transactions and cause problems, or so you might think… Continue reading
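The forward-only clock and the sync-to-the-highest rule together are what turn one inflated SCN into everybody’s problem: a single link connection from a low-privileged account is enough to drag every database it touches up to the highest value in the group, and nothing can ever bring them back down.  The following is an added, deliberately simplified model of that propagation, not Oracle code and not the InfoWorld test; the database names, starting SCNs and link order are assumptions, and real Oracle SCN arithmetic and limits are not modelled beyond the 48-bit ceiling the article gives.

```python
SCN_MAX = 2 ** 48  # 281,474,976,710,656, the 48-bit ceiling quoted in the article


class Database:
    """A toy Oracle instance: the SCN only ever moves forward."""

    def __init__(self, name, scn=0):
        self.name = name
        self.scn = scn

    def commit(self):
        # Simplification: one commit advances the clock by one.
        self.scn += 1
        return self.scn


def db_link_activity(local, remote):
    """Work over a database link synchronises both sides to the higher SCN.

    Neither side can move backwards, so the lower side jumps up to meet the higher.
    """
    synced = max(local.scn, remote.scn)
    local.scn = synced
    remote.scn = synced
    return synced


def propagate(databases, links):
    """Replay a sequence of link activities and report every database's SCN."""
    for local, remote in links:
        db_link_activity(local, remote)
    return {db.name: db.scn for db in databases}


def headroom_fraction(scn):
    """Fraction of the 48-bit SCN space already consumed."""
    return scn / SCN_MAX


if __name__ == "__main__":
    # Constructed scenario: two ordinary databases and one whose SCN has been
    # driven to half of the 48-bit range (assumption for the example).
    hr = Database("hr", scn=1_000)
    erp = Database("erp", scn=5_000)
    rogue = Database("rogue", scn=2 ** 47)

    # hr never talks to rogue directly, yet two hops are enough to raise it.
    result = propagate([hr, erp, rogue], [(hr, erp), (erp, rogue), (hr, erp)])
    for name, scn in result.items():
        print(f"{name:6s} SCN={scn:,}  headroom used={headroom_fraction(scn):.0%}")
```

The point of the model is the last line of the scenario: `hr` has no link to `rogue`, but after `erp` synchronises with `rogue` and then with `hr`, all three sit at the same inflated value, and every subsequent commit anywhere in the group starts from there.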

78 Oracle Patches Coming

Here come some more patches for January.  Oracle will release 78 security fixes next Tuesday for vulnerabilities in its database, middleware and applications.

  • 27 of the fixes are intended for the MySQL database product.
  • The highest CVSS Base Score among the MySQL bugs is 5.5, which falls into the “medium” range.
  • 1 of the MySQL vulnerabilities can be exploited over a network without log-in credentials.
  • 2 fixes are for Oracle’s database product.
  • 11 patches are for Fusion Middleware.
  • 5 Fusion Middleware bugs can be remotely exploited with no user authentication required.

On the application front:

  • E-Business Suite is getting 3 patches
  • Supply chain app suite will receive 1
  • PeopleSoft will get 6
  • JD Edwards will have 8.

17 patches will be released for Sun products, including 6 that can be remotely exploited with no credentials. Affected products include GlassFish Enterprise Server and the Solaris OS.  Another 3 patches are for Oracle’s virtualization technology, including VirtualBox.

Sharpen up your deployment tools…

Security Technical Implementation Guide for Mobile Devices

It looks like 2012 is going to become the year of BYOD, or Bring Your Own Device.  Expect this trend to continue to heat up, and boil over as the year progresses.  Everyone wants to pare down the number of devices that hang off their belts, and at the same time, maximize their connectivity.  Work and personal communications are going to commingle if BYOD is permitted, and there are some issues that need to be considered by all.

If you don’t have a policy regarding personal devices, or even if you do, it should probably be reviewed with this trend in mind.  The largest concern that I see from the user end of the issue is that personal data may be lost if the corporate policy is to wipe devices that contain company information when a device is lost or stolen, or an employee leaves.  From the employer’s perspective, I see the largest concern to be that of data and malware control.  If it is not a corporate device, can it, should it, and will it be scanned, monitored, and patched against vulnerabilities or unlicensed / undesired software?  If not, it could pose a serious threat vector to the organization.

The US Department of Defense has released its latest draft STIG specs for Android, Windows Mobile, BlackBerry, and iOS based devices.  This STIG provides policy, training, and operating procedure security controls for the use of mobile devices (smartphones and tablets).  It is of interest to any gear-head whose significant other bought them an iPad for Christmas, and just as much to their boss.  It is worth reviewing the STIGs, even if you don’t apply the specs, just to be aware of the available options, findings, and recommendations. Continue reading

HP Printer Vulnerabilities

Boing Boing has an interesting article up regarding a presentation at the recent Chaos Communication Congress, Ang Cui’s “Print Me If You Dare”.   Ang explained how he reverse-engineered the firmware-update process for HP printers.  He discovered that he could load arbitrary code into any printer by embedding it in a document.  As part of his presentation, he sent a document to a printer that contained malicious code that copied the documents it printed and posted them to the Internet.  In his second demo, he took over a remote printer with a malicious document, causing that printer to scan and compromise vulnerable PCs, turning the printer into a proxy that gave him access through the firewall.

Printers are everywhere.  We use them and ignore them daily.  They are sitting on our networks and are intended to be shared resources.  They contain some pretty powerful server components, a fairly substantial amount of RAM and disk space, and are virtually ignored when we consider patch and vulnerability management.  I have been involved in at least one incident that involved using a network connected printer as the hub of malicious operations.  Hiding in plain sight is a pretty clever strategy.

I would encourage anyone that has an HP printer to apply the latest firmware patch ASAP, because malware could be crafted to take over your printer, and then falsely report that it has already had the patch applied.  This is not just an HP problem though.  Got printers?  Get ’em up-to-date, and create a plan to keep them that way.

nCircle Suite360 Updated

Vulnerability Management vendor nCircle has announced new versions of every product in the Suite360 product line, enabling organizations to improve security, manage change and configuration, and measure and report on compliance.  The updates add new features, performance enhancements and increased coverage, allowing nCircle customers to scan their networks for over 48,000 information security risk conditions.

nCircle products have always focused on creating actionable security and compliance intelligence.  This release adds valuable features that make it even easier for customers to achieve continuous monitoring, improve security and prove compliance.  I highly recommend them. Continue reading

13 Microsoft Patches Released

As expected, Microsoft has released their August patches: 13 patches covering at least 22 vulnerabilities, some with exploit code available and attacks in the wild.

SANS, as usual, has a pretty good summary up.  Check out their analysis.  http://isc.sans.edu/diary.html?storyid=11341

  •  MS11-057, which patches seven flaws in Internet Explorer, is the most important patch to apply in my opinion.  It affects all supported versions of Internet Explorer, including IE9, and affects desktops primarily, because best practices that we all have implemented preclude surfing from the server farm, right?  (Apply it to desktops and servers.)
  •  MS11-058 should also be applied as soon as possible.  It patches two vulnerabilities in Microsoft’s DNS service, used to translate host names into IP addresses.  Microsoft warns that attackers could remotely exploit the vulnerability on Windows Server 2008 & 2008 R2 simply by sending a malformed query.  That could potentially allow an attacker to run arbitrary code with the privileges of the DNS service.

As always, assess the risk, test like heck, and get those patches deployed ASAP.

13 Microsoft Patches Coming

These short weeks of summer are slipping right past at an incredible rate.  Once again it’s time to brace for another Microsoft Patch Tuesday.  It would appear that we can expect at least 13 big patches in August.

Critical Security Bulletins
Bulletin 1
– Impact: Remote Code Execution
– Affected Software:  IE 6 through 9

Bulletin 2
– Impact: Remote Code Execution
– Affected Software:
– Windows Server 2003
– Windows Server 2008
– Windows Server 2008 R2

Important Security Bulletins
Continue reading

.NET Reverse Engineering Tool Released

Very few applications are written with self-protection in mind.  It’s just not something that’s thought of because it’s still not a primary concern for most developers.  They tend to focus on application delivery deadlines since that is what keeps money in the bank and food on the table.  Jon McCoy, a .NET software engineer and consultant at DigitalBodyGuard, has released a new tool at Black Hat 2011 that makes it easier for programmers to reverse-engineer applications developed using the Microsoft .NET Framework.

Reverse engineering can be critical to understanding an application’s weaknesses and how to defend it against attacks.  McCoy demonstrated how the tool can be used to attack Microsoft Media Center on disk and provide access to its source code in less than a minute during his presentation, “Hacking .NET Applications: The Black Arts”.  “Unfortunately, 90% of the market is vulnerable to the level of Media Center,” McCoy said.  “Very few applications are ever protecting themselves.  It’s just not something that’s thought of because it’s a slightly new paradigm.”

The new tool is a compiler/decompiler called GrayWolf.  It lowers the bar for entry-level programmers who want to decompile, reverse-engineer and manipulate .NET programs.  It allows the user to gain access to and change things in memory, manipulating and controlling any program.  “The tool I’m releasing and the techniques I release on the .NET framework simply make it easier.”

Decompiling aids in revealing and understanding Microsoft .NET application security issues, dependencies, underlying weaknesses and design flaws.  For example, an application that stores passwords can be decompiled to determine whether it employs strong encryption and other secure software development best practices.  If it is riddled with vulnerabilities, contains backdoor code, or will likely leak stored passwords, the decompiling process will make these issues apparent.

The tool itself is free, and access to the tool’s source code can be had for $80. The goal with this release is to make it as accessible to programmers as possible.  McCoy has talked with Microsoft engineers about his research and they call his work a clever use of features.  McCoy’s techniques can fundamentally be used on applications written in any coding language.  He plans to showcase the GrayWolf tool again next week at the DEFCON 19 hacker conference.

McCoy, who consults on how to harden .NET apps, hopes developers will take advantage of the tool to harden applications against attack and data theft.  Good on ya, Jon.