Sharing Security Developments, and Best Practices for corporate and home users
April 2006 - Posts
-
This relatively new company, which provides web protection services, has a number of informative articles related to web security.
http://www.acunetix.com/Websitesecurity/
Learn more about web attacks:
Security Articles:
QUOTE: Start-up Acunetix protects Web sites against unauthorized modifications and denial-of-service attacks. The company announced its Web Vulnerability Scanner last July as a tool for identifying vulnerabilities before they can be exploited. Acunetix also recently announced a useful site for anyone interested in security Web sites (as usual, I have no relationship whatsoever with the vendor).
-
A new Internet Explorer 6 vulnerability has been documented by Secunia, and so far no exploits have surfaced. Still, folks should always be careful with the sites they visit and avoid all URL links in spam email.
Internet Explorer 6 "object" Tag Memory Corruption Code Execution http://secunia.com/advisories/19762/
QUOTE: The vulnerability is caused due to an error in the processing of certain sequences of nested "object" HTML tags. This can be exploited to corrupt memory by tricking a user into visiting a malicious web site. Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
-
If the April updates are working well, there is no need to reinstall the MS06-015 security update. Because only a limited number of users were impacted, Microsoft is addressing the problem with a targeted re-release. Details can be found here:
MSRC Blog Posting - a great site to bookmark for patch news and info http://blogs.technet.com/msrc/archive/2006/04/21/425838.aspx
QUOTE: When the update is re-released, it's going to be very much targeted to people who are having the problem, or people who have not installed MS06-015 yet. That means if you have already installed MS06-015 and are not having the problem, there's no action here for you.
-
Microsoft released Service Pack 1 for SQL Server on April 19 with functionality improvements for its latest version of SQL Server.
SQL Server 2005 Service Pack 1 - Home Page http://www.microsoft.com/sql/sp1.mspx
Microsoft Releases SQL Server 2005 Service Pack 1 - Press Release http://www.microsoft.com/presspass/press/2006/apr06/04-19SQLExpands06PR.mspx
SQL Server 2005 SP1 Arrives with Production-Ready Mirroring http://www.eweek.com/article2/0,1759,1951914,00.asp
QUOTE: Microsoft on April 19 introduced Service Pack 1 for SQL Server 2005, the server's first major update since its launch Nov. 7, 2005. SP1 encompasses several new features besides database mirroring, including SQL Server Management Studio Express and additional, flexible options for independent software vendors.
The SP1 release is the first result of a new SQL Server "customer-collaboration model" Microsoft has instituted, which uses customer feedback as the company formulates feature and security updates.
Key new features include the production-ready version of database mirroring, in which the primary production server is mirrored at all times by a standby server. "This allows for automated, seamless failover between primary and standby server, if the primary server needs to come down," SQL Server Senior Product Manager Carol Dullmeyer told eWEEK. "It's a really critical feature."
Microsoft sketches out its DB roadmap http://www.eweek.com/article2/0,1895,1947288,00.asp
-
This article provides an update on HIPAA, the 1996 federal law that requires health insurance companies to protect the privacy of their policyholders.
HIPAA article: Health Insurance Privacy Compliance Lags http://www.eweek.com/article2/0,1895,1949646,00.asp
Current status ....
QUOTE: The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.
The bad news? All were supposed to have done so by April 2003.
More bad news? The percentage hasn't changed since last summer, meaning about 20 percent of health care companies are "unable or unwilling to implement federal privacy requirements," according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS.
Some key issues in meeting HIPAA compliance ....
QUOTE: The problem is that HIPAA rules are often vague and technology is developing so quickly that it's often hard to decide whether flash drives, hot-site disaster recovery, and other specific storage and file management technologies are covered or satisfy the rules.
"The regulations didn't have much precision," said Gillespie. "They were very general in a lot of cases. Regulatory statements said something about the requirements but didn't come out and say what technology was involved. We went through the regulation sections for more than a year to interpret those regulations into technology solutions that seemed to work and meet the regulations too."
-
The following are scams that are circulating by email, regular mail, or phone calls that everyone should be aware of:
Article: Would I lie to you? Five cons still kicking http://www.msnbc.msn.com/id/12394486/ http://www.msnbc.msn.com/id/12394486/page/2/
They've been around for generations, but people still fall for them
1. The Scam: Free Money -- Charismatic individuals claim they know of funding sources that don't have to be repaid.
2. The Scam: Patent and Invention Services -- Business "experts" evaluate your invention or business idea, declare it a sure-fire winner, and ask for thousands of dollars to secure intellectual property protection, help you find manufacturers, and do marketing.
3. The Scam: Advance Fee Loans -- Companies promise loans to would-be entrepreneurs who cannot get capital from banks or investors.
4. The Scam: Work From Home -- It's only after you've made an investment that you find out the business isn't so easy.
5. The Scam: Wealth-Building Seminars -- Few people actually get richer, but many people get poorer attending these meetings, which are often held at hotels near airports.
-
It was an interesting coincidence that F-Secure is commenting on the new Microsoft Update approach, as I used it for the first time on April 11th on some of my home and office PCs. Microsoft Update is essentially Windows Update plus Office Update, plus possibly other products found during the more comprehensive checking this facility performs. In my own testing, the Microsoft Update process worked well and applied all Windows and Office related updates properly. As noted by F-Secure, you must have at least Office XP to use this facility.
F-Secure article: Forget about Windows update (use Microsoft update instead) http://www.f-secure.com/weblog/archives/archive-042006.html#00000854
Microsoft Update Link http://update.microsoft.com/microsoftupdate/
-
Kaspersky has noted the first Microsoft Publisher virus to appear in the wild. The .PUB file extension will most likely need to be included in scanning routines.
Avarta.A - First Microsoft Publisher Virus appears http://www.viruslist.com/en/viruses/encyclopedia?virusid=117864
QUOTE: This is the first known virus that infects MS Publisher (*.pub) documents. It is a very simple overwriting virus, written in Visual Basic for Applications (VBA). The virus uses a rather crude replication method - it searches for Publisher documents and copies itself over them, thus destroying their content. Avarta gets the location which it will scan for Publisher documents to infect by opening the registry and fetching the key for the recently used files in Publisher. It sets the macro Security Level in Publisher to Low. This is a common technique in macro viruses.
-
A county or any other governmental agency has a fiduciary responsibility to protect a person's privacy, and that outweighs even the legal requirement to display documents as part of the public records available through the Internet. Hopefully, they can address this issue by redacting all sensitive information from the documents they are required to post.
Florida's Broward County Posts Residents' Sensitive Data On Public Web Site http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110389,00.html
QUOTE: APRIL 11, 2006 (COMPUTERWORLD) - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents of Florida are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on county Web sites.
A Florida state statute that requires county officials to post images of certain official documents online has led to the public exposure of sensitive data on potentially millions of current and former residents in Broward County.
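As an added illustration (not code from the article or from the county), here is the kind of pre-publication check a records office could run over OCR'd document text before posting it: structurally valid Social Security numbers are masked, and a page that still contains one is refused. The sample deed text is constructed; the validity rules are the SSA's (area 000, 666 and 900-999, group 00 and serial 0000 are never issued), which keeps file numbers of the same shape from being over-redacted. Driver's license and bank account formats mentioned in the article would need their own patterns and are not handled here.

```python
import re

# Constructed sample of OCR'd text from a recorded deed; every number here is made up.
SAMPLE_RECORD = """WARRANTY DEED (constructed sample, not a real record)
Grantor: Jane Q. Public, SSN 123-45-6789
Grantee: John Doe, Parcel ID 000-12-3456
Clerk file reference 987-65-4321 stamped in the margin.
Instrument 2006-0418, book 41100, page 1234."""

# Candidate SSN: three digit groups separated by a hyphen or a space (OCR often drops hyphens).
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_ssns(text: str):
    """Mask every structurally valid SSN; return (redacted_text, number_masked)."""
    masked = 0

    def mask(m):
        nonlocal masked
        if not is_valid_ssn(*m.groups()):
            return m.group(0)  # same shape, but cannot be an SSN: leave it alone
        masked += 1
        return "XXX-XX-XXXX"

    return SSN_RE.sub(mask, text), masked


def safe_to_publish(text: str) -> bool:
    """Gate for the upload step: refuse any page that still contains a valid SSN."""
    _, found = redact_ssns(text)
    return found == 0


if __name__ == "__main__":
    redacted, n = redact_ssns(SAMPLE_RECORD)
    print(f"masked {n} SSN(s); safe to publish: {safe_to_publish(redacted)}")
    print(redacted)
```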
-
The latest updates have just become available and were successfully installed on my laptop and desktop at work. These include security updates for Windows, Internet Explorer and Office and should be applied by individual users and companies as quickly as possible.
http://www.microsoft.com/technet/security/Bulletin/ms06-Apr.mspx
-
The ISC lists several categories for reporting spam to authorities. Folks should always delete spam and never click on URLs to opt out or to look at the offered products or services in detail. For example, an opt-out URL lets spammers know they have a valid address, and the amount of spam you receive could increase significantly. Also, URLs can always be a source of downloader trojan horses, viruses, spyware, or other forms of attack. The best practice is to select these messages in the inbox and delete them.
http://www.incidents.org/diary.php?storyid=1252
-
Symantec has issued information on MSIL.Letum.A@mm, "a worm written in Microsoft .NET's Microsoft Intermediate Language (MSIL) that can affect both Windows PC and Windows Mobile powered devices that have the .NET framework installed." Trend Micro has also published an analysis of the same worm under the name WORM_LETUM.A.
-
Malware continues to evolve in sophistication, and here's hoping security firms and all software vendors can keep pace with these developments.
Beyond Rootkits: World's First Standalone Kernel Mode Bot? http://www.emailbattles.com/archive/battles/virus_aaddcefedj_d/
QUOTE: A European student has just developed a Proof of Concept for what the developer believes is the world's first kernel mode IRCbot. The creator, Tibbar ("Rabbit" spelled backwards), says the difference between this innovation and standard Windows rootkits lies in its crossover ability. Most Windows-based rootkits hide in device drivers, then depend on outside, usermode applications to get anything done.
This creates several challenges for rootkitters:
* The abilities of requested apps are limited to the security rights granted to the User.
* The apps needed by the rootkit may not be present or accessible on the victim's system.
* Usermode operations are easier than kernelmode to detect.
That's why Tibbar thinks IRCbot is a huge leap forward. It carries its IRC app onboard, inside the kernel driver. So it doesn't need any outside help to get the job done. This means that future generations of rootkits... if that's what we'll call these... will be even stealthier than the current crop. Oh joy.
To pull this off, Tibbar drew from a Kernel mode sockets library by Valerino, who described his effort at rootkit.com as: A fully functional TDI sockets library. You can connect, send, receive, all from your supa-***-l333t kernelmode rootkit. Yes, you can bypass lame TDI firewalls with this. No, you can't bypass NDIS firewalls. (read : you can bypass norton's firewall) ....
-
This relatively new hoax emerged during February 2006 and continues to illustrate the need not to believe everything we read. I even found some humor in the phrase "It is better to receive this message 25 times than to receive the virus and open it." The text of the hoax is quoted below.
Virus hoaxes are often designed as practical jokes or even to mislead folks. When in doubt, always cross-check any warnings you receive with legitimate AV or security sites. Folks should always avoid opening any file or URL in an email or IM message unless they are absolutely certain it's safe.
New Virus Hoax - Olympic Torch http://www.hoax-slayer.com/olympic-torch-virus-hoax.html
WARNING
You should be alert during the next days: Do not open any message with an attached file called "Invitation" regardless of who sent it. It is a virus that opens an Olympic Torch which "burns" the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list, that is why you should send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it.
If you receive a mail called "invitation", though sent by a friend, do not open it and shut down your computer immediately.
This is the worst virus announced by CNN, it has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. SEND THIS E-MAIL TO EVERYONE YOU KNOW, COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS AND REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US
-
April's Patch Tuesday will provide critical security updates for Windows, Internet Explorer and Office.
http://www.microsoft.com/technet/security/bulletin/advance.mspx
On April 11, 2006 Microsoft is planning to release the following security updates:
• Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. One of the updates will be a cumulative Internet Explorer update that addresses the publicly known "CreateTextRange" vulnerability.
• One Microsoft Security Bulletin affecting Microsoft Office and Microsoft Windows. The highest Maximum Severity rating for this is Moderate. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scanning Tool.
Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
-
This new vulnerability can be used in conjunction with phishing attacks to make users believe they are at a legitimate website. Always be careful when giving out information over the web.
Internet Explorer - New Address Bar spoofing vulnerability http://secunia.com/advisories/19521/
QUOTE: The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.
Secunia Browser Test http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/
-
The Internet Storm Center (ISC) is one of my favorite sites for assessing new and emerging risks on the world wide web. The following article by an ISC contributor suggests that Microsoft might benefit from allowing upcoming security patches to be beta tested publicly:
A Nonsensical Proposal - Beta Patches http://www.incidents.org/diary.php?storyid=1237
COMMENTS: Testing is always a good thing, even for a one line program change. Still, I would vote "NO" for Microsoft opening up their trusted environment for beta testing security patches, as it would create more problems than it would solve. I'd like to offer the following counterpoints to the idea of public beta testing:
1. Beta testing works best for new products with very long development life cycles and timelines. It's not something that you can easily set up and disband in a 2-3 week time frame. The same principle applies in applications development, where you parallel test large new systems rigorously with a lot of user involvement. For smaller patches you still always need to test, but you don't need extensive user involvement. Hopefully, most issues discovered by Microsoft are on track for corrections in a very short time (e.g., days, or perhaps a couple of weeks at the most).
2. Beta testing could slow down the process. When zero day exploits emerge or vulnerabilities are published, Microsoft is focused on getting quality security fixes out of the door as quickly as possible. A beta testing approach adds significant work and communications to a process that's under very tight time constraints.
3. Beta testing is more suitable for highly stable software releases. I'm sure Microsoft continues tweaking and refining their patches in a highly volatile manner, esp. in the early stages of addressing vulnerabilities. The dissemination of daily or maybe even hourly builds of software would not lend itself well to beta testing.
4. The biggest risk I see is that Microsoft has to maintain a high degree of confidentiality and ensure potential patches don't leak out to the public. For example, as soon as Patch Tuesday releases are made public, the bad guys immediately start reverse engineering the code to create new exploits. We're now faced with getting everyone updated quickly, as exploits can surface in just a few days. Now, imagine beta code leaking out for a new vulnerability to the bad guys, where new exploits surface on an unprotected public.
5. The Microsoft lab environment is set up to better meet testing requirements than the general public. They most likely include a wide range of software baselines (e.g., with and without certain service packs or other software in place). To assess any issues that surfaced, Microsoft would need to know all the detailed aspects of each beta participant's PC environment when issues surfaced (e.g., they might need to analyze issues at the registry/config levels of the OS). Probably a lot of testers would want to maintain privacy, and it'd be difficult to communicate these details remotely.
CONCLUSION: The "CreateTextRange" vulnerability and exploits are indeed bad. Still, this risk can be avoided if you stay away from questionable sites (e.g., "think before you click"). There's also current protection available by keeping your AV software updated, disabling scripting, and even using complementary browsers. Having patience is key, as quality isn't something you can rush out the door. In other words, we don't want the medicine to be worse than the illness. We're now less than a week away from Patch Tuesday, and here's hoping Microsoft is successful in providing a high quality solution for this new exposure.
-
Below are two articles that recommend waiting for an official patch from Microsoft:
F-Secure - Great diagrams on disabling active scripting http://www.f-secure.com/weblog/archives/archive-032006.html#00000843
Internet Storm Center cautions folks to wait http://www.incidents.org/diary.php?storyid=1226
The exploits associated with this unpatched vulnerability are bad. Thankfully, downloader websites are being shut down fast by authorities (they are usually hijacked). While I wouldn't mind an early out-of-cycle release, I can wait until Patch Tuesday.
Quality is #1 on my list, and an IE release always needs to be well tested. The original advisory is noted below:
http://www.microsoft.com/technet/security/advisory/917077.mspx
Some ideas to stay protected:
1. Think before you click -- If you don't go to dangerous sites you should be okay. Avoiding a security risk completely is always your #1 defense.
2. I would avoid installing a 3rd party patch.
3. Complementary browsers can help mitigate this specific risk.
4. Keep your anti-virus definitions up-to-date.
5. Watch for any signs of an early MS release. As the advisory states, MS might release early if the risks escalate.
6. You can disable Active Scripting (see the F-Secure link).
-
Polymorphism is the capability of a virus to change its characteristics so it can better evade detection by AV products. Last week, Bagle GE included a rootkit component. Now there's a brand new downloader that uses an innovative approach where the binary is repackaged every 4 minutes on the server. So one minute an AV vendor may have coverage in place, and the next this thing could mutate into something that signature scanning no longer detects.
The good news is that downloaders usually operate from hijacked websites that are quickly taken down by authorities, which limits their capability to spread.
Bagle.GI - Kicks it up a notch on Polymorphism http://www.f-secure.com/weblog/archives/archive-032006.html#00000846
QUOTE: We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling. The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again. ... the contents keep changing ...
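As an added example (not code from F-Secure or from this post), here is a detection heuristic an analyst could run over proxy or egress logs to catch the pattern the quote describes: a hash blocklist cannot keep up with a file that is repacked every few minutes, but the URL the infected machines keep polling stays constant, so a single URL whose response changes hash and size on nearly every fetch is itself the indicator. The log lines, client addresses, hosts and hashes are constructed; the `.invalid` TLD is reserved and never resolves.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, client, URL, response bytes, MD5 of the response body.
PROXY_LOG = """\
2006-04-01T22:00:10 10.0.0.5 http://polled-host.invalid/dl/up.exe 40960 md5_c0ffee01
2006-04-01T22:01:30 10.0.0.9 http://polled-host.invalid/dl/up.exe 40960 md5_c0ffee01
2006-04-01T22:05:02 10.0.0.5 http://polled-host.invalid/dl/up.exe 43008 md5_c0ffee02
2006-04-01T22:09:15 10.0.0.7 http://polled-host.invalid/dl/up.exe 41472 md5_c0ffee03
2006-04-01T22:13:40 10.0.0.9 http://polled-host.invalid/dl/up.exe 44032 md5_c0ffee04
2006-04-01T22:18:05 10.0.0.5 http://polled-host.invalid/dl/up.exe 42496 md5_c0ffee05
2006-04-01T22:00:12 10.0.0.5 http://updates.example/defs.dat 512000 md5_5afe0001
2006-04-01T22:05:12 10.0.0.7 http://updates.example/defs.dat 512000 md5_5afe0001
2006-04-01T22:10:12 10.0.0.9 http://updates.example/defs.dat 512000 md5_5afe0001
2006-04-01T22:15:12 10.0.0.5 http://updates.example/defs.dat 512000 md5_5afe0001
"""


def parse_log(text):
    """Split the constructed log into (timestamp, client, url, size, md5) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, size, md5 = line.split()
        rows.append((datetime.fromisoformat(ts), client, url, int(size), md5))
    return rows


def polymorphic_urls(rows, min_fetches=4, min_distinct_ratio=0.75):
    """Flag URLs whose response hash and size change on most fetches.

    A legitimate update URL serves the same bytes to every client and is left alone;
    a server that repacks the same file again and again produces a fresh hash and a
    different size almost every time it is polled.
    """
    by_url = defaultdict(list)
    for ts, _client, url, size, md5 in rows:
        by_url[url].append((ts, size, md5))

    flagged = {}
    for url, fetches in by_url.items():
        if len(fetches) < min_fetches:
            continue  # too few observations to judge churn
        hashes = {md5 for _, _, md5 in fetches}
        sizes = {size for _, size, _ in fetches}
        if len(hashes) / len(fetches) >= min_distinct_ratio and len(sizes) > 1:
            times = [ts for ts, _, _ in fetches]
            flagged[url] = {
                "fetches": len(fetches),
                "distinct_hashes": len(hashes),
                "distinct_sizes": len(sizes),
                "span_minutes": round((max(times) - min(times)).total_seconds() / 60, 1),
            }
    return flagged


if __name__ == "__main__":
    for url, stats in polymorphic_urls(parse_log(PROXY_LOG)).items():
        print(url, stats)
```

Blocking the flagged URL at the proxy or in DNS stops every polling machine at once, which a per-sample hash signature cannot do.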