Saturday, March 31, 2007

the story behind 3 months after the latest ANI zero-day vulnerability

scandalous the story behind ANI vulnerability....

in 15th November 2004 January 2005 eEye research reported the ANI related vulnerability then publicly disclose after our "friend" M$ patched it with with MS05-002

BUT the fix was incomplete (so much for ... all Microsoft’s security updates must pass a series of testing processes... blah blah ... )

Déjà vu... ANI vulnerability roams its ugly head... again

And ACTUALLY the guys in determina found this vulnerability and notified the vendor (M$) in 20th December 2006 and now they publicly disclose it

shame on you M$, you knew it all a long

I am not a anti M$ fool, actually, I am already convinced that M$ products are very "good" for enterprise, but I hate the fact of their irresponsibleness and their evil marketing and FUD....

Now the interesting part is to see how long it takes for them to release the patch... most of AV vendors and leading IPS vendors have already signature to block this exploit...

3 months has passed and still no patch yet...


Friday, March 30, 2007

thoughts on IE/outlook extremely criticaly vulnerabilities...

Thinking about IE extremely critical vulnerabilities, from very bad to best
waiting for M$ patch release is a suicide mission
firewall is useless
AV weekly update is very bad
IE is very bad
IPS is nice
content filtering is the best

People look at me as if I am stupid when I say I dont believe in firewall (not that I dont believe in firewall, I think firewall just gives you a false sense of security... which is worse :(

people think I am paranoid when I say dont use IE...

I used to work in (and still work for) a security vendor (I can see the point why "security" people criticize security vendors, but I dont necessarily agree 100% with them :)

I am fortunate enough to get the chance to see wildest nightmare in action... I've seen things that opened my mind and scare shit outta of me... I've seen drive by install in action... exploits that silently install rootkit while simply browsing a suppose to be safe webpage...

You may criticize security vendors, but trust me they (we) know what they (we) are doing (besides making money of course ;)

When I say firewall just gives you a false sense of security I mean, the traditional and not so traditional firewall cannot block attacks using IE related extremely critical vulnerabilities that are unleashed in the wild, like
ANI or VML or the other VML or ActiveX Control Code Execution or CPathCtl::KeyFrame() or createTextRange() or
Windows Metafile (this one affect firefox as well!)

M$ may write any bull shit explaining ...In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability... blah blah... An attacker would have no way to force users to visit a Web site (YEAH SURE)...


Down play the severity of these vulnerabilities and buying time...
Based on strong customer feedback, all Microsoft’s security updates must pass a series of testing processes... blah blah ...Microsoft’s intelligence sources indicate that the scope of the attacks is limited... blah blah

so basically they wont release any immediate patch...

BUT the fact is quite likely that these kind of vulnerabilities are being actively exploited... much easier than you think!

It is a known facts that google top results sometimes directly point your browser to web pages that contain exploits (must read very very good paper written by Dr. Igor G. Muttik of McAfee AVERT Manipulating the Internet)

In the past cracker defaced websites, nowadays, they dont change the visual appearance of webpages, but they insert exploit that silently install rootkits, I've seen popular, suppose to be safe, forum sites that was being cracked and silently installing rootkit... not even the owner of the site was aware....
(just imagine how many forum sites are using PHP...)

In the case of the latest M$ vulnerability, highly trafficked Dolphin Stadium website has been compromised with malicious code, allowing malware being silently installed by simply visiting the site using this IE ani vulnerability ...
The SANS Institute did some investigating into that incident. They posted portions of a response they received from a system admin where it was clear that a remote attacker exploited a SQL injection vulnerability to embed the malicious script. The same script is now serving the ANI file 0-day exploit reported yesterday. Googling the referenced script yields 113,000 results.

... so much for the very limited attacks.

OK, you have an IPS, nice ! (even when some "security" people still think IPSes are useless... I dont agree!) You are pretty much protected IF you updated your IPS & configured properly, best IPS vendors usually release signature updates as soon as they are aware of IE vulnerabilities (including this time for ANI vulnerability),

...but in the case of this ANI vulnerability, outlook is also affected, and in practice you should never ever block emails containing any vulnerability using IPS SMTP signature...

Because of the nature of SMTP, if you drop packet of SMTP session related to email transfer, the MTA will try to resend it again, blocking the mails queue until it sends the suspicious mail that keep being drop by IPS... it case you simply drop SMTP packet without reseting TCP session... dont be surprise if this infinitive cycle will crash a good MTA while trying to send/receive malicious mails (SMTP/TCP resource exhaustion)... hehehe

btw, a silly AV vendor still release weekly signature update, sadly their latest weekly signature was released in 28th March, I am quite sure it does not contain signature to block this ANI exploit...
meaning it takes another 1 week after ANI exploit is disclosed to have protection from an AV vendor weekly update...

Waiting for M$ for a patch is out of the question, if I remember correctly, historically it takes more than 2 weeks for M$ to release patch for extremely critical IE vulnerabilities... basically a suicide mission

Personally I think the best protection against this IE and outlook attacks is to have a good content filtering... content filtering can block attacks against IE and outlook vulnerability... as soon as your security vendor release the signature, within minutes you can be automagically protected without manual intervention... not configuration/patch tests needed... simple, quick, effective, painless... I like that.

PS: standard disclaimer applies... any views or opinions presented in blog are solely those of the author... blah blah...
PPS: I used to work and am still working for the best IPS vendors :-B... I think IPS is very nice to have, if it's properly configure it can help... a LOT.
PPPS: but I am a true believer of web/mail/ftp content filtering... one day I will explain why...
PPPPS: for your own safety avoid using IE and outlook


Thursday, March 29, 2007

another day... another IE & outlook exploit in the wild

In less than 3 months here we are again... sigh.. another zero day IE & outlook extremely critical vulnerability...

McAfee Avert Labs found exploit of this vulnerability already unleashed in the wild...

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. (AND OF COURSE!!!) Exploitation happens completely silently

kinda makes me miss old times in McAfee...

somehow these zero day IE extremely critical vulnerabilities remind me of Metallica No Remore song...
No mercy for what we are doing
No thought to even what we have done
We don't need to feel the sorrow
No remorse for the helpless one

War without end
No remorse no repent
We don't care what it meant
Another day another death (another zero day another death ;)
Another sorrow another breath
No remorse no repent
We don't care what it meant
Another day another death
Another sorrow another breath


Thursday, March 22, 2007

we're screwed

An interesting analysis by Secureworks of a trojan that freely spread in the wild, infecting without being detected by AV for quite sometime & use SSL as covert channel to send information... we're screwed :(

but there is hope, once again IE is the culprit, moral of the tale: dont use IE, better block outbound connection by IE.

Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS.

Based on the reportedly accurate system clock of the infected PC, one can assume that, by this point, the trojan has been in the wild and mostly undetected for about 54 days

When scanned by 30 leading anti-virus products, none of them detected malware specifically; however, several of them using heuristics detected it as a "suspicious" file or "generic" threat based on the fact that it was compressed by a common malware packer...

Seven vendors still only identified it as a suspicious file or generic threat, including Symantec ("Downloader"), Sophos ("Mal/Packer"), F-Prot ("generic"), and four smaller vendors.

Notably, five of the antivirus vendors reported no threat at all, not even the suspicious use of an executable packer.

Each time a form submission was POSTed to the bank's server, another HTTP POST request was made to the malware's home sever.