Before It Bytes!

Posts about security topics or news.

Microsoft drops the patch bomb

Well, the August 2010 Microsoft patches are out. And man, are they out! 14 bulletins, 34 vulnerabilities, 8 rated critical. Countless reboots! There’s a lot to go through here, but here is some coverage which may help you evaluate this hot mess of patches:

Securing password resets in web apps

Recently a developer asked me how he should perform password recovery in his new web app. My first recommendation was not to do recovery at all, but reset instead. I searched for information aimed at developers on password reset functionality and was surprised at what I found. While I found a lot of information about what not to do, I didn’t find much on what should be done.

After pulling together some of the information I wrote this paper called “Securing Self-Service Password Reset Functionality in Web Applications” in an effort to help educate developers and provide some guidance for them when adding this type of feature to web applications.

Of course, any comments or suggestions are welcome!

Securing Self-Service Password Reset Functionality in Web Applications (pdf)
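As an added illustration of the reset-not-recovery advice above (example code written for this post, not taken from the paper): the application never stores or e-mails the old password; it issues a random, short-lived, single-use token, stores only a hash of that token, and lets the user choose a new password. The in-memory stores, the 15-minute lifetime and the PBKDF2 iteration count are constructed example values.

```python
# Added example: a minimal self-service password *reset* flow.
# Not from the paper or the original post; stores and policy values are constructed.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # constructed policy value
PBKDF2_ITERATIONS = 200_000   # constructed example value


class PasswordResetService:
    def __init__(self):
        self.users = {}     # email -> salted password hash (constructed in-memory store)
        self.pending = {}   # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _hash_password(password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return salt + digest

    @staticmethod
    def _check_password(stored, password):
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    @staticmethod
    def _hash_token(token):
        # Only the hash is persisted, so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email, password):
        self.users[email] = self._hash_password(password)

    def request_reset(self, email, now=None):
        """Return the token to deliver out of band (e.g. by e-mail), or None.
        The caller must show the same 'check your e-mail' message either way,
        so the response does not reveal whether the account exists."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        expiry = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        self.pending[self._hash_token(token)] = (email, expiry)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token; return True only if the password was changed."""
        entry = self.pending.pop(self._hash_token(token), None)   # pop => single use
        if entry is None:
            return False
        email, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False   # expired tokens are discarded, never honoured
        self.users[email] = self._hash_password(new_password)
        return True

    def login(self, email, password):
        stored = self.users.get(email)
        return stored is not None and self._check_password(stored, password)
```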

Out-of-band patch for .LNK vulnerability

Microsoft has announced that they will be releasing an out-of-band patch for the .LNK vulnerability today (August 2nd), most likely due to the increased use of the vulnerability in malware such as the Stuxnet family (great write-up from Microsoft’s Malware Protection Center blog here). More (excellent) coverage is available at the Krebs On Security blog.

Update: Microsoft has published the advisory and patch. Details available here.

Interesting reports released

In an effort to make sure that those of us not attending the fun in Vegas aren’t left out, a number of interesting security-related reports have been released in the past week or so. In all, the reports include a lot of data to be digested, but the takeaways seem to be:

  • Web app security needs some work
  • Privileged users can be dangerous
  • Organizations need to know what data they have and where
  • The information is in the logs, but no one is looking
  • Egress filtering is important
  • Malware is getting more sophisticated and customized

None of this is really news to infosec pros, but it may provide some fodder when explaining needs to management, as the reports contain hard numbers (and pretty graphs).

Here are some of the most recent reports:

Verizon 2010 Data Breach Investigations Report (DBIR)

The big news here is that the DBIR now includes data from the U.S. Secret Service, giving the folks at Verizon more data to work with. The report is very well put together and does a great job of presenting the data it contains, including pointing out where the new influx of data from the Secret Service has impacted the data making trends appear different than they have in past DBIRs. The report is available here.

Akamai State of the Internet Q1 2010

Akamai’s large global network certainly allows them to see a lot of traffic, both normal and malicious. Only the second section of the report deals directly with security, but the rest still makes interesting reading. In addition to attack traffic data, the report also contains information on global connection speeds, US connection speeds and mobile connection speeds. The report is available here (registration required).

Ponemon/ArcSight Cost of Cyber Crime Study

This study was sponsored by ArcSight, so there is a good amount of mention of SIEM systems and their benefits. The study still contains some interesting data on how much incidents can actually cost organizations (before, during and after an incident), with good information about the methodology used to arrive at the figures presented. The report is available here (registration required).

Digital Forensics Association “The Leaking Vault”

“The Leaking Vault” takes 5 years of data breach information drawn from many different sources, including FOIA requests, the Open Security Foundation, the Privacy Rights Clearinghouse, Sound Assurance, and the Identity Theft Resource Center. The result is a large amount of data which is sliced and presented in many different ways, providing some interesting insight into data breach notification (and its failures in some cases). The report is available here.

Cisco 2010 Midyear Security Report

The Cisco 2010 Midyear Security Report is less numbers focused than the reports listed above, but still interesting. The report is more focused on the changes in enterprises today and how those changes will impact security needs. This includes Mobile Devices, Virtualization and Cloud Computing, Social Media, and Government regulations. The report also includes information on worldwide spam volume. As an added bonus, the report also includes “The Artichoke of Attack” (page 21) which is by far my favorite graphic from any of these reports. The report is available here.

Interview with Joanna Rutkowska!

Several of our recent episodes have focused on crimeware and banking trojans.

In SecuraBit Episode 54 – Lions and Tigers and Banking Trojans, OH MY! we had Panda Security’s Sean-Paul Correll discussing Panda’s annual security report that disclosed the fact that 66% of all malware being released attempts to commit financial crime. In SecuraBit Episode 52: To catch a Mule with Krebs on Security! investigative reporter Brian Krebs (@briankrebs) discussed the Zeus banking trojan and the use of money mules to steal money. According to Shawn Henry, Assistant Director in the FBI’s Cyber Division, “More money is stolen electronically or in data breaches than through bank robberies.”

On April 7th, security researcher Joanna Rutkowska announced the development of a new high-security operating system, Qubes, that is a promising approach to addressing this problem. Joanna is well known in the security community through her presentations at security conferences around the world. Joanna was recently listed by NetworkWorld as one of the 12 “White Hat” hackers you should know. Joanna was kind enough to agree to an interview discussing Qubes.

BH: How did you get your start in security?
JR: It’s been so long ago, that I don’t remember anymore 😉
BH: After working so long with rootkits and VM compromises, why did you decide to design an OS?
JR: Well, indeed, we have done lots of offensive research over the past years, in areas ranging from kernel rootkits, through virtualization security, and ending with chipset and CPU security. During this time we have gathered lots of experience regarding how system software should and should *not* be built. And finally we became ready to build a system with a satisfactory level of security, I think. Also, the last year was somehow a break-through in terms of availability of some advanced hardware technologies for ordinary customers. One cannot really design and build a secure system without an IOMMU and some trusted boot technology. Intel VT-d and Intel TXT implement those two important technologies, and they have just entered shops in 2009.
BH: How long have you been working on Qubes?
JR: Over 6 months now. The first 2-3 months were mostly spent on designing the architecture, the rest on coding.
BH: How did you come up with the name Qubes?
JR: Oh, I thought it was pretty obvious. “Qubes” is just a fancy way of writing “Cubes”, and each “cube” is supposed to symbolize a Virtual Machine (VM). When we think about a Virtual Machine in security, we think about some kind of a cage, or a cube, something that is capable of containing and jailing whatever is inside (e.g. a malicious program).
BH: Can you briefly describe the goals of Qubes?
JR: To provide strong security for desktop computing by implementing “Security by Isolation” principle in an effective and easy-to-use way. My goal with Qubes is to make it useable not only by Linux geeks, but also by people like lawyers, doctors, businesspeople, and anybody who is concerned about potential compromise of their data.
BH: You mentioned using “security by isolation” as being superior to “security by obscurity” or “security by correctness”. Can these approaches be combined?
JR: Actually, we always need “Security by Correctness” — there are always some elements in any system that must be flawless in order to manage and secure the rest of the system. But an attempt to apply the “Security by Correctness” approach to the whole system, including Web browsers, PDF readers, etc, is simply not reasonable. We won’t be able to find and patch all the bugs in all our applications anytime in foreseeable future. It is simply naive thinking. So, instead, we designed Qubes to minimize the number of elements in the system that we need to trust, i.e. those where we need “Security by Correctness”. The potential attack surface in Qubes is orders of magnitude smaller than in a typical mainstream OS like Windows, Linux or Mac OS X.
BH: What functionality has been the most difficult to design?
JR: That would be the GUI virtualization. In Qubes we wanted to provide seamless integration of all the user’s applications on one desktop, just like if all the applications were executing natively. But, of course, they all run in different VMs. The obvious solution would be to let all the applications to connect to one common X server so it could present them all on one desktop. But that would be a very bad security decision, because the X protocol is very complex, and I bet there are dozens of ways to exploit it. So, we had to create a special GUI daemon and a protocol to extract the application’s, so called, composition buffers from each VM’s private X server, and bring them all and display on the common desktop in Dom0. The protocol we implemented for this is extremely simple — just a few messages, compared to hundreds or thousands of complex messages in case of a regular X protocol. At the same time our GUI implementation turned out to be very efficient, so that it’s perfectly possible to e.g. watch fullscreen movies running in AppVMs. The GUI daemon is one of those few elements of the system that we must absolutely trust and that we hope are flawless (the GUI daemon itself counts some 2,000 Lines of Code). If an attacker found an exploitable bug in our GUI daemon, then they would be able to compromise the whole system.
BH: Several leading regulatory agencies have suggested using Live CDs for conducting high-risk financial transactions. Do you think Qubes could be used in this way, or is it an alternative approach?
JR: And how often are they advised to reboot the system? Every day? Every 1 hour? Or perhaps every 5 minutes? 😉 Still, they cannot prevent more advanced attacks, e.g. persistent BIOS infections [our team has recently shown it was possible to infect one of the most secure BIOSes: the Intel vPro BIOS — see this link]. The whole idea behind Qubes is that you would not need to use such childish and annoying tricks.
BH: Is there a limit to how many ApplicationVM’s can be created?
JR: Yes, it is dictated by the amount of RAM your machine has. With 4GB RAM you should be able to run 7-10 VMs, depending on how much memory you assign to each VM (e.g. AppVMs for less demanding tasks might be assigned only 100 or 200 MB, while those used for Web browsing, running office apps, etc, would need some 400 MB; you also need to leave some 700 MB for your Dom0). We’re definitely planning to look into optimizing per-VM memory footprint in future versions, although if you have 4GB of RAM that’s pretty much enough for most usage cases even with the current implementation. Please note that Qubes already optimizes disk usage for AppVMs — thanks to smart filesystem sharing, each AppVM takes only as much disk space as needed for storing its private data (e.g. user files). One side effect of this efficient filesystem sharing is the ability to automatically update software (e.g. Web browsers) in all the AppVMs at once, which is extremely useful in practice.
BH: Do you plan to use content based page sharing to reduce memory footprint?
JR: This is currently a subject for further research.
BH: Do you plan to have application white listing within the ApplicationVMs?
JR: That’s certainly possible.
BH: In your architecture document you mention Firewalling ports in/out per VM. Do you think the complexity of doing this will restrict the acceptance of the OS?
JR: First, this is just an optional feature for the more demanding users. Also, we plan to provide pre-configured setups in the future, and perhaps also some management tools that would make more advanced setups much easier for non-technical users.
BH: You mention that the network stack is untrusted since you are using end-to-end encryption from within the ApplicationVM. Would protocol attacks such as certificate attacks or DNS poisoning be problematic?
JR: When we consider attacks on network protocols, then there is no difference if the attacker runs the exploits over WiFi, sitting in the adjacent hotel room or in the same lounge at the airport vs. if the attacker has compromised the NetVM. The opportunities are equal. If SSL or SSH is broken, you do have troubles, no matter if the NetVM is compromised or not.
BH: When do you expect Qubes to leave Alpha?
JR: Most likely at the end of summer holidays.
BH: What types of commercial extensions do you envision?
JR: One example would be support for running Windows-based AppVMs. Another example would be, as previously mentioned, various tools that would help to configure and setup Qubes deployments, especially in corporate environments.
BH: What can the community do to help?
JR: We have a wiki with a lot of information about the project, including how people can contribute:
BH: Thank you for taking the time for this interview. We look forward to watching the progress of this new operating system.

0days for Java Deployment Toolkit

Two researchers, Rubén Santamarta (@reversemode) and Tavis Ormandy have both posted proof of concept code today for exploiting a vulnerability in the Java Web Start functionality included in Sun’s Java since Java 6 Update 10.  The functionality is designed to make it easier for developers to deploy applications to end users.

In both cases the researchers were able to exploit the insufficient validation of parameters which are passed to the javaws command when used to deploy an application via a web page.  The end result is that an attacker would be able to launch a .jar file of their choice, almost silently on the user’s machine.

The exploits appear very simple, and Tavis did contact Oracle regarding the issue, but was told that the vulnerability is not severe enough to justify releasing an out-of-band patch for it.

Mitigation for the vulnerability can mean setting ActiveX killbits for Internet Explorer, or using file system permissions to prevent the Java Deployment Toolkit (npdeploytk.dll) from loading. More information on mitigation is available in the links below.

Currently the vulnerability is only exploitable on Windows versions of Java, but Rubén points out:

Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn’t allow me to research into this issue. I was focused on Windows at the moment of the disclosure.

So that may only be a matter of time.

More information and the POC code can be found here:
Full Disclosure Mailing List – Java Deployment Toolkit Performs Insufficient Validation of Parameters

Reverse Mode – [0DAY] JAVA Web Start Arbitrary command-line injection – “-XXaltjvm” arbitrary dll loading

Rootkit Analysis: Hiding SSDT hooks

In an attempt to bring our readers/listeners more technical content, the SecuraBit team has brought on a guest blogger to cover some of the current issues facing malware analysts/reverse engineers. Nick Jogie’s first post delves into rootkit analysis and explains in great detail how to detect such rootkits when AV and perimeter security devices just aren’t enough. Provide feedback to the SecuraBit team and let us know your thoughts!

“System Service Descriptor Table (SSDT) patching has been widely used by rootkits and is usually easily detected. BlackEnergy version 2 has implemented a technique which successfully hides from basic rootkit detection. Basic rootkit detectors typically only check the address ranges of the function pointers listed in the SSDT. If the pointers are outside the kernel address range, it implies that the SSDT is hooked.

The following will illustrate a procedural check, used to uncover this technique, using a kernel debugger…”

Read more here:

Rootkit Analysis – Hiding SSDT Hooks

Written by: Nick Jogie
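To make the limitation described in the excerpt concrete, here is an added example (written for this post, not Nick Jogie’s code or method) that runs the basic range check over a constructed SSDT and then compares the same table against a known-good copy, which is a stricter check of my own choosing rather than the debugger procedure his post walks through. Module bases, sizes and all handler addresses are constructed 32-bit values, not real ones.

```python
# Added example: basic SSDT range check vs. comparison with a known-good copy.
# Not from the original post; every address below is constructed.

# Constructed loaded-module list: name -> (base, size)
KERNEL_MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x21D000),
    "win32k.sys":   (0xBF800000, 0x1C6000),
}

# Constructed known-good SSDT (e.g. saved from a clean boot of the same build):
# service index -> handler address
REFERENCE_SSDT = {
    0x25: 0x805B3C8E,   # constructed address for NtCreateFile
    0x74: 0x805B41B0,   # constructed address for NtOpenFile
    0x91: 0x805C1F20,   # constructed address for NtQueryDirectoryFile
}

# Constructed live table: 0x25 points outside every kernel module (caught by
# both checks); 0x74 points to a different address that still lies inside
# ntoskrnl.exe (passes the range check, caught only by the reference check).
LIVE_SSDT = {
    0x25: 0xF8A12340,
    0x74: 0x80600A10,
    0x91: 0x805C1F20,
}


def in_kernel_module(addr):
    """Return the name of the module containing addr, or None if none does."""
    for name, (base, size) in KERNEL_MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def basic_range_check(ssdt):
    """The detector the post calls 'basic': flag pointers outside all kernel modules."""
    return {idx: addr for idx, addr in ssdt.items() if in_kernel_module(addr) is None}


def reference_check(ssdt, reference):
    """Flag every entry whose pointer differs from the known-good copy,
    whether or not it lies inside a kernel module."""
    return {idx: (addr, reference.get(idx))
            for idx, addr in ssdt.items() if reference.get(idx) != addr}


if __name__ == "__main__":
    for idx, addr in basic_range_check(LIVE_SSDT).items():
        print(f"range check:     index {idx:#x} -> {addr:#010x} (outside kernel modules)")
    for idx, (addr, good) in reference_check(LIVE_SSDT, REFERENCE_SSDT).items():
        print(f"reference check: index {idx:#x} -> {addr:#010x}, expected {good:#010x}")
```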

Adobe and Google may team up for Flash

ZDNet has a post about a rumor that Google and Adobe may team up, speculating that this may include bundling Flash with Chrome, both the OS and the browser. We’ve had a lot of posts on Flash vulnerabilities on Securabit (they make a regular appearance during the Vulnerability Roundups), so the first thing that comes to mind is that this could mean even more vulnerable systems for attackers to exploit.

On the other side, as has been mentioned on twitter by @jack_daniel, @quine and @egyp7, there could be some upside.  This could mean that the folks at Google will get to look through the source code for Flash, perhaps tightening it up, or that the sandboxing in Chrome sees some improvement to compensate for weaknesses in Flash.  While the first case would certainly be nice, any improvement to Flash security seems like a Win.  Now maybe if we can get them to team up on Reader…

Windows 7 “XP Mode” Vulnerability

This past Thursday (3/18/10) Microsoft announced that it will be dropping the hardware acceleration requirement for using the “XP Mode” feature on Windows 7. XP Mode allows a user to run software which is not Windows 7 compatible in a virtualized instance of Windows XP on the same box. Previously, to use this feature in Windows 7 you also had to have hardware virtualization acceleration, such as Intel VT or AMD-V. However, with this update anyone with Windows 7 (Professional, Enterprise, or Ultimate editions) can now use it. It’s nice to see Microsoft making some concessions for those users that have been unable to migrate to its newest platform, and perhaps provide them some encouragement. But there’s a catch.

That catch comes in the form of an announcement from Core Technologies of a vulnerability in Microsoft’s Virtual PC which allows an attacker to bypass some of the security safeguards which would normally be in place if the system were running on bare metal rather than as a guest OS, including some of the protections in Windows 7 such as DEP, ASLR and SafeSEH. This means that older vulnerabilities which were not considered exploitable, because other protections were in place, have been given a new lease on life.

Microsoft’s response downplays the announcement.  Microsoft is not calling this a vulnerability, as it requires that there already be another vulnerability to exploit.  As such, they will not be releasing a patch for the flaw, but will instead be waiting until the next release or service pack for the Virtual PC product.

In response, Paul Cooke from Microsoft says, “An attacker can only exploit a vulnerable application running “inside” the guest virtual machine on Windows XP, rather than Windows 7!”.  The exclamation mark at the end of this sentence was bothersome.  It seems that they are missing something.  Obviously there have been enough people up in arms about compatibility issues with Windows 7 that Microsoft felt the need to relax the restrictions on XP mode to encourage migration to 7.  This also says that there are companies which have software doing very important things and that the software doesn’t like Windows 7, hence the need for XP mode to be used more widely.  It’s all well and good that the host Windows 7 box is fine, as the excited Microsoft response above states, but if the important stuff is in the Virtual PC then who cares about the host OS?

More coverage is available at Threatpost

Vulnerability Roundup

Well, it isn’t Patch Tuesday yet, but that doesn’t mean there isn’t Microsoft news. A new 0-day has been found which exploits the help system in IE and older versions of Windows (2000, XP, 2003). I’ve included a few links with information about the vulnerability and mitigation steps. It appears a patch for this (and other known vulnerabilities) will not be included in the Microsoft release on Tuesday, which will include two bulletins, one for Office and one for Windows, covering 8 vulnerabilities in total.

Cisco has also released three advisories for vulnerabilities in three of their products.  Patches are now available for the Unified Communications Manager, Digital Media Manager and the Digital Media Player Remote display.

An interesting hardware/software vulnerability has been released for OpenSSL which could allow an attacker to deduce at least parts of the private key.  The technique used to exploit this weakness doesn’t seem very practical for attacking a full size system, but could be practical against embedded devices.

A new release of the TYPO3 Core CMS has been published to cover a few vulnerabilities (XSS, information disclosure). Other open source projects, PHP and BIND, have also been updated with security fixes.

The Zero Day Initiative also has some upcoming advisories for Apple’s Safari browser, which may mean updates from Apple.  The ZDI has rated these as “High” severity.

Last, but never least, VMware has released an advisory for some of their products, which includes another large list of CVEs covered. These updates include a long list of third-party updates for packages in ESX.