Recently in Software Category

A new Windows remote-code execution vulnerability has been spotted in the wild. A proof-of-concept demonstration is available here.

From CyberInsecure:

A new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in 'NSlookup.exe'. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

According to the alert, the issue is being actively exploited in the wild but details on the attacks are currently unavailable. At this moment there are no workarounds or vendor-supplied patches. [From CyberInsecure: Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild]

The OpenVAS project, a free and open source replacement for Nessus, announced its first stable release yesterday afternoon. This release includes server installation packages for OpenSUSE, Fedora, Mandrake, Gentoo, and FreeBSD. A client-only package is available for Windows.

Nessus, one of the standards in vulnerability scanners, was an open source project until a couple of years ago. This project is a fork from the last open version.

From Full Disclosure:

The OpenVAS project is proud to announce the release of the first stable
version of the "Open Vulnerability Assessment System". OpenVAS is a fork of
the Nessus security scanner; while Nessus switched to a proprietary license,
OpenVAS will continue to improve the scanner and will provide all components
as Free Software. [From Full Disclosure: OpenVAS Stable Release]

DNS still vulnerable after patch


Despite being delicately handled and patched at an unprecedented rate, Kaminsky's DNS vulnerability research may have opened up a huge can of worms. Russian developer Evgeniy Polyakov has announced that fully patched DNS systems are still vulnerable to poisoning.

From his blog, Zbr's Days:

Two attacking servers, connected to the attacked one via a GigE link, were used; each one attacked 1-2 ports with the full ID range. Usually the attacking server is able to send about 40-50 thousand fake replies before the remote server returns the correct one, so if the port was matched, the probability of successful poisoning is more than 60%.
The attack took about half of the day, i.e. a bit less than 10 hours. So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night... [From Zbr's days.]

This has also been mentioned in the New York Times and the Inquirer. He has posted his proof of concept code here.

Social networks ignore security practices


Is anyone really surprised that social networking sites such as Facebook and Myspace were discussed at this year's Blackhat in Vegas? The entire purpose of the genre is to share data, which can be difficult to do securely. According to one presentation, though, they aren't really even trying.

From Information Security Magazine:

Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure by design, insecure by default and insecure in deployment.
According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.
* * *

Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, their key message was that when sharing something on a social network, assume it's going to be public.

If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.

The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust. [From MySpace, Facebook ignoring basic principles of security]

It looks like the Apple security problems that have been buried in the news this year are adding up. According to IBM's annual security report, they have more disclosed vulnerabilities than any other vendor.

While Microsoft has been making their security practices progressively more transparent, Apple is notoriously close-lipped; one can only speculate about the actual numbers.

From InfoWorld:

Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.
The company rose from second place in 2007 to take the top spot away from Microsoft, which had fallen into third place behind open source content management system Joomla.
Final results were close, according to the IBM X-Force 2008 mid-year report, with Apple achieving a vulnerability disclosure score of 3.2 percent, followed by Joomla with 2.7 percent and Microsoft at 2.5 percent. [From Apple gets bruised in vulnerability report | InfoWorld | News | 2008-08-06 | By Darren Pauli, Computerworld Australia]

Vista security is completely hosed


I am reminded of the Active Directory issue several years ago, in which all domains in a forest were only as secure as the most poorly defended domain. In both that case and this one, a fundamental architectural choice by Microsoft made patching impossible; only a complete shift in strategy and a redesign can fix the problem.

With Microsoft's newfound religion around security, it is going to be very interesting to see how they handle this. It's the first major test of how seriously they take it (and of Ray Ozzie's leadership).

From Information Security Magazine:

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
* * *

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over." [From Windows Vista security 'rendered useless' by researchers]

Consumer Reports has recommended that Mac users avoid using the Safari browser due to a lack of phishing protection. While the report isn't as detailed or useful as some, it does tackle the human element, noting that while Apple touts its inherent security, users fall for online schemes just as often as Microsoft customers.

From CyberInsecure:

According to this year's State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple's Safari, has no phishing protection. Consumer Reports says that until Apple beefs up Safari, users should use a browser with phishing protection, such as the latest version of Firefox or Opera. They also offer free anti-phishing toolbars such as McAfee Site Advisor or FirePhish.
This is not the first time Apple's Safari has been criticized for lacking built-in phishing protection. Earlier this year, PayPal's Chief Information Security Officer Michael Barrett said that Apple, unfortunately, is lagging behind what they need to do to protect their customers. PayPal recommended using Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or Opera. [From Mac users are advised not to use Safari by Consumer Reports | CyberInsecure.com]

EFF announces project to protect coders


The EFF announced today a new project to shelter developers from legal threats while working on new and emerging technologies.

From LWN:

The Electronic Frontier Foundation (EFF) today launches its Coders' Rights Project -- a new initiative to protect programmers and developers from legal threats hampering their cutting-edge research.

* * *

"Coders who explore technology through innovation and research play a vital role in developing and securing the software and hardware we use everyday. Yet this important work can be stymied by bogus legal threats," said EFF Civil Liberties Director Jennifer Granick, who is heading up the project. "EFF's Coders' Rights Project will provide a front-line defense for coders facing legal challenges for legitimate research activities." [From EFF's Coders' Rights Project [LWN.net]]


It looks like Ray Ozzie has been making even more changes at Microsoft. First, he embraced the PHP community, joined the Apache Foundation, and released code under a GNU license. Now he is opening up the security patching process to give security vendors a head start on developing signatures.

For those without the budget or influence to be on the vendor list, he's also rating patches with an "exploitability index."

From Information Security Magazine:

The idea behind the early-access program is to give security vendors a head start on developing signatures and filters for attacks that follow the release of a new set of Microsoft patches on the second Tuesday of the month. Microsoft will announce its new plans at the Black Hat conference in Las Vegas this week.
Known as the Microsoft Active Protection Program (MAPP), the new plan will be open to security companies that provide defensive technology to large customer bases, meaning antivirus (AV), intrusion detection system (IDS) and intrusion prevention system (IPS) vendors. This kind of early notification is something that other companies have been calling for, and Microsoft officials said they've gotten to the point where they could use some help from the rest of the security community.
* * *
In addition to the MAPP announcement, Microsoft also plans to add a new component to its monthly security advisories: an exploitability index. The index will rank vulnerabilities based on the likelihood of someone developing working exploit code for the Microsoft flaws within 30 days immediately following the patch release. [From Microsoft to revamp patching, add exploitability index]

Metasploit author hacked by metasploit DNS tools


In an interesting turn of events, the controversial release of the BailiWicked Metasploit modules has led to BreakingPoint research director and Metasploit author HD Moore getting hacked. Was he targeted? Coincidence? Or is it karma?

From NetworkWorld:

HD Moore has been owned. That's hacker talk, meaning that Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack.
It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS traffic to the AT&T server, so when it was compromised, so was HD Moore's company. [From DNS attack writer a victim of his own creation - Network World]

Infobyte has released a tool that targets insecure online updates. This is a case where I'm not sure that an automated testing tool is actually a good thing -- I'm sure that the problem with many of the exploitable applications is the process itself rather than a bit of insecure code that can be patched or disabled. In that situation, I'm not sure how constructive this tool would be for a pentester or analyst.

On the other hand, if it is used widely enough for illicit purposes, it may put enough pressure on vendors to fix flawed processes. I'm sure the repercussions of this tool will be felt for a long time to come.

From the Metasploit blog:

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc) to exploit a wide variety of applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit. [From Metasploit: Evilgrade Will Destroy Us All]

Learning to pentest the safe and legal way


Kees Leune has pointed me towards some excellent pentest training resources, a set of live CD's that provide safe and legal targets for learning the tools included in Backtrack.

From Leune's blog:

I've been keeping an eye open for some other challenges, and I found one at The Last HOPE. One of the speakers mentioned that www.de-ice.net hosts some bootable CD images that are used to teach people pentesting skills. The author of the CD's did a nice job and grouped them in different levels of difficulty. The de-ice CD's are designed to be breakable with the tools included on the Backtrack Live CD.
After downloading the images, I was hooked.
Unfortunately there are only three CD's out at the moment, but I am proud to say that I managed to win all three challenges. I also admit that I needed some help getting the last one; I was unfamiliar with one of the tools used and needed a little hint. With that last hint, I was able to solve the third and final challenge. [From De-ice.net pentesting live CD's - Kees Leune]

It looks like Dan Kaminsky's DNS vulnerability has been released as a pair of Metasploit modules, which means the script kiddies are about to unleash it on the unpatched (so patch already).

From the Metasploit Blog:

So, on to our new modules. There's no reason to rehash the deep tech regarding packet formats and spoofing techniques, as most of the speculation linked above was correct, and the original leak has been mirrored just about everywhere. In short, the way this flaw works is that it combines two previously known but somewhat mitigated flaws to achieve success.

The first flaw is that since DNS (over UDP) is connectionless, it can easily be spoofed. The original mitigation for this was to make use of a transaction ID to correlate requests and replies that the attacker would have to guess. This makes spoofing harder, but not an insurmountable task. The second flaw was that additional records would be inserted into the cache which were included in replies from another nameserver during a recursive lookup. This original problem was somewhat mitigated by creating the in-bailiwick constraints that essentially limit the domain space for additional records that could be sent in the replies to hostnames from a given domain. Sounds reasonable; this prevents nameservers from doing malicious things to domains that they aren't authoritative for, while still allowing nameservers who are authoritative for a domain to update the records they need to.

When you combine attacks for these two flaws, however, an attacker can essentially pretend to be the authoritative nameserver, and update the nameserver record for a domain to point to a malicious nameserver address. Because the nameserver's name doesn't change, the update is in-bailiwick. You can also use this trick to inject cache entries for individual hostnames as long as those hostnames are not already cached, and also in-bailiwick.
The two Metasploit modules which implement these attacks are "DNS BailiWicked Host Attack" for injecting individual uncached host records into the target nameserver's cache, and "DNS BailiWicked Domain Attack" for replacing a target domain's nameserver records in a target nameserver's cache. Currently these must be run from the trunk development branch, as they rely on Net::DNS and raw sockets functionality which currently only exists in the development branch for MSF. The raw sockets code also currently only works when running MSF under Linux. [From BailiWicked]
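To make the two mitigations in the quote concrete, here is an added example (my own code, not from the original post, the Metasploit project, or Zbr's blog) of the resolver-side in-bailiwick check, run over two constructed replies: one with classic out-of-bailiwick glue, which the rule drops, and one shaped the way the write-up describes (an NS record for the zone itself, answering a query for an uncached name under that zone), which the rule admits. It also carries through the ID-space arithmetic behind the "more than 60%" figure from Zbr's numbers above. All names, addresses, record tuples and the 16-bit transaction-ID space are assumptions or constructed sample data.

```python
# Added example (not from the original post, the Metasploit project, or Zbr's
# blog): the resolver-side "in-bailiwick" rule from the quote, applied to
# constructed sample replies, plus the guess-space arithmetic behind the 60%
# figure.  Every name, address and record below is constructed sample data.


def _labels(name: str) -> list[str]:
    """Normalise a domain name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone itself or lies beneath it.

    Compares whole labels rather than string suffixes, so 'notexample.com'
    is NOT treated as inside the bailiwick of 'example.com'.
    """
    rec, zon = _labels(record_name), _labels(zone)
    return len(rec) >= len(zon) and rec[len(rec) - len(zon):] == zon


def filter_reply(bailiwick: str, records: list[tuple[str, str, str]]) -> dict:
    """Apply the bailiwick rule to a reply's authority/additional records.

    bailiwick: the zone the answering server is believed to be authoritative
               for (the resolver learned it when it followed the delegation).
    records:   (owner name, type, rdata) tuples as they arrived in the reply.
    Returns the records the rule admits to the cache and the ones it drops.
    """
    accepted, dropped = [], []
    for owner, rtype, rdata in records:
        bucket = accepted if in_bailiwick(owner, bailiwick) else dropped
        bucket.append((owner, rtype, rdata))
    return {"accepted": accepted, "dropped": dropped}


def poison_probability(fake_replies: int, id_space: int = 65536) -> float:
    """Chance that one of fake_replies matches a single outstanding query,
    assuming distinct guesses and that only id_space values need guessing.
    With just the 16-bit transaction ID to guess (id_space=65536), the
    40-50 thousand replies per window quoted above give roughly 0.61-0.76."""
    return min(1.0, fake_replies / id_space)


def demo() -> dict:
    """Two constructed replies to a resolver whose bailiwick is example.com."""
    # 1. Classic out-of-bailiwick glue: a record for a different zone rides
    #    along in the additional section.  The bailiwick rule drops it.
    glue_reply = [
        ("www.example.com", "A", "192.0.2.10"),
        ("www.bank.example", "A", "203.0.113.9"),   # not under example.com
    ]
    # 2. The shape the write-up describes: the query was for an uncached name
    #    under example.com, and the reply carries an NS record for example.com
    #    itself plus glue for that nameserver.  Every owner name is inside the
    #    bailiwick, so the rule admits all of it; whether it reaches the cache
    #    then depends only on the reply matching the outstanding query's
    #    transaction ID and source port.
    in_zone_reply = [
        ("example.com", "NS", "ns1.example.com"),
        ("ns1.example.com", "A", "198.51.100.7"),
    ]
    return {
        "glue": filter_reply("example.com", glue_reply),
        "in_zone": filter_reply("example.com", in_zone_reply),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "accepted:", result["accepted"], "dropped:", result["dropped"])
    print("P(match | port known, 40k replies) =", round(poison_probability(40000), 2))
    # Source-port randomisation multiplies the guess space; ~60000 usable
    # ports is an assumed figure, not one from the page.
    print("P(match | port randomised)      =", poison_probability(40000, 65536 * 60000))
```

The point for a defender is in the second reply: the bailiwick rule does exactly what it is supposed to and still admits the records, because their owner names are legitimately inside the zone. That leaves the transaction ID and source port as the only thing a spoofed reply has to match, which is why `poison_probability` swings from well over one half with a known port to a negligible value once the port is randomised, and why Zbr's result (a matched port on a fast LAN) matters even after the patch.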

For those who haven't been following the news this month, here is an executive overview, a recording of the press conference is available here, and on a more authoritative note, here is the US-CERT vulnerability note.


UPDATE: The modules have been updated for automatic tuning.

Today at OSCON, David Recordon of Six Apart (which produces Movable Type, the software that drives this blog) announced the formation of the Open Web Foundation.

From O'Reilly Radar:

To make sure that we are working towards the same goal, foundations (like OpenID) and specs (like OAuth) are created. Each time some of the same mistakes are made. The Open Web Foundation's goal is to provide a home for community-created specs, with mentorship, resources and infrastructure. Hopefully this will help teams spend time on making the spec. [From Announcing the Open Web Foundation - O'Reilly Radar]

This is a very good thing -- standardized, community-driven specifications can be written at the speed of innovation instead of waiting for one format or another to win out (or waiting for Steve Ballmer to giveth).

Here are the slides from the announcement:

Vista critics silence themselves


Apparently, spin and image are more important than reality. Microsoft has taken the "new Mojave OS" to a group of Vista critics. They loved it. Thing is, Mojave was actually just Vista.

From CNET:

Spurred by an e-mail from someone deep in the marketing ranks, Microsoft last week traveled to San Francisco, rounding up Windows XP users who had negative impressions of Vista. The subjects were put on video, asked about their Vista impressions, and then shown a "new" operating system, code-named Mojave. More than 90 percent gave positive feedback on what they saw. Then they were told that "Mojave" was actually Windows Vista.
"Oh wow," said one user, eliciting exactly the exclamation that Microsoft had hoped to garner when it first released the operating system more than 18 months ago. Instead, the operating system got mixed reviews and criticisms for its lack of compatibility and other headaches. [From Microsoft looks to 'Mojave' to revive Vista's image | Beyond Binary - A blog by Ina Fried - CNET News.com]

Personally, I've never understood the severity of Vista criticism that accompanied its launch. Sure, you have the somewhat ambitious hardware requirements, but Microsoft has always worked in the planned-hardware-obsolescence mindset. If you chose to use a Microsoft operating system, you chose to adopt that paradigm yourself; it's part of the package.

Vista is the most secure operating system that Microsoft has ever written. In my experience, it's less crash-prone than its predecessors, and it is designed to run the next generation of technologies (look at .NET 3.5; there's some goodness packed in there).

I'm not a huge Microsoft fan. Truth be told, OpenBSD is where my heart is at, but I have to give Ballmer and friends some credit -- Vista is a huge step forward, and it looks like those who look at the technology instead of the hype are coming around to those same ideas.
