Tuesday, January 31, 2006

Microsoft Internet Explorer 7 Beta 2 Released

Internet Explorer 7 Pre-Release Beta 2 is open to the public. Come and get it.

It only works on Windows XP SP2 and some say it looks & feels a lot like Firefox.

BetaNews.com has a write-up on the new public IE7.

Updated Security Tools - Ephedra Free

1) Nmap v4.0 was released over at Insecure.org today.

The changelog reports one change from v3.9999 -
  • Added the '?' command to the runtime interaction system. It prints a list of accepted commands. Thanks to Andrew Lutomirski (luto(a)myrealbox.com) for the patch.

2) The password cracker known by all as John the Ripper was updated to v1.7 recently. Claims of significant performance increases are among the improvements in the changelog.

3) The brute-force login hacker, Hydra, was updated to v5.2 on Jan 27th. It includes fixes for the SSH2 module and a new "VMWare-Auth" module. That should be interesting to test.

4) Cain & Abel was updated to v2.8.4 on Jan 19th as well. New features include:

  • Rainbowcrack-Online client - The client has been developed in collaboration with Rainbowcrack-Online team. Cain can now interact with the outstanding power of this on-line cracking service based on RainbowTable technology. The service is not free and you need a valid account to use this feature, please check current rates on their site. The communication between Cain and the web site is SSL enabled to ensure privacy of transmitted information.
  • Oracle Password Cracker (Dictionary and Brute-Force Attacks).
  • Oracle Password Extractor via ODBC.
  • MySQL Password Extractor via ODBC.

Monday, January 30, 2006

OS X for Intel 10.4.4 Leaked

The news was released on the OSX86 Project today. I am not an Apple user but I believe 10.4.4 is the highest Intel OS X released to developers.

Of course, 10.4.5 was released to developers recently but it was for the PowerPC chip only, I believe. I could be wrong however.

Apple was smart to get the hacking geeks on their side...but it is a paradox box. Hacking geeks that want Apple on intel will get it...TPM or not.

Nmap 3.9999 - Runtime Interaction Feature

On Friday, I was asked to port scan a new server at work. Cool, portscans are always fun. I knew I had Nmap 3.95 on my laptop, but I jumped over to Insecure.org to make sure I still had the "latest and greatest"...well I didn't.

Checking out the changelog, I found a very cool feature introduced in 3.98 BETA1. It is called "Runtime Interaction". Yep, the name basically sums it up. This feature was created by Paul Tarjan as part of the Google Summer of Code. But initially, it only worked in the Linux/Unix version of Nmap 3.98 BETA1.

Well, Nmap 3.999 added runtime interaction support to the Windows port as well. Thanks to patches from Andrew Lutomirski and Gisle Vanem.

Then Nmap 3.9999 (that is four nines) was released. It added several minor nmap-protocols and mac-prefixes file updates over 3.999 (that is three nines).

Pretty cool. The runtime interaction feature should come in handy during large network scans. Anyways, update your ports or go directly to the source and get Nmap 3.9999.

Friday, January 27, 2006

Microsoft Will Remove BlackWorm AFTER D-Day

The payload for the BlackWorm is set to activate on Feb 3rd but Microsoft isn't going to release their updated Windows Malicious Software Removal Tool until Feb 14th (Black Tuesday). Does that make any sense?

Sure, it really isn't Microsoft's job to clean worms off your computer - or is it?

Microsoft fully understands the worm at this point. They even wrote a full analysis of it. They call it a "Moderate" threat on their OneCare site as well.

Microsoft wants to make a move into the Anti-virus marketplace, right? Wouldn't this be a great chance to prove something to their possible customers?

Saving the data of thousands of people (perhaps tens of thousands) would be a good faith sign for a newcomer in the AV world, would it not?

Microsoft cares about your security, seriously....as long as that caring can fall on the second Tuesday of the month (aka Black Tuesday).

Microsoft wants your money, they want your business but they can't release a tool a little early to save your data. However, normal people that just want to do good will spend all their free time protecting people they don't even know. In this case, that group was the BlackWorm Task Force.

Nice work Gadi and everyone that was involved in that underground effort.

Credit on the information dig goes to Fergie via the FunSec Mailing List.

Complacency – Still a Security Threat

You are the security administrator of a large data center. You have disabled all unnecessary services, triple-checked the firewall rules, conducted penetration tests on all active servers, written security procedures, and trained all employees on basic security ideas. You are golden, right? Wrong.

One threat still remains – Complacency.

Complacency can be defined as the act of being content to a fault with one’s actions. In the information security world, it can be one of the hardest attack vectors to identify. Bleeding Snort does not have signatures on file to detect complacency and it will not show up in an event log report.

Complacency comes from what some would call the weakest link in the security chain – people.

In simple terms, it is the difference between “doing everything you can to secure a network” and “thinking you already have”. Administrators aren’t perfect and therefore mistakes will happen - c'est la vie. We are only human after all. But experts have warned about security complacency for years. However, we never hear about the countermeasures.

I can only think of one – vigilance.

Always assume you have missed something, always watch for changes that were unexpected, stay on top of the news and emerging security threats, etc. Being vigilant should not control your every thought but it should be a layer in your thought process.

Recently, Bill Thompson over at BBC News cracked the hardened surface of this subject again in his “Mac user ‘too smug’ over security” article. He was quite surprised by the overall response of the Apple community.

Too many times, people feel they are more secure because they run _______. This is the red flag of complacency. This isn’t to say that people are wrong when they say “this operating system has a better security model (by design)” or “this operating system is more secure out of the box”. We all need to be mindful no matter what OS we have on our machine.

It has always been my belief that a computer is only as secure as the person managing the box. Of course, all operating systems can be hardened beyond the default install. However, hardening servers should only be done by professionals that understand the workings of the system. If you don’t know what you are doing, you can easily harden yourself into an unscheduled DR situation. Anyone that works in the IT world knows managers don’t like unscheduled DR situations. =)

Moral of the Blog – Security is a very complex and fluid issue. Everyday, the security of a given system ebbs and flows as events on the internet unfold. Security isn’t filling in a checkbox on a requirement form or applying a single patch.

Staying vigilant is the only true countermeasure to security complacency.

Humor: Andy in Hyderabad, India

Most people know the pain of having computer problems, even IT professionals. We have all had those certain Tech Support calls that just didn't seem to really help. This great Conan O'Brien clip may give us insight into why this may happen.

Andy goes to Hyderabad and causes trouble - (9MB Windows Media Vid)

Hyderabad is seen as the second "Silicon Valley" of India, after Bangalore. Hyderabad has several software technology campuses with leading companies such as Infosys, Microsoft, CSC, Oracle, Wipro, Kanbay, GE, iGate, ValueLabs, ADP, Dell, Deloitte, HSBC, SumTotal, Intergraph, Analog Devices, IBM, Keane, Baan, Tata Consultancy Services, Amazon and Google having established centers in the city.

I love Wikipedia.

Thanks go to MW for the link.

TGIF

Thursday, January 26, 2006

Intel Macs - Get One Now or Wait?

Wired.com has a good article on just this subject.

Here are some of the reasons to wait:

1) "Most applications that run in OS X Tiger are able to run on Intel hardware via an emulation layer called Rosetta, but there are a few exceptions, spelled out in Apple's Universal Binary Programming Guidelines"

Also check out MacFixIt.com

2) "Jobs demoed Photoshop at Macworld, but conceded that the application's performance is worse under Rosetta than the speeds offered by older PowerPC hardware."

This is to be expected with the move to the Intel chipset. Apps will be redesigned to take advantage of the Intel code, but that will take time.

3) "Almost every version of Windows requires a BIOS to launch, and Apple's Intel Macs use Intel's new extensible-firmware interface (EFI) instead, which Windows XP doesn't support. Vista supposedly will, so it might be possible by the end of the year."

Dual-Booting with Windows XP and OS X is not currently possible. But in a non-official way, this may be open to some hackers before the public. There is a contest running right now. First person to provide the steps and pictures will get a prize. That prize is currently over 7000 dollars and likely to go higher.

Tuesday, January 24, 2006

"Cleaning the Air" in Court (Fun)

I was reading the DailyDave mailing list this evening and found this little gem from Dave Aitel. After a quick Google search, I found this 2004 article over at SFGate.com.

In February 2002, Consumer Reports published a lengthy article reviewing 16 different air purifiers. It placed the Ionic Breeze Quadra model at the bottom of its rankings, saying the device produced "no measurable reduction in airborne particles."

Consumer Reports ran a second article on purifiers in October 2003. Once again, Ionic Breeze ended up near the bottom of the magazine's rankings.

Fun stuff. Not only does it not clean the air, it produces high levels of ozone.

In May 2005, Consumer Reports reported new findings that the Ionic Breeze Quadra S1737 SNX and four competing devices emitted excessive amounts of ozone that could cause respiratory difficulty when operated close to the user.

Wednesday, January 18, 2006

The Fight for Internet Neutrality Principles

Wikipedia defines Network Neutrality as the following:
Network neutrality is a principle of internet regulation with particular relevance to the regulation of broadband. It suggests that (1) to maximize human welfare, information networks ought to be as neutral as possible between various uses or applications, and (2) if necessary, government ought to intervene to promote or preserve the neutrality of the network. Underlying the theory of the benefits of network neutrality is a belief that a neutral network promotes Schumpeterian, or evolutionary innovation of information technology.

Sounds good eh? Well not everyone likes the sound of it.

BellSouth has talked about plans for a while to charge service providers extra for premium network usage. For example, Yahoo could pay BellSouth to make Yahoo Mail load up faster than Google Mail, or Microsoft could pay BellSouth to make MSN Search give results faster than Google Search - you get the idea.

Many in the IT world feel this new plan is directed more toward VoIP, but who knows for sure, and who really wants to wait and find out? Opponents see this new plan as a power grab attempt by the major telephone companies, since most of them passed up the idea of the internet in the beginning.

Right now there is a piece of legislation at the U.S. House of Representatives that connects directly with this "network neutrality" issue. Google believes this new legislation needs to be modified to protect the idea of neutrality for the internet.

Jeff Pulver, the man behind the company that is now called Vonage, even called for Google and others to start a BellSouth boycott yesterday.

Blogs and media sources have exploded in a new round of pay-for-QOS stories.
Silicon Valley.com Blog
Techdirt.com
MSNBC.com
CNNMoney.com

In response to this round of media noise, three consumer groups today repeated calls for a U.S. law to prevent broadband providers from blocking or slowing customer access to some internet content, saying the public wants government protection.

"If we're not careful, we'll miss signs that there are threats to openness that makes the Internet so great," said Michael J. Copps, a Democrat on the U.S. Federal Communications Commission (FCC), speaking at the consumer groups' press conference. "The more concentrated that our [broadband] providers become, the more they have the ability, and possibly even the incentive, to act as Internet gatekeepers."

Google responded today with support for the neutrality principles in the NetworkingPipeline Blog.

Google's Barry Schnitt told Paul in an email: "Google is not discussing sharing of the costs of broadband networks with any carrier. We believe consumers are already paying to support broadband access to the Internet through subscription fees and, as a result, consumers should have the freedom to use this connection without limitations."

Tuesday, January 17, 2006

FSF Releases Draft of GPL v3

The Free Software Foundation (FSF) has released a draft of the GNU General Public License (GPL) Version 3.

One of the more interesting provisions focuses on GPL software in DRM software. It prevents GPL-licensed software from being used in DRM copy-protection software.

"We are trying to do what we can, in a limited way, to use the freedoms that our licence gives us to actively work against the spread of DRM restrictions," said Eben Moglen, an FSF board member and one of the authors of the draft.

This provision was most likely set into stone after Sebastian Porst discovered LGPL code from the LAME project, mpglib and VideoLAN in the F4I code used in Sony's XCP software.

Monday, January 16, 2006

When Breakfast Shacks and Wifi Clash

Pretty cool story about how a small group of people found a connection between Starbucks' new test ovens and their T-Mobile wireless internet woes.

http://www.tmobiledoesntworkatstarbucks.org/

I have seen similar issues at my local Starbucks, but it isn't every couple of minutes.

New Security Tools - Now with Taurine!

Two updated tools were released on Sunday.

1) Paros Proxy 3.2.9 - Great tool to track web application traffic and check web application integrity. It allows the user to not only monitor and capture all HTTP & HTTPS data passing between servers and clients, but it also allows users to track and modify cookies and form field data on the fly.

2) Metasploit Framework v3.0 Alpha 2 - The Metasploit Framework (MSF) is an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research. Remember this is an Alpha release and should only be used for testing purposes.

Ok, so I made up the Taurine part. While dietary taurine can be found in shellfish and organ meats like liver, I enjoy the primary taurine source of ubergeeks - Redbull.

Saturday, January 14, 2006

Open Source WMF Patch for Windows 98SE

As many of you know, Microsoft has decided not to release an official patch for the SetAbortProc() WMF flaw. Systems before Windows 2000 are not exploitable directly by default; therefore MS doesn’t see it as a critical security problem. It is also a great way for them to push users into upgrades, but that is another issue altogether. Lack of real security should be enough to force users into a move away from the Win9x kernel.

Microsoft has stated that they will only release really critical security patches for the Win9x platform until June 30 of this year.

But not everyone is happy about seeing this possible security risk before them. Open Source to the rescue. Inspired by Ilfak Guilfanov’s XP patch, Tom Walsh of the SecuriTeam blog has released his own open source WMF patch for Win9x Systems.

Nice work Tom.

Friday, January 13, 2006

The WMF Backdoor Debate

I don't believe the general press has grabbed on to this yet but there is a nice little debate happening right now on the security list. Was the WMF bug a deliberately designed backdoor into Windows?

Steve Gibson of GRC believes it might be and attempts to produce evidence on this Security Now Website.

I will let the reader decide on their own...but not everyone in the world agrees with Steve Gibson. I personally believe he may need to shave some off the top a bit. However we may never know the truth about why and how the WMF vuln was allowed to exist for so long.

Right now there is a great debate happening on Full-Disclosure and FunSec. Newer posts are on the bottom.

Perhaps we can chalk it up to the today being Friday the 13th and a Full Moon.

Tuesday, January 10, 2006

Beware of Some "Antispyware"

Mark Russinovich has a great write-up on the new Antispyware Conspiracy. These so called "antispyware" products are pure danger and most of the times are far worse than the spyware they claim to find. This should be a good wake-up call to those users out there that fall for these types of tricks.

Stick to the popular and well-known products - Spysweeper, Counterspy, Ad-Aware, Microsoft Antispyware & SpyBot S&D.

Professionals also use more expert tools like HijackThis. But due to the damage that can be caused by these tools, only experienced people should go beyond the five stated above.

Dan Hubbard of Websense stated on the FunSec mailing list that they are tracking several of these fake antispyware programs that are not just making you pay for nothing. Some are going a step beyond and planting keyloggers and traffic redirectors to steal credentials.

Patch Tuesday is Here

Here is what my computer just installed on Windows XP SP2. The first one sounds pretty serious; I am going to keep an eye on information connected to KB908519.

------------------------------
(KB908519) - MS06-002 - CVE-2006-0010

A vulnerability exists when viewing Embedded Web Fonts that could lead to remote code execution. Reported by eEye.

(KB902412) - MS06-003 - CVE-2006-0002

A vulnerability exists in TNEF messages that could allow remote code execution. Reported by John Heasman and Mark Litchfield of NGS Software.

The Spin Begins - Internet Explorer WMF DoS Vulnerability

Several days after the WMF DoS PoC was released, Lennart Wistrand @ Microsoft has responded on the MSRC blog.

"Lennart Wistrand here. I wanted to write a few lines about the public post made over the weekend about a new specially crafted WMF image that could potentially cause the application using the Windows Graphics Rendering Engine to crash. As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity. We had previously identified these issues as part of our ongoing code maintenance and are evaluating them for inclusion in the next service pack for the affected products."

Wow. So now DoS is a performance issue. I would rather Microsoft say "It isn't very dangerous yet, it isn't being exploited in the wild and we have more important issues to fix".

Important issues like:

EEYEB-20050505 - Remote Code Execution Vuln in IE and Outlook
EEYEB-20050627 - Remote Code Execution Vuln in Windows W2k-2003
EEYEB-20050801 - Remote Code Execution Vuln in Windows W2K-2003
EEYEB-20051017 - Remote Code Execution Vuln in IE and Media Player (metafile/media file??)

Let's not get into the DoS, Privilege Escalation, Security Bypass, System Access vulnerabilities listed for a wide range of Microsoft products on Secunia.

And those spoofing problems with IE that help phishers attack normal internet users.

Microsoft, you are doing better that is for sure, but the spin isn't needed. We are all adults here...

Monday, January 9, 2006

More WMF Woes for Microsoft - DOS Vulnerability - UPDATED

Symantec issued a vulnerability alert on its DeepSight Threat Management System that warns customers of multiple memory corruption vulnerabilities in the same rendering engine that Microsoft just patched (MS06-001).

As far as the information on the ground, it looks more like a DOS vulnerability at this point, but code execution should never be ruled out. Microsoft should remember this lesson from the IE flaw discovered by Benjamin Tobias in March of 2005. Once thought just to be a DoS vulnerability, it turns out that it also allows execution of arbitrary code.

Right now, it would appear that the DOS applies to Windows 98, 2000-2003 and Vista. Fine tuning of this information will occur over time however.

Moral to the story, no threat is too small to examine and take into account.

Reminds me of our ever changing road system.

At first, there are five pretty small potholes in the road. DOT comes out and fixes the biggest one, which most likely causes the most complaints and the biggest headaches. But after a while, those four other holes grow and cause just as many problems, if not more, than the original.

UPDATE - It has been barely an hour since my original post. Andrey Bayora posted the following information on the FD Security Mailing list. I have not tested these WMF files at this point. Just passing on the new information.

Well, here is the PoC for the 2 new WMF vulnerabilities discovered by cocoruder, which are not covered by MS06-001.

You can download WMF images at - http://www.securityelf.org/files/WMF-DoS.rar

UPDATE x 2 - It would seem that the first WMF flaw took Microsoft by surprise. Kevin Kean, a director in Microsoft Security Response Center (MSRC), said the following in this CNET article.

"It is not a common buffer overflow," Kean said. "The software has a behavior that people can take advantage of. Obviously we did not intend it to be used in that way."

I was hoping Microsoft had learned that valuable lesson by now. Attackers and hackers use things all the time in a way they were not intended. This “Intending” issue is one of the core secure coding software problems.

Programmers always “intended” users to use correct data inputs and never “intend” to let the users input data over the limit of a buffer…but it happens. Part of the secure coding idea is to look at your code and find the places where attackers could use the code in ways that were not “intended”.

On a positive note, this situation will remind Microsoft why it cannot leave old code lying around. This new security push can only help in my mind. No pain, no gain.

Friday, January 6, 2006

Music DRM - Where are we now... UPDATED

Coldplay's new CD is loaded with DRM rules.

The CD has been manufactured for usage in regular CD players, but might not play in the following players:

  • Some CD players that have the capability of burning into an MP3 (such as portable players or car stereos)
  • Some CD players that possess CD-R/RW functions.
  • Blah, Blah, Blah.

Just look at the insert and you will quickly figure out that your freshly paid for CD will not play in anything other than a Generation 1 CD player that has no other functions. Thank god for all these CD standards and new functions...right? Now we can't even listen to our music - which we just paid for.

Just so everyone knows, this huge list of stuff has done ZERO to stop internet trading. In this case, I saw the whole album on BitTorrent sites almost 3 or 4 weeks before the CD was even released to stores.

So people can get it now or wait, pay and not be able to play it on their iPod, in their car or in their computer...umm...choices. =)

However in other more positive news, the EFF has sent an open letter to EMI records. In the letter published Wed, EFF urges EMI Music to publicly declare that it will not take legal action against computer security researchers who study copy-protected CDs released by record labels owned by EMI.

Basically the EFF believes that fans deserve to know whether EMI's copy-protected CDs are exposing their computers to security risks. After Sony attempted to sweep the whole XCP DRM rootkit story under the bed sheets, this sounds like a damn good idea - IMHO.

In late December, Sony BMG agreed to settle the class action over its XCP DRM rootkit. Mark Russinovich has a great blog about it as well.

One of the funny points in the agreement is that Sony BMG must provide the music on the CDs as unprotected MP3 files, which is exactly what the XCP DRM was created to stop. Ironic.

UPDATE - Paul Ferguson pointed me to a very interesting development in Sweden. A group of students at the Viktoria Institute in Gothenburg has worked out a system of P2P music listening and sharing that runs on WiFi-enabled PDAs and allows users to actively recommend songs by pushing music to other users in the proximity. Wow.

Thursday, January 5, 2006

Official Microsoft Patch Released - MS06-001

http://www.microsoft.com/technet/security/bulletin/advance.mspx

"Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned."

Also, two other critical patches will be released in-band on Tuesday the 10th. Let's not forget about those and the chance that exploits could be created from those patches. If the holes are serious enough, that could be another whole problem in itself.

UPDATE - http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx - The patch is here.

Updated Microsoft Advisory for WMF

http://www.microsoft.com/technet/security/advisory/912840.mspx

The key changes are related to embedded WMF files via Office and the affected OS list. No real surprises here. They have basically just officially confirmed notes that you have seen on this blog and others.

1) Embedded WMF files in Office documents are dangerous. This was known in the community.

2) Windows 9x & ME are less vulnerable to a direct OS-level attack by default, but if you are using third-party image viewers on these OSs, then it is possible you are vulnerable as well. Check with the vendor of your applications for the details.

WMF FAQ by HD Moore

The creator of the Metasploit Framework has released his own WMF FAQ. This was posted to the FD Security Mailing list this morning. Good information.

---------------------------------------------------

Q) Why did you release an IDS and AV evading exploit module so soon after the vulnerability was discovered?

A) The vulnerability was being exploited, in the wild, for at least two weeks (based on email reports) prior to the original BT post. The WMF structure is widely documented. The AV vendors were providing less-than-capable signatures for no reason other than that no public code was available that demonstrated alternate encodings. The IDS vendors were (and some still are) providing signatures that couldn't survive a single legal byte change in the WMF header. The release of a "polymorphic" (not) exploit forced the vendors to either fix their products or cry "irresponsibility" and give up. IPS vendors realized how SOL they are wrt to client-side HTTP attacks (so many encodings, so many ways to DoS an IPS that tries to decode them).

Q) The Windows Meta File format has a number of optional headers, can any of these be used to trigger the arbitrary code execution flaw via SetAbortProc?

A) No. The CLP headers (16 bit and 32 bit) cause the Picture and Fax Viewer (PFV) and Internet Explorer to throw an error when trying to render the image. Internet Explorer will only display an image internally if the "placeable" header has been prepended to the bare WMF header. If the "placeable" header exists, a device context check will fail during the call to Escape() and the SetAbortProc() function is not reached. This effectively prevents IE or the PFV from executing the SetAbortProc() call when any optional header has been prepended. This may not hold true for Explorer's preview and icon view.

Q) What about the Enhanced Meta File format? Does this format allow access to the exploitable function?

A) No. The EMF format has a separate API (which may or may not have its own problems), but it does not allow access to the WMF Escape() function. A WMF file can be delivered with the EMF extension however, which will cause it to be processed with the vulnerable API.

Q) Are there any other ways to obtain code execution besides via WMF files viewed by PFV or Explorer?

A) Yes. Any application that accepts WMF files and calls PlayMetaFile with the supplied data can be exploited. Some of these only recognize WMF files with the placeable header, which may prevent the application from reaching the SetAbortProc function. There are *many* other places where standard (i.e. included with the OS) applications call the PlayMetaFile function; it's just a matter of figuring out which ones can be used to deliver the malicious WMF content. A potential vector includes the display of icons stored inside of a standard executable. Viewing these files in an Explorer directory listing could result in the execution of code in an embedded WMF file. This has yet to be tested.

Q) What WMF header fields are mandatory for code execution through the PFV ?

A) Not many. The Windows Meta File header and possible field values are listed below:

# Possible values: 1 or 2 (memory or disk)
WORD FileType

# The HeaderSize must always be 9
WORD HeaderSize

# The Version field can be 0x0300 or 0x0100
WORD Version

# This parameter can be anywhere from 0x20 to 0xffffffff
DWORD FileSize

# Completely arbitrary
WORD NumOfObjects

# Completely arbitrary
DWORD MaxRecordSize

# Completely arbitrary
WORD NumOfParams

The MSB of the actual MetaFileRecord function field is completely ignored.

Credits: A number of anonymous sources contributed to this information.

More information on the WMF structure can be found at the following sites:
- http://wvware.sourceforge.net/caolan/ora-wmf.html
- http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt

-HD
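The FAQ above lists which header fields actually matter and complains that IDS signatures of the day broke on a single legal byte change in the header. The following Python is an added example, not part of HD's FAQ or the Metasploit project: it parses the header fields listed above, checks them against the ranges the FAQ gives, and walks the record list so that an Escape record asking for SetAbortProc is flagged no matter how the surrounding header bytes are varied. The placeable-header key, the META_ESCAPE (0x0626) and SETABORTPROC (9) values, and the drawing record codes used in the sample are standard WMF/GDI numbers; the sample files are constructed inline; reading the FAQ's "MSB is ignored" remark as masking the whole high byte of the function field is an assumption of this example.

```python
import struct
from dataclasses import dataclass, field

PLACEABLE_KEY = 0x9AC6CDD7   # key DWORD that starts an Aldus "placeable" header
META_ESCAPE = 0x0626         # record function that reaches GDI Escape()
SETABORTPROC = 9             # Escape sub-function the FAQ discusses
META_EOF = 0x0000


@dataclass
class WmfReport:
    placeable: bool = False
    header: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)       # header values outside the FAQ's ranges
    functions: list = field(default_factory=list)      # low byte of each record's function field
    escape_codes: list = field(default_factory=list)   # sub-function of every Escape record seen

    @property
    def suspicious(self) -> bool:
        """True when any Escape record asks for SetAbortProc."""
        return SETABORTPROC in self.escape_codes


def parse_wmf(data: bytes) -> WmfReport:
    """Parse the WMF header, check it against the FAQ's ranges, then walk the records."""
    rep = WmfReport()
    off = 0
    # A 22-byte placeable header, if present, sits in front of the standard header.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        rep.placeable = True
        off = 22
    if len(data) < off + 18:
        rep.problems.append("truncated header")
        return rep
    ftype, hsize, version, fsize, nobj, maxrec, nparams = struct.unpack_from("<HHHIHIH", data, off)
    rep.header = {"FileType": ftype, "HeaderSize": hsize, "Version": version, "FileSize": fsize,
                  "NumOfObjects": nobj, "MaxRecordSize": maxrec, "NumOfParams": nparams}
    if ftype not in (1, 2):
        rep.problems.append(f"FileType {ftype} is neither 1 (memory) nor 2 (disk)")
    if hsize != 9:
        rep.problems.append(f"HeaderSize {hsize} != 9")
    if version not in (0x0100, 0x0300):
        rep.problems.append(f"Version {version:#06x} is neither 0x0100 nor 0x0300")
    if fsize < 0x20:
        rep.problems.append(f"FileSize {fsize:#x} is below 0x20")
    off += 18
    # Each record: DWORD size in 16-bit words (including itself), WORD function, parameters.
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            rep.problems.append(f"bad record size {size_words} at offset {off}")
            break
        # Assumption: "MSB ignored" means the whole high byte, so 0x0026 dispatches like 0x0626.
        low = func & 0x00FF
        rep.functions.append(low)
        if low == (META_ESCAPE & 0xFF) and size_words >= 4:
            rep.escape_codes.append(struct.unpack_from("<H", data, off + 6)[0])
        if low == META_EOF:
            break
        off += size_words * 2
    return rep


# --- constructed sample files (built here for the example, not real captures) ---

def record(func: int, params: bytes) -> bytes:
    """Encode one metafile record; the size field counts 16-bit words."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def placeable_header() -> bytes:
    """Placeable header with a valid XOR checksum over its first ten words."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum)


def build_sample(records: list, placeable: bool = False) -> bytes:
    """Wrap records (plus EOF) in a standard header with correct FileSize and MaxRecordSize."""
    records = list(records) + [record(META_EOF, b"")]
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return (placeable_header() if placeable else b"") + header + body


# Ordinary drawing records; the function codes are standard WMF values.
BENIGN_RECORDS = [
    record(0x0201, struct.pack("<I", 0x00FF00FF)),          # META_SETBKCOLOR
    record(0x020B, struct.pack("<hh", 0, 0)),               # META_SETWINDOWORG
    record(0x020C, struct.pack("<hh", 100, 100)),           # META_SETWINDOWEXT
    record(0x041B, struct.pack("<hhhh", 90, 90, 10, 10)),   # META_RECTANGLE
]
# Same drawing plus an Escape/SetAbortProc record whose high function byte was altered.
FLAGGED_RECORDS = BENIGN_RECORDS + [record(0x0026, struct.pack("<HH", SETABORTPROC, 0))]

if __name__ == "__main__":
    for name, sample in (("benign", build_sample(BENIGN_RECORDS)),
                         ("flagged", build_sample(FLAGGED_RECORDS, placeable=True))):
        r = parse_wmf(sample)
        print(name, "placeable" if r.placeable else "bare",
              "suspicious" if r.suspicious else "clean", r.problems or "header within FAQ ranges")
```

Because the check is keyed on the parsed record function rather than on fixed header bytes, the "flagged" sample is caught even though its function field reads 0x0026 and a placeable header has been prepended; a byte-pattern signature anchored on the bare header would see neither.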

Wednesday, January 4, 2006

Upcoming Sober Threat - Friday, Jan 6th

It is highly possible we will see a new Sober variant this Friday.

The first Sober Worm appeared in October 2003, but now the word "Sober" has turned into a huge series of variants.

AV vendors don't use common names, so it is normally pretty hard for normal people to cross reference Sober variants. We are at Sober.Y, or is it Sober.AH? Who knows, just know that they are dangerous. =)

Algorithm-Based URL

Many of the sober variants contain a very complex algorithm that is used to compute the next series of download URLs.

LURHQ has a great write-up on the date algorithm.

You heard Jan5th right? So did I. But LURHQ reports that the branch logic points to Jan 6th.

"Note that the "begin update" logic in the current variant is actually "current date > Jan 5", not "current date == Jan 5", so the update other sources are saying will occur on Jan 5, 2006 won't actually happen until Jan 6, 2006. "

Keep your eyes open this Friday for strange e-mails and keep your ears on all the AV news.

Advanced "Keep-alive" Tricks

Most Sober variants have been shown to deactivate many popular antivirus packages, including Microsoft AntiSpyware and HijackThis.

When it gets in, it is pretty hard to remove. Booting on a Linux disc and cleaning the infected disk sounds like a good idea however.

Mass-Mailing MO

Most Sober variants have their own SMTP engines and generate large amounts of e-mail traffic. Sober uses e-mail generation as a method to spread.

But how can e-mail spreading still be effective? People have been told not to click on unknown links and not to open e-mail from strangers... delete, delete.

Sober, however, is the king of social engineering (SE) in mass e-mails. Sober.X included real-looking messages from the CIA, the FBI and the German Bundeskriminalamt (BKA).

An alleged child porn offender even turned himself in to the police after receiving one of these Sober e-mails.

History / Political Motivations

One Sober variant sent messages of support for far-right groups in Germany ahead of the state election in North Rhine-Westphalia. Some groups see connections between Sober key dates and important days in history: WW2, battles in Germany, the Nazi party, etc.

Are these motivations real or just a smart SE attack? Who knows... and from a security standpoint, I don't care.

Summary

1) Watch your e-mail servers tomorrow. It is possible we will see a huge flux of e-mails generated by this "Sober update code".

2) Block the known update sites listed in this F-Secure blog entry.

3) Make sure your e-mail gateway AV is up-to-date and stays that way. Double-check AV on your endpoints and make sure it is updating as well.

4) Remember the Sober creator (or group) isn't stupid and most likely isn't very poor either.

As that old NSA saying goes: “Attacks always get better, they never get worse.”

WMF - Six Days Til Checkered Flag

Information comes in as fast as Le Mans racers sometimes. Here is an update.

1) A pre-release "official" Microsoft patch was leaked from Redmond, it would seem. People have tested it and it has caused many problems: BSODs, etc. So even if it is an "official" leak, it will break things. Don't mess with it.

2) The "patch" by Ilfak Guilfanov has been endorsed by many big groups (F-Secure, SANS, etc.), but it isn't perfect. It works by patching the Escape() handling in GDI32.dll so that the SETABORTPROC escape is refused, and since that escape is used legitimately by some printing code (PostScript printing in particular, it would seem), some printing problems could occur.

Administrators should NEVER push patches to large groups of computers without extensive and proper testing. This goes for ANY change (fix, patch, new program, update, upgrade, workaround, whatever), home-grown or official.

3) Take everything with a grain of sodium chloride (NaCl). The general media is great at taking any story and hyping it up. The WMF threat is real and it is dangerous, but it isn't an RPC buffer overflow that spreads with no user action at all. Remember Blaster and Sasser.

A freshly installed, up-to-date computer cannot get infected without some form of user interaction. True, this interaction is small and likely to happen if you plan on using your shiny new computer. =) Remember the ILOVEYOU and Melissa viruses.

In defense of the media, however, most hype starts inside the computer community itself. Professionals who spend all day looking in the dark corners of the world for bad guys will always see a threat like this as serious. The exploit code is everywhere, people do whatever they want with it and post it everywhere, and it is serious for corporate security professionals. They get paid to protect corporate assets, and every threat must be battled. This fight isn't as direct in the home-user world....

Sometimes hype is playing it safe... sometimes hype is good for selling products. Whatever you call it, hype brings security issues to the front page, which is something that is needed.

4) IMHO, home users are in much more danger than big corporate users. Most large companies have multiple defense layers and can reduce the WMF threat greatly without applying the suggested workarounds. Home users, on the other hand, tend to be less informed and tend to already have a lot of "bad" stuff on their computers. Home users always want free e-mail smiley faces, free wallpapers and all the other programs that would cause a security issue for a large company.

So in the end, practice safe hex, be prepared to battle any infection beyond the WMF one, and wait for Microsoft to release its patch on Tuesday.

Network and security professionals may want the extra protection of applying Ilfak's patch. Go ahead and use it. All my home computers have it, and so does my work laptop, but with multiple defense layers in place here at the office I don't see a huge need to push it out as if it were MS03-039.

Tuesday, January 3, 2006

Revision in WMF Vulnerable Operating Systems - UPDATED

Larry Seltzer of eWeek reported on his weblog that only Windows XP and Windows Server 2003 are vulnerable in a practical sense.

It is true that this vulnerability is in GDI32.dll all the way back to Windows 3.0, but it would appear that Microsoft never set up a default WMF file association before Windows XP. Therefore on older systems (Windows 2000/Me/98) the hole is there but much less of a direct threat: nothing opens a stray .wmf automatically. Any application that hands a WMF to GDI for rendering still reaches the vulnerable code, though, so "less direct" is not "safe".

It would seem that F-Secure and iDefense also agree on this point.

Hopefully Microsoft will come out of the fog and start to see that allowing everything in the OS to run code by design isn't a good thing.

On a side note, HexBlog was taken down by its ISP for a short time due to huge traffic flows. It would seem that HexBlog was slashdotted or dugg. =)

UPDATE - Alex Eckelberry of SunBelt has provided alternative download points for both the unofficial patch and the checker.

UPDATE x 2 - Since high traffic made the ISP cut off Ilfak's HexBlog, CastleCops has stepped up and offered him a home for now. See the new HexBlog forum.

Metasploit isn't a Virus

Richard M. Smith posted a rather funny message to the FunSec mailing list this evening.
------------------------------------------
http://online.wsj.com/article/SB113630873566736620.html?mod=yahoo_hs&ru=yahoo

Microsoft Readies Fix As New Virus Spreads
By CHRIS REITER DOW JONES NEWSWIRES
January 3, 2006 1:20 p.m.

Microsoft Corp. plans to release on Jan. 10 a patch for a new Windows security flaw that is being exploited by a rapidly spreading computer virus strain known as "metasploit."

The virus surfaced last week as hackers took advantage of a flaw found in current server and desktop versions of Windows. It is considered serious because it requires relatively minor user interaction to be unleashed. The virus is carried in picture files and can be triggered if an image is viewed in an email or on an infected Web site.
---------------------------------------------

How could they be so wrong? Metasploit (MSF) isn't a virus; it is a tool (a pretty good tool IMHO). The framework does contain exploits that, combined with a payload, could be used to build a virus, but so could a compiler.

A tool is neither good nor bad, just like a knife itself is neither good nor bad. Tools are static; actions decide how the tool is viewed in most cases.

In court, a knife is seen as a "deadly weapon" but on Food TV, a knife is seen as an essential piece of equipment that no kitchen would dare be without.

Hopefully someone will point out the mistake to the WSJ. Metasploit is an invaluable tool and it is sad to see its name misused this way.

When will WSJ report on the "PacketStorm" virus?? lol

Microsoft to Release Official WMF Patch on 10th

Updated Microsoft Security Advisory (912840) - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

"Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing."

What is Microsoft's response to Ilfak Guilfanov's Patch??

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft's security updates are offered in 23 languages for all affected versions of the software simultaneously. Microsoft cannot provide similar assurance for independent third party security updates."

No real surprise. It isn't their patch, so that was expected. No big deal.

I am still using Ilfak's patch and will leave it in place until next week - 10th.