<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet href="/css/rss.css" type="text/css"?>
<rss version="2.0">
<channel>
  <title>SANS Internet Storm Center, InfoCON: green</title>
  <link>http://isc.sans.org</link>
  <description></description>
  <language>en-us</language>
  <lastBuildDate>Fri, 09 May 2008 15:15:02 +0000</lastBuildDate>
  <pubDate>Fri, 09 May 2008 00:26:01 GMT</pubDate>
<copyright>(C) SANS Institute 2008</copyright>
             <generator>isc rss feed maker</generator>
             <ttl>30</ttl>
             <webMaster>webmaster@sans.org</webMaster>
             <image>
               <title>SANS Internet Storm Center</title>
               <url>http://isc.sans.org/images/status.gif</url>
               <link>http://isc.sans.org</link>
             </image>
  <item>
    <title>Thunderbird 2.0.0.14 is out!, (Fri, May 9th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4402&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4402&amp;rss</guid>
    <description>Wait, before I hand the Big Red Internet Button over to Mike Poor (one press and, well, you know what happens), I just wanted to let everyone know that Thunderbird 2.0.0.14 is out. Right here is a link to the security release notes for this latest version. Just two, it looks like.<br />
So, okay, I'm turning it over to Mike now. Good luck all of you!<br />
--<br />
Joel Esler<br />
http://www.joelesler.net</description>
  </item>
  <item>
    <title>
COMPROMISED FILE IN VIETNAMESE LANGUAGE PACK FOR FIREFOX 2, (Thu, May 8th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4399&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4399&amp;rss</guid>
    <description>I stole the headline directly from Mozilla. I am writing this diary entry for our readers in Vietnam. Apparently the Vietnamese Language Pack for Firefox 2 has been compromised. The Vietnamese Language Pack has been downloaded about 16,667 times since November of 2007, so the impact may or may not be significant. So be wary. If you have downloaded the Vietnamese Language Pack, you should know who you are; go to Mozilla's website and read all about it.<br />
--<br />
Joel Esler<br />
http://www.joelesler.net</description>
  </item>
  <item>
    <title>
OSSEC 1.5 released, (Wed, May 7th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4397&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4397&amp;rss</guid>
    <description>Okay, so we're almost a week late in acknowledging that our friend Daniel Cid has released the latest version of his OSSEC HIDS (with help from others listed in the announcement). The new release adds a number of new logs that can be monitored, and some new features and performance improvements (particularly to the Windows agent). You can find the announcement at http://www.ossec.net/main/ossec-v15-released and you can download from here. Our thanx to Daniel for continuing to develop one of my favorite tools.<br />
---Jim</description>
  </item>
  <item>
    <title>
More on automated exploit generation, (Wed, May 7th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4394&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4394&amp;rss</guid>
    <description>We've done a couple of stories resulting from the release of the APEG paper a couple of weeks ago, and this story is by no means an attempt to downplay the significance of the threat or to suggest that you not employ the countermeasures discussed in previous stories. That said, when I first heard about it, my thought was that it sounds like an interesting result, but the hype is over the top. Yes, it is a significant result, but the sky is not falling. I happened across a post on Halvar Flake's blog that explains it better than I could, so take a look for yourself.<br />
---Jim</description>
  </item>
  <item>
    <title>
SQL Injection Worm on the Loose (UPDATED x2), (Tue, May 6th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4393&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4393&amp;rss</guid>
    <description>A loyal ISC reader, Rob, wrote in to point us at what looks to be a SQL Injection worm that is on the loose. A quick Google search shows that there are about 4,000 websites infected and that this worm started at least by mid-April, if not earlier. Right now we can't speak intelligently to how they are getting into databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites. It looks like the infection of user machines is by Real Player vulnerabilities that seem to be detected more or less well.<br />
The details: the script source that is injected into webpages is hxxp://winzipices.cn/#.js (where # is 1-5). This, in turn, points to a corresponding asp page on the same server (i.e. hxxp://winzipices.cn/#.asp). This in turn points back to the exploits, either from the cnzz.com domain or the 51.la domain. The cnzz.com (hxxp://s141.cnzz.com) domain looks like it could be set up for single flux, but it's the same pool of IP addresses all the time right now. hxxp://www.51.la just points to 51la.ajiang.net, which has a short TTL, but only one IP is serving it.<br />
Fair warning: if you google these hostnames, you will find exploited sites that will try and reach out and touch you... even if you are looking at the cached page. Proceed at your own risk.<br />
UPDATE: We're also seeing this website serving up some attacks in connection with this SQL worm (hxxp://bbs.jueduizuan.com)<br />
UPDATE x2: As usual, the good folks at ShadowServer had a good write up on the details of everything after the SQL injection (i.e. what malware gets dropped, IPs involved, etc).<br />
---<br />
<br />
John Bambenek / bambenek \at\ gmail /dot/ com</description>
  </item>
  <item>
    <title>
Windows XP Service Pack 3 Released, (Tue, May 6th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4387&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4387&amp;rss</guid>
    <description>Microsoft, it appears, has just released Windows XP Service Pack 3. For the most part, it is a bundle of all the updates since Service Pack 2, but there are some key differences. First, the big gotcha:<br />
If you are an IE 6 user, SP3 will simply update your IE 6 installation. You will continue to be able to upgrade to IE 7 as an option.<br />
If you are an IE 7 user, it will update your IE 7 installation. HOWEVER, you will NOT be able to go back to IE 6 after applying this service pack.<br />
If you are an IE 8 (beta) user, you will need to uninstall IE 8, apply the service pack, and then reinstall IE 8.<br />
This link has a list of all the Knowledge Base articles that this service pack addresses. Some of the bigger notes are that it does retrofit some of the Vista functionality into XP, namely in the areas of Network Access Protection, Black Hole Router Detection, enhanced security for administrator and service policy entries (basically some better default settings) and a kernel mode crypto driver. Additionally, some of the optional updates released since SP2 will be installed with SP3 (MMC 3.0, MSXML6, WPA2 support, etc).<br />
The good news is that TechNet provides installation media that can be used to slipstream install the service pack so workstations can be updated off the net.<br />
---<br />
<br />
John Bambenek / bambenek \at\ gmail /dot/ com<br />
</description>
  </item>
  <item>
    <title>
Industrial Control Systems Vulnerability, (Tue, May 6th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4390&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4390&amp;rss</guid>
    <description>While a day does not go by without many public announcements of vulnerabilities in consumer and business software, it is rather rare when we hear about something wrong with software that is used to monitor or control industrial systems. Commonly called SCADA (Supervisory Control And Data Acquisition) or PCS (Process Control System), these are the systems that monitor and operate oil and gas refineries, large manufacturing plants, assembly lines, railroads, electrical grids, and countless other industrial processes.<br />
Core Security announced yesterday that there is a Denial of Service vulnerability in the Invensys Wonderware InTouch SuiteLink service running on Windows operating systems, specifically slssvc.exe. According to Core, this vulnerability could allow an unauthenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shut down the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario.<br />
According to Wonderware's website, Wonderware is the leading supplier of industrial automation and information software solutions. One third of the world's plants run Wonderware software solutions. Having sold more than 500,000 software licenses in over 100,000 plants worldwide, Wonderware has customers in virtually every global industry, including Oil &amp; Gas, Food &amp; Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and more. It's no wonder that a vulnerability in their monitoring software might be something the bad guys would be very interested in.<br />
DHS (National Vulnerability Database) rates this one pretty high and says that the vulnerability "Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, Allows disruption of service." Our advice: Patch now.<br />
Marcus H. Sachs<br />
<br />
Director, SANS Internet Storm Center<br />
</description>
  </item>
  <item>
    <title>
PHP 5.2.6 out w/ security updates, (Mon, May 5th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4384&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4384&amp;rss</guid>
    <description>PHP has announced the release of 5.2.6, which fixes 6 security bugs and a handful of other issues. Some of the research is still ongoing about how important some of these security bugs are, but they do include a stack overflow and some others that could be nasty depending on how extensive the vulnerability is. It includes over 100 or so normal bug fixes, so it is probably time to upgrade your PHP installations even if the security issues are non-events.<br />
--<br />
<br />
John Bambenek, bambenek /at gmail \dot\ com</description>
  </item>
  <item>
    <title>
Defenses Against Automated Patch-Based Exploit Generation, (Mon, May 5th)</title>
    <link>http://isc.sans.org/diary.php?storyid=4381&amp;rss</link>
    <guid>http://isc.sans.org/diary.php?storyid=4381&amp;rss</guid>
    <description>Last month, we reported on research that shows it is possible to create exploits from reverse engineering patches as they come out and that this process can be automated. At that time, I didn't have a lot to say about how to defend because I hadn't thought about the problem enough yet... I've had some time now.<br />
Encrypting Patches<br />
The paper mentions encrypted patches, so that distribution of the patch could still take some time but the decryption key is sent out simultaneously, allowing the patch to be applied at the same time around the globe. This would, in theory, limit the window of opportunity for a hacker to reverse engineer the patch, get a working exploit, and start attacking the world. The problem with this is that the delay from the time of releasing the patch is not caused by the rolling cycle of downloads, but by the need to reboot systems after a patch is applied (most of the time). In short, a system may still have the key to decrypt a patch, but it would not be applied until either the user rebooted the machine or at some default time when a reboot is acceptable (i.e. 3am). The chief problem is the need to reboot, which is a significant business disruption. Encrypting patches wouldn't fix this problem; it just creates another layer of the patching process.<br />
Patches that Don't Require Reboot<br />
This particular defense is for OS vendors only (and one vendor in particular). Patches that require a reboot must inevitably result in delaying the application until a maintenance window. If patches can be applied without incurring downtime, particularly among end-user workstations, this allows patches to be pushed out and applied as soon as they are available. This would go a long way to closing the window between when a patch is out and when the patch is applied. Some patches, obviously, must entail a reboot, but as many patches as possible should be developed in such a way as to minimize the need to reboot.<br />
The Renewed Need for Workarounds<br />
This defense is mostly on us (the Internet Storm Center) and the security community in general. For some time, workarounds have been less necessary because patching has been relatively easy to handle. The need to go significant periods of time before patching has only occurred a handful of times in the past few years. If the patch window is gone, that requires us to renew the efforts to find quick workarounds to limit the exposure of machines during the vulnerable period. Some patches will require reboots, and there will be no way around that. We need to find defenses to allow people to protect themselves in the meantime.<br />
Configuration Management<br />
The last piece of the puzzle, a defense available to the people in the trenches, is centralized configuration/patch management. In part, this follows from our diary from yesterday on configuration management. If we get out hotfixes, registry changes, killbits, or any other defense, centralized configuration management allows for the quick deployment of these minor protective changes that will allow you to limp along until a patch can be applied. The important note about configuration management is that deploying a solution, especially if it manages everything in your environment, makes that configuration management solution the absolute most important system in your environment, even more important than those that house trade secrets, etc. A configuration management system becomes a single point of 0wnership that allows an attacker to take direct control over not one machine, but an entire organization, whole and entire. Everything has its costs and benefits, and as long as you control the risks of centralized configuration management, the benefits certainly make it worth it. Protect the keys to the kingdom.<br />
Comments? Send em along.<br />
--<br />
<br />
John Bambenek / bambenek \at\ gmail /dot/ com</description>
  </item>
</channel>
</rss>
