Posted by jkouns
Thu, 13 Apr 2006 03:51:44 GMT
About a week ago I started receiving emails from vendors warning that if the upcoming Internet Explorer patch was installed it would break all of their applications. Some of the emails were fairly detailed and even explained that once the patch was installed there was no going back since it could not be uninstalled. I had not heard of anything prior to the emails but figured this month was going to be extra painful.
When reading the details for MS06-013 it becomes clear fairly quickly that something is off with this one once you reach the Caveats section.
From Microsoft’s website:
Caveats: Microsoft Knowledge Base Article 912812 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912812.
[…]
Compatibility Patch – To help enterprise customers who need more time to prepare for the ActiveX update changes discussed in Microsoft Knowledge Base Article 912945 and included in Microsoft Security Bulletin MS06-013, Microsoft is releasing a Compatibility Patch on April 11, 2006. As soon as it is deployed, the Compatibility Patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent. This compatibility patch may require an additional restart for systems it is deployed on. For more information, see Microsoft Knowledge Base Article 917425.
It appears that Microsoft has packaged a non-security update with the “Cumulative Security Update” that is going to change the way ActiveX controls work in order to circumvent a recent patent lawsuit. The spin on this being included in the patch appears to be increased ActiveX security.
The bottom line is that if you want to patch Internet Explorer this month you are also going to have a good chance of breaking quite a few applications, because this other change has been packaged with the update. It appears to be impossible to get a patch that just corrects the vulnerabilities. Ah, but there is some hope, as Microsoft did release that “Compatibility Patch” that will give you until June to fix everything!
What am I missing here?
Here is a good article that explains the issues.
Posted in General Vulnerability Info | 2 comments
Posted by jericho
Wed, 29 Mar 2006 21:33:24 GMT
Steven Christey (CVE) recently posted about vulnerability history and complexity. The recent sendmail vulnerability has brought up discussion about both topics and adds another interesting piece of history to the venerable sendmail package. One point to walk away with is that while sendmail has a long history of vulnerabilities, the last five years have shown the product to be considerably more secure. While overflows still haunt the roughly 25-year-old software package, they are growing fewer and requiring considerably more complex methods to exploit them. The latest discovery is by no means a run-of-the-mill remote overflow; rather, it takes considerable skill to find and exploit the flaw.
Using vulnerability history to help evaluate the current security posture of software is a bit sketchy, but certainly helps. If a program starts out with standard overflows, race conditions, symlink issues, XSS or SQL injections, it’s basically expected. If years pass and new versions of the same package continue to exhibit the same coding practices that lead to these vulnerabilities, you begin to get an idea of the quality of code as it relates to security. On the other hand, if years pass and the vulnerabilities are published with more time between each, and the difficulty exploiting them increases, it shows the developers are security conscious and producing more secure code. As always, the lack of published vulnerabilities in a product doesn’t mean it is free from defect, just that they possibly have not been found or published.
Fun fact: The first documented Sendmail vulnerability was on Aug 23, 1981.
Posted in General Vulnerability Info | 1 comment
Posted by jericho
Wed, 29 Mar 2006 21:00:51 GMT
The Web Hacking Incidents Database
The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID’s goal is to serve as a tool for raising awareness of the web application security problem and provide the information for statistical analysis of web application security incidents.
The WHID is an interesting new database that seems to be a cross between a database of site specific vulnerabilities (something OSVDB has considered maintaining) and the Attrition Dataloss page.
Posted in General Vulnerability Info | no comments
Posted by jericho
Wed, 22 Mar 2006 10:01:01 GMT
CodeScan Labs recently disclosed that their new product was used on ASP Portal to look for vulnerabilities. These types of scanners are automated and check for common programming errors that lead to vulnerabilities. Such tools have been around for many years, but are starting to mature quickly. However, one has to wonder just how effective they can be:
2006-03-02 - ASP Portal announces version 3.1.0 which contains “CodeScan security fixes”
2006-03-03 - ASP Portal announces version 3.1.1 which contains “a critical security Fix” (in news_item.asp)
2006-03-14 - CodeScan discloses their tool found 10 SQL injections and over 50 cross-site scripting vulns
2006-03-20 - nukedx releases a working exploit for an SQL injection (in download_click.asp)
2006-03-21 - nukedx releases details for 10 sql injections in 3.1.1 including one in news_item.asp
So CodeScan finds 10 SQL injections, but doesn’t find the 11 others that nukedx finds a week later, and doesn’t find the “critical” issue in news_item.asp either. Hopefully these tools continue to mature very quickly. Maybe some day, cross-site scripting vulnerabilities will be a thing of the past! Hah, yeah right; if that were true, overflows and race conditions wouldn’t pop up every few days either.
Posted in General Vulnerability Info | 2 comments
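The gap in the timeline above is the usual one between lexical pattern matching and data-flow tracking. The following Python scanner is an added example, not CodeScan’s product and not ASP Portal source: it runs two toy checks over three constructed ASP/VBScript fragments (the file, table and field names in them are made up). The first check flags a line only when a Request() call and a SQL literal sit on the same line; the second follows the request value through an intermediate variable, treats CLng()/CInt()/CDbl() as sanitizers, and so catches the indirect case the first one misses.

```python
"""Two toy static checks for SQL injection in classic ASP/VBScript.

Added example: not CodeScan's scanner and not ASP Portal source. The three
fragments below are constructed for illustration; names in them are made up.
"""
import re

# Constructed samples (hypothetical code, not from any real project).
DIRECT = '''sql = "SELECT * FROM news WHERE id=" & Request("id")
Set rs = conn.Execute(sql)'''

INDIRECT = '''id = Request.QueryString("id")
sql = "SELECT * FROM downloads WHERE id=" & id
rs.Open sql, conn'''

SAFE = '''id = CLng(Request("id"))
sql = "SELECT * FROM news WHERE id=" & id
Set rs = conn.Execute(sql)'''

SOURCE = re.compile(r'\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(', re.I)
SANITIZER = re.compile(r'\b(?:CLng|CInt|CDbl)\s*\(', re.I)
SQL_LITERAL = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b', re.I)
ASSIGN = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.I)
STRING = re.compile(r'"[^"]*"')
IDENT = re.compile(r'\b[A-Za-z_]\w*\b')


def scan_lexical(src):
    """Flag a line only when a request source and a SQL literal share it.

    Returns 1-based line numbers. Misses any flow through a variable."""
    return [n for n, line in enumerate(src.splitlines(), 1)
            if SOURCE.search(line) and SQL_LITERAL.search(line)]


def scan_taint(src):
    """Track tainted variables across assignments; flag SQL built from them.

    Returns 1-based line numbers of assignments that build a SQL literal from
    tainted data. A sanitizer call on the right-hand side clears the taint."""
    tainted, findings = set(), []
    for n, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        from_request = bool(SOURCE.search(rhs)) and not SANITIZER.search(rhs)
        # identifiers outside string literals that already carry taint
        via_variable = any(t in tainted for t in IDENT.findall(STRING.sub('""', rhs)))
        is_tainted = from_request or via_variable
        if is_tainted and SQL_LITERAL.search(rhs):
            findings.append(n)
        if is_tainted:
            tainted.add(lhs)
        else:
            tainted.discard(lhs)   # reassignment with clean data clears taint
    return findings


if __name__ == "__main__":
    for name, src in (("direct", DIRECT), ("indirect", INDIRECT), ("sanitized", SAFE)):
        print(f"{name:10} lexical={scan_lexical(src)} taint={scan_taint(src)}")
```

The lexical check reports DIRECT only; the taint check reports DIRECT and INDIRECT and stays quiet on SAFE. Real scanners sit somewhere between these two extremes, and the second pattern (fetch the parameter on one line, build the query several lines later, in another function or another file) is exactly where the cheaper approach stops seeing anything.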
Posted by jericho
Thu, 16 Mar 2006 10:47:45 GMT
FrSIRT Puts Exploits up for Sale
By Ryan Naraine
March 15, 2006
Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain.
FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).
Since they presumably didn’t write a majority of their exploits, what is the motivation for people to keep sending in such code if it will be used for profit? Wouldn’t exploit writers send it to Securiteam or another site that focuses on the code more than vuln tracking?
Posted in General Vulnerability Info | 3 comments
Posted by jericho
Wed, 15 Mar 2006 10:42:29 GMT
(I wonder if this falls under Vuln Impact, or Vuln Market/Value more..)
Back on December 8th, 2005, I posted a comment about someone who created an eBay entry for a “Brand new Microsoft Excel Vulnerability”. The vulnerability was never sold via eBay, but may have traded hands through other means. For the most part, this incident faded into the background but I think this was the proverbial pebble thrown into the pond. Jump forward to yesterday, and Microsoft released an advisory covering multiple vulnerabilities in Excel. While chatting with one of the OSVDB manglers, I began to think out loud about why we would see so many Excel vulnerabilities released at once, and I think it became clear.
Remote Code Execution Using a Malformed Range - CVE-2005-4131
Remote Code Execution Using a Malformed File Format - CVE-2006-0028
Remote Code Execution Using a Malformed Description - CVE-2006-0029
Remote Code Execution Using a Malformed Graphic - CVE-2006-0030
Remote Code Execution Using a Malformed Record - CVE-2006-0031
Remote Code Execution Using a Malformed Routing Slip - CVE-2006-0009
Looking back at the original eBay entry, the poster said “all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months.” The technical details released at the time stated “Microsoft Excel does not perform sufficient data validation when parsing document files. As a result, it is possible to pass a large counter value to msvcrt.memmove() function which causes critical memory regions to be overwritten, including the stack space.”
Note the CVE assignments for each of the vulnerabilities listed above. CVE-2005-4131 covers the eBay Excel 0-day. Shortly after that, we see CVE-2006-00xx assigned for five more Excel vulnerabilities and it is pretty clear what happened. Ollie Whitehouse, Peter Winter-Smith, Dejun, Eyas and Arnaud Dovi (via TP) all probably tried to find more details on the posted 0-day. In doing so, they discovered additional vulnerabilities in Excel and thankfully (for Microsoft) followed a responsible disclosure policy. This turned out to be an interesting byproduct of an amusing eBay listing.
Posted in General Vulnerability Info | 1 comment
Posted by jericho
Tue, 14 Mar 2006 14:50:14 GMT
“US Government Studies Open Source Quality” reads the Slashdot headline, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled Homeland Security report tracks down rogue open source code. The author of the article, Gavin Clarke, doesn’t link to the company who performed the study (Coverity) or the report itself. A quick Google search finds the Coverity home page. On the right hand side, under ‘Library’, there is a link titled NEW >> Open Source Quality Report. Clicking that, you are faced with “request information”, checking the “Open Source Quality Report” box (one of seven boxes, including “Request Sales Call” as the first option, with “Linux Security Report” as the default checked box), and then filling out 14 fields of personal information, 10 of which are required.
So, let me get this straight. My tax dollars fund the Department of Homeland Security. The DHS opts to spend $1.24 million on security research, by funding a university and two commercial companies. One of the commercial companies does research into open source software, and creates a report detailing their findings. To get a copy of this report, you must give the private/commercial company your first name, last name, company name, city, state, telephone, how you heard about them, email address, and a password for their site (you can optionally give them your title, and “describe your project”).
Excuse me, but it should be a CRIME for them to require that kind of personal information for a study that I helped fund via my tax dollars. Given this is a study of open source software, requiring registration and giving up that kind of personal information is doubly insulting. Coverity, you should be ashamed of using extortion to share information/research that should be free.
Even worse, your form does not accept RFC-compliant e-mail addresses (RFC 822, RFC 2142 (section 4) and RFC 2821). Now I have to add your company to my “no plus” web page for not even understanding and following 24-year-old RFC standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!
Oh, if you don’t want to go through all of that hassle, you can grab a copy of the PDF report anyway.
Posted in General Vulnerability Info | no comments
Posted by jericho
Mon, 13 Mar 2006 03:21:02 GMT
http://cve.mitre.org/cve/edcommentary.html#community_issues
CVE editor Steven Christey has begun to post commentary related to CVE and VDBs.
Posted in General Vulnerability Info | no comments
Posted by jericho
Fri, 17 Feb 2006 13:30:24 GMT
Steve Christey of CVE has posted to several lists asking What is the state of vulnerability research? Before you dismiss the question, give it serious thought for a few minutes. Have any ideas, opinions or concerns about where vuln research is heading? Where it should be? Drop him a line and let him know.
One person challenged him, stating that if MITRE were the experts they proclaim to be, he wouldn’t have to ask. After a few years of being heavily involved with vulnerability databases and monitoring such research, I of course had to reply.
Posted in General Vulnerability Info | no comments
Posted by jericho
Sun, 12 Feb 2006 08:32:31 GMT
Fuzzers are by no means new. They have been used fairly extensively the last half decade to find a number of vulnerabilities. Back in July 2001 we saw an LDAP protocol fuzzer find issues in a variety of products. February 2003 saw SIP fuzzed, January 2004 was the time for H.323, and more recently in Nov 2005, ISAKMP was abused.
The last few weeks have seen two more incidents. Evgeny Legerov has written and released what he calls ProtoVer which contains 3,665 tests for the LDAPv3 protocol. His tool has uncovered issues in Lotus Domino Server, CommuniGate Pro, GnuTLS, Sun Directory Server and IBM Tivoli Directory Server. About the same time, Secuobs released a fuzzer for Bluetooth stack implementations which found issues in hcidump, Sony/Ericsson Cell Phones, as well as Nokia Cell Phones.
As a side note to the above list, Chad Loder posted a reply noting that the Lotus Domino LDAP issues were discovered, fixed, and reintroduced not once, but twice. What does that say about the quality and control of code in these big shops?
Dave Aitel responded to one post asking, “why do fuzzers still work?” This question is easily answered with “vendors simply don’t adequately test their products”, but it really does illustrate why we see so many vulnerabilities released every day. All this time, all the buzz and hype about the importance of security, and just about every single product is vulnerable to a well known and well documented class of attack. It is clear that such fuzzer utilities are very helpful in weeding out these issues. Since vendors aren’t taking it upon themselves to write and use such tools, I certainly hope a few security companies write some decent fuzzers and market them to the big vendors. Hopefully, 2006 will be the year for fuzzing, and the published vulnerabilities will demonstrate it.
Posted in General Vulnerability Info | 1 comment
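The mechanics behind “why do fuzzers still work?” fit in a few dozen lines. The Python below is an added example, not ProtoVer, the Secuobs Bluetooth fuzzer or any other tool named on the page: it defines a toy, LDAP-like BindRequest in BER-style tag/length/value encoding, two parsers for it, and a mutation fuzzer that feeds mutated copies of one seed message to each parser and records any exception other than the parser’s own ParseError as a crash. The message layout, the seed, and the bugs in the “naive” parser (it trusts every length field and indexes into a value it never checked) are all constructed here for illustration.

```python
"""Mutation fuzzer for a toy, LDAP-like BindRequest (BER-style tag/length/value).

Added example, not ProtoVer or any tool named on the page. The message layout,
both parsers and the seed message are constructed for illustration; the naive
parser's bugs are deliberate stand-ins for unchecked length handling.
"""
import random


class ParseError(Exception):
    """Expected rejection of bad input; any other exception counts as a crash."""


def tlv(tag, value):
    """Short-form TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value


# Constructed seed: SEQUENCE { messageID 1, [APPLICATION 0] BindRequest {
#   version 3, name "cn=admin", [0] simple password "secret" } }
BIND = tlv(0x02, b"\x03") + tlv(0x04, b"cn=admin") + tlv(0x80, b"secret")
SEED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, BIND))


def read_tlv_naive(buf, i):
    tag, first = buf[i], buf[i + 1]              # IndexError on a truncated header
    i += 2
    n = first
    if first & 0x80:                             # long form: k more length bytes
        k = first & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")  # a short read silently gives wrong n
        i += k
    return tag, buf[i:i + n], i + n              # n is never checked against len(buf)


def parse_bind_naive(msg):
    """Happy-path parser: fine on SEED, trusts every length field."""
    _, body, _ = read_tlv_naive(msg, 0)
    _, mid, i = read_tlv_naive(body, 0)
    _, bind, _ = read_tlv_naive(body, i)
    _, ver, j = read_tlv_naive(bind, 0)
    _, name, j = read_tlv_naive(bind, j)
    _, pw, _ = read_tlv_naive(bind, j)
    if ver[0] not in (2, 3):                     # IndexError when ver came back empty
        raise ParseError("unsupported version")
    return {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
            "name": bytes(name), "password": bytes(pw)}


def read_tlv_checked(buf, i):
    if i + 2 > len(buf):
        raise ParseError("truncated TLV header")
    tag, first = buf[i], buf[i + 1]
    i += 2
    if first & 0x80:
        k = first & 0x7F
        if not 1 <= k <= 4 or i + k > len(buf):
            raise ParseError("bad long-form length")
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    else:
        n = first
    if i + n > len(buf):                         # the check the naive version lacks
        raise ParseError("declared length exceeds buffer")
    return tag, buf[i:i + n], i + n


def parse_bind_checked(msg):
    """Same format, but every tag and length is validated before use."""
    tag, body, end = read_tlv_checked(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ParseError("expected one SEQUENCE")
    tag, mid, i = read_tlv_checked(body, 0)
    if tag != 0x02 or not 1 <= len(mid) <= 4:
        raise ParseError("bad messageID")
    tag, bind, i = read_tlv_checked(body, i)
    if tag != 0x60 or i != len(body):
        raise ParseError("expected BindRequest")
    tag, ver, j = read_tlv_checked(bind, 0)
    if tag != 0x02 or len(ver) != 1 or ver[0] not in (2, 3):
        raise ParseError("bad version")
    tag, name, j = read_tlv_checked(bind, j)
    if tag != 0x04:
        raise ParseError("bad name")
    tag, pw, j = read_tlv_checked(bind, j)
    if tag != 0x80 or j != len(bind):
        raise ParseError("bad simple authentication")
    return {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
            "name": bytes(name), "password": bytes(pw)}


def mutate(msg, rng):
    """Apply one to three random byte-level mutations to msg."""
    m = bytearray(msg)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(5)
        if op == 0 and m:                        # flip a bit
            m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
        elif op == 1 and m:                      # boundary value, hits length bytes too
            m[rng.randrange(len(m))] = rng.choice((0x00, 0x7F, 0x80, 0x84, 0xFF))
        elif op == 2 and len(m) > 1:             # truncate
            del m[rng.randrange(1, len(m)):]
        elif op == 3:                            # insert a random byte
            m.insert(rng.randrange(len(m) + 1), rng.randrange(256))
        elif m:                                  # delete a byte
            del m[rng.randrange(len(m))]
    return bytes(m)


def fuzz(parse, iterations=2000, rng_seed=1):
    """Return {exception name: first triggering input} for non-ParseError failures."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(SEED, rng)
        try:
            parse(case)
        except ParseError:
            continue                             # expected: malformed input rejected
        except Exception as exc:                 # uncaught: the bug a fuzzer reports
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_bind_naive), ("checked", parse_bind_checked)):
        print(name, {k: v.hex() for k, v in fuzz(parser).items()})
```

Both parsers decode the seed identically, and a hand-written test that only feeds them the seed passes for both. Two thousand mutated inputs are enough for the fuzzer to pull an IndexError out of the naive parser (a truncated header, or a length byte flipped so a later field comes back empty), while the checked parser, which compares every declared length against the bytes it actually has, only ever raises ParseError. In C the same missing comparison is a read or write past the buffer instead of an exception, which is why the class of bug lists on the page keeps recurring.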