Security Watch

Patch Tuesday Analyzed

The latest batch of Microsoft vulnerabilities spans everything from IE and Remote Desktop to Plug and Play and the Print Spooler.

Hacking/Denial of Service
Microsoft released six new Security Bulletins. Here's what you need to know about them:

  • MS05-038 - Cumulative Update for Internet Explorer: Three more Internet Explorer vulnerabilities were patched; all are most likely to be used (if at all) by malicious Web sites that install spyware. The best defense against this class of vulnerability is your content filters and anti-spyware software. There are simply too many exploitable vulnerabilities to believe that staying patched somehow rules out being exploited; these three are just more attack methods for the "bag of tricks" such sites employ. The bottom line is that being patched doesn't necessarily mean you won't be exploited.
  • MS05-039 - Vulnerability in Plug and Play: Anyone remember the very first published vulnerability that affected Windows XP? It involved Universal Plug and Play (UPnP), and was announced just as XP shipped. This month's flaw is in a different component, the Plug and Play (PnP) service, and it affects Windows 2000, XP and Windows Server 2003, albeit differently. On Windows 2000 it can be exploited by an anonymous attacker over the network; XP SP2 and Windows Server 2003 both require the attacker to have an authenticated connection to the victim -- not likely on home systems, but feasible on corporate networks. Zotob exploits this vulnerability. Most of the recent Zotob corporate infections occurred because systems were allowed to connect insecurely to other networks.
  • MS05-040 - Vulnerability in Telephony API (TAPI): Big whoop. Remote code execution is possible only on server products, and then only if the Telephony Server Service has been manually enabled. Attacks have to arrive as RPC traffic inbound to the vulnerable server, and no such traffic should be reaching it from the Internet.
  • MS05-041 - Remote Desktop Protocol Denial of Service: Generally speaking, RDP should not be Internet-facing, or if it must be, should be restricted to known IP addresses (or VPN connections). Vague reports that this vulnerability can be exploited to run attacker-supplied code have not been substantiated.
  • MS05-042 - Kerberos Vulnerabilities: Interesting patch packaging here. Several vulnerabilities exist in Microsoft's implementation of Kerberos:
    • The first involves PKINIT, the public-key extension used in the initial phase of a Kerberos logon. The vulnerability could allow an attacker to spoof the Kerberos server (the KDC) the client wishes to authenticate with. That opens the door to a man-in-the-middle attack: a fake Kerberos server is placed between the real one and the client, so that all authentication traffic flows through the fake server, and the attacker can glean information about the account (or about every account that logs in through it).
    • The second is a denial of service against a Kerberos server running on Win2K, XP or Windows 2003. An attacker could cause the server to reboot.
    When put together, these two vulnerabilities create an effective attack against a Kerberos authentication environment: set up your fake Kerberos server, cause the real one to reboot, and clients will begin talking to the fake server while the real one is down. Packaging these fixes together is almost like providing a recipe for such an attack.
  • MS05-043 - Vulnerability in Print Spooler Service: another "big whoop." Attacks against this service arrive over the same channels as the majority of Windows attacks, namely TCP 139/445. Further, on XP SP2 and Windows Server 2003 SP1 attacks must come from authenticated clients.

A program called "Peach Fuzzer" was featured on a Web site recently. The program abuses program input via "fuzzing": feeding an application input that nearly complies with what it expects but deviates in some detail (a length field that lies, a field that is truncated or oversized, a byte that is out of range) to see whether the application mishandles it. It is intended to test applications that accept untrusted input and determine whether they can be exploited by injecting malformed data.

Peach Fuzzer targets the Windows RPC interface, a highly complex and long-overlooked major subsystem. Our brief review suggests the tool may not yet be mature enough to be a real threat to consumers, but if past history is any indication the RPC subsystem is likely to contain numerous security vulnerabilities that such a tool can uncover. XP SP2 by default refuses anonymous remote RPC connections (the RestrictRemoteClients setting), which will dramatically reduce the potential impact of future RPC exploits.
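As an added example, not part of the column and not Peach Fuzzer's code, here is a small mutation fuzzer in Python run against a constructed toy length-prefixed parser (the PDU layout is an assumption, not any real RPC encoding). It shows what "nearly compliant" input looks like in practice and why a parser that trusts its own length field crashes where one that validates every length before indexing only rejects. The seed message, the mutator set and the crash classification are all constructed for the example.

```python
"""Mutation fuzzer run against a toy length-prefixed protocol parser (constructed example)."""
import random
import struct

# Constructed toy PDU, not any real RPC encoding:
#   2-byte magic | 1-byte opcode | 2-byte big-endian payload length | payload | 1-byte XOR checksum
MAGIC = b"\x5a\xa5"
MAX_PAYLOAD = 1024


def xor_checksum(payload):
    csum = 0
    for b in payload:
        csum ^= b
    return csum


def build_pdu(opcode, payload):
    """Encode a well-formed PDU; the fuzzer mutates these to get 'nearly compliant' inputs."""
    return MAGIC + bytes([opcode]) + struct.pack(">H", len(payload)) + payload + bytes([xor_checksum(payload)])


def parse_pdu_naive(data):
    """Trusts the declared length and assumes every field is present (the bugs the fuzzer should find)."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    opcode = data[2]                                  # IndexError on a 2-byte input
    (length,) = struct.unpack(">H", data[3:5])        # struct.error when the header is truncated
    payload = data[5:5 + length]
    if xor_checksum(payload) != data[5 + length]:     # IndexError when the length field is overstated
        raise ValueError("bad checksum")
    return opcode, payload


def parse_pdu_hardened(data):
    """Validates every length before indexing; malformed input is rejected with ValueError only."""
    if len(data) < 6:
        raise ValueError("truncated header")
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    opcode = data[2]
    (length,) = struct.unpack(">H", data[3:5])
    if length > MAX_PAYLOAD:
        raise ValueError("declared length exceeds limit")
    if len(data) != 6 + length:
        raise ValueError("declared length disagrees with buffer size")
    payload = data[5:5 + length]
    if xor_checksum(payload) != data[5 + length]:
        raise ValueError("bad checksum")
    return opcode, payload


MUTATORS = ("bitflip", "byte", "length", "insert", "truncate")


def mutate(rng, data):
    """Apply one to three small corruptions to a valid PDU so it is close to, but not, compliant."""
    case = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        choice = rng.choice(MUTATORS)
        if choice == "bitflip":
            case[rng.randrange(len(case))] ^= 1 << rng.randrange(8)
        elif choice == "byte":
            case[rng.randrange(len(case))] = rng.getrandbits(8)
        elif choice == "length":                      # lie about the payload size
            struct.pack_into(">H", case, 3, rng.getrandbits(16))
        elif choice == "insert":
            pos = rng.randrange(len(case) + 1)
            case[pos:pos] = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 16)))
        else:                                         # chop the buffer, possibly inside the header
            del case[rng.randrange(len(case)):]
            break                                     # nothing left to mutate sensibly
    return bytes(case)


def outcome(parser, data):
    """'ok', 'rejected' (clean ValueError), or the name of an unexpected exception (a crash)."""
    try:
        parser(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return type(exc).__name__


def fuzz(parser, seed_pdu, iterations=2000, seed=1):
    """Return {crash class: first input that triggered it} for a parser fed mutated seed input."""
    rng = random.Random(seed)                         # fixed seed so any finding can be reproduced
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, seed_pdu)
        result = outcome(parser, case)
        if result not in ("ok", "rejected"):
            crashes.setdefault(result, case)
    return crashes


SEED_PDU = build_pdu(0x10, b"GET /status")              # constructed valid message used as the seed
OVERSTATED = SEED_PDU[:3] + b"\xff\xff" + SEED_PDU[5:]  # same bytes, but the length field says 65535

if __name__ == "__main__":
    for name, parser in (("naive", parse_pdu_naive), ("hardened", parse_pdu_hardened)):
        found = fuzz(parser, SEED_PDU)
        print(f"{name}: {len(found)} crash classes", {k: v.hex() for k, v in found.items()})
```

The output worth looking at is the dictionary of distinct crash classes with the input that first produced each one; the naive parser yields IndexError and struct.error cases within a few hundred iterations, the hardened parser yields none. A production fuzzer adds coverage feedback and test-case minimization, but the loop (mutate a valid input, feed it, classify what comes back) is the same.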

Privacy
German bank Postbank has introduced a new service called iTAN (indexed TAN; TAN is an acronym for Transaction Number). The point of the service is to introduce a value provided only by the bank, with which customers authenticate transactions. In Postbank's case, customers enter their PIN (personal identification number) together with a specific TAN from their list, chosen by Postbank at the time the transaction is authorized rather than by the customer. The challenge is extremely short-lived (seconds), and a TAN supposedly cannot be replayed within a reasonable period of time.

This column was originally published in our weekly Security Watch newsletter.

The value of such a system really has to be questioned. It's trivial for phishers to mimic the system Postbank is employing: a phishing site that relays the session in real time collects the PIN, scrapes the index of the TAN the bank is actually asking for, presents that same request to the victim, and submits the victim's answer to validate a transaction of the phisher's choosing.
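As an added illustration (not Postbank's system and not the column's own code), the following Python simulation models an indexed-TAN authorization and the real-time phishing relay described above, with both the bank's and the customer's messages spelled out. It goes one step beyond the text by adding a hypothetical transaction-bound variant, in which the confirmation code depends on the transfer details the customer was shown, to make clear what a TAN would have to be tied to for the relay to fail. The PIN, account strings, TAN list and the HMAC-based code are all constructed assumptions.

```python
"""Simulated iTAN (indexed TAN) authorization and a real-time phishing relay against it (constructed)."""
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    dest: str
    amount: int


def make_tan_list(rng, count=100):
    """Constructed stand-in for the printed, numbered TAN list the bank mails to the customer."""
    return [f"{rng.randrange(10 ** 6):06d}" for _ in range(count)]


def transaction_code(secret, idx, transfer):
    """Hypothetical transaction-bound code: depends on the index AND the transfer details."""
    msg = f"{idx}|{transfer.dest}|{transfer.amount}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class ItanBank:
    """Bank side: PIN login, then a challenge naming which TAN on the list must be entered."""

    def __init__(self, pin, tan_list, rng):
        self.pin = pin
        self.tans = dict(enumerate(tan_list, start=1))
        self.used = set()
        self.rng = rng
        self.pending = {}      # session id -> (challenged index, transfer awaiting confirmation)
        self.executed = []

    def login(self, pin):
        if pin != self.pin:
            raise PermissionError("wrong PIN")
        return self.rng.randrange(1 << 32)    # session id

    def challenge(self, sid, transfer):
        idx = self.rng.choice([i for i in self.tans if i not in self.used])
        self.pending[sid] = (idx, transfer)
        return idx                             # "please enter TAN number <idx>"

    def expected_code(self, idx, transfer):
        return self.tans[idx]                  # plain iTAN: the code does not depend on the transfer

    def confirm(self, sid, code):
        idx, transfer = self.pending.pop(sid)
        if not hmac.compare_digest(code, self.expected_code(idx, transfer)):
            return False
        self.used.add(idx)                     # single-use index, so a captured TAN cannot be replayed
        self.executed.append(transfer)
        return True


class TransactionBoundBank(ItanBank):
    """Variant where the customer's device computes a code over the transfer it was shown."""

    def __init__(self, pin, tan_list, rng, device_secret):
        super().__init__(pin, tan_list, rng)
        self.device_secret = device_secret

    def expected_code(self, idx, transfer):
        return transaction_code(self.device_secret, idx, transfer)


class Customer:
    def __init__(self, pin, tan_list, device_secret=None):
        self.pin = pin
        self.tans = dict(enumerate(tan_list, start=1))
        self.device_secret = device_secret

    def answer(self, idx, transfer_as_shown):
        """Respond to challenge <idx> for the transfer the customer believes is being authorized."""
        if self.device_secret is None:
            return self.tans[idx]              # read TAN number idx off the printed list
        return transaction_code(self.device_secret, idx, transfer_as_shown)


def honest_transfer(bank, customer, transfer):
    sid = bank.login(customer.pin)
    idx = bank.challenge(sid, transfer)
    return bank.confirm(sid, customer.answer(idx, transfer))


def relay_attack(bank, customer, intended, mule_account):
    """Phishing site in the middle: every message is relayed live, only the destination is swapped."""
    sid = bank.login(customer.pin)                                        # PIN typed into the fake page
    idx = bank.challenge(sid, Transfer(mule_account, intended.amount))    # attacker's transfer, not the victim's
    code = customer.answer(idx, intended)                                 # fake page shows the scraped index
    return bank.confirm(sid, code)                                        # victim's answer authorizes it


if __name__ == "__main__":
    tans = make_tan_list(random.Random(7))
    bank = ItanBank("1234", tans, random.Random(1))
    cust = Customer("1234", tans)
    print("honest:", honest_transfer(bank, cust, Transfer("DE-friend", 50)))
    print("relay :", relay_attack(bank, cust, Transfer("DE-friend", 500), "DE-mule"), bank.executed[-1])
```

The relay succeeds against the plain scheme even though no TAN is ever replayed: the bank's challenge proves the customer holds the list, but nothing in the answer says which transfer it was meant for, so the phisher's transfer is what gets executed. In the transaction-bound variant the customer's device signs the transfer the customer was shown, the bank verifies against the transfer it actually received, and the two disagree the moment the destination is swapped.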

Wow, a university has lost personal information to hackers ... again! Cal Poly Pomona is just the latest .edu to lose personal information stored on its networks to hackers.

One really has to wonder if there are any people in California who have not lost their personal information. By the looks of things, the only people who may not have had their personal information compromised are the uneducated.

Governance
Ofcom, the U.K. communications industries regulator, has announced it will be making radio spectrum available for use by Radio Frequency Identification (RFID) equipment without a wireless telegraphy license.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
