Patch Tuesday Analyzed
The latest Microsoft vulnerabilities discovered affect a variety of things from IE and Remote Desktop to Plug and Play and Print Spooler.
Hacking/Denial of Service
Microsoft released six new Security Bulletins. Here's what you need to know:
- Cumulative Update for Internet Explorer: Three more vulnerabilities
in Internet Explorer were patched; all are most likely to be used (if at all)
by malicious Web sites that install spyware. The best defense against these types
of vulnerabilities is your content filters and anti-spyware software. There
are simply too many exploitable vulnerabilities to believe that keeping yourself
patched somehow eliminates the risk of being exploited. These just represent
more attack methods to be put in the "bag of tricks" employed
by such malicious sites. The bottom line is that being patched doesn't necessarily
mean you won't be exploited.
- Vulnerability in Plug and Play: Anyone remember the very first published
vulnerability that affected Windows XP? It involved Universal Plug and Play
and was announced on the day XP was released. This UPnP flaw affects Windows
2000, XP and Windows Server 2003, albeit differently. XP SP2 and Windows 2003
both require the attacker to have an authenticated connection to the victim,
which is not likely on home systems but feasible on corporate networks.
Zotob uses this attack. Most of the recent Zotob corporate infections occurred
because systems were allowed to connect insecurely to other networks.
- Vulnerability in Telephony API (TAPI): Big whoop. Remote code execution
is only possible on server products, and then only if the Telephony Server
Service has been manually enabled. Attacks have to come via RPC traffic inbound
to the vulnerable server, and any such traffic should not be originating from
- Remote Desktop Protocol Denial of Service: Generally speaking, RDP
should not be Internet-facing, or if it is, it should be restricted to known
IP addresses (or VPN connections). Vague reports of this vulnerability being
exploitable to run code of the attacker's choice have not been substantiated.
- Kerberos Vulnerabilities: Interesting patch packaging here. Several
vulnerabilities exist in Microsoft's implementation of Kerberos:
- - The first involves PKINIT, a protocol used in the initial phases
of a Kerberos login. The vulnerability could allow an attacker to spoof
the actual Kerberos server the client wishes to authenticate with. The
vulnerability may make a man-in-the-middle attack possible, in which a fake
Kerberos server is placed between the actual Kerberos server and the client,
thereby allowing all authentication traffic to flow through the fake Kerberos
server. As such, the attacker could glean information about the account (or
all accounts that log in through the fake Kerberos server).
- - The second involves a Denial of Service attack against a Kerberos
server running on Win2K, XP or Windows 2003. As a result of the vulnerability,
an attacker could cause the server to reboot.
When put together, these two vulnerabilities create an effective attack against
a Kerberos authentication environment. Set up your fake Kerberos server, cause
the real Kerberos to reboot, and clients will begin to see your fake Kerberos
server while the real one reboots. Packaging these fixes together is almost
like providing a recipe for such an attack.
- Vulnerability in Print Spooler Service: another "big whoop."
Attacks against this service would come via the same channels most Windows
attacks use, for example TCP ports 139/445. Further, on XP SP2 and
Windows 2003 SP1 attacks must come from authenticated clients.
A program called "Peach Fuzzer" was featured on a Web site
recently. This program tests how software handles input via "fuzzing":
supplying input that nearly complies with what the program expects but
deviates from it in a variety of ways. The program is intended to test applications
that accept user input, to determine whether they can be exploited by injection.
Peach Fuzzer abuses the Windows RPC interface, a highly complex and long-overlooked
major subsystem. Our brief review suggests the tool may not yet be mature enough
to be a real threat to consumers, but if past history is indicative, the RPC
subsystem is likely to contain numerous security vulnerabilities that such a tool
can uncover. XP SP2 forces all RPC connections to be from authenticated users,
which will dramatically reduce the potential impact of future RPC exploits.
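To make the "nearly compliant input" idea concrete, here is an added example (not Peach Fuzzer, and not code from the column) of a small mutation fuzzer run against a parser for a constructed toy message format. The format (type byte, two-byte length, payload, XOR checksum) and both parsers are assumptions for this example; the point is what a fuzzer looks for: inputs that make the parser fail in a way it never documented, here a length field that overruns the buffer. The hardened parser beside it rejects every malformed input through one predictable path.

```python
import random
import struct

# Constructed toy wire format, an assumption for this example and not any real protocol:
#   type (1 byte) | length (2 bytes, big-endian) | payload (length bytes) | checksum (1 byte)
# where checksum is the XOR of all payload bytes.

def build_message(msg_type, payload):
    """Encode a well-formed message; used as the fuzzer's seed input."""
    checksum = 0
    for b in payload:
        checksum ^= b
    return struct.pack(">BH", msg_type, len(payload)) + payload + bytes([checksum])

def parse_message_naive(data):
    """Fragile parser: trusts the declared length field without checking it
    against the buffer, so an oversized length overruns the buffer (IndexError)
    and a truncated header fails inside struct.unpack (struct.error)."""
    msg_type, length = struct.unpack(">BH", data[:3])
    payload = data[3:3 + length]
    checksum = data[3 + length]
    expected = 0
    for b in payload:
        expected ^= b
    if checksum != expected:
        raise ValueError("bad checksum")
    return msg_type, payload

def parse_message_checked(data):
    """Hardened parser: every malformed input is rejected with ValueError,
    which is the only failure a caller has to handle."""
    if len(data) < 4:
        raise ValueError("too short")
    msg_type, length = struct.unpack(">BH", data[:3])
    if len(data) != 3 + length + 1:
        raise ValueError("length field disagrees with buffer size")
    payload = data[3:3 + length]
    expected = 0
    for b in payload:
        expected ^= b
    if data[3 + length] != expected:
        raise ValueError("bad checksum")
    return msg_type, payload

def mutate(seed_msg, rng):
    """Produce a near-compliant variant of a valid message: flip one bit,
    truncate the tail, write a boundary value into the length field, or
    insert a few junk bytes."""
    data = bytearray(seed_msg)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data = data[:rng.randrange(len(data) + 1)]
    elif choice == 2 and len(data) >= 3:
        struct.pack_into(">H", data, 1, rng.choice([0, 1, len(data), 0xFFFF]))
    else:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(data)

def probe(parser, data):
    """Return the class name of any exception the parser raises on data, else None."""
    try:
        parser(data)
    except Exception as exc:
        return type(exc).__name__
    return None

def fuzz(parser, seed_msg, iterations=2000, seed=1):
    """Run mutated inputs through the parser and collect those that fail with
    anything other than the documented ValueError rejection."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed_msg, rng)
        failure = probe(parser, sample)
        if failure not in (None, "ValueError"):
            crashes.append((failure, sample))
    return crashes

if __name__ == "__main__":
    seed_msg = build_message(1, b"hello")   # constructed seed input
    for parser in (parse_message_naive, parse_message_checked):
        found = fuzz(parser, seed_msg)
        print("{}: {} unexpected failures".format(parser.__name__, len(found)))
        for name, sample in found[:3]:
            print("   ", name, sample.hex())
```

The mutation strategy deliberately targets the structural fields (length, framing) rather than random bytes alone, because those are the values a parser is most likely to trust; the same triage rule, "any failure that is not the documented rejection is a bug", is what separates a fuzzing run's noise from its findings.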
German bank Postbank has introduced a new service called iTAN
(TAN is an acronym for Transaction Number). The point of the service is to introduce
a time-sensitive value, provided only by the bank, with which customers
authenticate transactions. In Postbank's case, customers are required to
enter their PIN (personal identification number) together with a TAN specifically
chosen by Postbank at the time of the transaction authorization. The
TAN's lifetime is extremely limited (seconds), and supposedly it cannot be replayed
within a reasonable period of time.
(This column was originally published in our weekly Security Watch newsletter.)
The value of such a system really has to be questioned. It's trivial for phishers
to mimic the system Postbank is employing, including scraping the actual TAN
number being offered to a client in order to validate the transaction.
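The objection above is a property of the scheme, not of any one implementation: an indexed, short-lived, single-use TAN proves that whoever answers holds the customer's list, but it says nothing about which transaction is being authorized. The added model below (not Postbank's system and not code from the column; the TAN values, names, amounts and 30-second lifetime are constructed assumptions) shows that the time limit and single-use rule defeat replay yet still accept a substituted transaction submitted with the genuine TAN inside the window. It goes one step beyond the column by contrasting that with a code that commits to the recipient and amount, which requires the customer to hold something that can compute it.

```python
import hashlib
import hmac

# Constructed model of an indexed-TAN scheme as the column describes it: the bank
# chooses which TAN the customer must enter, the TAN is valid only for seconds, and
# it cannot be reused. TAN values, names, amounts and the lifetime are assumptions
# for this example; this is not Postbank's implementation.
TAN_TTL_SECONDS = 30

class Bank:
    """Bank-side state for one customer's TAN list."""

    def __init__(self, tan_list):
        self.tans = list(tan_list)   # copy of the list the customer also holds
        self.used = set()            # indices that have been consumed
        self.challenges = {}         # index -> expiry time of an open challenge

    def start_transaction(self, now):
        """Choose an unused TAN index and open a time-limited challenge for it."""
        for index in range(len(self.tans)):
            if index not in self.used and index not in self.challenges:
                self.challenges[index] = now + TAN_TTL_SECONDS
                return index
        raise RuntimeError("TAN list exhausted")

    def verify_itan(self, index, tan, recipient, amount, now):
        """Accept the transaction if the challenged TAN arrives before expiry.
        recipient and amount play no part in the check: the TAN only proves that
        someone holding the customer's list answered within the last few seconds."""
        expiry = self.challenges.get(index)
        if expiry is None or now > expiry or index in self.used:
            return False
        if not hmac.compare_digest(tan.encode(), self.tans[index].encode()):
            return False
        self.used.add(index)          # single use: a later replay is refused
        del self.challenges[index]
        return True

def relay_scenario(tan_list, now):
    """The customer means to pay ALICE 50 through what they believe is the bank's
    site. A fake site in the middle passes the bank's challenge index to the
    customer, receives the genuine TAN, and submits a different transaction to
    the bank within the TTL. Returns what the bank accepted."""
    bank = Bank(tan_list)
    index = bank.start_transaction(now)          # bank challenges the session
    tan = tan_list[index]                         # customer reads TAN[index] from the list
    substituted = bank.verify_itan(index, tan, "MALLORY", 5000, now + 2)
    replayed = bank.verify_itan(index, tan, "ALICE", 50, now + 3)
    return {"substituted_accepted": substituted, "replay_accepted": replayed}

def transaction_code(secret, index, recipient, amount):
    """Illustrative hardened form (an assumption here, not the column's or
    Postbank's scheme): the code commits to the transaction details, so it can
    only be produced by something holding the customer's secret and shown the
    real recipient and amount."""
    message = "{}|{}|{}".format(index, recipient, amount).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:8]

def verify_bound(secret, index, recipient, amount, code):
    """Bank-side check of a transaction-bound code."""
    expected = transaction_code(secret, index, recipient, amount)
    return hmac.compare_digest(expected.encode(), code.encode())

def bound_scenario(secret, index):
    """Same relay, but the customer authorized (ALICE, 50) with a bound code."""
    code = transaction_code(secret, index, "ALICE", 50)
    return {
        "intended_accepted": verify_bound(secret, index, "ALICE", 50, code),
        "substituted_accepted": verify_bound(secret, index, "MALLORY", 5000, code),
    }

if __name__ == "__main__":
    tans = ["483920", "117245", "902311"]   # constructed sample TAN list
    print("iTAN relay:", relay_scenario(tans, now=1000.0))
    print("bound code relay:", bound_scenario(b"constructed-customer-secret", 0))
```

The single-use set and expiry check are exactly the protections the column credits iTAN with, and the model shows they hold; what the bank cannot see in `verify_itan` is whether the recipient and amount it received are the ones the customer saw, which is the gap the bound code closes.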
Wow, a university has lost personal information to hackers ... again! Cal
Poly Pomona is just another .edu to lose personal information stored on
its networks to hackers.
One really has to wonder if there are any people in California who have not
lost their personal information. By the looks of things, the only people who
may not have had their personal information compromised are the uneducated.
Ofcom, the U.K. communications industries regulator, has announced it
will be making radio spectrum available for use by Radio Frequency Identification
(RFID) equipment without a wireless telegraphy license.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.