
Posts Tagged ‘vulnerability’

Critical: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution

Those of you who are my PC security (Introduction to PC Security) students don’t have to worry about this because in the first few lessons of the course you’ve disabled this!

However, many of you have not taken the course so I thought it was wise to post this.

Oh, and by the way, Mac users, this affects you too if you are using the Microsoft Remote Desktop Connection Client to connect a Mac to a Windows PC.

According to Microsoft’s Security Bulletin: MS09-044:

This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted Web site that exploits this vulnerability. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

via Microsoft Security Bulletin MS09-044 – Critical: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution 970927.

There are also known issues after installing this update, so you may want to check the bulletin for a list of those.

I’ve been teaching the Introduction to PC Security course for over 5 years and from day 1 I’ve had the students disable this service! I wonder what else you’re missing?

RUBotted Popup and Microsoft Bulletins

I’d like to take this minute to publicly thank the donor who bought me a cup of coffee by dropping a tip in my tip jar! Thank you! That was very sweet of you and very much appreciated!

Sometimes it really bothers me to be right!

You may remember that throughout the RUBotted pop-up discussions and my predictions for the year, I stated that:

There will be an IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.

The keywords in my rants and my predictions have always been that the new malware will be pumped through ad servers.  Remember that?

Well, it’s not the huge Weapon of Mass Destruction but it could be heading in that direction.

Microsoft issued a security bulletin today. And it seems there is a bit of a problem with the way Internet Explorer handles CSS. Yes, you’ve read that right. Cascading Style Sheets! A standard on the web!

In fact, here’s what their Bulletin MS09-002 says:

A remote code execution vulnerability exists in the way Internet Explorer handles Cascading Style Sheets (CSS). An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

And as they’ve told us repeatedly,  Microsoft knows all about security and all about web standards!

But this is not the BEST part!

The Mitigating Factors section, which describes the conditions under which this vulnerability becomes a problem, states:

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Now, what was it I said in the RUBotted pop-up discussion about ad servers possibly pushing the malware? Hmmm, maybe I’m not such a joke after all Symantec employee – huh?

The other part of that above quoted section makes me want to laugh myself off my chair.

In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Dear Idiots at Microsoft, if the fracking thing can be exploited through hosted ads, nobody needs to be directed to a website! Nearly every freaking website has hosted ads now!

Am I the only one that sees how lame and ridiculous this is?

So needless to say, if you’ve got your auto-updates turned off as I do, then make sure you install the fix for this baby.  But since we know there will be more fixes just move to Firefox and be done with it!

For the technical information on the new release see: Microsoft Bulletin Summary for February.

On another note, the RUBotted issue. My pop-ups are not as frequent as they were in the beginning, but I’m still getting a few here and there.

I think I’ve found multiple reasons for the message and although I tried to contact TrendMicro through our partner program and their twitter account, no one is responding – so what else is new?

One web site set off my RUBotted pop-up and I found a piece of code in the header that could explain it. The code was trying to activate my Firefox Skype toolbar, which I don’t have.

I’ve inserted the code at the bottom of this post so you can see it for yourself.

Upon researching what this does, I found that this code snippet is inserted by accident when someone is editing a web page and using the Skype toolbar add-on for Firefox.

However, since the Skype toolbar add-on makes it easy to call from Firefox, the JS file associated with this toolbar led me to believe that it was trying to activate something on the toolbar, which set off RUBotted.

Remember, all the RUBotted pop-up messages claim that something is trying to launch a program remotely! And that’s exactly what the script does!

(To see the JS file associated with this script code, visit here: Koders Code Search.)

Next, I have seen several other pop-ups associated with Flash files on a web site – either ads or just plain flash files on a web site.

Did you ever notice how you can right click over a flash file and get to the settings?

Just go to adobe.com and there’s a huge flash section in the upper section. Right mouse click and select the settings.

The first thing that appears is the privacy settings and you can allow or deny flash player to access your web cam or microphone – if you have them – and I do.

What if there’s something attempting to access the Flash player on those sites that are giving us the pop-up?

I don’t have the answer yet because it’s very time consuming and quite difficult to go through every flash ad and try to reverse engineer it to find out what it’s doing.

But I was correct about the ad servers and malware, just didn’t know about the CSS vulnerability. How many other ad server vulnerabilities are there that we still don’t know about? Or is this someone doing some testing for the next round of malware?

So, who’s to say I’m not right about these flash pop-ups either?

There is one flaw in my thinking, however. My housemate didn’t have Flash player installed when he first got hit with his pop-up. And he doesn’t have a web cam or a microphone.

But! Could his pop-ups have been related to the Skype toolbar issue? Or something else?

I’ve had several people contact me with theories and thoughts, and another big possibility is the attempt to launch your messaging program, chat, or instant messenger.

We continue investigating flash files, JavaScript files, and lines and lines of code!

Patch Tuesday Patches Critical Bugs

I should rephrase that because I actually liked the headline that InfoWorld used: Microsoft patches ’super nasty’ Windows bugs.

I love it!

I’ll get back to that article in a minute. First, we need to address this update.

1. Yes you should get it!

2. Immediately!

Okay?

Seriously, the patch fixes two undisclosed vulnerabilities and one publicly disclosed vulnerability in the Microsoft Server Message Block (SMB) Protocol.

Now don’t let the name of the protocol fool you – this does not mean the patch is meant for servers only.

First, for those of you new to our blog and our education site, let me explain that a protocol is nothing more than a set of rules or ordered steps. In computing, you use IP (Internet Protocol) all the time to surf the web. It’s the set of steps that your computer takes to make those necessary connections. (And geeky people and techies, please don’t give me a lot of comments about this definition – it’s aimed at the beginners! I know what protocols are and how they are programmed – k?)

That being said, the SMB Protocol’s main purpose is file sharing, but that’s not all it does. (Are you surprised? NOT) It also covers: discovering other Microsoft SMB Protocol servers on the network (network browsing), printing over a network, file, directory, and share access authentication, file and record locking, file and directory change notification, and a few more things I didn’t want to include because of the technical nature of what they do. (Geeky people and techies: please feel free to visit the overview at Microsoft’s TechNet for more info!)

The first vulnerability in this protocol is – can you guess? - A BUFFER OVERFLOW! (Don’t even get me started again!)

The fix validates the fields in the protocol packets to prevent the overflow.  Microsoft programmers – how many more unchecked buffers are still there? Huh???

The next vulnerability, although billed as the SMB Validation Remote Code Execution Vulnerability, is nothing more than the same unchecked buffer. But in this instance, it’s Microsoft’s software not validating the size of the buffer before writing to it. (Now why does that totally NOT surprise me?)

And the final vulnerability again is related to the same unchecked, unvalidated  buffer size which in turn creates a Denial of Service vulnerability.

If you’re reading this and you’re one of my students from the hacking course, do you remember this problem? (Hint: Following Shirley Hacker)

Now, this whole mess causes a big problem for the users when someone sends you a packet with more data inside than this buffer (or placeholder) can handle. I’ve used this example before repeatedly, but you’ve experienced something like a buffer overflow when you tried to send too much information to print on your printer and you got page after page of one line filled with Wingdings-type characters. That’s because your printer didn’t know what to do with all the excess data, so it got all confused.

It’s worse in the situation we’re talking about with the Microsoft packets because malware writers know how to put programming code inside those overstuffed packets that allows them to remotely access your computer. Instead of crashing, restarting, or spewing out junk like a printer, the overflow delivers a set of instructions to your operating system that allows this access!
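To make the “unchecked buffer” concrete, here is an added example (not code from this post, and not Microsoft’s SMB implementation): a toy length-prefixed request in the spirit of an SMB packet, parsed once by a function that trusts the byte count in the packet and once by a function that validates it. The packet layout, field names and sample packets are invented for illustration. The unchecked parser shows both failure modes the bulletin describes: a count bigger than the destination overwrites memory past the buffer (the remote code execution case), and a count bigger than what was actually received reads off the end of the packet (the denial of service case). The checked parser refuses such packets before copying anything.

```c
/* Added example, not from the post or from Microsoft's code.  A toy
 * length-prefixed request: 1-byte command, 2-byte little-endian byte
 * count, then byte_count bytes of payload.  Layout is invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32

typedef struct {
    uint8_t command;
    char    name[MAX_NAME];   /* fixed-size destination: the "buffer" */
} request_t;

/* Vulnerable: trusts the attacker-controlled byte count.  A count larger
 * than MAX_NAME writes past name[] (the overflow); a count larger than
 * the packet reads past the packet (the crash / DoS).  Never call this
 * with untrusted input; it is here only to show what is missing. */
int parse_unchecked(const uint8_t *pkt, size_t pkt_len, request_t *out)
{
    if (pkt_len < 3) return -1;
    uint16_t count = (uint16_t)(pkt[1] | (pkt[2] << 8));
    out->command = pkt[0];
    memcpy(out->name, pkt + 3, count);   /* no check against MAX_NAME or pkt_len */
    return 0;
}

/* Hardened: the untrusted length is checked against both the bytes
 * actually received and the size of the destination before any copy.
 * Return codes: 0 ok, -1 truncated header, -2 count exceeds packet,
 * -3 count does not fit the destination. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, request_t *out)
{
    if (pkt_len < 3) return -1;
    uint16_t count = (uint16_t)(pkt[1] | (pkt[2] << 8));
    if ((size_t)count > pkt_len - 3) return -2;  /* claims more than was sent */
    if (count >= MAX_NAME) return -3;            /* would not fit (room for NUL) */
    out->command = pkt[0];
    memcpy(out->name, pkt + 3, count);
    out->name[count] = '\0';
    return 0;
}

/* Constructed sample packets. */
static const uint8_t good_pkt[]  = { 0x01, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
/* Count field says 0x0400 (1024) bytes but only 5 follow: the unchecked
 * parser would copy 1024 bytes into a 32-byte field. */
static const uint8_t lying_pkt[] = { 0x01, 0x00, 0x04, 'h', 'e', 'l', 'l', 'o' };

/* Runs both sample packets through the checked parser; returns 0 when the
 * good packet is accepted and the lying packet is rejected with -2. */
int demo(void)
{
    request_t r;
    int a = parse_checked(good_pkt, sizeof good_pkt, &r);
    int b = parse_checked(lying_pkt, sizeof lying_pkt, &r);
    printf("good packet: %d (name=%s), lying packet: %d\n", a, r.name, b);
    return (a == 0 && b == -2) ? 0 : 1;
}

int main(void) { return demo(); }
```

The fix Microsoft describes (“validates the fields in the protocol packets”) is exactly the two extra comparisons in parse_checked: a length that arrives in the packet is data, not a fact, until it has been compared with what was actually received and with the room you have to put it in.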

So that is why I really feel it’s important that you get this update! If you do not have your auto-updates turned on, then go to the Windows update site and get this critical update: MS09-001 or click here: Microsoft Update Site.

Now that we’re done with all that, let me go back a minute to the InfoWorld article mentioned above.  Specifically, this one little paragraph:

“This is super nasty,” said Eric Schultze, the chief technology officer at Shavlik Technologies LLC, who also called today’s update “super critical” as he rang the alarm. “Expect to see a worm on this one in the very near future, [because] this is Blaster and Sasser all over again.”

My, my, my! Where have I heard that before? Let me see……oh yes! I remember now! I said it! No, actually, I predicted it on my Friday’s Quickie on December 12, 2008, only I stated it would be much worse than Sasser and Blaster, Mr. Schultze and InfoWorld!

2. There will be an IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.

Enough said?