Tuesday, February 13, 2007

Network Security Nightmare Week

What a week for computer security! The eSoft Threat Level has been raised from low yellow to solid orange because of a number of threats that network administrators should consider extremely critical. Here's an overview of the major threats ThreatCenter is tracking:

First there's the telnet vulnerability in Solaris 10 and 11. As of this writing it is unpatched, and it lets anyone telnet into a Solaris system as root without any kind of authentication. Even scarier, the exploit doesn't require any special tools; it can be carried out with a standard telnet client. If you're running Solaris and have telnet enabled, turn on SSH, turn off telnet, and make sure it never starts up again (check that it is still disabled after a reboot, not just killed). And while you're at it, block incoming TCP port 23 at your firewall to stop all telnet traffic. Keep in mind that the firewall rule only shields you from the outside; it does nothing against anyone already on your internal network, so disabling the service is the real fix.

It always gets our attention when security products meant to protect you put you at risk. This week we've had a trifecta of these issues. Early in the week we became aware of a vulnerability in Trend Micro's antivirus engine where scanning a malicious UPX-packed executable could compromise a system. Now we learn that Microsoft's antivirus engine has its own vulnerability where scanning a malicious PDF file could compromise a system. Exploiting either bug gives the attacker Administrator privileges, and the victim doesn't even have to open the file, because the scanner parses it on their behalf. Finally, Cisco IOS IPS has a series of issues that could let an attacker crash (force a reload of) a router running the IOS IPS feature. This is the most recent in a series of Cisco issues that, luckily, we still haven't seen public exploits for. Don't hold your breath though.

Today is Patch Tuesday, and in addition to announcing the antivirus scanner bug above, Microsoft has fixed a number of publicly known vulnerabilities and several that had not been disclosed. The best news is that the growing handful of Microsoft Office vulnerabilities with exploits in the wild have finally been fixed. We've been waiting months for these fixes. Unfortunately, we have new things to worry about.

First, let's talk about Internet Explorer. The HTML Help ActiveX control has a fresh vulnerability. This isn't the first time Microsoft has recommended disabling the HTML Help ActiveX control in Internet Explorer (by setting its kill bit in the registry) because of security problems, and if you didn't do it last time, you might want to do it this time. With Group Policy you can push the registry change to a whole fleet of machines at once; test it first, since the kill bit affects anything that hosts the control, not just web pages. If you have an Intrusion Prevention System, check whether your vendor has rules to detect and block pages that instantiate this control.

Microsoft Data Access Components in Internet Explorer also have a fresh vulnerability. As with the HTML Help ActiveX control, I'm having déjà vu on this one. You'll have to think a little longer before deciding to block it, because of its widespread use in rich-content web applications, but if you can't enforce an immediate update of all of your site's computers, then block it and worry about the consequences later. Better to have some users annoyed by your policy than by a computer that is mysteriously slow due to its raging malware infection.

Finally, we have one of the scariest batches of Internet Explorer ActiveX bugs I've ever seen. There are two "COM Object Instantiation" vulnerabilities: when Internet Explorer instantiates a COM object (a DLL, OCX, etc.) that was never designed to be hosted in a browser, memory corruption can result, and an attacker can exploit it. And because these vulnerabilities were reported to Microsoft by H.D. Moore, founder of the Metasploit project, we expect proof-of-concept exploits to be published any time now. Microsoft is recommending that you block a specific handful of COM objects; I don't have a full explanation for the choice, but presumably these are the ones found to be exploitable this way. The blocking is done by setting each object's kill bit in the registry. To find the CLSIDs to block, dig into the FAQ section of the MS07-016 security bulletin.
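Since all three of the Internet Explorer items above come down to the same workaround, setting the kill bit on a list of CLSIDs and then checking that it actually took, here is an added example of that in Python. It is not eSoft's tooling or Microsoft's; the CLSIDs in it are made-up placeholders (use the ones from the MS07-016 FAQ), and it assumes the standard kill-bit mechanism: a "Compatibility Flags" value with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. It writes the .reg file you would push out with Group Policy or a login script, and audits a `reg export` of that key to list which controls are still unprotected.

```python
"""Kill-bit helper for the ActiveX workarounds described above.

This is an added example, not eSoft's or Microsoft's code.  The registry
key and the 0x400 flag value are Microsoft's documented kill-bit mechanism;
the CLSIDs used here are made-up placeholders.  Replace them with the ones
listed in the FAQ section of the MS07-016 bulletin.
"""
import re

KILLBIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
               r"\ActiveX Compatibility")
KILL_BIT = 0x400   # bit in "Compatibility Flags" that stops IE loading a control

_CLSID_RE = re.compile(
    r"^\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?$",
    re.I)

# Placeholder CLSIDs (constructed for this example; NOT real control IDs).
PLACEHOLDER_CLSIDS = [
    "{11111111-2222-3333-4444-555555555555}",
    "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
]


def normalize_clsid(clsid):
    """Canonical lower-case {xxxxxxxx-xxxx-...} form; ValueError if malformed."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError("not a CLSID: %r" % (clsid,))
    return "{%s}" % m.group(1).lower()


def killbit_reg(clsids):
    """Text of a .reg file that sets the kill bit on every CLSID given.

    Importing it replaces the whole "Compatibility Flags" value, so any other
    bits already set for a control are lost; audit with parse_killbits() first.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in sorted({normalize_clsid(c) for c in clsids}):
        lines.append("[%s\\%s]" % (KILLBIT_KEY, clsid))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)


def parse_killbits(export_text):
    """Map CLSID -> "Compatibility Flags" from `reg export` output of the
    ActiveX Compatibility key (decoded to str; reg export writes UTF-16)."""
    flags, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            current = None
            if parent.lower().endswith("\\activex compatibility"):
                try:
                    current = normalize_clsid(leaf)
                except ValueError:
                    pass                      # some other subkey, not a CLSID
            continue
        m = re.match(r'"Compatibility Flags"=dword:([0-9a-f]{1,8})$', line, re.I)
        if current and m:
            flags[current] = int(m.group(1), 16)
    return flags


def missing_killbits(export_text, wanted):
    """CLSIDs from `wanted` whose kill bit is still not set on this machine.

    The value is a bitmask, so test the bit rather than comparing to 0x400."""
    have = parse_killbits(export_text)
    return sorted(c for c in map(normalize_clsid, wanted)
                  if not have.get(c, 0) & KILL_BIT)


# Constructed `reg export` output: the first placeholder is killed, the
# second has some other flag but not the kill bit.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000001
"""

if __name__ == "__main__":
    print("still unprotected:", missing_killbits(SAMPLE_EXPORT, PLACEHOLDER_CLSIDS))
    print(killbit_reg(PLACEHOLDER_CLSIDS))
```

On a real machine the audit input comes from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg`, decoded from UTF-16 before it is handed to missing_killbits(). Deploy the generated .reg only after that audit, since a control that already had other compatibility flags set would have them overwritten.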

Microsoft released three separate patches for issues involving MFC (a framework developers use in many Windows applications), OLE (object linking and embedding; if you've ever put an Excel spreadsheet in the middle of a Word document, that's OLE), and RichEdit. Although it sounds like it may have wider implications, Microsoft is currently telling us that the attack vectors for these problems all center around RTF files with embedded content. Go pester your antivirus vendor and see if they'll add support for blocking RTF files with embedded content. And while you're at it, you may want to start blocking RTF files at your mail gateway. Block by content rather than by file extension: Word recognizes an RTF file by its contents, so an RTF renamed to .doc sails straight past an extension-based filter.
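For the mail-gateway side of that advice, here is an added example (not eSoft's code, and not any vendor's filter) that decides by content whether an attachment is an RTF document carrying embedded objects. It relies on the RTF specification's `\object` control word, which wraps every embedded or linked OLE object, and the `\objclass` destination inside it; the sample documents are constructed for the example and contain no exploit data.

```python
"""Content-based filter for RTF attachments that carry embedded objects.

Added example for the RTF advice above; it is not eSoft's code and not any
vendor's filter.  It keys on the RTF `\\object` control word, the RTF
specification's container for an embedded or linked OLE object, and reports
each object's `\\objclass` so a gateway can log what was blocked.  The
sample documents at the bottom are constructed for this example.
"""
import re

# `\object` as a complete control word.  `\objemb`, `\objdata`, `\objw`...
# share the `\obj` prefix but not `\object`, and a letter right after
# `\object` would make it a different control word, so require a non-letter.
_OBJECT_RE = re.compile(rb"\\object(?![A-Za-z])")
_OBJCLASS_RE = re.compile(rb"\\\*\\objclass ?([^\\{}]*)")


def is_rtf(data):
    """RTF starts with the `{\\rtf` group.  Check content, never the extension."""
    return data.lstrip().startswith(b"{\\rtf")


def _group_end(data, start):
    """Index just past the `}` closing the group whose `{` is at data[start]."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":              # `\{`, `\}` and `\\` are escapes: skip both bytes
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)                # unbalanced braces: take the rest of the file


def embedded_objects(data):
    """\\objclass names (b'?' when absent) of every \\object group in the file."""
    found = []
    for m in _OBJECT_RE.finditer(data):
        open_brace = data.rfind(b"{", 0, m.start())   # the group `\object` sits in
        if open_brace < 0:
            body = data[m.start():]
        else:
            body = data[open_brace:_group_end(data, open_brace)]
        cls = _OBJCLASS_RE.search(body)
        found.append(cls.group(1).strip() if cls else b"?")
    return found


def should_block(data):
    """Gateway decision for one attachment, whatever its declared name or type."""
    return is_rtf(data) and bool(embedded_objects(data))


# Constructed samples (no real exploit data): a plain memo, and one with an
# embedded "Package" object plus a linked Excel sheet.
PLAIN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\f0 Quarterly numbers attached.\par}"
OLE_RTF = (rb"{\rtf1\ansi {\object\objemb\objw2000\objh1000"
           rb"{\*\objclass Package}{\*\objdata 0105000002000000}}\par "
           rb"{\object\objautlink{\*\objclass Excel.Sheet.8}{\*\objdata 00}}}")

if __name__ == "__main__":
    for name, doc in (("memo.rtf", PLAIN_RTF), ("invoice.doc", OLE_RTF)):
        print(name, "BLOCK" if should_block(doc) else "pass", embedded_objects(doc))
```

The second sample is deliberately labelled invoice.doc: should_block() never looks at the name, which is the point of filtering on content. Logging the object class (here "Package", the generic wrapper for an arbitrary embedded file) gives the helpdesk something to tell the user whose legitimate document was held.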

Of the Patch Tuesday vulnerabilities, I've saved the scariest for last. MS07-016 also fixes a problem where a malicious FTP server could compromise a computer. On the face of it this doesn't sound too bad, but consider that almost every Windows application that accesses files via FTP uses the wininet library to do it, and wininet is the library with the vulnerability. Now consider that Outlook and Outlook Express will automatically fetch files from an FTP server if an e-mail references them. If an HTML e-mail is spammed out with markup like <img src="ftp://badserver/somefile.gif" /> in it, then badserver can take control of the computer. Microsoft recommends that you view e-mail as plain text only until you've patched your system. The good news is that there isn't a public exploit available at this time. The bad news is that this affects all versions of Internet Explorer from 5 through 7, Outlook, Outlook Express, and all versions of Windows. And exploits will be here soon: iDefense, who discovered this in May of 2006, has published enough detail for people to figure it out.
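To make the plain-text recommendation enforceable at the gateway rather than on every desktop, here is an added example (not eSoft's code) that flags HTML bodies which would trigger an FTP fetch just by being displayed. Which attributes a client resolves automatically is my assumption about the rendering engine, and the sample messages are constructed; badserver is the host name from the paragraph above.

```python
"""Spot HTML mail bodies that would make wininet talk to an FTP server.

Added example for the MS07-016 wininet/FTP discussion above.  It is not
eSoft's code; the list of auto-fetched attributes is my assumption about
what a mail client resolves while rendering, and the messages at the
bottom are constructed ("badserver" is the host name used in the post).
"""
import re
from html.parser import HTMLParser

# (tag, attribute) pairs a renderer fetches on display, with no click needed.
AUTO_FETCH_ATTRS = {
    ("img", "src"), ("img", "lowsrc"), ("input", "src"), ("script", "src"),
    ("link", "href"), ("iframe", "src"), ("frame", "src"), ("embed", "src"),
    ("object", "data"), ("object", "codebase"), ("bgsound", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
}
# CSS url(ftp://...) inside a style attribute is fetched the same way.
_CSS_FTP_RE = re.compile(r"url\(\s*[\"']?\s*ftp:", re.I)


def url_scheme(url):
    """Scheme as a lenient browser reads it: drop surrounding whitespace and any
    embedded tab/CR/LF, then take everything before the first ':'."""
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    head, sep, _ = cleaned.partition(":")
    return head.lower() if sep else ""


class FtpRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for every auto-fetched FTP reference."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):      # also reached for <img ... />
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in AUTO_FETCH_ATTRS and url_scheme(value) == "ftp":
                self.hits.append((tag, name, value.strip()))
            elif name == "style" and _CSS_FTP_RE.search(value):
                self.hits.append((tag, name, value.strip()))


def ftp_references(html):
    """All automatically fetched ftp: references in one HTML body."""
    finder = FtpRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def render_as_text_only(html):
    """Policy for unpatched clients: if displaying the HTML would touch an FTP
    server, hand the message to the client as plain text instead."""
    return bool(ftp_references(html))


# Constructed messages.  Note the <a href="ftp://..."> in the safe one: a link
# is only followed on a click, so it is not flagged.
SPAM_BODY = ('<html><body><p>Your invoice is attached.</p>'
             '<img src="ftp://badserver/somefile.gif" /></body></html>')
SNEAKY_BODY = ('<html><body background="  FTP://badserver/x.gif">'
               '<div style="background-image:url( ftp://badserver/y.gif )">hi</div>'
               '</body></html>')
SAFE_BODY = ('<html><body><img src="http://example.com/logo.gif">'
             '<a href="ftp://example.com/pub/">our FTP site</a></body></html>')

if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("sneaky", SNEAKY_BODY), ("safe", SAFE_BODY)):
        print(label, "-> text only" if render_as_text_only(body) else "-> html ok",
              ftp_references(body))
```

The scheme check strips whitespace and embedded tabs and newlines before comparing, because a naive `startswith("ftp://")` is exactly the kind of filter spammers learn to slip past with a leading space or an upper-case scheme. The clickable ftp: link in the safe message is left alone on purpose; the bug is in what the client fetches by itself, not in what the user chooses to open.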

This is my first post to the ThreatCenter Live blog and it's far longer than I expect the average post to be, but we've got quite a lot of news to share. The eSoft Threat Level will remain at its elevated position for a few days to raise awareness of these issues. Assuming no exploits start hitting and being widely used in the next few days (which very well may happen with the ftp vulnerability in particular), we will lower the threat level back down.

[Note from the sponsor: eSoft's Intrusion Prevention, Gateway AntiVirus, and Gateway AntiSpyware Softpaks together protect users from all of the above mentioned vulnerabilities except for the Cisco IOS IPS issue.]
