CVE-2012-0003 Exploited in the Wild
Posted by Shane Garrett on January 26, 2012 at 4:09 PM EST.
If for whatever reason you haven’t applied the critical January 2012 security update from Microsoft, now you really need to. Live web-based exploitation of the vulnerability we found in the Windows Multimedia Library’s MIDI handling has been reported by Trend Micro.
CVE-2012-0003 was disclosed by me, Shane G, of X-Force Research and addressed in the critical severity bulletin MS12-004, which was released as part of this month’s Microsoft monthly security update. Additional details, including IDS protection for our customers, can be found in our advisory.
In addition to the appearance of live exploitation, detailed public discussion of the vulnerability and of methods of exploiting it has been seen. The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it. As a further warning, another update this month, MS12-002, addressed a low-complexity vulnerability that is likely to see exploitation for code execution.
January 2012 Microsoft Super Tuesday
Posted by Shane Garrett on January 10, 2012 at 1:22 PM EST.
The January 2012 monthly update from Microsoft weighed in with a relatively light seven bulletins and eight CVEs addressed. Only one of these bulletins, “MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution”, was rated critical (it also happens to contain a fix for one of my disclosures, CVE-2012-0003). Here’s a breakdown of the bulletins that I felt are especially noteworthy.
- MS12-005 : Vulnerability in Microsoft Windows Could Allow Remote Code Execution
This vaguely titled update patches a hole in the Windows object packager’s protection against running unsafe file types. The object packager is used as a way to embed arbitrary files into things like Office documents. Certain file types, like executables, are inherently dangerous to run automatically, so protection was built into the packager to present a warning dialog asking for permission before launching them. A particular file type was left off the blacklist of unsafe file types and therefore can be launched without any warning or user interaction. Although this vulnerability was privately reported, the bulletin gives enough information that I wouldn’t be surprised to see malicious documents exploiting this issue appearing after the update is released. Consider applying this update immediately or, if that isn’t feasible, applying the workaround provided in the bulletin.
- MS12-004 : Vulnerabilities in Windows Media Could Allow Remote Code Execution
Two privately reported remote code execution vulnerabilities were addressed in this critical update. CVE-2012-0003 addresses a vulnerability in the Windows multimedia library when handling unexpected values while processing MIDI files, which can be leveraged for code execution. The issue is in the library itself, and not in an individual music player or application, so the potential exists for any application using the vulnerable API functions to be exploitable. The other vulnerability is in how the DirectShow library parses certain specially crafted subtitles. These subtitles can be embedded in common video container formats such as AVI or ASF.
- MS12-006 : Vulnerability in SSL/TLS Could Allow Information Disclosure
A few months ago there was a demonstration of a proof of concept called BEAST that could decode session cookies from an SSL/TLS connection. The vulnerability that made this possible was the fact that the SSL 3.0 and TLS 1.0 protocols implicitly use the last ciphertext block of the previous record as the initialization vector (IV) when using cipher block chaining (CBC) ciphersuites. This implicit IV vulnerability was addressed in this update. This vulnerability has been known about for a long time (and was addressed in TLS 1.1), and practical exploitation is still somewhat difficult to achieve in most situations.
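The property described above, as an added example that is not part of the original post and not Microsoft’s or any TLS stack’s code: a passive observer of an SSL 3.0 / TLS 1.0 CBC session can name the IV of the next record before it is sent, because it is simply the last ciphertext block already on the wire. That predictability is the precondition the chained-IV weakness rests on; the TLS 1.1 remedy is a fresh random IV transmitted with every record. The block cipher below is a constructed Feistel toy standing in for AES so the script runs with only the standard library; the key, IV and record contents are likewise constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, matching AES as used by TLS CBC suites


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher (constructed; HMAC-SHA256 truncated to 8 bytes).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 8-round Feistel permutation on 16-byte blocks. It stands in for AES so
    the example needs no third-party packages; it is NOT a real cipher."""
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round_fn(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round_fn(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC with PKCS#7 padding: C[i] = E(P[i] XOR C[i-1]), with C[-1] = IV."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, cur), prev))
        prev = cur
    data = b"".join(out)
    return data[: -data[-1]]


def chained_iv_session(key: bytes, initial_iv: bytes, records: list) -> list:
    """SSL 3.0 / TLS 1.0 behaviour: the first record uses the IV derived at handshake time;
    every later record implicitly uses the last ciphertext block of the previous record.
    Returns (iv_used, ciphertext) per record; only the ciphertext goes on the wire."""
    out, iv = [], initial_iv
    for pt in records:
        ct = cbc_encrypt(key, iv, pt)
        out.append((iv, ct))
        iv = ct[-BLOCK:]
    return out


def explicit_iv_session(key: bytes, records: list) -> list:
    """TLS 1.1 behaviour: a fresh random IV per record, sent in front of the ciphertext."""
    out = []
    for pt in records:
        iv = os.urandom(BLOCK)
        out.append((iv, cbc_encrypt(key, iv, pt)))
    return out


def predicted_ivs(session: list) -> int:
    """Count how many records' IVs a passive observer could have named in advance, using only
    what is visible on the wire: the last ciphertext block of the preceding record."""
    return sum(1 for (_, prev_ct), (iv, _) in zip(session, session[1:])
               if prev_ct[-BLOCK:] == iv)


def demo() -> tuple:
    key = b"constructed-demo-key-not-real"
    initial_iv = b"\x00" * BLOCK  # constructed stand-in for the handshake-derived IV
    records = [b"GET / HTTP/1.1", b"Cookie: session=constructed-value",
               b"Host: example.test", b"x"]
    chained = chained_iv_session(key, initial_iv, records)
    explicit = explicit_iv_session(key, records)
    # Both modes decrypt correctly; the only difference is whether the IV was guessable.
    for (iv, ct), pt in zip(chained + explicit, records + records):
        assert cbc_decrypt(key, iv, ct) == pt
    return predicted_ivs(chained), predicted_ivs(explicit)


if __name__ == "__main__":
    print("IVs an observer could predict (chained, explicit):", demo())
```

With four records the chained session yields three predictable IVs (every record after the first) and the explicit-IV session yields none; the round trip check shows the fix costs nothing in correctness, only one extra block per record on the wire. When auditing a configuration, the corresponding defensive check is whether TLS 1.1 or later is negotiated for CBC suites, or whether the stack applies the record-splitting mitigation that MS12-006 introduces for TLS 1.0.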
A Note on Critical Infrastructure
Posted by Michael Montecillo on December 16, 2011 at 3:34 PM EST.
I was recently asked to put a few thoughts together on the state of critical information protection with regard to information security, to speak about at the Michigan Cyber Security Summit. To be fair, this was a topic that I hadn’t put a ton of thought into since I’d worked for the State of Michigan in information security. When I looked at the issue again from a threat researcher’s perspective, however, I noted two glaring issues.
The first, which I will not discuss in this post, is that our views on critical infrastructure have typically been at the macro level. However, given ever-shrinking computer technology, macro-critical infrastructure is not the only area where there is concern. Today pocket-sized computer infrastructure could mean life or death for users. These micro counterparts already play an extremely significant part in society today, and their role will only increase as new advances are made.
The second issue I noted is that the method with which critical infrastructure is designed is inherently flawed. While security professionals are continually adding new security countermeasures and expending effort trying to fix problems related to insecure design, in many arenas we are failing. In trying to determine the root cause of these design issues it became clear that the historical perspective on critical infrastructure built the foundation for vulnerabilities in the information security of critical infrastructures. This blog post aims to identify those issues and offer guidance for future discussion on resolving some of the key areas where critical infrastructure is currently struggling.
Historical Perspective did not Anticipate the Current Landscape
When the notion of critical infrastructure came into being, information was often not a primary arena of concern. Rather, the primary concern was maintaining service availability of those infrastructures. While information security was clearly a concern in other realms, as is made clear by the many data classification and data secrecy efforts of the time, the two fields were in many ways segmented. Remnants of this can be found at the core of critical infrastructure: the definition itself.
Consider the US Department of Homeland Security’s definition of critical infrastructure:
“Critical infrastructure is defined by federal law as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.’” ~DHS website (http://www.dhs.gov/files/programs/critical.shtm)
One major thing to note is that the Department of Homeland Security definition addresses “incapacitation or destruction” but fails to address “infiltration.” In a way this is logical, as it is “critical infrastructure” and not “critical information.” Therefore, it makes some sense that the primary concern would be availability of the infrastructure.
However, as computer technology continues to integrate further and further into the daily lives of the public as well as into the very fibers of critical infrastructure, information can be equally as important, if not more important, than the actual physical or logical infrastructure. In fact, the infrastructure could be entirely dependent on the information itself. Therefore, it is necessary to view critical infrastructure protection as protection of both assets and unify historically segmented efforts of critical information and infrastructure security.
Historical Perspective Creates Issues for the Current Landscape
While this certainly comes as no surprise to information security professionals, the simple fact of the matter is that the historical perspective causes a number of issues. Namely, the response to fears of incapacitation or destruction led organizations to invest in massively distributed, highly redundant infrastructures where no single point is any more or less important than the next, which creates a massive attack surface.
In terms of infiltration and information protection this means every endpoint may be equally as important as the entire infrastructure itself. It is not necessary to gain access to the top levels of the infrastructure; rather, it is only necessary to gain access to a single point. As a result, protections must be provided equally to every aspect of a critical infrastructure. In other words, the critical infrastructure protection strategy is only as strong as its weakest point.
Unfortunately, as a result of actions taken to ensure availability, the highly redundant, widely distributed networks are also often owned and operated by multiple, disparate entities. This means that multiple owners of the infrastructure with varying levels of security expertise and investment exist. The discrepancy between these owners may in itself be the most severe vulnerability in critical infrastructure today.
As a direct result, organizations with the strongest level of security (and oftentimes the highest investment) began creating and levying stringent, often complex, compliance methodologies onto other organizations who owned the infrastructure. While it is unlikely that anyone reading this blog does not recognize that compliance is not security, it must be said: “compliance is not security.”
Hung out to dry
This leaves those who view the environment from a threat perspective out to dry. On the one hand they are very aware of the infiltration vectors as well as the potential impact on critical infrastructure. On the other hand, their management may only be willing to invest in a level of security capable of meeting compliance requirements and not the challenges presented by real-world adversaries.
Even if their management were willing to invest in better protection, the reality of the situation is that segmentation and distribution of the infrastructure across multiple locations and management structures will likely limit their reach, which in the end leaves the entire critical infrastructure with a large attack surface (due to its highly distributed redundancy) and without a unified effort to secure the entire infrastructure from real-world threats.
Moving Forward
If critical infrastructure owners truly want to ensure security today, or in the future, there is a simple method to carry out this effort. Of course, the recommendation in many cases is among the dirtiest words in the infrastructure world: “redesign.”
In order to truly ensure the security of critical infrastructure it is necessary to redesign the infrastructure to be more inclusive of the specific type of security necessary for the particular environment being protected. This begins with defining critical infrastructure in a manner that is more inclusive of both information and infrastructure assets. Once the environment has been properly defined, it is necessary to prioritize the security needs of the environment according to what makes the infrastructure critical. For example, infrastructure for delivering water would likely have protection against disruption as a primary need, whereas a law enforcement information network would likely have protection against infiltration as a primary concern.
If the latter is the primary concern, then architects must recognize that traditional methodologies for vast distribution and massive amounts of redundancy could cause issues. These types of critical infrastructure should be designed to allow security professionals to gain full visibility of the infrastructure, harden each and every single point, and manage all of this from a simple, controllable hierarchy. Put simply, organizations must be able to fully manage and monitor their critical infrastructures from a simple, central logical location.
December 2011 Microsoft Super Tuesday
Posted by Shane Garrett on December 13, 2011 at 2:05 PM EST.
Microsoft has released a large number of updates this December. I wanted to highlight the Critical bulletins and to draw particular attention to the fix for the 0-day vulnerability in TTF parsing (CVE-2011-3402) that has been actively exploited in the wild.
- MS11-087: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
In November it was determined that the installer for the Duqu malware was using a previously unknown vulnerability in Windows’ TrueType Font (TTF) parser to execute its installer at a privileged level. Microsoft had previously released a “Fix it” to resolve the vulnerability and is including the fix in this month’s update. TTF vulnerabilities expose a large attack surface: in addition to often being embedded in documents such as Microsoft Word files, fonts can also be embedded in web pages. If you have not already applied the Fix it, you should immediately apply this update.
- MS11-092: Vulnerability in Windows Media Could Allow Remote Code Execution
A critical, privately reported vulnerability in the processing of Microsoft Digital Video Recording (.dvr-ms) files was fixed in this update. The vulnerability in the encdec.dll module could allow a specially crafted .dvr-ms file to run attacker-supplied code in the context of the current user. The most likely attack vectors include hosting a malicious file on a web page or sending a malicious email attachment.
- MS11-090: Cumulative Security Update of ActiveX Kill Bits
One of the ActiveX controls kill-bitted this month in this Critical-rated bulletin is the subject of the privately reported CVE-2011-3396. This affected a Microsoft Time control that can be embedded in a web page. Successful exploitation of this control could result in remote code execution. A number of third-party controls were also kill-bitted in this update.
In addition to these vulnerabilities there were several updates to Office products to address vulnerabilities in OLE, Excel, PowerPoint, Word and Publisher. These should all be applied, as Office documents are common vectors for spreading malware.
Tune in to the December Blackhat Webcast
Posted by Tom Cross on December 01, 2011 at 7:45 PM EST.
I'm presenting on the December Blackhat Webcast along with Chris Valasek (presently of Accuvant). The webcast is at 1PM EST and is absolutely free. Register here.
This webcast will go over some of the more interesting security vulnerabilities that have been disclosed in 2011. We'll look at these vulnerabilities from a technical standpoint and talk about who found them, why they are interesting, how they were exploited (or why they were hard to exploit) and what kinds of lessons they teach us about where vulnerability research is going in the future.
We'll frame this discussion with quantitative data on vulnerability disclosures, exploit releases, and patching from the IBM X-Force trend report, including a preview of some of the full-year vulnerability statistics from 2011 that X-Force will publish in our next trend report in the new year. Listeners will come away with an in-depth technical understanding of the state of security vulnerabilities and exploitation at the end of 2011.