Hackin9

InfoSec News

As a follow-up to our raising the INFOCON level to yellow for MS12-020, a step not taken lightly, it was suggested that we offer a few simple things folks can do to ensure they're patched appropriately, as well as possible mitigations and detection.
Specifically, MS12-020 (bulletin article KB2671387) addresses two issues: CVE-2012-0002, a remote code execution flaw in RDP fixed by update KB2621440, and CVE-2012-0152, a denial of service in Terminal Server fixed by update KB2667402.
Which update reference you'll see on a Windows system, once installed, depends on the version of the OS you're running. Windows 7 (and Server 2008 R2) receive both updates, so you'll likely note KB2667402 alongside KB2621440, whereas a Windows XP host receives only KB2621440.
Confusing, I know, but it matters: KB2621440 is the one that closes the remote code execution hole, so that is the reference to look for on every host. Read the full MS12-020 bulletin to confirm.

The simplest step to determine if you're properly updated, using Windows 7 x64 as an example, is:
Start - All Programs - Windows Update - View update history, and look for references to KB2667402 (and KB2621440) as seen in Figure 1.


Figure 1

If on a Windows XP host, using Microsoft Update, you can opt for Start - Microsoft Update - Review your update history and ensure KB2621440 is installed.

Additionally, at the command prompt, you can use the Windows Management Instrumentation Command-line (WMIC) and issue:
wmic qfe | find "KB2621440"
or, on Windows 7:
wmic qfe | find "KB2667402"
Note that find requires the search string in double quotes; without them it reports "Parameter format not correct". If patched you'll note results as seen in Figure 2.


Figure 2
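The same check, scripted so it can be run against a list of hosts rather than clicked through one machine at a time. This is an added example, not part of the ISC diary; it picks the expected KB numbers from the OS version as described above (KB2621440 everywhere, KB2667402 additionally on Windows 7 / Server 2008 R2), and uses only Get-WmiObject and Get-HotFix, which are available on PowerShell 2.0. Remote queries go over WMI and need admin rights on the target.

```powershell
# Added example, not from the ISC diary: audit one or more Windows hosts for the
# MS12-020 updates. Expected KB numbers follow the MS12-020 bulletin:
#   KB2621440 (CVE-2012-0002, remote code execution) - every supported Windows version
#   KB2667402 (CVE-2012-0152, denial of service)     - Windows 7 / Server 2008 R2 only
# Requires admin rights on the target (remote queries use WMI over DCOM).

function Get-MS12020Status {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer
        # Win32_OperatingSystem.Version is e.g. "5.1.2600" (XP) or "6.1.7601" (7 / 2008 R2)
        $ver = [version]$os.Version

        $expected = @('KB2621440')
        if ($ver.Major -eq 6 -and $ver.Minor -eq 1) { $expected += 'KB2667402' }

        # Get-HotFix reads Win32_QuickFixEngineering, the same data 'wmic qfe' shows.
        $installed = Get-HotFix -ComputerName $computer | ForEach-Object { $_.HotFixID }

        foreach ($kb in $expected) {
            New-Object PSObject -Property @{
                ComputerName = $computer
                OS           = $os.Caption
                Update       = $kb
                Installed    = [bool]($installed -contains $kb)
            }
        }
    }
}

# Local host by default; pass -ComputerName (Get-Content hosts.txt) for a fleet check.
Get-MS12020Status | Format-Table ComputerName, OS, Update, Installed -AutoSize
```

A host that reports Installed = False for KB2621440 is the one to chase first, since that is the update for the remote code execution issue; a Windows 7 host missing only KB2667402 is exposed to the denial of service but not to CVE-2012-0002.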

Mitigation
Per the bulletin, systems that do not have RDP enabled are not at risk.
Your privileges on a given system (enterprise GPOs may prevent changes) may dictate your level of success.
Options include, aside from the obvious (PATCH):
1) Don't run RDP if you don't really need it.
Start - Run - services.msc - stop and/or disable Remote Desktop Services (Figure 3), or disable Remote Desktop via Control Panel - System - Remote settings.

Figure 3

2) Use Windows Firewall (where applicable and if enabled) to block inbound access to RDP at the host level (Figure 4).

Figure 4

3) Ensure your network security configurations don't unnecessarily allow RDP (TCP 3389) from the Internet. If you absolutely, positively must expose it, restrict it to approved source hosts, and check in with your vendor/provider accordingly.
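The host-level checks and mitigations above, as an added PowerShell example that is not part of the ISC diary. Get-RdpExposure reports whether Remote Desktop is enabled, the state of the Remote Desktop Services service, and whether anything is listening on TCP 3389; Disable-RdpAccess applies options 1 and 2; Limit-RdpAccess is a host-firewall version of option 3 for the case where RDP must stay up. The registry value fDenyTSConnections, the service name TermService, and the built-in firewall rule group "Remote Desktop" with its rule "Remote Desktop (TCP-In)" are the names on Windows 7 / Server 2008 R2 and are assumptions for other versions. Run from an elevated prompt.

```powershell
# Added example, not from the ISC diary: check a host's RDP exposure and apply the
# host-level mitigations above. Names used are those on Windows 7 / Server 2008 R2
# and are assumptions elsewhere:
#   registry value fDenyTSConnections (1 = Remote Desktop connections refused)
#   service TermService (Remote Desktop Services)
#   firewall rule group "Remote Desktop", rule "Remote Desktop (TCP-In)"
# Run from an elevated PowerShell prompt, and not over the RDP session you are
# about to shut off.

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    $svc  = Get-Service -Name TermService
    # Any TCP socket in LISTENING state on 3389, the default RDP port
    $listener = netstat -ano -p tcp | Select-String ':3389\s+\S+\s+LISTENING'
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        ServiceStatus        = $svc.Status
        StartupType          = (Get-WmiObject Win32_Service -Filter "Name='TermService'").StartMode
        ListeningOn3389      = [bool]$listener
    }
}

function Disable-RdpAccess {
    # Option 1: refuse Remote Desktop connections, then stop and disable the service.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Stop-Service -Name TermService -Force      # -Force also stops dependent services
    Set-Service  -Name TermService -StartupType Disabled
    # Option 2: turn off the built-in inbound Remote Desktop rules in Windows Firewall.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
}

function Limit-RdpAccess {
    # Option 3 at the host: keep RDP up but accept it only from approved sources,
    # given as comma-separated addresses or CIDR ranges, e.g. '10.0.0.0/8,192.0.2.50'.
    param([Parameter(Mandatory=$true)][string]$ApprovedSources)
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new "remoteip=$ApprovedSources"
}

# Run before and after applying a mitigation; ListeningOn3389 should end up False
# (or the listener should remain but the firewall rule should carry your source list).
Get-RdpExposure | Format-List
```

The listener check is the one that matters: a host can show Remote Desktop as disabled in the GUI while a GPO or a later change re-enables it, so confirm with netstat (or a port scan from another host) rather than trusting the setting alone.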

Feel free to comment with methodology related to the above that works for you and thus may help others.

Russ McRee
@holisticinfosec (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft has fixed a bug that made it impossible for about a dozen models of Skype-certified phones to log into the popular IM, VoIP and video-conferencing service.
 
Mozilla Firefox/SeaMonkey/Thunderbird 'window.fullScreen' Security Bypass Vulnerability
 
Condor Multiple Format String Vulnerabilities
 
[Announcement] ClubHack Mag - Call for Articles
 
PayPal doesn't want to handle payments for porn.
 
The new iPad on Verizon Wireless' 4G LTE network can also run on AT&T's data network when an AT&T SIM card is inserted in the Verizon device, early buyers have found.
 
The PaaS-abilities are endless. Industry analysts are saying that now is the right time for developers to look to Platform-as-a-service as a viable option.
 
Although most end users never get a clear view of the infrastructure underlying the services they consume via Amazon's Elastic Compute Cloud, Accenture Research Manager Huan Liu recently estimated that a whopping 454,400 individual blade servers are currently being used to power that product.
 
[ MDVSA-2012:030 ] systemd
 
[ MDVSA-2012:029 ] pidgin
 
VMSA-2012-0004 VMware View privilege escalation and cross-site scripting
 
AST-2012-003: Stack Buffer Overflow in HTTP Manager
 
Intel is ready to start cranking out chips for tablets, but is the chip maker moving fast enough to boost its presence in the mobile market?
 
In announcing price reductions for Office 365 this week, Microsoft said its cost of running the cloud suite has fallen and that it wants to "pass on" those savings to customers, but some analysts believe the primary drivers for the move have little to do with goodwill.
 
The state of Texas has entered into new data center contracts, worth more than $1 billion, to run its massive consolidation project.
 
Hackers who posted a barebones proof-of-concept attack for a critical Windows vulnerability may have obtained some of the code from Microsoft or one of its antivirus partners, the bug's finder said today.
 
Google on Friday morning posted a brief, apologetic message on a forum filled with angry comments from app developers who haven't been paid for sales of their Android apps.
 
1. The Senate bill called the Public Company Accounting Reform and Investor Protection Act became law under the name...
 
The FCC's proposal to kill LightSquared's planned LTE network would violate the fledgling carrier's property rights by taking away its spectrum and destroying its multibillion-dollar investment in mobile broadband, LightSquared will argue on Friday in a formal comment to the agency.
 
Sprint Nextel has terminated its 15-year spectrum-hosting agreement with LightSquared, eliminating the would-be wholesale mobile operator's main carrier partnership even as the U.S. Federal Communications Commission seeks to shut down its network plans.
 
Android is still the most attractive smartphone OS for malevolent hackers, so devices based on the platform will continue to get compromised, researchers said at Black Hat Europe.
 
VMware has made its vCloud Integration Manager available, which it says lets service providers more efficiently provision cloud networks for clients.
 
Minitube Insecure Temporary File Creation Vulnerability
 
Antimalware vendors say proof-of-concept exploit code has surfaced on several Chinese websites. Experts recommend patching Windows systems now.

 
Google Chrome Prior to 17.0.963.78 Multiple Security Vulnerabilities
 

InfoSec Institute Outlines Today's Top IT Security Threats and the Most ...
Virtual-Strategy Magazine
InfoSec Institute, the leader in Information Security training for enterprises and individuals, provides the education and best practices needed for enterprises to effectively combat security threats, mitigate risk and uphold compliance standards.

 
Google will cooperate with any investigations into allegations that it bypassed privacy settings in Apple's Safari browser, the company said, after a news report that both U.S. and E.U. officials are investigating the company.
 
As has become a custom with every major Apple product launch, die-hard fans lined up outside the company's retail stores worldwide to purchase the third-generation iPad, called the "new iPad," which went on sale on Friday morning.
 
Less than a week after Microsoft put its foot down on OnLive's virtual desktop solution for allegedly violating its licensing standards, tuCloud capitalized by releasing its own product, taking a few jabs at both OnLive and Microsoft in the process.
 
It seems like a simple question. After all, there seems to be little debate about where other C-suite officers should report. While there have been some discussions about the reporting structure for such C-level executives as the chief privacy officer and the chief compliance officer, these are relatively tame compared to the heated debate that I have witnessed and been a part of over the past few years.
 
As we feared, the MS12-020 bulletin from last Black Tuesday set off a race to find an exploit.

The last few developments in that race have increased our worries significantly. To help raise awareness and call administrators to action, we're raising our INFOCON to YELLOW for 24 hours.

Some history:

Luigi Auriemma found the problem on May 16th, 2011.
Microsoft was notified on August 24th, 2011, via TippingPoint's Zero Day Initiative.
Microsoft released bulletin MS12-020 on March 13th, 2012, crediting Luigi Auriemma, working with TippingPoint's Zero Day Initiative, for reporting the issue described in MS12-020.
Luigi Auriemma released his work on March 16th, 2012.

Luigi wrote today: "now that my proof-of-concept is out (yeah rdpclient.exe is the poc written by Microsoft in November 2011 using the example packet I sent to ZDI) I have decided to release my original advisory and proof-of-concept packet written the 16 May 2011... full-disclosure as usual :)" and he released his analysis and exploit of the vulnerability.

This is expected to speed up the bad guys' efforts significantly, and it gives those with exposed RDP services very little time to fix before it gets exploited one way or another.



The clock is ticking, please consider:

block off RDP from all sources but those you absolutely need
install the Microsoft patch



--

Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Graphical Look at Fed Infosec Performance
GovInfoSecurity.com
By Eric Chabrow, March 17, 2012. The White House Office of Management and Budget, in its yearly Federal Information Security Management Act report to Congress, gives departments and agencies mixed grades in their efforts to secure federal IT for fiscal ...

 
Virtual Computer NxTop Enterprise 4.0 conquers desktop virtualization with intuitive central management, Xen-based client hypervisor, and strong policy-based controls. Insider (registration required)
 
Virtualization is a reality in most data centers these days, but now IT executives are looking at mobile virtualization as a result of the BYOD culture. By running two instances of an operating system on a smartphone, you can relegate personal apps and services to one OS and business services to a more secure OS.
 
Will the new iPad with 4G LTE wireless service be as popular as the less expensive version that's Wi-Fi-only?
 
Samsung Electronics got a reprieve from Apple's legal onslaught in Germany on Friday, as a court in Mannheim suspended a case about Apple's slide-to-unlock feature because of questions regarding related intellectual property protection.
 

 

 
VMware View Privilege Escalation Vulnerabilities
 
VMware issued the following security advisories:
VMware View privilege escalation and cross-site scripting (VMSA-2012-0004) [1] and VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, ESXi and ESX address several security issues (VMSA-2012-0005) [2].
[1] http://www.vmware.com/security/advisories/VMSA-2012-0004.html

[2] http://www.vmware.com/security/advisories/VMSA-2012-0005.html
The following advisory has been updated:
VMware ESXi and ESX updates to third party library and ESX Service Console address several security issues (VMSA-2012-0001.1) [3]
[3] http://www.vmware.com/security/advisories/VMSA-2012-0001.html
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Hundreds lined up in Tokyo, some for a day and a half, for a chance to buy Apple's new iPad early Friday.
 
Sprint Nextel will drop its planned 15-year 4G network partnership with would-be hybrid network operator LightSquared, the Wall Street Journal reported on Thursday.
 

 
Elgato's external SSD is the first of its kind with a 10Gbps Thunderbolt port, which enables data transfers at more than three times the speed of USB. But there are drawbacks, too.
 
Those who jumped on the iPad pre-order train last week will be watching for the delivery truck, but anyone who isn't already on Apple's lengthening wait list will have to hustle if they want one today.
 
PayPal is targeting small businesses, service providers, and casual sellers on the move with its new PayPal Here service which allows vendors to process a variety of payments including checks and cards using their mobile phones.
 