Monday, April 26, 2010

Exploit Code Published for MS10-020 (KB980232)

Exploit code for MS10-020 (KB980232) has been published here.  Please read http://sharpesecurity.blogspot.com/2010/04/problems-with-microsoft-april-2010.html for all known issues with patching MS10-020, paying special attention to the information about MS10-020 and Cisco WAAS-related issues if you use that technology in your environment.


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Saturday, April 24, 2010

Problems with Microsoft April 2010 Patch MS10-020 - KB980232

In some cases, there are problems after installing Microsoft April 2010 Patch MS10-020 (KB980232).  Microsoft acknowledges that there are problems and is collecting data to determine the root cause(s).

We have seen four symptoms.  In each case, removing the KB980232 patch and rebooting the affected machine resolved the problem:

1).  Errors saving from Office 2007 applications to network shares.

2).  Not being able to read the contents of the Security tab when looking at the properties of a file on a file share.

3).  Not being able to see the file and folder "owner" column information for files in a file share.  The owner column information just shows blanks.

4).  Crashes in explorer.exe when navigating to network shares.




Microsoft is working on a fix. Hopefully we will have an ETA soon. Until then removing MS10-020/KB980232 seems to fix the problem.
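The following PowerShell script is an added example, not part of the original post or any Microsoft tooling: it inventories which hosts have KB980232 installed (the first thing you need before deciding whether to roll the patch back or, once the WAAS fix is out, leave it in place), and optionally performs the interim rollback described above on the local machine. It assumes PowerShell 2.0 or later, administrative rights, and that the listed hosts are reachable for Get-HotFix; the host names are constructed placeholders.

```powershell
# Added example (not from the original post): find hosts with KB980232 (MS10-020)
# installed and, with -Uninstall, roll it back locally as the interim workaround.
param(
    [string[]]$ComputerName = @('localhost'),   # assumption: reachable with admin rights
    [switch]$Uninstall
)

$Kb = 'KB980232'

function Test-Kb980232 {
    param([string]$Computer)
    # Get-HotFix writes a non-terminating error when the ID is absent; silence it
    # and treat an empty result as "not installed".
    $hf = Get-HotFix -Id $Kb -ComputerName $Computer -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Computer    = $Computer
        Installed   = [bool]$hf
        InstalledOn = $(if ($hf) { $hf.InstalledOn } else { $null })
    }
}

function Remove-Kb980232 {
    # Runs on the local machine only. Vista/7/2008 remove updates with wusa.exe;
    # XP/2003 keep a per-hotfix spuninst.exe under %windir%\$NtUninstallKBnnnnnn$.
    # Both are invoked quietly with no automatic restart; reboot afterwards.
    $xpUninst = Join-Path $env:windir "`$NtUninstall$Kb`$\spuninst\spuninst.exe"
    if (Test-Path $xpUninst) {
        $p = Start-Process -FilePath $xpUninst -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    } else {
        $wusa = Join-Path $env:windir 'System32\wusa.exe'
        $p = Start-Process -FilePath $wusa -ArgumentList '/uninstall', '/kb:980232', '/quiet', '/norestart' -Wait -PassThru
    }
    $p.ExitCode   # 0 = removed, 3010 = removed and reboot required
}

$results = foreach ($c in $ComputerName) { Test-Kb980232 -Computer $c }
$results | Format-Table Computer, Installed, InstalledOn -AutoSize

$localHasIt = $results | Where-Object { $_.Computer -eq 'localhost' -and $_.Installed }
if ($Uninstall -and $localHasIt) {
    $rc = Remove-Kb980232
    Write-Host "Uninstall exit code: $rc (3010 means a reboot is still needed)"
}
```

Run it as `.\Check-KB980232.ps1 -ComputerName fs01, fs02, ws-alice` to build the inventory, and add `-Uninstall` only on a machine showing the symptoms above; the rollback is deliberately local so a typo in the host list cannot strip the patch fleet-wide.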

UPDATE (26 April 2010):  It turns out this is a bug in Cisco WAAS (Wide Area Application Services).  You need to upgrade your Cisco WAAS 4.0.x and 4.1.x installations to a patched version.

From Cisco:
File Save/Save As Issues After Installing Microsoft Patch (KB980232)


Symptom:

When using the new Windows patch (MS10-020 KB980232), the file save/save-as operation may not be successful when WAAS CIFS optimization is turned on. A popup message indicating "There has been a network or file permission error. The network connection may be lost" is generated by the client.

Conditions:

Installation of Microsoft patch (MS10-020 KB980232) to Windows clients

Applies to all 4.0.X and 4.1.X releases

Workaround:

1. Using the new Windows patch: If the customer has installed (or wishes to install) the Windows patch and wants to keep the patch in place, turn the WAAS CIFS optimizations off. Once the new WAAS software is available and deployed, CIFS optimizations can be turned on again.

2. Deploying the Windows patch MS10-020 after the relevant WAAS S/W update is available: After reviewing the patch notes from Microsoft, customers may choose to apply the Windows patch after the updated WAAS software is available.

References:
http://www.cisco.com/en/US/ts/fn/633/fn63320.html
https://supportforums.cisco.com/message/3060183
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v415/release/notes/ws415xrn.html#wp85418



Tuesday, April 20, 2010

GDI Object Leak Still Present in Adobe Reader 9.3.2 Release

The GDI object leak problem described here is still present in Adobe Reader 9.3.2.

Hopefully Adobe will provide a fix soon. People affected by this bug cannot upgrade their Adobe Reader instances to either the newest version of 8.x or 9.x until this gets fixed.


Tuesday, April 13, 2010

You Really, Really Should Upgrade Adobe Reader

I am analyzing a Windows RAM dump now where a machine running a version of Adobe Reader that is long off vendor support - version 6.x - got compromised by navigating to a website serving up malicious PDF content from an installation of the YES Exploit Kit.

Many of the commonly available commercial exploit toolkits include robust and reliable working exploits for unpatched Adobe Reader util.printf, Collab.collectEmailInfo, and Collab.getIcon vulnerabilities. Soon I will translate a number of the top exploit kits' exploit lists to English and publish those here to back up my point. For now please take my word for it.

You really, really should be patching Adobe Reader. You really, really should also be actively managing the software lifecycle of Adobe Reader to make sure the versions you have installed on your Windows client machines are patchable (8.x and 9.x only). Just because Adobe stops supporting a version of Adobe Reader doesn't mean those older versions aren't getting exploited. The machine I described in the first paragraph got exploited through an unpatched Adobe Reader 6.x installation, and ended up with a ZeuS/Zbot infection. For over a year now, we have seen malicious PDFs being one of the top types of attacks coming at us.
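As an added example of the lifecycle check this paragraph argues for (this is not the post's own tooling or Adobe's), the PowerShell script below reads the Uninstall registry keys on a Windows client, lists every Adobe Reader install it finds, and flags any version outside the 8.x/9.x branches that the post says are still patchable. It assumes PowerShell 2.0 or later and that Reader registers itself under the standard Uninstall keys (the Wow6432Node path covers 32-bit Reader on 64-bit Windows); the 8.x/9.x cutoff is taken from the post, not from a live Adobe support table.

```powershell
# Added example (not from the original post): inventory Adobe Reader versions
# from the registry and flag installs that are no longer patchable.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-AdobeReaderInstall {
    foreach ($root in $UninstallKeys) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like 'Adobe Reader*') {
                # DisplayVersion looks like "9.3.2" or "6.0.1"; cast to [version]
                # so 10.x would not sort below 9.x as a string would.
                $v = $null
                try { $v = [version]$p.DisplayVersion } catch { }
                New-Object PSObject -Property @{
                    DisplayName = $p.DisplayName
                    Version     = $v
                    # Assumption (from the post): only 8.x and 9.x still receive Adobe patches.
                    Patchable   = ($v -ne $null) -and ($v.Major -ge 8) -and ($v.Major -le 9)
                    Key         = $_.PSChildName
                }
            }
        }
    }
}

$installs = @(Get-AdobeReaderInstall)
if ($installs.Count -eq 0) {
    Write-Host 'No Adobe Reader installation found.'
} else {
    $installs | Sort-Object Version | Format-Table DisplayName, Version, Patchable, Key -AutoSize
    $bad = @($installs | Where-Object { -not $_.Patchable })
    if ($bad.Count -gt 0) {
        $names = ($bad | ForEach-Object { $_.DisplayName }) -join ', '
        Write-Warning ("{0} unsupported Adobe Reader install(s) need replacing: {1}" -f $bad.Count, $names)
    }
}
```

Pushed out through your usual remote-execution channel and collected centrally, the `Patchable = False` rows are exactly the machines (like the 6.x host in the first paragraph) that no amount of "patching" will protect until the old Reader is removed and a current branch installed.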

We have upgraded many thousands of Adobe Reader instances with our packaged upgrade solutions. If you need help getting started doing that yourself, please contact us at sales @ sharpesecurity.com.



MoonSol's new Windows Memory Toolkit

I just stumbled across Matthieu Suiche's new website and his Windows Memory Toolkit. The free version of that toolkit includes a utility to convert Windows RAM dumps from all current versions of 32-bit Windows to crash dump format for use with windbg/kd. Very cool! It is also very cool that 32-bit support is free!

Given the various problems each of the free and commercial vendors are having in the Windows RAM dump analysis space, Windbg plus custom extensions might be the way to go for the future for Windows RAM dump analysis for incident response and malware analysis.

I wish Matthieu all the best with his new business venture, and I look forward to seeing what other innovations are forthcoming from him at MoonSol.



Friday, April 2, 2010

Poke in the Eye to SANS and CISSPs in Defcon 18 CTF Announcement

From the Defcon 18 CTF contest announcement at https://forum.defcon.org/showthread.php?p=112359#post112359:

"This isn't CTF like your mama used to make. Level 1 questions make CISSPs turn red, Level 2 make SANS Fellows cry in frustration, Level 3 are typically only answerable by sheep of above average barnyard intelligence, you get the idea."

and

"Those with SANS certs need not apply. CISSPs are right out".

Two things spring to mind:

1). The organization putting on Defcon 18's CTF is "Defense Diutinus Technologies Corp (ddtek)". My understanding is that ddtek is really Chris Eagle's Naval Postgraduate School CTF team. The Naval Postgraduate School team are the ones that have dominated Defcon CTF the past few years by being extremely bright and capable, but also by sending 25+ person teams to help overwhelm the competition with their sheer numbers when other teams are sending around 8 people each.
2). Defcon is run by Black Hat. Those expensive pre-conference Black Hat training courses are for beginners just like SANS' courses. SANS training and certifications do have their place - for those new to security or wanting an introduction to a topic. There are a lot of people who have CISSPs and SANS training and certifications maintaining and defending the same networks that "ddtek" employees and graduates work on.

So Naval Post Graduate/ddtek, please don't insult those folks. We need everyone from the elite people that you train down through the rank and file feeling respected, happy, and productive.


