SANS ISC InfoSec Handlers Diary Blog

Why We Rated the MS12-020 Issue with RDP "Patch Now"

Published: 2012-03-13
Last Updated: 2012-03-13 20:17:26 UTC
by Lenny Zeltser (Version: 1)
17 comment(s)

Microsoft's March 2012 "Black Tuesday" announcement included the MS12-020 patch, which fixes a vulnerability in Microsoft's implementation of RDP. This vulnerability (CVE-2012-0002) could allow a remote unauthenticated attacker to execute arbitrary code on the affected system. Microsoft labeled this issue "Critical" and we assigned it our highest severity label "Patch Now" for servers. Here's why:

  • The CVE-2012-0002 vulnerability applies to most flavors of Microsoft Windows.
  • It can be exploited over the network.
  • Companies often make RDP accessible on the standard TCP port 3389 from the Internet for remote access to servers and sometimes workstations.

These factors make it very attractive for attackers to reverse-engineer Microsoft's MS12-020 patch, understand the details of the bug and craft an exploit. This will likely happen sooner than 30 days. The universal applicability of the exploit and its targetability over the Internet and internal networks might motivate the creation of auto-propagating worms to capture systems quickly and efficiently.

For these reasons, we recommend applying the MS12-020 patch as quickly as practical in your environment. Until you install the patch, consider moving your RDP listeners to non-standard ports. You should also explore the applicability of Microsoft's advice to enable Remote Desktop’s Network Level Authentication (NLA). This will mitigate the problem: "On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability."
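The following PowerShell script is an added example, not part of the ISC diary or Microsoft's guidance. It audits the two mitigations named above on a single Windows host (whether KB2671387 is present, which port the RDP-Tcp listener uses and whether NLA is required) and optionally applies them. It assumes an elevated session on the host itself, the default RDP-Tcp listener, and that the $NewPort value is a placeholder you choose; the registry values it reads (PortNumber, UserAuthentication, SecurityLayer, fDenyTSConnections) are the documented Terminal Server settings.

```powershell
# Added example (not from the ISC diary): audit and optionally harden the RDP
# listener while the MS12-020 fix (KB2671387) is being rolled out.
# Assumptions: elevated PowerShell on the host itself; default RDP-Tcp listener;
# $NewPort is a placeholder port you pick (0 leaves the port unchanged).
param(
    [int]$NewPort = 0,      # e.g. 33890; 0 = do not change the listener port
    [switch]$RequireNla     # set UserAuthentication = 1 (NLA required)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is the MS12-020 fix already installed?
$fix = Get-HotFix -Id 'KB2671387' -ErrorAction SilentlyContinue
if ($fix) { Write-Host "KB2671387 installed on $($fix.InstalledOn)" }
else      { Write-Warning 'KB2671387 (MS12-020) is NOT installed on this host' }

# 2. Is Remote Desktop enabled at all? (fDenyTSConnections 1 = disabled)
$ts = Get-ItemProperty -Path $tsKey
Write-Host "Remote Desktop enabled : $($ts.fDenyTSConnections -eq 0)"

# 3. Current listener settings
$cur = Get-ItemProperty -Path $rdpKey
Write-Host "Listener TCP port      : $($cur.PortNumber)"
Write-Host "NLA required           : $($cur.UserAuthentication -eq 1)"
Write-Host "SecurityLayer          : $($cur.SecurityLayer)  (0=RDP, 1=negotiate, 2=TLS)"

# 4. Require NLA: an attacker must authenticate before the vulnerable code path
#    is reachable. Clients without CredSSP (e.g. unmodified XP) will be locked out.
if ($RequireNla -and $cur.UserAuthentication -ne 1) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA is now required for new connections'
}

# 5. Move the listener off TCP 3389. This only reduces exposure to scanners that
#    look at the default port; it is not a substitute for the patch.
if ($NewPort -gt 0 -and $NewPort -ne $cur.PortNumber) {
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord
    # open the new port in Windows Firewall (Vista / 2008 and later)
    netsh advfirewall firewall add rule name="Remote Desktop (TCP $NewPort)" `
        dir=in action=allow protocol=TCP localport=$NewPort | Out-Null
    Write-Warning "RDP port set to $NewPort; restart the 'Remote Desktop Services' service or reboot for it to take effect"
}
```

Run it with no arguments first to see the current state, then with `-RequireNla` and/or `-NewPort 33890` to apply the changes. Note that enabling NLA changes which clients can connect at all, so test it against the remote-access tools your administrators actually use before rolling it out across a server estate.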

------
Lenny Zeltser
zeltser.com
@lennyzeltser


March 2012 Microsoft Black Tuesday

Published: 2012-03-13
Last Updated: 2012-03-13 20:10:36 UTC
by Lenny Zeltser (Version: 1)
2 comment(s)

Overview of the March 2012 Microsoft patches and their status.

#        | Affected                                                                                      | Contra Indications - KB                  | Known Exploits | Microsoft rating(**)                          | ISC rating(*) clients | ISC rating(*) servers
---------|-----------------------------------------------------------------------------------------------|------------------------------------------|----------------|-----------------------------------------------|-----------------------|----------------------
MS12-017 | Vulnerability in DNS Server Could Allow Denial of Service (DNS Server)                        | CVE-2012-0006, KB 2647170                | No             | Severity: Important; Exploitability: Likely    | N/A                   | Important
MS12-018 | Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Kernel-Mode Drivers) | CVE-2012-0157, KB 2641653        | No             | Severity: Important; Exploitability: Difficult | Important             | Important
MS12-019 | Vulnerability in DirectWrite Could Allow Denial of Service (DirectWrite)                      | CVE-2012-0156, KB 2665364                | No             | Severity: Important; Exploitability: Unknown   | Important             | Less Urgent
MS12-020 | Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (Remote Desktop)          | CVE-2012-0002, CVE-2012-0152, KB 2671387 | No             | Severity: Critical; Exploitability: Likely     | Critical              | PATCH NOW
MS12-021 | Vulnerability in Visual Studio Could Allow Elevation of Privilege (Visual Studio)             | CVE-2012-0008, KB 2651019                | No             | Severity: Important; Exploitability: Likely    | Important             | N/A
MS12-022 | Vulnerability in Expression Design Could Allow Remote Code Execution (Expression Design)      | CVE-2012-0016, KB 2651018                | No             | Severity: Important; Exploitability: Likely    | Important             | N/A
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all the ratings Microsoft assigns, because Microsoft assigns too many separate exploitability ratings to some patches to list them all.

------
Lenny Zeltser
zeltser.com
@lennyzeltser

Keywords: black tuesday

Please transfer this email to your CEO or appropriate person, thanks

Published: 2012-03-13
Last Updated: 2012-03-13 03:54:59 UTC
by Lenny Zeltser (Version: 1)
2 comment(s)

The following domain name registration scam has been making the rounds for at least a couple of years. Its longevity suggests that it remains effective at separating the victims from their money. The scam's email messages usually begin with the phrase:

"(It's very urgent, Please transfer this email to your CEO or appropriate person, thanks)"

The message is typically addressed to the generic title of CEO, President or Principal without specifying the person's name. It claims to come from a Chinese domain registration organization and states that some company is trying to register Asian versions of the domain name associated with the recipient's company, in TLDs such as:

.asia, .cn, .co.in, .com.cn, .com.hk, .com.tw, .hk, .in, .net.cn, .org.cn, .tw

The text urges the recipient to contact the sender to protect this domain from the alleged impostor. Here's a sample:

"After our initial checking, we have found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If you have not, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for 'Arub Asia Investment Ltd'."

The sender signs off with "Best Regards" and includes an email signature block that usually looks like this:

"Best Regards,
Charles Chen
Tel:+86-5515223114    Fax:+86-5515223113
No.1688 Taihu Road,Baohe District,Hefei,Anhui,China"

The text of the email message is mostly the same as it was when we saw this scam in 2010, though the sender's name, company association, domain name and address details are different.

Blogger Michael Lerner described his email interactions with the company sending such email messages in 2010, which confirmed that the scammers' goal was to convince the victim into registering the domain names in question through their company. Here's an excerpt from a response to Michael's correspondence:

"If you think his registration will confuse your clients and harm your profits, we can send an application document to you and help you register these domains within our approving period. This is a better way to prevent domain name dispute"

The most recent variant we've seen asked the sender to respond to "charles.chen@dnsip-net.com.cn". The website residing at that domain claims to belong to a "comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service, network promotion service, etc." The organization's website includes the slogan "The Better Network, The Better Solutions." Searching for this slogan reveals lots of websites with nearly identical text and similar design.

If you analysed this old, yet still widespread scam, or if you have additional details to share regarding it, please contact us.
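As an added example (not part of this diary), the PowerShell function below turns the textual indicators described above into a simple scoring rule a mail gateway or help desk could apply: the "transfer this email to your CEO" opener, the generic CEO/President/Principal salutation, the claim to be a domain registration organization, the list of Asian TLDs, the "within N workdays" deadline and the "unconditionally finish the registration" threat. The indicator weights and the threshold of 6 are this example's own choices, not an ISC recommendation, and the sample message is constructed from the excerpts quoted in the diary.

```powershell
# Added example (not from the ISC diary): score a message against the
# indicators of the "transfer this email to your CEO" domain registration scam.
# Assumptions: $Subject and $Body are plain text already extracted from the
# message; weights and the threshold are arbitrary choices for illustration.
function Get-DomainScamScore {
    param([string]$Subject, [string]$Body)

    $text = "$Subject`n$Body"
    $indicators = @(
        @{ Name = 'urgent-forward-to-CEO'; Weight = 4
           Pattern = 'transfer this e-?mail to your CEO' },
        @{ Name = 'generic-salutation';    Weight = 2
           Pattern = '(?im)^\s*(dear\s+)?(CEO|President|Principal)\b' },
        @{ Name = 'registration-org';      Weight = 1
           Pattern = '(?i)(domain|internet)\s+(name\s+)?registration' },
        @{ Name = 'asian-tld-list';        Weight = 1
           Pattern = '(?i)\.(asia|cn|co\.in|com\.cn|com\.hk|com\.tw|hk|in|net\.cn|org\.cn|tw)\b' },
        @{ Name = 'deadline-workdays';     Weight = 2
           Pattern = '(?i)within\s+\d+\s+workdays' },
        @{ Name = 'unconditional-finish';  Weight = 3
           Pattern = '(?i)unconditionally finish the registration' }
    )

    $score = 0
    $hits  = @()
    foreach ($i in $indicators) {
        if ($text -match $i.Pattern) {
            $score += $i.Weight
            $hits  += $i.Name
        }
    }

    New-Object PSObject -Property @{
        Score      = $score
        Hits       = ($hits -join ', ')
        Suspicious = ($score -ge 6)   # threshold chosen for this example
    }
}

# Constructed sample built from the phrases quoted in the diary (not a real message).
$sampleSubject = 'Domain name registration - please confirm'
$sampleBody = @"
(It's very urgent, Please transfer this email to your CEO or appropriate person, thanks)
Dear CEO,
We are a domain name registration organization in China. Recently a company
applied to register the names of your company in .asia, .cn, .com.cn and .hk.
If you have not authorized this, please let us know within 7 workdays.
Out of the time limit we will unconditionally finish the registration for them.
Best Regards,
Example Sender
"@

Get-DomainScamScore -Subject $sampleSubject -Body $sampleBody | Format-List
```

Run against the constructed sample, the function reports all six indicators and a score of 13, well above the threshold; a legitimate registrar notice about a single domain typically trips only the "registration-org" or "asian-tld-list" indicator and stays below it. Tune the weights on your own mail corpus before using the score to quarantine anything, since the individual indicators are weak on their own.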

-- Lenny Zeltser

zeltser.com
@lennyzeltser

Keywords: domain name scam