Last Updated: 2011-04-15 12:10:35 UTC
by Jim Clausing (Version: 4)
Here are the April 2011 Black Tuesday patches. Enjoy!
Overview of the April 2011 Microsoft Patches and their status.
| # | Title | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) client | ISC rating(*) server |
|---|---|---|---|---|---|---|---|
| MS11-018 | Cumulative Security Update for Internet Explorer (Replaces MS11-003) | Internet Explorer 6-8 | KB 2497640 | ACTIVELY EXPLOITED. | Severity: Critical | | |
| MS11-019 | Vulnerabilities in SMB Client Could Allow Remote Code Execution (Replaces MS10-020) | | KB 2511455 | POC Available. | Severity: Critical | | |
| MS11-020 | Vulnerability in SMB Server Could Allow Remote Code Execution (Replaces MS10-012, MS10-054) | | KB 2508429 | No Known Exploits. | Severity: Critical | PATCH NOW! | PATCH NOW! |
| MS11-021 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS10-080, MS10-087) | Office XP SP3-2010, Office 2004-2011 for Mac, Open XML File Format Converter, Excel Viewer SP2, Office Compatibility Pack for 2007 file formats | KB 2489279 | No Known Exploits. | Severity: Important | | |
| MS11-022 | Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (Replaces MS09-017, MS10-036, MS10-087, MS10-088) | | KB 2489283 | No Known Exploits. | Severity: Important | | |
| MS11-023 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS10-087) | Office XP - 2007, Office 2004 - 2008 for Mac, Open XML File Format Converter | KB 2489293 | POC Available. | Severity: Important | | |
| MS11-024 | Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution | Fax Services, Fax Server Role | KB 2527308 | POC Available. | Severity: Important | | |
| MS11-025 | Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution | Visual Studio .NET 2003 - 2010, Visual C++ 2005 - 2010 Redistributable Package | KB 2500212 | No Known Exploits. | Severity: Important | | |
| MS11-026 | Vulnerability in MHTML Could Allow Information Disclosure | | KB 2503658 | ACTIVELY EXPLOITED. | Severity: Important | | |
| MS11-027 | Cumulative Security Update of ActiveX Kill Bits (Replaces MS10-034) | Windows XP - 7, Server 2003-2008 | KB 2508272 | POC Available. | Severity: Critical | | |
| MS11-028 | Vulnerability in .NET Framework Could Allow Remote Code Execution (Replaces MS09-061, MS10-060, MS10-077) | .NET Framework (all supported versions) | KB 2484015 | No Known Exploits. | Severity: Critical | | |
| MS11-029 | Vulnerability in GDI+ Could Allow Remote Code Execution (Replaces MS09-062, MS10-087) | Windows XP - Vista, Windows Server 2003-2008, Office XP | KB 2489979 | No Known Exploits. | Severity: Critical | | |
| MS11-030 | Vulnerability in DNS Resolution Could Allow Remote Code Execution (Replaces MS08-020, MS08-037, MS08-066) | Windows XP - 7, Windows Server 2008 | KB 2509553 | No Known Exploits. | Severity: Critical | | |
| MS11-031 | Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (Replaces MS09-045, MS10-022, MS11-009) | OpenType Compact Font Format (CFF) driver | KB 2514666 | No Known Exploits. | Severity: Critical | | |
| MS11-032 | Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (Replaces MS11-007) | OpenType Compact Font Format (CFF) driver | KB 2507618 | No Known Exploits. | Severity: Critical | | |
| MS11-033 | Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (Replaces MS10-067) | | KB 2485663 | No Known Exploits. | Severity: Important | | |
| MS11-034 | Elevation of Privilege Vulnerabilities in Windows Kernel-Mode Drivers (Replaces MS10-012) | Kernel Mode Drivers | KB 2506223 | No Known Exploits. | Severity: Important | | |
Exploitability: 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 ,1 , 1 , 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 3, 1, 1, 1, 1
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
SANS SEC401 coming to central OH in May, see http://www.sans.org/mentor/details.php?nid=24678
Last Updated: 2011-04-11 22:33:13 UTC
by Johannes Ullrich (Version: 1)
Adobe announced that a so far unpatched vulnerability has been used in recent targeted attacks.
Flash Player 10.2.153.1 is vulnerable, as is the Flash Player component used to execute Flash in Adobe Reader / Acrobat. Adobe Reader X is vulnerable but not exploitable.
At this time, according to Adobe, the attack is performed using Flash files embedded in Word documents.
Note that Flash may be embedded in other Office document formats like Excel. Adobe is not planning on an out of band patch at this point, as Adobe Reader X is not exploitable.
Last Updated: 2011-04-11 18:28:18 UTC
by Johannes Ullrich (Version: 1)
IPv6, just like IPv4, is a Layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile breeding ground for attacks. Layer 2 protocols like Ethernet do not address these security issues and are built to be lightweight rather than secure. The assumption is that physical access to the network is restricted, and that physical access controls can therefore be used to mitigate most Layer 2 risks.
Of course, this hasn't been true for most networks. Wireless access, access to unsecured network jacks in public areas and even remote access via compromised hosts inside the network have been shown to provide access to layer 2. 802.1x is probably the best option to mitigate most of these threats, but even 802.1x will not protect you from a compromised authenticated workstation, and 802.1x can be difficult to implement in many scenarios.
So how does this all apply to IPv6? One of the big changes in IPv6 is that ARP is replaced with the Neighbor Discovery Protocol (NDP). NDP is based on ICMPv6. In addition, Router Advertisements (RA) are used to configure hosts.
Probably the most important thing to understand: by default, neither NDP nor RA prevents any of the attacks we have seen against ARP or DHCP. Just as for ARP and DHCP, we need to be able to detect and mitigate spoofing.
By default, NDP messages are not authenticated, just like ARP is not authenticated. In its simplest form, NDP can be used to impersonate a legitimate host on the local network to play man in the middle (MITM). MITM attacks work and can be applied just as with IPv4.
Variations of the attack can be used for denial of service as well. Just like an IPv4 host, an IPv6 host will check whether the address it is about to use is already in use. By simply responding to these checks (the equivalent of "gratuitous ARP" in IPv4), an attacker is able to prevent a host from obtaining an address.
The RA protocol replaces DHCP in many cases and can be used to assign IP addresses. Spoofing router advertisements can help with MITM attacks, as the attacker is now pretending to be a router. In a regular IPv6 network, this may only be partially successful, as the rogue router is competing with legitimate routers. But by assigning itself a high priority and creating a DoS against the legitimate router, the attacker has a decent chance of succeeding.
Recently (see a few diaries back), this attack was demonstrated against IPv4 networks by combining it with NAT-PT and the preference of current operating systems to route over IPv6 if both IPv4 and IPv6 are available.
Of course, if you just spoof random RAs, you will be able to mess up hosts sufficiently that they stop responding at all.
There is probably at least one tweet/slashdot/digg "event" a day advertising a new tool to implement these attacks. To save yourself some time: check out the THC IPv6 attack library. It already implements a lot of these tools, including a nice library to implement more. Implementing the same tools again in Scapy gets you some Python brownie points, though.
For the IPv4 versions of these attacks, many vendors implemented defenses, and there are open source tools like arpwatch to help you detect these attacks. In addition, we have just gotten used to watching out for these attacks and a reasonably skilled network admin is usually able to spot ARP spoofing.
For IPv6, we are a bit behind the curve when it comes to defenses. RFC 6105 outlines a mechanism called "RA Guard" that can be used to identify legitimate routers and only allow RA messages from switch ports connected to authorized routers, just like we are used to when configuring DHCP Snooping.
RFC 3971 defines a mechanism called "SEND" (Secure Neighbor Discovery), which uses PKI to sign ND messages. In addition, cryptographically generated addresses (CGA) are used to avoid spoofing on the local network. However, this protocol is not yet widely implemented, and the overhead associated with it can cause DoS conditions itself.
Unlike ARP messages, ICMPv6 messages could in principle be routed. However, a host is not supposed to accept any ND or RA message with a Hop Limit (the IPv6 equivalent of TTL) of less than 255, since any forwarded packet would arrive with a smaller value.
Layer 2 defense is not easy, in particular when it comes to defending against DoS. The best thing you can probably do is to know what is supposed to be on your network, and to be able to quickly detect and disconnect misbehaving hosts.
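As an added example (not code from the original diary or from the THC library), the following parser applies the two defensive checks discussed above, the Hop Limit of 255 that hosts should enforce on ND/RA messages and an arpwatch-style allow-list of authorized routers, to raw Ethernet/IPv6/ICMPv6 frames. The router allow-list, the MAC addresses and the sample frames are all constructed for this example.

```python
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ICMPV6_RA = 134

# Hypothetical allow-list: link-local address -> MAC of each router authorized on this segment.
KNOWN_ROUTERS = {"fe80::1": "00:11:22:33:44:01"}


def parse_nd(frame: bytes):
    """Return (src_mac, src_ip, hop_limit, icmp_type) for an ICMPv6 ND frame, else None."""
    if len(frame) < 14 + 40 + 4:          # Ethernet + IPv6 header + ICMPv6 type/code/checksum
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x86DD:   # EtherType must be IPv6
        return None
    ip6 = frame[14:54]
    next_header, hop_limit = ip6[6], ip6[7]
    if next_header != 58:                 # 58 = ICMPv6
        return None
    icmp_type = frame[54]
    if icmp_type not in ND_TYPES:
        return None
    src_ip = ipaddress.IPv6Address(ip6[8:24]).compressed
    return src_mac, src_ip, hop_limit, icmp_type


def check_nd(frame: bytes) -> list:
    """Hop Limit must be 255 (RFC 4861) and RAs must come from a known router; returns alert strings."""
    parsed = parse_nd(frame)
    if parsed is None:
        return []
    src_mac, src_ip, hop_limit, icmp_type = parsed
    alerts = []
    if hop_limit != 255:
        alerts.append(f"{ND_TYPES[icmp_type]} from {src_ip} with hop limit {hop_limit}: forwarded or forged, drop")
    if icmp_type == ICMPV6_RA and KNOWN_ROUTERS.get(src_ip) != src_mac:
        alerts.append(f"RA from unauthorized source {src_ip} ({src_mac}): possible rogue router")
    return alerts


def build_frame(src_mac: str, src_ip: str, hop_limit: int, icmp_type: int) -> bytes:
    """Constructed sample frame to ff02::1 (ICMPv6 checksum left zero; enough for header parsing)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    icmp = bytes([icmp_type, 0]) + b"\x00\x00" + b"\x00" * 4      # type, code, checksum, reserved
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return b"\x33\x33\x00\x00\x00\x01" + mac + b"\x86\xdd" + ip6 + icmp
```

A legitimate RA from fe80::1 passes silently, an RA from any other source raises the rogue-router alert, and an NA arriving with a Hop Limit of 64 is flagged as forwarded or forged.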
Last Updated: 2011-04-11 01:51:45 UTC
by Johannes Ullrich (Version: 1)
A few months ago, after the infamous "Aurora" attack, it became known that Gmail accounts were under active attack from entities in China. In response, Google added a warning banner to its Gmail accounts notifying users if someone logged into the account from China recently.
We had one user reporting such an incident, and are wondering if others have seen this warning recently. This user did use Google's two factor authentication, which is of course particularly concerning.
What security precautions do you take if you use GMail? Do you archive/delete old email? Any scripts you use for it that you could share? Do you use Google's two factor authentication?