ISSA Ireland are hosting a special event next Wednesday, the 10th of June. The event is being run in conjunction with Microsoft and will focus on the security features of the Windows platforms. There are some really good talks lined up which will prove very useful to those of you charged with securing a Windows environment. In these days of recession and cutbacks you will find out about some of the inherent security features of Windows that you can employ at little or no cost, and which may save you having to purchase third-party tools.
The talks are:
Security Improvements in Windows 7 and Windows Server 2008
How Microsoft Manages Information Security
Microsoft’s Malware Research: Conficker a Case Study
There will also be a series of lightning talks given by members on their favourite free security tools for the Windows platform.
The event will kick off at 2 p.m. and finish at 5 p.m. It will be held in the Academy Building at 42 Pearse St. More details of the location can be found on the Academy's website or on the map below. To register for the event you should go to the ISSA Ireland website.
Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October, due to an increase in attacks aimed at exploiting that vulnerability. In particular a new worm, Worm:Win32/Conficker.A, has been noted as causing a rise in the number of attacks.
Once a PC is infected, Worm:Win32/Conficker.A patches the vulnerability in memory to prevent the PC from being exploited by another worm or attacker (the MS08-067 update itself is not installed, so the machine still shows as unpatched), and also resets the system restore points to make it more difficult to recover the infected PC.
Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle. For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to.
I am obviously not the only one who thinks that, as the Internet Storm Center's Infocon has turned yellow, which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak.”
The vulnerability could allow an unauthenticated attacker to remotely run arbitrary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propagated throughout the Internet, and this vulnerability could be used in the same way. Microsoft have reported that they have seen live targeted attacks on some customer systems using this vulnerability.
It is recommended that you patch your systems ASAP. However, patches, be they from Microsoft or other vendors, bring with them inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the ones identified? Will it impact other applications and systems? If we patch we may have problems; if we don't we may have a security breach. Not the easiest of choices for an IT or Information Security professional to have to make.
I recommend you look at the following steps to mitigate the problem:
A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
Whatever solution is decided upon needs to be agreed to and signed off by senior management.
An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action, or (b) handle a compromise of your systems in spite of the steps taken.
Remember, as part of the plan, to ensure that all your backups have been running successfully and, more importantly, that you can restore from them!
Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
Communicate clearly with the user population, explaining why the patch is being deployed and asking them to report any unusual behaviour.
Ensure that all anti-virus software and signatures are up to date.
Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.
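Tracking which machines have actually received the update is the part of the plan above that most often slips, especially for remote PCs and laptops. The following PowerShell script is an added example, not part of the original post: it reports MS08-067 status for a list of hosts and lists unreachable machines explicitly rather than skipping them. It assumes WMI access to the hosts and uses the update's Knowledge Base number, 958644; the host names and report path are placeholders.

```powershell
# Added example, not from the original post. Reports MS08-067 (KB958644)
# status for a list of hosts so a rollout can be tracked and stragglers
# (e.g. laptops that have not been on the network) are listed explicitly.
# Host names and the report path below are placeholders.
param(
    [string[]]$ComputerName = @('fileserver01', 'dc01', 'laptop-jsmith'),
    [string]$HotFixId       = 'KB958644',
    [string]$ReportPath     = '.\ms08-067-status.csv'
)

function Get-HotFixStatus {
    param([string]$Computer, [string]$Id)

    # A host that does not answer is most likely a remote PC or laptop that
    # is off the corporate network: report it rather than silently skipping it.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return [pscustomobject]@{ Computer = $Computer; Status = 'Unreachable'; InstalledOn = $null; Detail = 'No ICMP reply' }
    }

    try {
        # Get-HotFix reads Win32_QuickFixEngineering over WMI on the remote host.
        $fix = Get-HotFix -Id $Id -ComputerName $Computer -ErrorAction Stop
        [pscustomobject]@{ Computer = $Computer; Status = 'Patched'; InstalledOn = $fix.InstalledOn; Detail = $fix.Description }
    } catch {
        # Get-HotFix raises an error both when the KB is genuinely absent and
        # when WMI access fails (firewall, permissions); keep the message so
        # the two cases can be told apart when reviewing the report.
        [pscustomobject]@{ Computer = $Computer; Status = 'Missing or unverified'; InstalledOn = $null; Detail = $_.Exception.Message }
    }
}

$results = foreach ($c in $ComputerName) { Get-HotFixStatus -Computer $c -Id $HotFixId }

$results | Sort-Object Status, Computer | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation

# Exit non-zero if anything is not confirmed patched, so the script can gate
# a scheduled task or a change-control checklist.
$unpatched = @($results | Where-Object { $_.Status -ne 'Patched' })
Write-Host ("{0} of {1} hosts not confirmed patched" -f $unpatched.Count, $results.Count)
if ($unpatched.Count -gt 0) { exit 1 }
```

Note that a host already infected with a worm that patches the vulnerability in memory will still appear as "Missing or unverified" here, because no update is installed; that is the correct result, as the machine needs the real update and a clean-up.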
I strongly advise, as with all patches, that you test and are satisfied that the patch does not negatively impact your environment before you deploy it. It may also be worth staying on high alert even after deploying the patch, because:
Other new vulnerabilities could still be found in this feature of Windows.
Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.
Microsoft has released the latest service pack for Windows XP. Service Pack 3 includes all the updates and hot-fixes released since Service Pack 2 and also a number of new security features, most notably:
“Black Hole” Router Detection, whereby Windows XP will now by default detect routers that silently discard packets.
Network Access Protection (NAP) client support, which is currently in Windows Vista and Windows Server 2008 and is now also available for Windows XP. NAP can enable you to enforce compliance on end user computers before they join the network, ensuring that items such as anti-virus signatures and patches are up to date.
It will be interesting to see how organisations manage to deploy Service Pack 3 and in particular how many will roll out NAP to better secure their environment. Given that many organisations are still running Windows XP, and that Service Pack 3 will no doubt extend the life of XP in those environments, this may be the shot in the arm that end point policy enforcement solutions need.
I also wait to see how third party vendors of NAC solutions react to this development and whether they will decide to compete head on or complement their own solutions with NAP.
Microsoft Windows XP Service Pack 3 is available for download and comes in at 316 MB. The release notes for the service pack are also available.
The Microsoft Security Response Centre has just released an advisory alerting us to targeted attacks using an unpatched vulnerability that affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac.
Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007 and Microsoft Excel 2008 for Mac are not affected. This vulnerability is being actively exploited at the moment in attacks targeting specific organisations. That is not to say, however, that a more widespread attack could not happen.
If you cannot upgrade your systems to the non-affected versions, it may be prudent to block incoming e-mails carrying Excel attachments, and Internet downloads of Excel files, at your network boundary until more details emerge and/or Microsoft release a patch.
The advisory also contains a number of suggested workarounds.
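A block on Excel files is only as good as the gateway's ability to recognise one: a rule keyed on the .xls extension is defeated by renaming the attachment. As an added example (not part of the original post or the advisory), the PowerShell below identifies workbooks by their content instead. The affected Excel 2000/2002/2003 builds open the binary .xls format, which is an OLE2 compound document, so every OLE2 file is flagged for quarantine; Office Open XML workbooks are identified too, for the report. The attachment folder path is a placeholder.

```powershell
# Added example, not from the original post. Identifies Excel workbooks by
# their content so a perimeter block on Excel attachments cannot be bypassed
# by renaming the file. The folder path at the bottom is a placeholder.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeFileKind {
    param([Parameter(Mandatory)][string]$Path)

    $header = New-Object byte[] 8
    $stream = [System.IO.File]::OpenRead($Path)
    try { $read = $stream.Read($header, 0, $header.Length) } finally { $stream.Close() }
    if ($read -lt 4) { return 'unknown' }

    # Legacy binary Office files (.xls, .doc, .ppt) are OLE2 compound documents
    # and start with D0 CF 11 E0 A1 B1 1A E1. The affected Excel 2000/2002/2003
    # builds open this format natively, so treat every OLE2 file as suspect.
    if ($read -eq 8 -and [System.BitConverter]::ToString($header) -eq 'D0-CF-11-E0-A1-B1-1A-E1') {
        return 'ole2-binary-office'
    }

    # Office Open XML (.xlsx, Excel 2007) is a ZIP archive; a workbook carries
    # xl/workbook.xml. Excel 2007 is not affected, but record it for the report.
    if ($header[0] -eq 0x50 -and $header[1] -eq 0x4B -and $header[2] -eq 0x03 -and $header[3] -eq 0x04) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            if ($zip.Entries | Where-Object { $_.FullName -eq 'xl/workbook.xml' }) { return 'ooxml-workbook' }
            return 'zip'
        } finally { $zip.Dispose() }
    }
    return 'unknown'
}

function Test-ShouldQuarantine {
    param([Parameter(Mandatory)][string]$Path)
    $kind = Get-OfficeFileKind -Path $Path
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()

    # Block on content, not on name: an .xls renamed to .txt is still an .xls.
    $block = $kind -eq 'ole2-binary-office'
    # An extension that disagrees with the content is a red flag in itself.
    $mismatch = ($kind -eq 'ole2-binary-office' -and $ext -notin '.xls', '.xlt', '.xla', '.doc', '.ppt') -or
                ($kind -eq 'ooxml-workbook'     -and $ext -notin '.xlsx', '.xlsm', '.xltx', '.xltm')

    [pscustomobject]@{ Path = $Path; Kind = $kind; Extension = $ext; Quarantine = $block; ExtensionMismatch = $mismatch }
}

# Run over an attachment drop or quarantine folder (placeholder path).
Get-ChildItem -Path 'C:\MailGateway\Attachments' -File |
    ForEach-Object { Test-ShouldQuarantine -Path $_.FullName } |
    Format-Table -AutoSize
```

Quarantining all OLE2 files is deliberately coarse: it also catches .doc and .ppt, which is the conservative choice while the vulnerability is unpatched and the exploit details are unknown. Relax the rule once Microsoft's patch is deployed.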
Seeing as it is the beginning of a New Year, I have reviewed the past year or so of the Security Watch Blog's existence and thought I would highlight the most popular posts. I picked these posts based on a combination of the number of comments on each post, the number of links to a particular post and the number of views of a post. In no particular order we have:
One of the highlights of the RSA Europe Conference was meeting with a very interesting gentleman who works for Microsoft. Simon Rose Femerling works with the Microsoft Ace Team. We had some really interesting conversations about security, including research conducted in the hotel bar at 3 a.m. to try and determine the motivation of the average consumer in buying a computer and whether or not security is one of their criteria. Needless to say that is one research paper that won’t get published.
One thing that really impressed me about Simon was his dedication and enthusiasm to improve computer security for us all while at the same time understanding the real world challenges facing businesses and system administrators.
While chatting over a few beers Simon gave me an insight into the work he and his colleagues are doing. One of the projects is now available for free from the team's blog. It is their XSSDetect tool, which runs as a Visual Studio plug-in to enable developers to detect XSS (cross-site scripting) vulnerabilities within their code.
Given that web application attacks are becoming more and more prevalent, indeed recent research shows that 70% of web attacks are at the application layer, tools like XSSDetect and the work that Simon and his colleagues are doing are becoming more and more important.
If you are working with .NET I recommend that you download the XSSDetect tool and have a look at it. It may save you a few embarrassing situations in the future. If you find any issues with it then feed it back to the Microsoft Ace Team so they can improve the tool.
Over the past few months I have been increasingly impressed by Microsoft‘s improvements in security. My impressions have not been formed or shaped by the Microsoft marketing machine but based on the people I have met who work for Microsoft. People like Simon, and those I met while keynote speaker at Microsoft Ireland’s IT Professional Security Training Event, demonstrate to me that Microsoft have people working for them that really care about security. And of course the way Microsoft release their patches is an example other vendors should be following. Anyone from Apple or Oracle should take heed.