Microsoft Warns Users Over PowerPoint Zero Day, Releases Fixit

Microsoft has warned Windows users that cyber criminals are exploiting a zero-day vulnerability using malicious PowerPoint documents.

The vulnerability affects all versions of Windows except Windows Server 2003.

Microsoft has already released a Fixit tool that neuters known PowerPoint attacks but there is a risk that new attacks may yet spring up. The fix, found here, is not available for 64-bit versions of PowerPoint run on 64-bit versions of Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2.

The exploit is a remote code execution vulnerability which means a successful attack would allow an attacker to hijack a PC after a user opens up an affected Office document, potentially opening the door for further attacks in the form of other malware then being planted, or to the theft of personal or sensitive data stored on the target machine.

In the case of a successful attack, the infiltrator would have access to the same privileges as the user which could be a significant problem for those who log on as an administrator, or those who get waylaid by a User Account Control (UAC) prompt that appears when the document is opened – Microsoft reports that a UAC prompt appears in every attack it is aware of.

While a UAC prompt appearing upon the opening of a document is not normal, many users may not be aware that is the case, again highlighting why security awareness is so important both within the business realm and among home users.

Of course it isn’t only Microsoft Office documents that pose a threat here – other files could do too if the corresponding application supports OLE (object linking and embedding) objects.

Commenting on the news, Sagie Dulce, security research engineer at Imperva said:

“This was recently discovered by iSight. They exposed a Russian hacker group they call SandWorm.

This vulnerability was used for the initial compromise. Using social engineering, this group gained initial foothold on machines, by convincing the victim to open a PowerPoint document.
The victim also had to click “allow” when opening the file, to allow malicious code to be executed.

“According to iSight: “there have been several confirmed incidents in Ukraine, Poland, Western Europe and the United States since at least 2009. NATO, the public sector and private firms in energy and telecommunications have been targeted.”

“The malware identified related to this attack is BlackEnergy. Early versions of which were used for DDoS, spam and CC theft.

Because this campaign seems to be government sponsored, the malware was probably used to download additional components after the initial exploit (and not to perform DDoS).

“Apart from the newest zero day, these attackers exploited a range of Office related exploits, dating back to 2010.”

While Mark Sparshott, EMEA director at Proofpoint highlighted how the bad guys could employ phishing techniques to get infected emails onto a target system:

“Object Linking & Embedding (OLE) is legitimately used to display parts of a file within another file, e.g. to display a chart from an Excel Spreadsheet within a PowerPoint presentation. This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

The race is on. Cybercriminals will use phishing and longlining emails containing URL links to websites hosting malicious files that exploit this vulnerability or attach the malicious file to the email itself. While Microsoft and security vendors rush to close the security hole, the best form of defence remains using the latest next generation detection technologies such as sandboxing at the email gateway to prevent the emails reaching users in the first place. Organisations not yet using advanced detection tools will need to fall back to notifying users and relying on them not to click the links and open files; unfortunately, Proofpoint’s Human Factor Report highlighted that staff click on 1 in 10 malicious links on average, so cybercriminals will see a lot of success before the security gap on this vulnerability is closed.”

Mark James, security expert at ESET made the point that the end user would need to initiate the attack in some way, thus highlighting yet again how technology can only take security so far:

“These particular attack vectors are created from a number of opportunities, either the user must be directed to an offending website or an email containing the compromised file would need to be opened. If directed to a website then an email containing a link with a promise of a reward or benefit would arrive in your inbox, which, if clicked, would present you with in this case a PowerPoint show or presentation (All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object) again containing some kind of enticing properties (celebrities are often used in these cases). If you are tempted to click and open the file you could open up the possibility of being infected by further malware.

Obviously in this case, and many other similar scenarios, the end user must initiate the means to be infected. User Account Control (UAC) will help protect you in these cases and is on by default in operating systems from Vista onwards. Users should also always be mindful of emails containing links or files even from sources they trust. It’s better to delete and ask the sender to send again than to chance being infected and opening up your whole business network to malware attack. Also, wherever possible, do not use an administrator account when working with emails. These vulnerabilities take on the same access rights as the account that executed the file, if that is full admin rights then you’re in a whole world of trouble.”

Lamar Bailey, director of security research and development at Tripwire played down the threat posed by the zero day, saying:

“This is not a major issue. The vulnerability is just an escalation of privilege issue and requires a watering hole attack and/or persuading the victim to open a file to exploit.  If a user can be convinced via email, instant message, social media, or in some manner to open a PowerPoint attachment then the attacker will gain the same user rights as the current user.

If the current user has the ability to install programs or access critical systems in the environment this could be used by attackers to gain a foothold in a network and the exploited system would be used as a base of attack.

Users should know better than to open attachments from unknown sources in email or download documents from random internet sites. A successful attack will likely spoof an email from an internal user or put a malicious file on a compromised site.”

While I agree that the issue shouldn’t be a major one for the reasons Lamar mentions, it is unfortunate that in 2014 not every user understands the need to be careful when opening emails or downloading documents, whatever their source.

Until at least a moderate appreciation of security issues is held by the population at large, such attacks will still, alas, continue to be successful for those that launch them.

MailPoet Newsletters Plugin For WordPress Vulnerable, Update Available

If you have responsibility for a corporate blog (or run your own) and it runs on WordPress and has a newsletter then I would suggest that you check how your newsletters are handled.

If you find that your blog relies upon MailPoet (a plugin that has been downloaded over 1.7 million times) then you need to be aware that a vulnerability was discovered yesterday which allows a hacker to upload just about anything to the affected site without any form of authentication being required.

Daniel Cid, CTO of Sucuri, gave the following warning in a blog post:

“If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable.”

Sucuri researchers, who kept most of the technical details to themselves for obvious reasons, said that the vulnerability allows a potential attacker to do just about anything on his victim’s website, such as sending out spam, affecting other sites on the same shared host, acting as a lure for phishing attacks and hosting malware directly.

Cid explained that:

“The basics of the vulnerability however is something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/.

It is an easy mistake to make and they used that hook (admin_init) to verify if a specific user was allowed to upload files.

However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated, thus making their theme upload functionality available to everybody.”
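The hook misuse Cid describes, shown as an added PHP illustration beside a hardened handler; this is not MailPoet’s code, and the function, action and field names are hypothetical.

```php
<?php
/*
 * Added illustration, not MailPoet's code. Function, action and field
 * names (example_*) are hypothetical; the WordPress APIs are real.
 */
require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload()

// VULNERABLE PATTERN: admin_init is not an authorisation check.
// WordPress fires it for any request that loads wp-admin bootstrap code,
// including wp-admin/admin-post.php and wp-admin/admin-ajax.php, which
// an anonymous visitor can reach. A handler hooked here therefore runs
// for unauthenticated requests unless it checks privileges itself.
function example_vulnerable_theme_upload() {
    if ( ! isset( $_POST['example_upload'] ) || empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // No is_user_logged_in(), no capability check, no nonce.
    wp_handle_upload( $_FILES['theme_zip'], array( 'test_form' => false ) );
}
add_action( 'admin_init', 'example_vulnerable_theme_upload' );

// HARDENED: hook a purpose-specific action that only fires for logged-in
// users, then verify capability and nonce explicitly and restrict the
// accepted file type. Every check is independent of which hook fired.
function example_hardened_theme_upload() {
    // 1. Authentication and authorisation; the hook alone proves nothing.
    if ( ! is_user_logged_in() || ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a nonce bound to this action
    //    (emitted with wp_nonce_field( 'example_theme_upload', 'example_nonce' )).
    check_admin_referer( 'example_theme_upload', 'example_nonce' );

    if ( empty( $_FILES['theme_zip'] ) ) {
        wp_die( 'No file supplied', '', array( 'response' => 400 ) );
    }
    // 3. Only accept a zip archive; reject anything else at the type check.
    $result = wp_handle_upload(
        $_FILES['theme_zip'],
        array(
            'test_form' => false,
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'themes.php?example_uploaded=1' ) );
    exit;
}
// admin_post_{action} runs only for authenticated requests to
// admin-post.php?action=example_theme_upload. The unauthenticated
// counterpart, admin_post_nopriv_{action}, is deliberately not registered.
add_action( 'admin_post_example_theme_upload', 'example_hardened_theme_upload' );
```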

Cid goes on to say that the research team shared their findings with the plugin author a few weeks ago and, to their credit, they responded well and issued a new patched version (2.6.7) yesterday. Unfortunately, however, the author makes little mention of the security issue, bar one line in the changelog, so it’s quite likely that a large number of users may not be aware of the pressing need to install the latest version.

If you are using the MailPoet plugin then you should check now that you have the latest version installed.

If you don’t then you can navigate to your blog’s Dashboard.

From there, click on Plugins > Update Available and look for the MailPoet plugin. Directly underneath it you will see the option to ‘upgrade now’. Click on that and follow the instructions.

Alternatively, you can find the plugin via WordPress.org (click here), download the latest version and then follow the installation guide.

As ever, I would advise running a full backup of your site before making any changes such as updating core files or plugins and, if you don’t already have one, now would also be a good time to implement a regular backup schedule, just in case anything does ever go wrong in the future (WordPress is a popular target for attackers and this isn’t the first time that a noteworthy plugin has had issues lately).

List of the TOP 25 Most Dangerous Programming Errors Released

Earlier today the List of the Top 25 Most Dangerous Programming Errors was released. The list was compiled by a number of different organisations and coordinated by the SANS Institute.

Criminals are now moving away from attacking the infrastructure layer and towards finding ways into systems by means of bugs in the applications sitting on top of the infrastructure. In light of this change in tactics, it is very important that if you are responsible for developing applications you ensure that your code does not contain any of these errors. If you are not responsible for developing applications, then make sure this list gets to those who are and that they pay heed to it.

SSL Certificates Vulnerable to Attack

The computer security community is abuzz with the news announced today by a team of security researchers at the 25th Chaos Communication Congress in Berlin. The researchers demonstrated how they were able to generate a fake Certificate Authority certificate, thereby allowing them to impersonate any secure website using SSL certificates.

The research is very interesting and the full paper is available here.  What I particularly liked is they used an array of 200 PS3 game consoles to break the certificate.

However, before we all panic and think that the Internet as we know it has come to an end, we should note that the attack has a number of limitations. Firstly, the attack is against the MD5 algorithm, which has had known weaknesses since 2004. Secondly, the certificates broken were using sequential serial numbers. Finally, the researchers have kept their methods to themselves to allow vendors time to address the issue.

Wired magazine has a good write up on the issue, while Rich Mogull has an excellent post on his blog as to why we should not panic with regards to this issue, as does the Security Uncorked blog.  The Errata Security Blog also highlights that not all certificates based on MD5 are vulnerable.  The SANS Internet Storm Center also has a good write up of the issue with a list of vendor statements regarding the status of their certificates.

You can also use this site to check what SSL certificates are being used by a site you are visiting.

Microsoft To Release Out Of Cycle Patch for IE Vulnerability

Microsoft has announced that it will release an out of band patch for the vulnerability in Internet Explorer as outlined in the Microsoft Security Advisory 961051.

The patch will be released on the 17th December 2008.

Microsoft will host two webcasts to address questions on the patch. The first is scheduled for 13:00 Pacific Time (US & Canada) on the 17th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US.

The second is scheduled for 11:00 AM Pacific Time (US & Canada) on the 18th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US

More details on this out-of-band patch are available at http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

I was interviewed about this vulnerability on this evening’s Last Word Show on Today FM by Matt Cooper.  A podcast of the show is available here, my piece is about 5 minutes in from the beginning. 

I found it interesting to see how today a security vulnerability is getting press attention, whereas a few years ago it would be computer viruses.  Have we moved on to realise that the threat landscape is changing?

Microsoft Warn of New Attacks Against MS08-067

Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October due to an increase in attacks aimed at exploiting that vulnerability. In particular, a new worm, Worm:Win32/Conficker.A, has been noted as causing a rise in the number of attacks.
 
Once a PC is infected, Worm:Win32/Conficker.A will patch the vulnerability to prevent the PC from being exploited by another worm or attacker and will also reset the system restore point to make it more difficult to recover the infected PC.
 
More details are available on the Microsoft Malware Protection Center Blog at http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
 
If you have not yet applied this patch it is strongly recommended that you do.

Microsoft Release Critical Out-Of-Band Patch

Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle.  For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to. 

I am obviously not the only one who thinks that, as the Internet Storm Center’s Infocon has turned yellow, which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak.”

The vulnerability could allow an attacker without authentication to remotely run arbitrary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propagated throughout the Internet, and this vulnerability could be used in the same way. Microsoft have reported that they have seen live targeted attacks on some customer systems using this vulnerability.

It is recommended that you patch your systems ASAP. However, patches, be they from Microsoft or other vendors, bring with them many inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the ones identified? Will it impact on other applications and systems? If we patch we may have problems; if we don’t we may have a security breach. Not the easiest of choices for an IT or Information Security professional to have to make.
I recommend you look at the following steps to mitigate the problem:

  1. A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
  2. Whatever solution is decided upon needs to be agreed to and signed off by senior management.
  3. An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) in the event your systems are compromised in spite of the steps taken.
  4. Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
  5. Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
  6. Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
  7. Ensure that all Anti-Virus signatures and software is up to date.
  8. Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
  9. Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
  10. Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.

I strongly advise, as with all patches, that you test and are satisfied that the patch does not negatively impact your environment before you deploy it. It also may be worth keeping on high alert even after deploying the patch, as:

  1. Other new vulnerabilities could still be found in this feature of Windows.
  2. Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.

More details are available from the Microsoft Security Response Center and also from the Internet Storm Center.  It is a pity that we do not have our own CERT here in Ireland to help coordinate a response to this issue and help Irish businesses better protect themselves.

Clickjack Proof Of Concept

Details of the much talked about Clickjack exploit are now available on Jeremiah Grossman’s blog, RSnake’s blog and Adobe’s website. Jeremiah and RSnake were meant to demonstrate clickjack at a recent conference but decided not to in order to give the vendors time to address the problem. Given that this exploit can be used to remotely use a victim’s webcam and/or microphone, the implications for stalking, industrial espionage or indeed national security highlight that the guys were right in waiting.

Jeremiah and Rsnake should be commended on how they handled this issue and credit should also go to the Adobe PSIRT for their response to the problem.

More on the DNS Vulnerability

Since my post on this issue yesterday and also Andy Whelan’s post to the ISSA Ireland’s newslist, a number of people have come back to me offline with regards to the current status within the Irish Internet space.  It seems that a number of ISPs, 16 apparently, have not yet patched their DNS servers.  But the biggest challenge appears to be organisations ensuring that their DNS servers are patched.

Here is an excerpt from an email I received that highlights the challenges:

“we’re patched and we have been notifying our clients who have dns servers non-patched.  There is also a worldwide effort by “non-for-profit security organisations” to alert ISP abuse desks, although whether they act or the sysadmins act on the email is anyone’s guess.

There are 35 ISPs in INEX (https://www.inex.ie/about/memberlist); a quick look through a “special list – as of 21/07/2008” shows there were 16 ISPs with DNS servers in their range vulnerable.
The Irish ISPs have patched their main DNS servers, but the problem seems to be their clients who run their own DNS servers, have servers in hosting centres or rogue departmental servers hidden away that the IT security teams don’t know about.”

More details are emerging of the nature of this problem (hat tip to Security4all) and active exploit tools are now being used. So, in short:

  • The criminals have a major opportunity to steal more money,
  • They have automated tools to achieve that goal
  • They will find vulnerable DNS servers
  • They will exploit those servers
  • If you have a vulnerable DNS server they will exploit it!

So to those 16 ISPs, patch your systems ASAP.  If your normal maintenance window is still a number of weeks away then consider using an emergency window instead.  Talk to your upstream ISPs and ensure they also patch their servers.

To those of you who manage or look after your own DNS servers you need to get the finger out and patch them.

Critical DNS Vulnerability Addressed

Various vendors have banded together to fix a critical DNS cache poisoning vulnerability. The vulnerability was discovered by Dan Kaminsky six months ago and can enable criminals to conduct phishing scams by altering DNS records for legitimate sites to point to their phishing sites. The Register has a good article on it and SiliconRepublic.com also covers it. Details of the problem are available from US-CERT and The Internet Storm Center.

Dan Kaminsky’s own Blog goes into more detail on the issue and has an online checker so you can see if your DNS server is impacted.

Finally it is interesting to note that in other countries the response to this has been coordinated by their respective CERTs to ensure ISPs and others are aware of the issue and addressing it.  It will be interesting to see if the Irish Internet space can respond appropriately without our own CERT.