
Vulnerability Expert Forum

eEye Research, September 15, 2010

2010 eEye Confidential & Proprietary

Agenda

- About eEye
- Microsoft's September Security Bulletins
- Security Landscape
- Other InfoSec News
- Secure and Comply with eEye
- Q&A


eEye Digital Security

About eEye

Our Company
- Founded in 1998
- Growing and profitable
- Leaders in security & compliance

Our Strengths
- World renowned research team
- Trusted security advisors
- Recognized product leadership
- Unparalleled services & support

Our Difference
- Fast, flexible deployment
- Integrated end-to-end solution
- Commitment to our customers
- Securing companies of all sizes, from SMBs to Enterprise


eEye: A Security and Compliance Powerhouse

- Security research drives unrivaled capabilities of eEye solutions
- eEye regularly consults with top government agencies, congressional committees and industry analysts
- eEye is focused on supporting the changing compliance landscape
- eEye is at the forefront of Unified Vulnerability Management


eEye Research Services


eEye Preview
- Advanced Vulnerability Information
- Full Zero-Day Analysis and Mitigation
- Custom Malware Analysis
- eEye Research Tool Access
- Includes Managed Perimeter Scanning

eEye AMP
- Any Means Possible Penetration Testing
- Gain true insight into network insecurities
- Capture-The-Flag Scenarios

eEye Custom Research
- Exploit Development
- Malware Analysis
- Forensics Support
- Compliance Review

"Having a great R&D team issuing advisories and being on the front lines of discovering security issues is assuring and was a primary decision factor in choosing eEye when migrating from ISS."
Robert Timko, Information Security Director


Microsoft September Security Bulletins

9 total bulletins; 11 issues fixed
- Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
- Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
- Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)
- Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
- Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)
- Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)
- Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)
- Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
- Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)
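The list above gives one KB number per bulletin, which is enough to check a machine's patch state. The following PowerShell script is an added example, not part of the eEye deck; it assumes an elevated session, and it relies on Get-HotFix, which reads Win32_QuickFixEngineering and therefore only sees operating-system updates (the Outlook update for MS10-064 is an Office update and has to be checked through Office or WSUS reporting instead). The KB-to-bulletin pairing follows the order of the list above.

```powershell
# Added example, not part of the eEye deck: check which of the nine September 2010
# bulletin updates are installed on the local machine, using the KB numbers listed above.
# Assumptions: elevated PowerShell session; Get-HotFix reads Win32_QuickFixEngineering,
# which only reports OS updates, so the Outlook update (MS10-064) will not appear there.

# KB -> bulletin map, taken from the bulletin list above (same order as the deck).
$SeptemberBulletins = @{
    'KB2347290' = 'MS10-061 Print Spooler'
    'KB975558'  = 'MS10-062 MPEG-4 Codec'
    'KB2320113' = 'MS10-063 Unicode Scripts Processor'
    'KB2315011' = 'MS10-064 Outlook (Office update, not visible to Get-HotFix)'
    'KB2267960' = 'MS10-065 IIS'
    'KB982802'  = 'MS10-066 RPC'
    'KB2259922' = 'MS10-067 WordPad Text Converters'
    'KB983539'  = 'MS10-068 LSASS'
    'KB2121546' = 'MS10-069 CSRSS'
}

function Get-SeptemberBulletinStatus {
    param([hashtable]$Expected = $SeptemberBulletins)

    # One WMI query, indexed by HotFixID ("KB2347290" style).
    $installed = @{}
    foreach ($fix in Get-HotFix) { $installed[$fix.HotFixID] = $fix.InstalledOn }

    foreach ($kb in ($Expected.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            KB          = $kb
            Bulletin    = $Expected[$kb]
            Installed   = $installed.ContainsKey($kb)
            InstalledOn = $installed[$kb]
        }
    }
}

# Missing updates sort first so they stand out in the report.
Get-SeptemberBulletinStatus |
    Sort-Object Installed, KB |
    Format-Table KB, Installed, InstalledOn, Bulletin -AutoSize
```

Run it on each host class you care about (workstation, domain controller, IIS server); a bulletin that shows Installed = False on a domain controller is the MS10-068 case the LSASS slide below treats as "patch now".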


Microsoft's Security Bulletin: MS10-061

Vulnerability in Print Spooler Service Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
- Print Spooler Service Impersonation Vulnerability - CVE-2010-2729 (previously 0day)

Criticality: Critical
- Used by malware to exploit machines on the network
- A variant of Stuxnet uses this vulnerability to exploit machines with a shared network printer
- Windows XP is especially vulnerable
- Certain printers, even with password sharing enabled, are still vulnerable
- Not a buffer overflow: memory protection mechanisms will be useless against this attack

Mitigation
- Disable printer sharing
- Enable password sharing on devices not vulnerable (KB2347290)
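"Disable printer sharing" is easy to say and easy to miss on a fleet. The script below is an added example, not part of the eEye deck: it lists the printers a host is sharing and, only when asked, stops sharing them through WMI. It assumes an elevated session on the print host; Win32_Printer.Shared and ShareName are standard WMI properties, and Put() commits the change through the spooler.

```powershell
# Added example, not part of the eEye deck: audit which local printers are shared and,
# with -Unshare, stop sharing them (the first MS10-061 mitigation above). Assumes an
# elevated session on the print host; Win32_Printer.Shared / ShareName are standard WMI
# properties and Put() commits the change through the spooler.

function Get-SharedPrinter {
    Get-WmiObject -Class Win32_Printer |
        Where-Object { $_.Shared } |
        Select-Object Name, ShareName, DriverName, PortName
}

function Disable-PrinterSharing {
    param([switch]$Unshare)   # without -Unshare this only reports what it would change

    foreach ($printer in (Get-WmiObject -Class Win32_Printer | Where-Object { $_.Shared })) {
        $share = "\\$env:COMPUTERNAME\$($printer.ShareName)"
        if (-not $Unshare) {
            Write-Output "Would unshare: $($printer.Name) ($share)"
            continue
        }
        $printer.Shared = $false
        $null = $printer.Put()            # commit through WMI; the share disappears immediately
        Write-Output "Unshared: $($printer.Name) (was $share)"
    }

    # The spooler service itself keeps running; record its state so the patch decision is explicit.
    $spooler = Get-Service -Name Spooler
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'").StartMode
    Write-Output "Print Spooler service: $($spooler.Status) (start mode: $mode)"
}

Get-SharedPrinter | Format-Table -AutoSize
Disable-PrinterSharing            # report only; add -Unshare to apply
```

Unsharing removes the remote entry point the slide describes; it does not change the spooler code, so the KB2347290 update still has to follow.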

Microsoft's Security Bulletin: MS10-062

Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
- MPEG-4 Codec Vulnerability - CVE-2010-0818

Criticality: High
- Another perfect attack vector in a multimedia world
- Drive-by browser attack vector will be the most used
- Don't forget the local attack / network shared drive attack vectors
- Attack can come from ASF, WMV, or WMA files

Mitigation
- Remove the following CLSIDs from the registry:
  82CCD3E0-F71A-11D0-9FE5-00609778EA66
  2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2
- Install Blink Personal/Professional to mitigate out of the box
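The registry mitigation above is a key deletion, and key deletions should be reversible. The script below is an added example, not part of the eEye deck: it exports each of the two CLSID keys with reg.exe before removing it. It assumes an elevated session; because HKCR is a merged view, it visits the HKLM and HKCU Classes hives, plus the Wow6432Node hive where 32-bit codec registrations live on 64-bit Windows. The backup directory name is a placeholder of this example.

```powershell
# Added example, not part of the eEye deck: back up and delete the two MPEG-4 codec
# CLSID keys named above, the registry mitigation for MS10-062. Assumes an elevated
# session; HKCR is a merged view, so the script visits the HKLM and HKCU Classes hives
# (plus the Wow6432Node hive on 64-bit Windows, where 32-bit codec registrations live).
# reg.exe export files written to -BackupDir can be put back with "reg import".

$Mpeg4Clsids = @(
    '{82CCD3E0-F71A-11D0-9FE5-00609778EA66}',
    '{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}'
)

$ClsidRoots = @(
    'HKLM:\Software\Classes\CLSID',
    'HKLM:\Software\Wow6432Node\Classes\CLSID',
    'HKCU:\Software\Classes\CLSID'
)

function Remove-Mpeg4CodecClsid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Clsid = $Mpeg4Clsids,
        [string]$BackupDir = (Join-Path $env:SystemDrive 'clsid-backup')   # placeholder location
    )

    if (-not (Test-Path $BackupDir)) { $null = New-Item -ItemType Directory -Path $BackupDir }

    foreach ($id in $Clsid) {
        foreach ($root in $ClsidRoots) {
            $key = "$root\$id"
            if (-not (Test-Path -LiteralPath $key)) { continue }

            # reg.exe wants the long hive names; the .reg file name encodes the full key path.
            $regPath = $key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
            $exportFile = Join-Path $BackupDir (($key -replace '[:\\{}]', '_') + '.reg')

            if ($PSCmdlet.ShouldProcess($key, 'Export and delete CLSID key')) {
                & reg.exe export $regPath $exportFile /y | Out-Null
                Remove-Item -LiteralPath $key -Recurse -Force
                Write-Output "Removed $key (backup: $exportFile)"
            }
        }
    }
}

# First pass reports only; drop -WhatIf to apply.
Remove-Mpeg4CodecClsid -WhatIf
```

Run it with -WhatIf first to see which hives actually hold the registrations on a given build; a key that is absent in all three roots means the codec is not registered there and nothing needs removing.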



Microsoft's Security Bulletin: MS10-063

Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
- Uniscribe Font Parsing Engine Memory Corruption Vulnerability - CVE-2010-2738

Criticality: Critical
- Another browse-and-get-owned situation
- Affects all browsers regardless, an ideal web-based attack exploit
- Office has its own font rendering subsystem, meaning it's vulnerable regardless of OS
- Attackers are looking at this vulnerability very carefully

Mitigation
- Use CACLS to restrict execution access to USP10.DLL
- Prevent embedded fonts from being parsed within Internet Explorer and other applications
- Install Blink Personal/Professional to mitigate against this right out of the box

Microsoft's Security Bulletin: MS10-064

Vulnerability in Microsoft Outlook Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
- Heap Based Buffer Overflow in Outlook Vulnerability - CVE-2010-2728

Criticality: Critical
- Attackers will use this to compromise machines
- Outlook makes an ideal target for remote attackers looking to exploit corporations and businesses
- Attacker sends an email, victim views the email in HTML/Rich Text mode, victim is compromised
- Outlook XP is especially vulnerable

Mitigation
- Set Outlook to view emails in plain-text mode by default
- Install Blink Personal/Professional
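The plain-text mitigation is a per-user Outlook option, so it can be set from a logon script. The script below is an added example, not part of the eEye deck; it assumes the ReadAsPlain DWORD under HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail, the value behind the "Read all standard mail in plain text" setting, and the version numbers 10.0 through 14.0 for Outlook 2002 (XP) through 2010. Only versions that have an Outlook key for the current user are touched.

```powershell
# Added example, not part of the eEye deck: switch the current user's Outlook to read
# standard mail as plain text, the MS10-064 mitigation above, and report the result.
# Assumptions: the ReadAsPlain DWORD under
#   HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail
# is honoured by Outlook 2002 (10.0), 2003 (11.0), 2007 (12.0) and 2010 (14.0).

function Set-OutlookPlainTextReading {
    param(
        [string[]]$Version = @('10.0', '11.0', '12.0', '14.0'),
        [switch]$Revert    # set ReadAsPlain back to 0 once the patch is installed
    )

    $value = if ($Revert) { 0 } else { 1 }

    foreach ($v in $Version) {
        # Skip versions this user has never run; creating keys for them would be noise.
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Outlook")) { continue }

        $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\Options\Mail"
        if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
        Set-ItemProperty -Path $key -Name ReadAsPlain -Value $value -Type DWord

        New-Object PSObject -Property @{
            OutlookVersion = $v
            ReadAsPlain    = (Get-ItemProperty -Path $key).ReadAsPlain
        }
    }
}

# Apply for the current user and show what was written.
Set-OutlookPlainTextReading | Format-Table OutlookVersion, ReadAsPlain -AutoSize
```

Users can still switch an individual message back to HTML, so this lowers exposure to the "view the email and get compromised" path on the slide rather than closing it; the KB2315011 update is the fix.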


Microsoft's Security Bulletin: MS10-065

Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution.

3 vulnerabilities fixed in bulletin
- IIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899
- Request Header Buffer Overflow Vulnerability - CVE-2010-2730
- Directory Authentication Bypass Vulnerability - CVE-2010-2731 (previously 0day)

Criticality: High
- 1 DoS, 1 RCE, and 1 Bypass = Bad Times
- Administrators running IIS should patch these immediately
- CVE-2010-2730 against IIS 7.5 is especially critical: it allows RCE relatively easily
- CVE-2010-2731 was used in the wild against multiple targets

Mitigation
- Mitigate against the RCE vulnerability (CVE-2010-2730) by disabling FastCGI
- Install Blink Server for mitigation
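Before disabling FastCGI as the CVE-2010-2730 workaround, an administrator wants to know which handler mappings and sites depend on it. The script below is an added example, not part of the eEye deck: it reads the IIS 7.x configuration and reports the FastCGI module state, the handler mappings routed through it and the registered FastCGI applications. It assumes the default applicationHost.config location and schema (globalModules/modules entries named FastCgiModule, handler mappings whose "modules" attribute is FastCgiModule, and the system.webServer/fastCgi application list); handlers added in per-site web.config files are not covered by reading this one file.

```powershell
# Added example, not part of the eEye deck: report where FastCGI is wired into the local
# IIS 7.x configuration so the impact of the MS10-065 workaround ("disable FastCGI") is
# known before it is applied. Assumptions: default applicationHost.config location and
# schema (FastCgiModule entries in globalModules/modules, handler mappings with
# modules="FastCgiModule", and system.webServer/fastCgi/application entries).

function Get-IisFastCgiUsage {
    param(
        [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
    )

    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "IIS configuration not found: $ConfigPath" }
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath

    # XPath over the whole file, because modules/handlers usually sit inside <location path="">.
    $moduleLoaded  = $cfg.SelectNodes("//globalModules/add[@name='FastCgiModule']").Count -gt 0
    $moduleEnabled = $cfg.SelectNodes("//modules/add[@name='FastCgiModule']").Count -gt 0

    # Handler mappings that route requests through the module (for example *.php -> php-cgi.exe).
    $handlers = foreach ($h in $cfg.SelectNodes("//handlers/add[@modules='FastCgiModule']")) {
        $loc = $h.SelectSingleNode('ancestor::location[1]/@path')
        New-Object PSObject -Property @{
            Scope           = if ($loc -and $loc.Value) { $loc.Value } else { '(server)' }
            Name            = $h.name
            Path            = $h.path
            ScriptProcessor = $h.scriptProcessor
        }
    }

    # Registered FastCGI application processes.
    $apps = foreach ($a in $cfg.SelectNodes("//system.webServer/fastCgi/application")) {
        New-Object PSObject -Property @{ FullPath = $a.fullPath; Arguments = $a.arguments }
    }

    New-Object PSObject -Property @{
        ModuleLoaded  = $moduleLoaded
        ModuleEnabled = $moduleEnabled
        Handlers      = @($handlers)
        Applications  = @($apps)
    }
}

$usage = Get-IisFastCgiUsage
if (-not $usage.ModuleLoaded) {
    Write-Output 'FastCgiModule is not loaded; the CVE-2010-2730 workaround needs no change on this server.'
} else {
    Write-Output "FastCgiModule loaded=$($usage.ModuleLoaded) enabled=$($usage.ModuleEnabled)"
    $usage.Handlers     | Format-Table Scope, Name, Path, ScriptProcessor -AutoSize
    $usage.Applications | Format-Table FullPath, Arguments -AutoSize
}
```

Every handler in the report is a site feature (typically PHP) that stops working when FastCGI is disabled, which is the trade-off the slide's "patch immediately" advice avoids; where the report is empty, the server is not exposed through this path and the KB2267960 update can be scheduled normally.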

Microsoft's Security Bulletin: MS10-066

Vulnerability in Remote Procedure Call Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
- RPC Memory Corruption Vulnerability - CVE-2010-2567

Criticality: Important
- Not as bad as it originally seemed
- Client-side RPC attack: the attacker has to convince a client to connect to their malicious server
- However, this could be done using numerous route poisoning/hijacking methods
- Attackers will much more likely use MS10-061 or MS10-068

Mitigation
- Block all ports associated with RPC on the internal firewall
- Install Blink Personal / Professional


Microsoft's Security Bulletin: MS10-067

Vulnerability in WordPad Text Converters Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
- WordPad Word 97 Text Converter Memory Corruption Vulnerability - CVE-2010-2563

Criticality: Moderate
- Unlikely attack vector; there's much bigger fish to fry than WordPad
- Machines with Microsoft Office installed would require additional social engineering to exploit
- Attackers are not likely to develop exploits for this; there are much better exploits out (PDF)

Mitigation
- Disable WordPad's access to the Word 97 text converter
- Install Blink Personal or Professional to mitigate
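Two of this month's workarounds have the same shape: the MS10-063 slide says to use CACLS to restrict execution access to USP10.DLL, and the MS10-067 slide says to disable WordPad's access to the Word 97 text converter. Both come down to putting a deny ACE on one file and keeping a record so the ACL can be restored after patching. The script below is an added example, not part of the eEye deck, and serves both slides. It assumes an elevated session and that takeown.exe and icacls.exe are available (Vista/2008 and later; older systems use the cacls syntax the slide names). The converter file name mswrd8.wpc under Windows NT\Accessories is an assumption of this example about where the Word 97 converter lives, not something the deck states.

```powershell
# Added example, not part of the eEye deck: deny execute access to a single file and keep
# a rollback record. This is the shape of the MS10-063 workaround (USP10.DLL) and the
# MS10-067 workaround (WordPad's Word 97 converter). Assumptions: elevated session;
# takeown.exe and icacls.exe present; the converter path below (mswrd8.wpc) is an
# assumption of this example. Caveat: denying USP10.DLL breaks Uniscribe text rendering
# for every application that loads it, so restore the ACL as soon as the patch is on.

function Block-FileExecute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$AclBackupDir = (Join-Path $env:SystemDrive 'acl-backup'),   # placeholder location
        [switch]$Restore
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    if (-not (Test-Path $AclBackupDir)) { $null = New-Item -ItemType Directory -Path $AclBackupDir }

    $backup = Join-Path $AclBackupDir ((Split-Path $Path -Leaf) + '.acl')
    $dir    = Split-Path $Path -Parent

    if ($Restore) {
        if (-not (Test-Path $backup)) { throw "No ACL backup for $Path at $backup" }
        # icacls /restore takes the directory the saved entries belong to, not the file.
        & icacls.exe $dir /restore $backup | Out-Null
        Write-Output "Restored DACL of $Path from $backup (ownership is not reverted)"
        return
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Deny Everyone execute')) {
        & takeown.exe /f $Path | Out-Null                 # system files are owned by TrustedInstaller
        & icacls.exe $Path /save $backup | Out-Null        # record the current DACL for rollback
        & icacls.exe $Path /deny 'Everyone:(X)' | Out-Null # deny execute; read access is untouched
        Write-Output "Denied execute on $Path (rollback: Block-FileExecute -Path '$Path' -Restore)"
    }
}

# MS10-063: Uniscribe. MS10-067: WordPad's Word 97 converter (path is an assumption).
$Uniscribe    = Join-Path $env:windir 'System32\usp10.dll'
$Word97Conv   = Join-Path $env:ProgramFiles 'Windows NT\Accessories\mswrd8.wpc'

Block-FileExecute -Path $Uniscribe  -WhatIf     # drop -WhatIf to apply
Block-FileExecute -Path $Word97Conv -WhatIf
```

Applying this to USP10.DLL is the aggressive end of the trade-off: it stops the font parser from loading at all, which is why the deck pairs it with Blink as the less disruptive option. Run the -Restore pass after the KB2320113 and KB2259922 updates are confirmed installed.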


Microsoft's Security Bulletin: MS10-068

Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege.

1 vulnerability fixed in bulletin
- LSASS Heap Overflow Vulnerability - CVE-2010-0820

Criticality: Critical
- If you have an Active Directory server and you have clients: Patch Now
- Ideal exploit for compromising entire networks
- Attacker would compromise a client machine using a browser exploit (PDF / Flash 0days are out)
- Once on the compromised machine, the attacker would then wait for the user to authenticate to the domain (this can be forced or through patience)
- Attacker will then send a malicious LSASS request to your Active Directory server: Game Over

Mitigation
- Systems running on a domain should be patched immediately
- Install Blink Professional to buy you some time before patching

Microsoft's Security Bulletin: MS10-069

Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege.

1 vulnerability fixed in bulletin
- CSRSS Local Elevation of Privilege Vulnerability - CVE-2010-1891

Criticality: Low
- Pay no attention unless you are in China, Japan, or Korea
- Local privilege elevation due to Unicode characters; the exploit is not reachable in environments with standard character sets
- Likely only used by attackers in very targeted scenarios
- The least of your worries this month

Mitigation
- No practical mitigations exist; apply the patch at your earliest convenience


Security Landscape - More than a Microsoft World

CTO/CSO/CxO News
- HP buys 3PAR, Fortify and ArcSight

IT Admin News
- Adobe Reader 0day in the wild
- Adobe Flash 0day in the wild ( http://isitsafetouseadobereader.info/ ;) )
- "Here you have" malware

Researcher News
- DLL Hijacking
- iTunes Ping Scam
- Sony PlayStation 3 Hacked
- Blu-Ray DRM Master Keys Leaked
- MOAB 0days

Secure and Comply with eEye


Connect with eEye

http://blog.eeye.com

http://www.facebook.com/eEyeDigitalSecurity

http://www.twitter.com/eEye

http://www.YouTube.com/eEyeDigitalSecurity


Secure & Comply with eEye

Visit www.eeye.com

Contact us at +1.866.282.8276 or email us at research@eeye.com

Visit our Resource Center for demonstrations, webinars and events


Secure & Comply with eEye

Thank you for joining us


A copy of this presentation can be found at www.eeye.com/vef
