Users of Wi-Fi hotspots have been warned about the “Poodle” attack – the latest bug in Internet browsers that can hijack web sessions and transactions, and even extract data from secure HTTP connections, The Straits Times reported today.

Poodle, or Padding Oracle on Downgraded Legacy Encryption, exploits Secure Sockets Layer version 3 (SSLv3), one of the protocols used to secure Internet traffic, the Singapore daily said.

All major browsers, from Google Chrome to Mozilla Firefox, support SSLv3.

An attacker can access online banking or email systems “secured” by HTTP connections. The flaw was reported by Google employees – Bodo Möller, Thai Duong and Krzysztof Kotowicz – in a paper published on Thursday.

The Poodle attack relies on the fact that most web servers and browsers are still using an “ancient” SSLv3 to secure their communications.

Source: The Malaysian Insider

Bitlocker was introduced when Vista was in the works, and Bitlocker became one of Microsoft’s key feature in pushing Windows Vista to the corporate customers.

For the people who doesn’t know what Bitlocker is: Bitlocker is a drive encryption technology by Microsoft. Unlike EFS (Encrypted File System) which is a file level encryption technology, Bitlocker will encrypt the entire disk or volume or partition. OS and data files would be encrypted.

The bad news is, Bitlocker comes only in Windows Vista Business/Enterprise/Ultimate editions…

If you need a full disk encryption but do not have the $$$ to purchase any of the above Windows Vista license, introducing – TrueCrypt 6.

TrueCrypt 6 is a full disk encryption just like Bitlocker, but it can do more than Bitlocker (sorry Microsoft!). Depending on the password that you input during the bootup, TrueCrypt will load the respective operating system the password corresponds to. So if you are being “knife-pointed” and was asked for your OS password, you can provide the thelf/attacker the password to load a not-so-important-operating system. Savvy?

Creating a volume in TrueCrypt

So how is it better/worse than Bitlocker? Here is my breakdown:

Pros of TrueCrypt:

– Much more flexible/More options VS Bitlocker: Simple straightforward wizard
– Different password to load different OS VS Bitlocker: Can only protect one OS/Not so straightforward if 2 or more OSes need to be protected.
– Type of encryption can be specified VS Bitlocker: Microsoft sets the Encryption for you.
– Protect/Hide different volumes VS Bitlocker: Not supported…

Cons of TrueCrypt:

– Too many options – Normal users tend to stay away VS Bitlocker: Straightforward process.
– Not easy/Not hard to setup VS Bitlocker: Easy to setup if using Bitlocker Drive Preparation Tool.

So which one do you prefer? Which is better? Why? Have your say!

Yep…It’s still going-and its worse than ever it seems. Hundreds of thousands of unsuspecting people are stillstumbling across perfectly legitimate websites that have been compromised by an SQL injection, and as a result are infected with a nastyTrojan.
These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats. (Trend Micro have written a very good post explaining what happens once infected)

Therefore I thought I would take some time to mention a dew domains (courtesy of f-secure) admins should block to avoid any possible chance of infection:

yl18.net

www.bluell.cn

www.kisswow.com.cn

www.ririwow.cn

winzipices.cn

www.wowgm1.cn

www.killwow1.cn

www.wowyeye.cn

vb008.cn

9i5t.cn

computershello.cn

This is a good time to again mention that this not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow it to access the database.

There are many articles on how to do this such as this one. You could also have a look at URLScanwhich provides an easy way to filter this particular attack based on the length of the QueryString.

After investigating public reports, Microsoft has published Microsoft Security Advisory 951306, which describes a vulnerability that affects multiple versions of Windows (including Windows XP Professional Service Pack 2, all supported versions and editions of Windows Server 2003, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.)

The newly found security flaw could potentially allow a malicious local user (who has authentication) to execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.

The vulnerability looks like it basically allows for any process that has the SeImpersonatePrivilege to execute some code and be able to impersonate LocalSystem (which has the NT AUTHORITY\SYSTEM SID and a wealth of privileges in its token). For Windows 2003 and beyond the users awarded that privilege are in the Network Services, Local Services, Local System, and Administrators groups. On Vista/Server 2008 you additionally won’t have the privilege unless you’ve elevated. That fortunately reduces the scope of this otherwise highly serious vulnerability, though it still isn’t pretty.

It must be noted however  Microsoft stated in its advisory that- “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time.
Microsoft Security Advisory 951306

One of my favorite documents for Windows Server 2003 is now available in beta form for Windows Server 2008.  If you have never reviewed these guides I strongly recommend them.  The guide makes it easy to tailor the security configuration to accommodate the needs of your organization.  There is also a really cool GPOAccelerator (Group Policy Object Accelerator) tool to help you rapidly setup, test and deploy configurations of Group Policy security settings.  Here are some of the resources for Windows Server 2008 Security Guide:

Check out the Executive Overview.

Join the Windows Server 2008 Security Guide beta.

Microsoft’s Windows Live SkyDrive (formally Windows Live Folders) launched their public beta late last year. It is an online storage service for sharing files and links… and NOW it’s also an online repository for spammers to host links to their electronic junk-mail/spam.

The service lets you save information online for personal use; share information with select people based on their Live ID, with either read or contributor permissions; and makes content available to anyone via web-links. The Live SkyDrive interface is simple and intuitive, and the service currently enforces a 1GB limit.

As of late spammers have been abusing this service by taking advantage of a loophole (of such) within the Sky Drive system itself. So how do they do it?

Spammers simply create a free SkyDrive account and upload a simple html file that redirects the unsuspecting viewer to a respiratory of pills and meds for sale (how cliché).
The html file is relatively simple, consisting of some basic JavaScript:

<html><body><script language=JavaScript>window.location.replace(
"http://top10epharms.com“)</script></body></html>

So what makes services like these worth abusing and attractive to spammers?

• Unique urls
• Domains relatively safe from blacklisting
• Link longevity
• abuse handling issues
• Features – host *almost anything*
• Great Price
• Someone else pays the hosting costs

Usually spammers use compromised servers in foreign countries or bonnets to send out their spam, however utilizing file sharing sites (such as SkyDrive) is not the newest trick in the book, this one just got hit…hard & suddenly.

Another interesting point is the number of times we trapped each URL was interestingly low for such a big campaign, I’d therefore estimate they had tens of thousands of files uploaded- McAfee Weblog.

Microsoft have come to the party however and are beginning to shut down these malicious SkyDrive accounts (some 24 hours after they had started), instead replacing the old malicious files with Sky Drive Welcome Notes as seen here.

Yet another instance of “If its free and worth abusing, discovery time is the variable these days”

As good as the recovery console in is Windows-it really aint that secure at all. Did you know that the Command Prompt tool found in Vista’s System Recovery Options doesn’t require a User Name or Password? And that the Command Prompt provides Administrator level access to the hard drive? For multiple versions of Windows? All you need is a Vista Install DVD and you’re all set to go.

Just boot from the DVD and select the Repair option:

Then select the Command Prompt:

Here you have full access to this computer, not only as an administrator but also as a system account user. After this you can insert usb-memory and copy any non-encrypted file from this computer to usb-memory and steal information without leaving any marks to the system or event viewer logs.
Also, you could for example copy SAM-file (contains names and passwords of local users) from c:\windows\system32\config to usb-memory and start cracking computer’s user password at  remote computer.

A cracker can:
1. … copy files from hard disk to USB, floppy or network server
2. … create / modify / delete files and folders
3. … use most of the MS-DOS like commands
4. … use this method in Vista, XP, 200x

To protect you computer or workstation, try to:

setup bios boot order so that booting from other media than hard disk is not possible

This kind of reminds you of a Windows XP Home feature. The Administrator account password for XP Home is blank by default and is hidden in Normal Mode. But if you select F8 during boot for Safe Mode, you can access the Administrator account and have complete access to the computer.

For more proof of the concept check out find more details from Mr. Kimmo Rousku and F-Secure

Microsoft confirmed yesterday that it has uncovered targeted attacks exploiting a new vulnerability in the Windows Server DNS Service.

Microsoft immediately mobilised its Software Security Incident Response Process (SSIRP) to investigate.

Due to a stack-based buffer overrun that exists in the Windows DNS Server’s remote procedure call (RPC) interface, attackers can send an RPC packet to the interface enabling them to run malicious code on the system. This vulnerability could allow a criminal to run code in the security context of the Domain Name System Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2, which by default runs as Local SYSTEM.

Users are encouraged to follow its “Protect Your PC” guidance of enabling a firewall, applying all security updates and installing anti-virus and spyware software to help minimise the possibility of a successful attack.

Microsoft is also urging customers to disable remote management over RPC capability for DNS Servers through the registry key setting, as well as block unsolicited inbound traffic on ports between 1024 and 5000 and enable advanced TCP/IP filtering, which will act as a workaround and stop attackers exploiting this vulnerability.

Details and workarounds can be found in Microsoft’s Technet Security Advisory 935964.

Source vnunet.com

Microsoft’s Patch for the ANI vulnerability is now out.

Click for bigger view

As discussed in our previous blog, this update was earlier to the usual second Tuesday monthly Security Release because of the alarming increase of Malwares and sites exploiting the ANI vulnerability. Please make sure you install this security update right now!

Update: When you install the patch and have a computer with a Realtek Audio card you might get an error message saying “Rthdcpl.exe – Illegal System DLL Relocation”. Microsoft has released a hotfix for this so if you have this problem, you can download the fix here.

Update etc sourced from F-secure

Microsoft’s January patches are now out. The update includes three critical patches that fix flaws in Excel, Outlook, and Internet Explorer. All of these allow remote code execution and can be used as a vector for virus or trojan attacks.

 

At the moment, anti-virus vendors such as f-secure haven’t seen malware taking advantage of these vulnerabilities.

Start the year right, patch now!

Microsoft has received and acknowledged that a new 0-Day exploit is public, and the proof-of-concept code announced for it is valid today on their Security Blog.

The proof-of-concept code targets the CSRSS (Client/Server Runtime Server Subsystem) the part of windows that launches and closes applications, the exploit affects all versions of Windows including the (un)released Windows Vista.
Tested on XP Service Pack 2 the proof-of-concept will cause the computer to crash resulting in a system lockup, system failure (Blue Screen of Death), or simple hard reboot.

Microsoft SRC said today “Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft’s customers.”

This is good news for users, as a patch is coming. The potential for attack, rated less critical by Secunia is still problematic if the system is infected by rootkits, or applications designed to allow remote access to a PC. The method of attack, and the way this exploit works, means there is no real protection for end users, other than to ensure you are fully patched, and your malware, spyware, and virus scanning software is running and up to date.

Info Sourced from monstersandcritics.com

Windows XP SP2 Update KB917021 was published on October 17th 2006. What’s that you say?

It’s an update to “help prevent the Windows wireless client from advertising the wireless networks in its preferred networks list”. Those of you that travel with confidential information might want to investigate this patch. It wasn’t included in Microsoft’s monthly updates.

Advertising the name of your preferred networks creates the potential for a man-in-the-middle attack. This patch won’t stop your Windows notebook from using a spoofed network, but it will fix it so that the hacker would have to guess the name.

You can find more details on this from Brian Krebs and Knowledge Base article 917021. You can download it from Microsoft’s Download Center – Validation Required.

 

This update is further to the ones that were released on Tuesday where several code execution vulnerabilities. However December update does not include a patch for the number of recently discovered Word vulnerabilities.

Info Sourced from F-Secure.com

Well… probably anyway. Not all “virus” are actually viruses you know; a lot of anti-virus suites pick up certain bits of code which could cause damage and they take the necessary precautions such as deleting the file or quarantining it. Sometimes JavaScript code can be seen as damaging which is unfortunate as all it wants to do is make something better for the user and I believe that’s what has happened in the case of Gmail.

I don’t use Gmail – I’m a Windows Live Mail user (but of course…) and only use Gmail for competitor reviewing and suchlike for my work. I logged in today and to my surprise Windows Live OneCare jumps in and tells me it’s detected a virus… actually on the main Gmail page after I entered my credentials.

 

 

To me, this tells me that Windows Live OneCare is incredibly good at picking up even the smallest threats (even when one might not be a threat at all), and that Gmail has unstable or insecure code. On the other hand, this tells me that Windows Live OneCare is too damn picky about what is a threat and what isn’t… and that Gmail has unstable or insecure code 😉

Microsoft released their latest Internet Explorer yesterday with so called new security features and functionality.

Less than 24 hours have passed and there is already a vulnerability.

A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the “mhtml:” URI handler. This can be exploited to access documents served from another web site.

Test code is readily available and the threat is marked as less critical.

Source Neowin

First McDonald’s and now Apple…

Apple Support has a very interesting notice available today. It seems that some of the iPod (video) units available for purchase from September 12th contain the RavMonE.exe virus. More details are available from: http://www.apple.com/support/windowsvirus/.

Also of interest is Apple’s framing of this support issue. Note that the notice is located in a sub-folder named “WindowsVirus” rather than “virus”. In fact, the words “Windows Virus” appear eight times while the name of the virus – RavMonE.exe – is mentioned only twice. Let’s be clear, some Apple iPods have shipped with a virus that affects mass storage devices. So it might not be a Mac OS or an iPod issue. But this is an Apple issue, not just Windows.

“Small number”, “less than 1%”, “less than 25”, and “easily restore” are also mentioned frequently in the notice. With more than eight million iPods shipped in Apple’s third quarter we would be interested in a raw number for that 1% effected by this. What’s one percent of a few million?

From the notice: “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.” Whom do you think the people that bought those iPods will be more upset with? Its just another little ploy to sell Apple computers.