Re: Patching isn't enough

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 07/01/04


Date: Wed, 30 Jun 2004 19:26:23 -0700


==== 1. In Focus: Combined Attack Methods ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

The June 16 Security UPDATE includes a link to the news story "New IE
Flaws Might Allow Code Injection," which describes a relatively new
attack method being used by both intruders and purveyors of suspicious
or malicious software to infest systems that use Microsoft Internet
Explorer (IE). Jelmer Kuperus said that the attack uses Javascript,
iframes, PHP, and timing techniques to gain access to the trusted
intranet zone on a user's system. According to Kuperus, the exploit
also "uses several known vulnerabilities and two previously unknown
vulnerabilities." One of the vulnerabilities, for which no patch
exists, involves ActiveX Data Objects (ADO).
http://www.winnetmag.com/article/articleid/42959/42959.html

Through this attack method that uses multiple vulnerabilities, many
people's systems (possibly even the systems of some of you readers)
have become infected with various sorts of software, most of which is
annoying, if not outright dangerous. For example, nefarious entities
have installed adware that generates an endless stream of pop-up
windows on users' systems. That's the lighter side of the problem
though.

As you can learn by reading the news story "Vulnerable IIS Sites and
IE Users Under Attack" below, yet another factor was added to the mix
last week, this time involving Microsoft IIS. Using the IIS
vulnerability described in Microsoft Security Bulletin MS04-011
(Security Update for Microsoft Windows) on systems that haven't yet
been updated with a patch that's been available since mid-April,
intruders can inject Javascript into a server's Web pages. The
Javascript then uses a technique similar to the one I described above
to get IE to download Trojan horse software onto an unsuspecting
user's system. The Trojan horse program then gathers ("phishes")
log-on and financial information.

So now instead of intruders having to establish their own Web sites to
host malicious Javascript code, they're penetrating unpatched IIS
systems around the Internet that host legitimate Web sites. As Bugtraq
mailing list moderator David Ahmad points out in a June 25 posting,
these combined vulnerabilities have "no dependence on version or
memory layout or any other such messy factors, firewalls are totally
irrelevant and VPNs become basically a free ride in, [and] the browser
doesn't end up crashing (i.e., the victim remains blissfully unaware
that they've been owned)." These combined vulnerabilities have the
potential to become devastating.
http://www.securityfocus.com/archive/1/367120/2004-06-25/2004-07-01/0

Some preventive steps are obvious, and some aren't so obvious,
depending on the user or administrator. Obviously, loading the IIS
patch MS04-011 on your servers will stop intruders from manipulating
the servers' Web pages into hosting malicious code. Turning off
scripting in the IE security zones will also protect users to a
certain extent. But in countless scenarios, turning scripting off just
isn't possible. And sometimes scripting is essential to a Web site's
usability. Many of you probably already know how to improve security
in IE, but in case you don't, Microsoft has some recommendations that
you can read at the following URL:
http://www.microsoft.com/security/incident/settings.mspx

One workaround if you can't turn off scripting is to disable ADO
databases (ADODB) in IE. Drew Copley of eEye Digital Security wrote a
simple registry script that does this very thing and one that undoes
the changes. He also wrote an executable program that disables and
re-enables ADODB. You can download the scripts and executable program
at the eEye Web site.
http://www.eeye.com/html/research/alerts/al20040610.html

Another way of protecting IE systems against ADODB attacks is to use
PivX Solutions' Qwik-Fix, which protects IE against a variety of
intrusion methods. Recently, the company made available a version of
Qwik-Fix for enterprise environments. I don't know of any other tool
that provides the same sort of functionality.
http://www.pivx.com

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> Absolutely you are spot on Andrew. When CERT is telling us to disable
> active scripting or move to another browser... I guess they are Chicken
> Little's too?
>
> http://www.us-cert.gov/cas/techalerts/TA04-163A.html
>
> Although a patch is not yet available for this issue, it is a good
> practice to use Microsoft Windows Update to help ensure the security of
> your computer.
>
> Disable Active scripting and ActiveX controls
> Disabling Active scripting and ActiveX controls in the Internet Zone (or
> any zone used by an attacker) appears to prevent exploitation of this
> vulnerability. Disabling Active scripting and ActiveX controls in the
> Local Machine Zone will prevent widely used payload delivery techniques
> from functioning. Instructions for disabling Active scripting in the
> Internet Zone can be found in the Malicious Web Scripts FAQ. See
> Microsoft Knowledge Base Article 833633 for information about securing
> the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently
> at RC1) includes these and other security enhancements for IE.
>
> CERT/CC Malicious Web Scripts FAQ:
> http://www.cert.org/tech_tips/malicious_code_FAQ.html
>
>
>
> Andrew M. Saucci, Jr. wrote:
>
>> When the potential consequences on so many security vulnerabilities
>> are "run code of attacker's choice" the network administrator has to take
>> steps to eliminate that possibility; I don't think that serious concern is
>> unwarranted here.
>>
>> "root" <postmaster@buchanangc.com> wrote in message
>> news:%23pGNMswXEHA.3944@tk2msftngp13.phx.gbl...
>>
>>> Now with all this chicken little and hair tearing stuff, no one has
>>> specified with all this massive terror attack the world suffered in the last
>>> week whether there was any actual damage/penetrations beyond just a few
>>> machines. Was it all bark and NO BITE? I heard it was detected and blocked
>>> before it passed go! There's nothing to fear except fear itself!
>>>
>>> "Andrew M. Saucci, Jr." <spam-only@2000computer.com> wrote in message
>>> news:%23xB53ZwXEHA.2408@tk2msftngp13.phx.gbl...
>>>
>>>> From message I posted here October 11, 2003:
>>>>
>>>> "I guess what I've been trying to explain is that I just don't
>>>> have faith that being fully patched and updated is going to protect me
>>>> adequately from here on out. I just don't have that sense of security, even
>>>> now that I have MS03-039 on almost all of my servers. I still wonder what
>>>> else remains broken in that massive glob of code we call Windows and
>>>> Exchange and IIS and SQL and ISA and the rest of it. I feel that I need to
>>>> be ready for anything, not just what we've already seen."
>>>>
>>>> From message I posted here the following day:
>>>>
>>>> "What worries me is that sooner or later the exploit is going to
>>>> come before the patch. That is when we will need to be able to act
>>>> instantly."
>>>>
>>>> Business Week Online, June 29, 2004, commentary by Stephen H.
>>>> Wildstrom:
>>>>
>>>> "In late June, network security experts saw one of their worst
>>>> fears realized. Attackers exploited a pair of known but unpatched flaws in
>>>> Microsoft's Web server software and Internet Explorer browser to compromise
>>>> seemingly safe Web sites. People who browsed there on Windows computers got
>>>> infected with malicious code without downloading anything..."
>>>>
>>>> Note the key words: "known but unpatched." Next comes "unknown and
>>>> unpatched." It all goes downhill from here.
>>>>
>>>> What's my point? I don't know myself now, except that my clients
>>>> aren't going to settle for "I had you all patched and updated" as an excuse
>>>> when their networks go down. Is patching essential? Sure is. Is it enough?
>>>> Not by a long shot.
>

-- 
http://www.sbslinks.com/really.htm
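The thread above names two client-side workarounds for the combined IE attack: "disabling ADODB in IE" (the eEye registry scripts) and the CERT/CC advice to turn off Active scripting and ActiveX controls in the Internet zone. The script below is an added example written for this page; it is not the eEye script, the newsletter's code, or anything posted by the participants. It applies both workarounds as registry settings, reports their state, and can revert them. Assumptions, stated here and in the comments: the ADODB.Stream class id `{00000566-0000-0010-8000-00AA006D2EA4}`, the ActiveX Compatibility kill-bit key with `Compatibility Flags` bit `0x400`, and the zone URL actions `1200` (run ActiveX controls) and `1400` (Active scripting) under zone `3` (Internet) are taken from Microsoft's own documentation of those keys, not from this page; `Revert` assumes the pre-change zone setting was Enable, which is the IE default for the Internet zone.

```powershell
<#
  Added example (not the eEye script and not from any poster in this thread).
  Applies, reports, or reverts the two registry-level workarounds discussed:
    1. the ActiveX "kill bit" for ADODB.Stream, which is what "disable ADODB
       in IE" amounts to (HKLM; needs an elevated prompt)
    2. Active scripting and "Run ActiveX controls and plug-ins" set to Disable
       in the Internet zone for the current user (HKCU), per the CERT/CC advice
  Usage:  .\Harden-IE.ps1 -Mode Apply   |  -Mode Revert  |  -Mode Status
#>
param(
    [ValidateSet('Apply', 'Revert', 'Status')]
    [string]$Mode = 'Status'
)

# ADODB.Stream CLSID and the kill-bit flag: from Microsoft's kill-bit documentation
# (assumption: unchanged on your build), not from the thread itself.
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBitKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$AdodbStreamClsid"
$KillBitFlag = 0x400   # Compatibility Flags bit that stops IE instantiating the control

# Internet zone is zone 3; URL actions 1200 = run ActiveX controls, 1400 = Active scripting
$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ZoneActions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Disable = 3   # 0 = Enable, 1 = Prompt, 3 = Disable
$Enable  = 0   # Revert assumes Enable was the prior value (IE default for the Internet zone)

function Get-KillBitState {
    # True when the 0x400 bit is present; a missing key or value means "not killed"
    $v = Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $false }
    return (($v.'Compatibility Flags' -band $KillBitFlag) -ne 0)
}

function Set-KillBit([bool]$On) {
    # Preserve any other flag bits already set on the CLSID; only toggle 0x400
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $cur) { $cur = 0 }
    $new = if ($On) { $cur -bor $KillBitFlag } else { $cur -band (-bnot $KillBitFlag) }
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Get-ZoneActionState([string]$Action) {
    # Translate the stored DWORD back into the wording shown in the IE security dialog
    $v = Get-ItemProperty -Path $InternetZoneKey -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not set (IE default applies)' }
    switch ($v.$Action) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($($v.$Action))" }
    }
}

switch ($Mode) {
    'Apply' {
        Set-KillBit $true
        foreach ($a in $ZoneActions.Keys) {
            Set-ItemProperty -Path $InternetZoneKey -Name $a -Value $Disable -Type DWord
        }
    }
    'Revert' {
        Set-KillBit $false
        foreach ($a in $ZoneActions.Keys) {
            Set-ItemProperty -Path $InternetZoneKey -Name $a -Value $Enable -Type DWord
        }
    }
}

# Every mode ends by reporting the resulting state, so Apply and Revert double as a check
"ADODB.Stream kill bit set: $(Get-KillBitState)"
foreach ($a in $ZoneActions.Keys) {
    "Internet zone - $($ZoneActions[$a]) ($a): $(Get-ZoneActionState $a)"
}
```

Run `-Mode Status` first to record the current state before changing anything; the kill bit is the setting that survives a user re-enabling scripting in the IE dialog, since it lives under HKLM and is per-control rather than per-zone. In a domain, the same two settings are the ones to push through Group Policy rather than per-machine scripts, which is what the enterprise version of Qwik-Fix mentioned above is addressing.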