8/3/2019 VEF_Sep

2010 eEye Confidential & Proprietary

eEye Research, September 15, 2010

Vulnerability Expert Forum

Agenda

About eEye
Microsoft's September Security Bulletins
Security Landscape
Other InfoSec News
Secure and Comply with eEye
Q&A

About eEye

Our Company
Founded in 1998
Growing and profitable
Leaders in security & compliance

Our Strengths
World renowned research team
Trusted security advisors
Recognized product leadership
Unparalleled services & support

Our Difference
Fast, flexible deployment
Integrated end-to-end solution
Commitment to our customers
Securing companies of all sizes, from SMBs to Enterprise

eEye: A Security and Compliance Powerhouse

Security research drives unrivaled capabilities of eEye solutions
eEye regularly consults with top government agencies, congressional committees and industry analysts
eEye is focused on supporting the changing compliance landscape
eEye is at the forefront of Unified Vulnerability Management

eEye Research Services

eEye Preview
Advanced Vulnerability Information
Full Zero-Day Analysis and Mitigation
Custom Malware Analysis
eEye Research Tool Access
Includes Managed Perimeter Scanning

eEye AMP (Any Means Possible) Penetration Testing
Gain true insight into network insecurities
Capture-The-Flag Scenarios

eEye Custom Research
Exploit Development
Malware Analysis
Forensics Support
Compliance Review

"Having a great R&D team issuing advisories and being on the front lines of discovering security issues is assuring and was a primary decision factor in choosing eEye when migrating from ISS."
Robert Timko, Information Security Director

Microsoft September Security Bulletins

9 total bulletins; 11 Issues Fixed

Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)
Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)

Microsoft's Security Bulletin: MS10-061
Vulnerability in Print Spooler Service Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
Print Spooler Service Impersonation Vulnerability - CVE-2010-2729 (Previously 0day)
Criticality: Critical

Used by malware to exploit network machines
A variant of Stuxnet uses this vulnerability to exploit machines with a shared network printer
Windows XP is especially vulnerable
Certain printers, even with password sharing enabled, are still vulnerable
Not a buffer overflow: memory protection mechanisms will be useless against this attack.

Mitigation
Disable printer sharing
Enable password sharing on devices not vulnerable (KB2347290)

Microsoft's Security Bulletin: MS10-062
Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
MPEG-4 Codec Vulnerability - CVE-2010-0818
Criticality: High

Another perfect attack vector in a multimedia world
Drive-by browser attack vector will be the most used
Don't forget the local attack / network shared drive attack vectors
Attack can come from ASF, WMV, or WMA files

Mitigation
Remove the following CLSIDs from the registry:
82CCD3E0-F71A-11D0-9FE5-00609778EA66
2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2
Install Blink Personal/Professional to mitigate out of the box
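The CLSID removal above is a temporary workaround, so it should be reversible. The following PowerShell script is an added example, not code from the eEye deck: it audits, removes and later restores the two registrations, exporting each key with reg.exe before deleting it. It assumes the codecs are registered under HKEY_CLASSES_ROOT\CLSID (and, for 32-bit codecs on 64-bit Windows, HKEY_CLASSES_ROOT\Wow6432Node\CLSID); the slide lists only the GUIDs, and the function names are mine.

```powershell
# Added example, not from the eEye deck. Removes the two MPEG-4 codec CLSIDs
# named on the slide, but exports each key first so the workaround can be
# reversed once MS10-062 is installed.
# Assumptions: registrations live under HKEY_CLASSES_ROOT\CLSID and, for 32-bit
# codecs on 64-bit Windows, HKEY_CLASSES_ROOT\Wow6432Node\CLSID (the slide gives
# only the GUIDs). Function names are mine. Run from an elevated prompt.

$Clsids = @(
    '{82CCD3E0-F71A-11D0-9FE5-00609778EA66}',
    '{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}'
)
$Views     = @('HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
$BackupDir = Join-Path $env:ProgramData 'MS10-062-workaround'

function Get-Mpeg4ClsidStatus {
    # Audit only: which of the registrations are present on this machine?
    foreach ($view in $Views) {
        foreach ($clsid in $Clsids) {
            [pscustomobject]@{
                Key     = "$view\$clsid"
                Present = Test-Path "Registry::$view\$clsid"
            }
        }
    }
}

function Remove-Mpeg4Clsid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($entry in (Get-Mpeg4ClsidStatus | Where-Object { $_.Present })) {
        $key    = $entry.Key
        # Backup file name: view tag plus GUID, e.g. CLSID-82CCD3E0-....reg
        $tag    = if ($key -like '*Wow6432Node*') { 'Wow6432Node' } else { 'CLSID' }
        $guid   = ($key -split '\\')[-1].Trim('{}')
        $export = Join-Path $BackupDir "$tag-$guid.reg"

        # reg.exe export writes a .reg file that reg.exe import replays verbatim.
        & reg.exe export $key $export /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key; leaving it in place" }

        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -Path "Registry::$key" -Recurse -Force
            Write-Host "Removed $key (backup: $export)"
        }
    }
}

function Restore-Mpeg4Clsid {
    # Replays every export taken by Remove-Mpeg4Clsid; run after the patch is on.
    foreach ($file in Get-ChildItem -Path $BackupDir -Filter '*.reg' -ErrorAction Stop) {
        & reg.exe import $file.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg import failed for $($file.Name)" }
        else { Write-Host "Restored $($file.Name)" }
    }
}

# Usage:
#   Get-Mpeg4ClsidStatus          # audit
#   Remove-Mpeg4Clsid -WhatIf     # preview what would be deleted
#   Remove-Mpeg4Clsid             # apply the workaround
#   Restore-Mpeg4Clsid            # undo after installing MS10-062
```

Keeping the exports under ProgramData rather than a temp directory is deliberate: the workaround may stay in place for weeks, and the rollback has to survive reboots and profile cleanup.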

Microsoft's Security Bulletin: MS10-063
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
Uniscribe Font Parsing Engine Memory Corruption Vulnerability - CVE-2010-2738
Criticality: Critical

Another browse-and-get-owned situation
Affects all browsers regardless, an ideal web-based attack exploit
Office has its own font rendering subsystem, meaning it is vulnerable regardless of OS
Attackers are looking at this vulnerability very carefully

Mitigation
Use CACLS to restrict execution access to USP10.DLL.
Prevent embedded fonts from being parsed within Internet Explorer and other applications
Install Blink Personal/Professional to mitigate against this right out of the box
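The USP10.DLL restriction above is blunt: a deny ACE on the library stops every process from loading Uniscribe, so it needs a saved copy of the original DACL for rollback. The script below is an added example, not code from the eEye deck; it uses icacls (the successor to the CACLS the slide names) because icacls can save and restore DACLs, and takeown because system DLLs are owned by TrustedInstaller. Function names and the backup location are mine.

```powershell
# Added example, not from the eEye deck. Temporarily denies Everyone access to
# USP10.DLL (the Uniscribe engine behind CVE-2010-2738) so browsers and other
# applications cannot load it, keeping the original DACL for rollback.
# The slide names CACLS; icacls is used here for its /save and /restore options.
# Function names are mine. Run from an elevated prompt.
# Expect side effects: anything rendering complex-script text through Uniscribe
# may fail or misrender until Restore-Usp10Acl is run.

$BackupDir = Join-Path $env:ProgramData 'MS10-063-workaround'

# Both copies matter on 64-bit Windows: SysWOW64\usp10.dll serves 32-bit processes.
$Usp10Paths = @(
    (Join-Path $env:SystemRoot 'System32\usp10.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\usp10.dll')
) | Where-Object { Test-Path $_ }

function Get-Usp10AclBackupPath([string]$Dll) {
    # One backup per copy, tagged by its parent directory name (System32/SysWOW64).
    $tag = Split-Path (Split-Path $Dll -Parent) -Leaf
    Join-Path $BackupDir "usp10-$tag.acl"
}

function Protect-Usp10 {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($dll in $Usp10Paths) {
        $acl = Get-Usp10AclBackupPath $dll

        # 1. Save the current DACL before touching anything.
        & icacls.exe $dll /save $acl /Q
        if ($LASTEXITCODE -ne 0) { throw "Could not save DACL for $dll; aborting" }

        # 2. System files are owned by TrustedInstaller and Administrators only hold
        #    read/execute, so take ownership to gain the right to change the DACL.
        & takeown.exe /F $dll | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed for $dll" }

        # 3. Add a deny-all ACE for Everyone. Deny wins over allow in DACL
        #    evaluation, so this blocks loads by any account.
        & icacls.exe $dll /deny 'Everyone:(F)' /Q
        if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed for $dll" }
        Write-Host "Restricted $dll (DACL backup: $acl)"
    }
}

function Restore-Usp10Acl {
    foreach ($dll in $Usp10Paths) {
        $acl = Get-Usp10AclBackupPath $dll
        if (-not (Test-Path $acl)) { Write-Warning "No DACL backup for $dll"; continue }
        # /restore takes the directory; the .acl file names the file inside it.
        & icacls.exe (Split-Path $dll -Parent) /restore $acl /Q
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /restore failed for $dll"; continue }
        # Hand ownership back to TrustedInstaller so later servicing works normally.
        & icacls.exe $dll /setowner 'NT SERVICE\TrustedInstaller' /Q | Out-Null
        Write-Host "Restored original DACL and owner on $dll"
    }
}

function Test-Usp10Restricted {
    # Audit: is a deny ACE for Everyone currently present on each copy?
    foreach ($dll in $Usp10Paths) {
        $deny = (Get-Acl -Path $dll).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
        }
        [pscustomobject]@{ Path = $dll; DenyEveryone = [bool]$deny }
    }
}

# Usage: Test-Usp10Restricted ; Protect-Usp10 ; (after patching) Restore-Usp10Acl
```

Test-Usp10Restricted doubles as a compliance check once MS10-063 is deployed: any machine still reporting DenyEveryone = True has a workaround that was never rolled back.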

Microsoft's Security Bulletin: MS10-064
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
Heap Based Buffer Overflow in Outlook Vulnerability - CVE-2010-2728
Criticality: Critical

Attackers will use this to compromise machines
Outlook makes an ideal target for remote attackers looking to exploit corporations and businesses
Attacker sends an email, victim views the email in HTML/Rich Text mode, victim is compromised
Outlook XP is especially vulnerable

Mitigation
Set Outlook to view emails in plain-text mode by default.
Install Blink Personal/Professional
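Plain-text reading is an Outlook option stored per user, so it can be switched on for every installed Outlook version with a short script. The PowerShell below is an added example, not code from the eEye deck. It assumes the switch is the documented ReadAsPlain DWORD under HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail (the slide gives no registry detail), with 10.0 for Outlook 2002/XP, 11.0 for 2003, 12.0 for 2007 and 14.0 for 2010; the function name is mine.

```powershell
# Added example, not from the eEye deck. Applies the slide's MS10-064 workaround
# (read all mail as plain text) for the current user, for every Outlook version
# registered under HKCU, and can revert it after patching.
# Assumption (documented Outlook setting, not stated on the slide): the switch is
# DWORD ReadAsPlain = 1 under HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail.
# Function name is mine.

function Set-OutlookReadAsPlain {
    param([switch]$Disable)   # -Disable returns to HTML/Rich Text rendering after patching
    $value  = if ($Disable) { 0 } else { 1 }
    $office = 'HKCU:\Software\Microsoft\Office'

    Get-ChildItem -Path $office -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |   # 10.0, 11.0, 12.0, 14.0 ...
        ForEach-Object {
            $outlook = Join-Path $_.PSPath 'Outlook'
            if (-not (Test-Path $outlook)) { return }   # this Office version has no Outlook settings
            $mail = Join-Path $outlook 'Options\Mail'
            if (-not (Test-Path $mail)) { New-Item -Path $mail -Force | Out-Null }
            New-ItemProperty -Path $mail -Name 'ReadAsPlain' -PropertyType DWord `
                -Value $value -Force | Out-Null
            # Read the value back so the caller sees what is actually stored.
            [pscustomobject]@{
                OutlookVersion = $_.PSChildName
                ReadAsPlain    = (Get-ItemProperty -Path $mail -Name 'ReadAsPlain').ReadAsPlain
            }
        }
}

# Usage:
#   Set-OutlookReadAsPlain            # workaround on
#   Set-OutlookReadAsPlain -Disable   # normal rendering once MS10-064 is installed
```

Because the setting lives in HKCU, the script only covers the user running it; rolling it out across a fleet means running it as a logon script or pushing the same value through Group Policy preferences.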

Microsoft's Security Bulletin: MS10-065
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution.

3 vulnerabilities fixed in bulletin
IIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899
Request Header Buffer Overflow Vulnerability - CVE-2010-2730
Directory Authentication Bypass Vulnerability - CVE-2010-2731 (Previously 0day)
Criticality: High

1 DoS, 1 RCE, and 1 Bypass = Bad Times
Administrators running IIS should patch these immediately
CVE-2010-2730 against IIS 7.5 is especially critical; it allows RCE relatively easily
CVE-2010-2731 was used in the wild against multiple targets

Mitigation
Mitigate against the RCE vulnerability (CVE-2010-2730) by disabling FastCGI.
Install Blink Server for mitigation

Microsoft's Security Bulletin: MS10-066
Vulnerability in Remote Procedure Call Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
RPC Memory Corruption Vulnerability - CVE-2010-2567
Criticality: Important

Not as bad as it originally seemed
Client-side RPC attack: the attacker has to convince a client to connect to their malicious server
However, this could be done using numerous route poisoning/hijacking methods
Attackers will much more likely use MS10-061 or MS10-068

Mitigation
Block all ports associated with RPC on the internal firewall.
Install Blink Personal / Professional

Microsoft's Security Bulletin: MS10-067
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution.

1 vulnerability fixed in bulletin
WordPad Word 97 Text Converter Memory Corruption Vulnerability - CVE-2010-2563
Criticality: Moderate

Unlikely attack vector: there's much bigger fish to fry than WordPad
Machines with Microsoft Office installed would require additional social engineering to exploit
Attackers are not likely going to develop exploits for this; there are much better exploits out (PDF)

Mitigation
Disable WordPad's access to the Word 97 text converter.
Install Blink Personal or Professional to mitigate

Microsoft's Security Bulletin: MS10-068
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege.

1 vulnerability fixed in bulletin
LSASS Heap Overflow Vulnerability - CVE-2010-0820
Criticality: Critical

If you have an Active Directory server and you have clients: Patch Now
Ideal exploit for compromising entire networks
Attacker would compromise a client machine using a browser exploit (PDF / Flash 0days are out)
Once on the compromised machine, the attacker would then wait for the user to authenticate to the domain (this can be forced or through patience)
Attacker will then send a malicious LSASS request to your Active Directory server: Game Over

Mitigation
Systems running on a domain should be patched immediately.
Install Blink Professional to buy you some time before patching

Microsoft's Security Bulletin: MS10-069
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege.

1 vulnerability fixed in bulletin
CSRSS Local Elevation of Privilege Vulnerability - CVE-2010-1891
Criticality: Low

Pay no attention unless you are in China, Japan, or Korea
Local privilege elevation due to Unicode characters; the exploit is not reachable in environments with standard character sets
Likely only used by attackers in very targeted scenarios
The least of your worries this month

Mitigation
No practical mitigations exist; apply the patch at your earliest convenience

Security Landscape - More than a Microsoft World

CTO/CSO/CxO News
HP buys 3PAR, Fortify and ArcSight

IT Admin News
Adobe Reader 0day In The Wild
Adobe Flash 0day In The Wild ( http://isitsafetouseadobereader.info/ ;) )
"Here you have" malware

Researcher News
DLL Hijacking
iTunes Ping Scam
Sony Playstation 3 Hacked
Blu-Ray DRM Master Keys Leaked
MOAB 0days
Secure and Comply with eEye

Connect with eEye

http://blog.eeye.com
http://www.facebook.com/eEyeDigitalSecurity
http://www.twitter.com/eEye
http://www.YouTube.com/eEyeDigitalSecurity

Secure & Comply with eEye

Visit www.eeye.com
Contact us at +1.866.282.8276 or email us at research @ eeye.com
Visit our Resource Center for demonstrations, webinars and events

Secure & Comply with eEye

Thank you for joining us. A copy of this presentation can be found at www.eeye.com/vef