8/3/2019 VEF_Sep
1/20
2010 eEye Confidential & Proprietary
eEye Research, September 15, 2010
Vulnerability Expert Forum
Agenda
About eEye
Microsoft's September Security Bulletins
Security Landscape: Other InfoSec News
Secure and Comply with eEye
Q&A
About eEye
Our Company: founded in 1998; growing and profitable; leaders in security & compliance
Our Strengths: world-renowned research team; trusted security advisors; recognized product leadership; unparalleled services & support
Our Difference: fast, flexible deployment; integrated end-to-end solution; commitment to our customers; securing companies of all sizes, from SMBs to Enterprise
eEye: A Security and Compliance Powerhouse
Security research drives the unrivaled capabilities of eEye solutions
eEye regularly consults with top government agencies, congressional committees and industry analysts
eEye is focused on supporting the changing compliance landscape
eEye is at the forefront of Unified Vulnerability Management
eEye Research Services
eEye Preview: advanced vulnerability information; full zero-day analysis and mitigation; custom malware analysis; eEye research tool access; includes managed perimeter scanning
eEye AMP (Any Means Possible) Penetration Testing: gain true insight into network insecurities; capture-the-flag scenarios
eEye Custom Research: exploit development; malware analysis; forensics support; compliance review
"Having a great R&D team issuing advisories and being on the front lines of discovering security issues is assuring and was a primary decision factor in choosing eEye when migrating from ISS."
Robert Timko, Information Security Director
Microsoft September Security Bulletins
9 total bulletins; 11 issues fixed
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)
Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)
Microsoft's Security Bulletin: MS10-061
Vulnerability in Print Spooler Service Could Allow Remote Code Execution
1 vulnerability fixed in bulletin
Print Spooler Service Impersonation Vulnerability - CVE-2010-2729 (previously 0day)
Criticality: Critical
Used by malware to exploit network machines
A variant of Stuxnet uses this vulnerability to exploit machines with a shared network printer
Windows XP is especially vulnerable
Certain printers are still vulnerable even with password-protected sharing enabled
Not a buffer overflow: memory protection mechanisms will be useless against this attack
Mitigation
Disable printer sharing
Enable password-protected sharing on devices that are not vulnerable (KB2347290)
Microsoft's Security Bulletin: MS10-062
Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution
1 vulnerability fixed in bulletin
MPEG-4 Codec Vulnerability - CVE-2010-0818
Criticality: High
Another perfect attack vector in a multimedia world
The drive-by browser attack vector will be the most used; don't forget the local attack and network shared drive attack vectors
The attack can come from ASF, WMV, or WMA files
Mitigation
Remove the following CLSIDs from the registry:
82CCD3E0-F71A-11D0-9FE5-00609778EA66
2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2
Install Blink Personal/Professional to mitigate out of the box
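As an added example (not from the eEye deck), a PowerShell script that audits the two CLSIDs named on this slide under both the native and Wow6432Node CLSID hives, exports each key with reg.exe, and deletes it only when -Remove is given; the backup directory is an assumed default.

```powershell
# Added example, not from the eEye deck: audit, back up and optionally delete the two
# MPEG-4 codec CLSIDs the MS10-062 slide names. Run elevated; removal is opt-in.
param([switch]$Remove, [string]$BackupDir = "$env:TEMP\ms10-062-backup")  # path assumed

$clsids = @(
    '{82CCD3E0-F71A-11D0-9FE5-00609778EA66}',
    '{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}'
)
# 64-bit Windows registers 32-bit COM servers under Wow6432Node as well.
$roots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID')

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($root in $roots) {
    foreach ($id in $clsids) {
        $key = Join-Path $root $id
        if (-not (Test-Path $key)) {
            Write-Output "absent  : $key"
            continue
        }
        # The InprocServer32 default value names the DLL this CLSID loads.
        $server = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') `
                   -ErrorAction SilentlyContinue).'(default)'
        Write-Output "present : $key -> $server"
        if ($Remove) {
            # reg.exe expects HKLM\..., not the PowerShell HKLM:\ drive form.
            $regPath = $key -replace '^HKLM:\\', 'HKLM\'
            $file = Join-Path $BackupDir (($regPath -replace '[\\{}]', '_') + '.reg')
            & reg.exe export $regPath $file /y | Out-Null
            Remove-Item -Path $key -Recurse -Force
            Write-Output "removed : $key (restore with: reg import $file)"
        }
    }
}
```

Run it without -Remove first to see which keys exist and which DLL they point at; the exported .reg files are the rollback once the patch is applied.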
Microsoft's Security Bulletin: MS10-063
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
1 vulnerability fixed in bulletin
Uniscribe Font Parsing Engine Memory Corruption Vulnerability - CVE-2010-2738
Criticality: Critical
Another browse-and-get-owned situation
Affects all browsers regardless, making it an ideal web-based exploit; Office has its own font rendering subsystem, meaning it is vulnerable regardless of OS
Attackers are looking at this vulnerability very carefully
Mitigation
Use CACLS to restrict execution access to USP10.DLL
Prevent embedded fonts from being parsed within Internet Explorer and other applications
Install Blink Personal/Professional to mitigate against this right out of the box
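As an added example (not from the eEye deck), a PowerShell script that applies the "restrict execution access to USP10.DLL" mitigation from this slide with an explicit Deny ACE, checks whether it is in place, and reverts it; the slide names CACLS, while this uses icacls, its successor, which is an assumption on the tooling.

```powershell
# Added example, not from the eEye deck: deny Execute on USP10.DLL for Everyone, the
# "restrict execution access" mitigation the MS10-063 slide describes, with a way back.
# The slide names CACLS; this uses icacls (Vista and later). Run elevated.
param([switch]$Apply, [switch]$Revert)

$dll = Join-Path $env:SystemRoot 'System32\usp10.dll'
if (-not (Test-Path $dll)) { throw "not found: $dll" }

function Test-ExecuteDenied {
    # True when an explicit Deny ACE for Everyone covers the ExecuteFile right.
    $exec = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $hits = (Get-Acl -Path $dll).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (([int]$_.FileSystemRights) -band $exec) -ne 0
    }
    return [bool]$hits
}

if ($Apply) {
    # System files are owned by TrustedInstaller; take ownership before editing the ACL.
    & takeown.exe /f $dll | Out-Null
    & icacls.exe $dll /deny 'Everyone:(X)' | Out-Null
} elseif ($Revert) {
    # Drops only Deny ACEs for Everyone; the original Allow entries stay untouched.
    & icacls.exe $dll /remove:d Everyone | Out-Null
}

if (Test-ExecuteDenied) {
    Write-Output "USP10.DLL: Execute denied for Everyone (mitigation in place)"
} else {
    Write-Output "USP10.DLL: no Deny ACE for Everyone (mitigation not applied)"
}
```

Applications that load Uniscribe will misrender or fail while the Deny ACE is present, so treat this as a stopgap and run with -Revert once the patch is installed.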
Microsoft's Security Bulletin: MS10-064
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
1 vulnerability fixed in bulletin
Heap-Based Buffer Overflow in Outlook Vulnerability - CVE-2010-2728
Criticality: Critical
Attackers will use this to compromise machines
Outlook makes an ideal target for remote attackers looking to exploit corporations and businesses
Attacker sends an email, victim views the email in HTML/Rich Text mode, victim is compromised
Outlook XP is especially vulnerable
Mitigation
Set Outlook to view emails in plain-text mode by default
Install Blink Personal/Professional
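As an added example (not from the eEye deck), a PowerShell script that reports, and with -Apply sets, the per-user Outlook registry value behind "read all mail as plain text", the mitigation this slide recommends; it assumes Outlook 2002/XP (10.0), 2003 (11.0) or 2007 (12.0) and acts only on the current user.

```powershell
# Added example, not from the eEye deck: check, and with -Apply set, the per-user
# Outlook option that reads mail as plain text (the MS10-064 mitigation on the slide).
# Assumes Outlook 2002/XP (10.0), 2003 (11.0) or 2007 (12.0) for the current user.
param([switch]$Apply)

foreach ($v in '10.0', '11.0', '12.0') {
    $outlook = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    if (-not (Test-Path $outlook)) { continue }   # that Outlook version is not in use
    $key = Join-Path $outlook 'Options\Mail'
    if ($Apply) {
        # Options\Mail may not exist until the user has opened the Options dialog.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'ReadAsPlain' -Value 1 -Type DWord
    }
    $cur = (Get-ItemProperty -Path $key -Name 'ReadAsPlain' `
            -ErrorAction SilentlyContinue).ReadAsPlain
    if ($cur -eq 1) { Write-Output "Outlook $v : reads mail as plain text" }
    else            { Write-Output "Outlook $v : HTML/Rich Text rendering still on" }
}
```

Outlook reads the value at startup, so restart it after applying; for a fleet, the same value under HKCU\Software\Policies pushed by Group Policy is the enforced equivalent.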
Microsoft's Security Bulletin: MS10-065
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
3 vulnerabilities fixed in bulletin
IIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899
Request Header Buffer Overflow Vulnerability - CVE-2010-2730
Directory Authentication Bypass Vulnerability - CVE-2010-2731 (previously 0day)
Criticality: High
1 DoS, 1 RCE, and 1 bypass = bad times
Administrators running IIS should patch these immediately
CVE-2010-2730 against IIS 7.5 is especially critical: it allows RCE relatively easily
CVE-2010-2731 was used in the wild against multiple targets
Mitigation
Mitigate against the RCE vulnerability (CVE-2010-2730) by disabling FastCGI
Install Blink Server for mitigation
Microsoft's Security Bulletin: MS10-066
Vulnerability in Remote Procedure Call Could Allow Remote Code Execution
1 vulnerability fixed in bulletin
RPC Memory Corruption Vulnerability - CVE-2010-2567
Criticality: Important
Not as bad as it originally seemed
Client-side RPC attack: the attacker has to convince a client to connect to their malicious server
However, this could be done using numerous route poisoning/hijacking methods
Attackers are much more likely to use MS10-061 or MS10-068
Mitigation
Block all ports associated with RPC on the internal firewall
Install Blink Personal/Professional
Microsoft's Security Bulletin: MS10-067
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution
1 vulnerability fixed in bulletin
WordPad Word 97 Text Converter Memory Corruption Vulnerability - CVE-2010-2563
Criticality: Moderate
Unlikely attack vector; there's much bigger fish to fry than WordPad
Machines with Microsoft Office installed would require additional social engineering to exploit
Attackers are not likely to develop exploits for this; there are much better exploits out (PDF)
Mitigation
Disable WordPad's access to the Word 97 text converter
Install Blink Personal or Professional to mitigate
Microsoft's Security Bulletin: MS10-068
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege
1 vulnerability fixed in bulletin
LSASS Heap Overflow Vulnerability - CVE-2010-0820
Criticality: Critical
If you have an Active Directory server and you have clients, patch now
Ideal exploit for compromising entire networks
Attacker would compromise a client machine using a browser exploit (PDF / Flash 0days are out)
Once on the compromised machine, the attacker would then wait for the user to authenticate to the domain (this can be forced or through patience)
Attacker will then send a malicious LSASS request to your Active Directory server: game over
Mitigation
Systems running on a domain should be patched immediately
Install Blink Professional to buy you some time before patching
Microsoft's Security Bulletin: MS10-069
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
1 vulnerability fixed in bulletin
CSRSS Local Elevation of Privilege Vulnerability - CVE-2010-1891
Criticality: Low
Pay no attention unless you are in China, Japan, or Korea
Local privilege elevation due to Unicode characters; the exploit is not reachable in environments with standard character sets
Likely only used by attackers in very targeted scenarios; the least of your worries this month
Mitigation
No practical mitigations exist; apply the patch at your earliest convenience
Security Landscape - More than a Microsoft World
CTO/CSO/CxO News: HP buys 3PAR, Fortify and ArcSight
IT Admin News: Adobe Reader 0day in the wild; Adobe Flash 0day in the wild ( http://isitsafetouseadobereader.info/ ;) ); "Here you have" malware
Researcher News: DLL hijacking; iTunes Ping scam; Sony PlayStation 3 hacked; Blu-ray DRM master keys leaked; MOAB 0days
Secure and Comply with eEye
Connect with eEye
http://blog.eeye.com
http://www.facebook.com/eEyeDigitalSecurity
http://www.twitter.com/eEye
http://www.YouTube.com/eEyeDigitalSecurity
Secure & Comply with eEye
Visit www.eeye.com
Contact us at +1.866.282.8276 or email us at research @ eeye.com
Visit our Resource Center for demonstrations, webinars and events
Secure & Comply with eEye
Thank you for joining us. A copy of this presentation can be found at www.eeye.com/vef