Category Archives: Security

IPv6: hopes, disappointments…


This scary gadget screenshot (taken on the 26th of December) tells us that it is only a question of a month, maybe two, before we run out of IPv4 addresses. Well, not exactly “we”: it is IANA that will run out of them. Some time after that it will affect customers who want to buy their own autonomous system, then large providers, and sooner or later end users. I won’t make any predictions about when it becomes a real problem (you know, there have been too many such predictions), but it is now more obvious than ever that IPv4 must R.I.P. soon enough that you should think about it at least today, in case you didn’t do it yesterday.

Some are not only prepared for it but already well into it: almost totally (some say China has almost half of its addresses in IPv6) or partially (US governmental institutions are supposed to be on IPv6 by now, AFAIK). Others are not ready at all.

I’m ready to roll towards implementation: in my mind I have submitted to the necessity, but… again those “buts”. There are too many security problems (LOL: security problems with a protocol that has built-in IPsec, huh? =) ). My ISA cannot filter it. Darn: TMG cannot either! I need some transition technologies to implement DirectAccess, because some legacy software just cannot cope with IPv6.

Well… Anyway, how do you feel about IPv6? Do you need it? Can you implement it just with good planning, without crutches or changing your firewalls, your network equipment or the company you work for? Why?


(Pictures: a screenshot of the Windows gadget from Hurricane Electric and the IPv4 picture from www.gomonews.com)


IPD Guide: Beta for malware response

I love those IPDs. You don’t know what “IPD guide” stands for? Well… I suggest it stands for “I Plan Darn good”. MS, all of a sudden, thinks it is for “Infrastructure Planning and Design guide”. Anyway, what has just been issued is a beta for one more process: the response to a malware infection in your organization (I bet I can adapt it for home use too, but that can wait). Why is it important to have such a plan (we do have one, by the way ;))? Well… It is like everything in security: if something goes wrong, it is a disaster… unless you have a plan which is good, which is known to be in place, and which people know how to execute. Because if you have a plan, you can just go and do what’s on paper. If you don’t, you begin by creating some plan, and usually it doesn’t work on the first try, so you go for a second, and so on…

If you plan something like that (a picture of such a plan was shown here), but in more detail, and deliver training on the process, then you will be able to get rid of your troubles in a very effective manner.

So, at the moment I am still reading the IPD guide and already have something to say to its authors. If you are interested, go to the MS Connect site to download it, read it and tell the authors what you think of it.

To disclose or not to disclose

The second topic I’d like to raise in connection with the vulnerability in VMWare products is an almost Shakespearean one. What should a person or an organization do when they find a vulnerability? Tell the vendor and publicly disclose at the same time? Only publicly disclose? Notify the vendor and wait for a patch? There is a bunch of strategies, as you can see. As usual, everyone has their own point of view on the problem. Microsoft, for example, follows its Coordinated Vulnerability Disclosure policy. That means they want time to create and test a fix before public disclosure (so as to give customers as little trouble as possible) and will give anyone that time. Google follows a Responsible Disclosure policy, giving anyone 60 days to close the hole. The first option gives a vendor time to do really good testing, so as not to harm customers, but it may tempt them to procrastinate on delivering the cure. The second seems to force a vendor to fix an issue ASAP, but producing a patch can take 3-4 weeks even in the very best case, and in some cases even longer. Dissemination of information about the vulnerability before the patch becomes publicly available may hurt even more than a long wait for the patch without public awareness of the security hole. Or maybe not? Security is a strange area where there are no trustworthy statistics on many things.

So, I guess, everyone will just find their own way of disclosure (whatever the reason for the choice: belief, their own statistics or marketing). The question is what to choose for myself. What am I to regard as acceptable? Practice has shown that I am more on the MS side of the road: I will disclose the information to the vendor (and to my company’s security officer, of course). But what will I do if they don’t do anything? I have not been in such a situation, so it is hard to say. It will depend on the vulnerability’s severity, the vendor’s reaction and time. Maybe somewhat later I will threaten the vendor with disclosure and then just disclose. Fortunately my contact with VMWare was not that case, so I still do not know how I would deal with it: from my report to the new version there were only 17 days.

I’m interested, though: what do you think on the issue?

On the issue of downloading files from untrusted sites #2

As I promised, I am going to describe a couple of ideas I picked up while I was going through the vulnerability in VMWare products. Here is the first one. More than a year ago I wrote about the threats of downloading an OS from p2p networks, and one of my Russian readers told me that it is quite safe if you know the correct hash value for the ISO image. Unfortunately, my recent post about the vulnerability has rendered such an opinion not very correct. You see, when a file is downloaded from some p2p network, it sometimes comes accompanied by some unnecessary files, so it is pretty easy to trigger such a trap. Therefore there are no safe p2p downloads, actually.

P.S. BTW, a hash only gives reasonably good protection; it is not a silver bullet. It is not necessarily unique for every file of the same size.

Vulnerability in VMWare Workstation installer. Not a 0-day anymore.

The only reason for mentioning the vulnerability is… bragging. Yes, I’m going to brag about the first vulnerability I discovered and reported before a CVE was issued =) I found several vulnerabilities earlier, but all of them already had a CVE published, so it was useless.

The vulnerability in the VMWare Workstation and Player installer allowed a criminal to launch any code you may embed into a .htm page. Well, the page must be placed in the same directory as the installer, and it will shoot your computer only if you are installing the new version, but, hey, it’s my firstling, and looking for those is not my job! =)

What it looked like before version 7.1.2:

1) If we have a folder containing an index.htm file and, say, the VMWare Workstation 7.1.1 installer (a screenshot of the folder was shown here),

2) and run our installation, then, after the elevation prompt, all of a sudden (a screenshot was shown here):

What the heck is this???!!! Well, this is what our malicious .htm file does. Of course, no one is going to click the link if it looks like this (and with such text), though… Well, that’s another story. Nevertheless, if we succeed in putting some script into that file, or make the page look like the installer window and place some link in it… then our malicious file will be executed with elevated privileges.

A very narrow attack vector, of course, but still I’m glad it is closed now.

P.S. Of course, bragging is not the only reason to write about this topic: finding the issue gave me two more ideas for discussion, so consider this article an introductory one.
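The two posts above make one point between them: a correct hash proves the file you downloaded is the file the vendor published, but says nothing about what else landed in the same folder, and that is exactly what the installer bug exploited. The following script is an added example (not from the original post or from VMware) that checks both: it verifies the SHA-256 of the downloaded file and lists any neighbouring files an installer or document viewer might pick up. The installer name and the stray index.htm are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Extensions that an installer or viewer launched from this folder might
# load or execute; .htm/.html is the case from the post above.
RISKY_NEIGHBOURS = {".htm", ".html", ".dll", ".exe", ".js", ".vbs"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_download(path, expected_sha256):
    """Return (hash_ok, stray_files) for a downloaded file.

    hash_ok     - True if the SHA-256 matches the value the vendor published.
    stray_files - sorted names of risky files sitting next to it.
    A True hash with a non-empty stray list is the trap described above:
    the file is genuine, the folder is not.
    """
    hash_ok = sha256_of(path) == expected_sha256.strip().lower()
    folder = os.path.dirname(os.path.abspath(path))
    stray = sorted(
        name for name in os.listdir(folder)
        if name != os.path.basename(path)
        and os.path.splitext(name)[1].lower() in RISKY_NEIGHBOURS
    )
    return hash_ok, stray


def demo():
    """Constructed scenario: a genuine installer beside a planted index.htm."""
    folder = tempfile.mkdtemp()
    installer = os.path.join(folder, "example-setup.exe")  # placeholder name
    with open(installer, "wb") as f:
        f.write(b"constructed stand-in for the installer bytes")
    with open(os.path.join(folder, "index.htm"), "w") as f:
        f.write("<html>constructed stray page</html>")
    good_hash = sha256_of(installer)
    return {
        "genuine":  audit_download(installer, good_hash),   # hash ok, stray present
        "tampered": audit_download(installer, "0" * 64),    # hash mismatch
    }


if __name__ == "__main__":
    for label, (ok, stray) in demo().items():
        print(f"{label}: hash ok={ok}, stray files={stray}")
```

Run the installer only when the hash matches and the stray list is empty; otherwise move the file alone into a fresh directory first.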

x64 attacks, part II

When I wrote about the surge of the 64-bit platform onto client computers, I didn’t think about one obvious thing: as a platform becomes mass-market and popular, it attracts all sorts of ill-minded persons. In our age that means all the instruments hackers use to do what they do will be adapted to the new reality. Unfortunately it is happening whether I think about it or not (maybe someone else had thought about it? Quit it, then ;)). Guys from MS have reported that we have received a 64-bit version of the Alureon malware. At the time of the report it produced a non-bootable XP or 2003 and ruined some disk functionality on later systems, but I have no doubt the bad guys will correct these mistakes and make this malware even better (for them, of course, and worse for you and me). That tells me again that every statistic about vulnerabilities, virus counts and such things must be normalized to the user base, or else it just tells you wrong.

MS Security advisory: Insecure Library Loading Could Allow Remote Code Execution

The recently issued advisory has kind of shaken the security community: “we’re all gonna die… er, be hacked”. Really, this is that nasty sort of bug which is not a bug, actually. It is more like FireWire: vulnerable by design, so it is to be fixed more on the software vendors’ side than on Windows’. Correspondingly it is a long, long process, and until it is finished it will be considered a 0-day vulnerability. But will it really have such an impact on your security?

I doubt it. Really. On the one hand, an attacker who successfully uses the vector has all the power of the current user, which is not good anyway. On the other hand, the attacker must be either in your local network or you must be using WebDAV. A LAN is usually considered more or less secure. Now the question: how often do you open applications from untrusted WebDAV folders? I don’t do it, and I don’t recommend it whether there is some 0-day vulnerability around or not. The only thing you can do to harm yourself is to open a document from a “prepared” WebDAV folder. This is the hard part to protect against. But you can simply avoid doing that unless you are totally sure that the software you use to open the document has been patched by its vendor, or download the document to a local drive before opening it.

So, in a normal environment the attacker gets only the user’s rights, and only if a document or a program was opened from an untrusted location. It is a bad situation, but not as bad as some journalists picture it.

P.S. I still recommend reading the advisory and taking precautions.