Network and Computer Security

The Network and Computer Security Blog

November 6, 2006

Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability

Filed under: News, Vulnerabilities, Windows, Articles — SecuNews @ 2:58 pm

A vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused by an unspecified error in the XMLHTTP 4.0 ActiveX Control.

Successful exploitation allows execution of arbitrary code when a user, for example, visits a malicious website using Internet Explorer.

Microsoft Advisory & Suggested Workarounds: http://www.microsoft.com/technet/security/advisory/927892.mspx

October 11, 2006

Microsoft Plugs A Record 26 Security Holes

Filed under: News, Vulnerabilities, Windows — SecuNews @ 9:49 am

Microsoft today released ten patches to fix at least 26 separate security holes, including a whopping 16 flaws in Microsoft Office and its constituent apps.

According to Washingtonpost.com’s Security Fix blog, this is the largest number of patches ever released by Redmond outside of a Windows service pack.
Also of note, six of today’s updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista.

September 14, 2006

Internet Explorer Compressed Content URL Heap Overflow Vulnerability #2

Filed under: News, Vulnerabilities, Windows — SecuNews @ 12:35 pm

Less than 1 month after the discovery of a very serious vulnerability in Internet Explorer, eEye has just published an advisory concerning a very similar (though different) vulnerability in the latest IE.

Here’s the overview:

“eEye Digital Security has discovered a second heap overflow vulnerability in the MS06-042 cumulative Internet Explorer update that would allow an attacker to execute arbitrary code on the system of a victim who attempts to access a malicious URL. Windows 2000, Windows XP SP1, and Windows 2003 SP0 systems running Internet Explorer 5 SP4 or Internet Explorer 6 SP1, with the MS06-042 patch applied, are vulnerable; unpatched and more recent versions of Internet Explorer are not affected.”

The actual problem lies in URLMON.DLL; here’s a link to the full advisory.

September 2, 2006

Latest polymorphism hides viruses better

Filed under: News, Virus, Windows — SecuNews @ 11:27 am

Just as if we needed that, a new polymorphism technique allows viruses on AMD-64 processors to be even harder to detect.

The virus, dubbed W64.Bounds, is not spreading in the wild, but was submitted as a proof of concept to antivirus researchers. The program is not easy to detect because it encrypts itself using a new algorithm and exploits a Windows feature available only on AMD64 systems to control execution, Peter Ferrie, senior antivirus researcher for Symantec, said.

See the full article on SecurityFocus.

August 26, 2006

Yet another vulnerability in Internet Explorer

Filed under: News, Vulnerabilities, Windows — SecuNews @ 11:22 am

Just as Microsoft released an IE 6 update on August 8th to fix multiple vulnerabilities (see Microsoft Security Bulletin MS06-042), the NSFocus security team has found that this update introduces a new vulnerability.

This vulnerability can be exploited remotely by sending an overly long URL to the browser.

This issue has been assigned the name: CVE-2006-3869

See here for the full details: NSFOCUS Security Advisory (SA2006-08)

See here for the advisory from Microsoft and the updated patch: Microsoft Security Bulletin MS06-042.

July 29, 2006

More and more flaws found in Microsoft Office

Filed under: News, Vulnerabilities, Windows — SecuNews @ 9:21 pm

The latest Microsoft Office version appears to contain lots of vulnerabilities; so many, in fact, that many experts fear a new macro virus like Melissa is quite likely to appear very soon.

Since the end of 2005, about 20 vulnerabilities have been found in Office; that’s more than enough for the virus and worm writers out there to find an easy-to-exploit one and to take over all the machines with the latest Office (Word, Excel, PowerPoint, Outlook, and, for professional users, Access) installed.

The problem is made even more acute by the fact that it takes Microsoft an average of 4 months to issue patches fixing security problems; so as the number of known vulnerabilities increases, tons of systems remain vulnerable.

Read more here: Flaw finders lay siege to Microsoft Office

July 17, 2006

OSSIM: Be aware of your security

Filed under: Tools, Linux, Software — SecuNews @ 10:02 am

I’ve already featured some tools here like Nmap, OSSEC and Honeytrap, but I’m not talking about security tools nearly enough.

So this time let me introduce you to OSSIM. OSSIM stands for Open Source Security Information Management and aims to unify network monitoring, security, correlation, and qualification in one single tool. It combines Snort, Acid, MRTG, NTOP, OpenNMS, Nmap, Nessus and rrdtool to provide the user with full control over every aspect of networking or security. It has always been long and painful to install and maintain many security tools at once, and OSSIM lets you benefit from the best security tools in an easy and integrated way.
OSSIM has been under heavy development for a few years now and the latest release (0.9.9rc2) is much easier to install than the previous versions.

If you’re in doubt, you can get a feel for how it looks from those OSSIM screenshots.

June 29, 2006

Honeytrap: Trap attacks against tcp services

Filed under: Tools, Linux, Software — SecuNews @ 2:21 pm

It’s always great to have new tools to protect our assets from attackers and when those tools are free it’s even better (honeytrap is licenced under the GNU GPL licence).

Honeytrap is still a very new tool, but it already provides neat services to its users by collecting information about known or unknown network-based attacks, thereby providing early-warning information to the network/security administrator.

Honeytrap usage shouldn’t be a problem as the program is well documented. This software should also run on any “standard Unixish” operating system.

Just click here to download honeytrap! :-)

May 12, 2006

OSSEC HIDS version 0.8 available for windows and linux

Filed under: Tools, OS, Linux, Windows — SecuNews @ 5:02 pm

There isn’t enough good open source security-related software, so new tools are always welcome.

On the heels of Snort and Prelude, we now have OSSEC.

Here are the version 0.8 release notes:

OSSEC HIDS is an Open Source Host-based Intrusion
Detection System. It performs log analysis, integrity
checking, rootkit detection, time-based alerting and
active response.
It runs on most operating systems, including Linux,
OpenBSD, FreeBSD, Solaris and Windows.

This is the first version offering native support for
Windows (XP/2000/2003). It includes as well a new set
of log analysis rules for sendmail, web logs (Apache
and IIS), IDSs and Windows authentication events.

The correlation rules for squid, mail logs, firewall
events and authentication systems have been improved,
now detecting scans, worms and internal attacks.
The active-responses were also refined, with support
to IPFW (FreeBSD) added.

See here for the OSSEC homepage.

April 25, 2006

NMap 4.03 released!

Filed under: Tools, Linux — SecuNews @ 2:28 pm

NMap, the invaluable tool for smart port scanning and network mapping, got a new version released yesterday. NMap 4.03 is mostly a bugfix release of 4.01, but there are a few new features and improvements (it now works better in chroot environments, has improved error logging, etc.).

See the Release Notes from Fyodor for the full details and download location.
