patch

From Securityfocus:

An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft’s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows systems, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

And more from the same source (different article):

In December 2007, Microsoft patched the file- and printer-sharing functionality in Windows Vista to fix a medium-severity vulnerability. Unfortunately, the company inadvertently added a critical flaw, a security researcher said on Friday.

In an e-mail interview with SecurityFocus, Laurent Gaffié — the researcher that disclosed a critical flaw in Microsoft’s Server Message Block (SMB) version 2 code earlier this week — said that further research pinpointed the specific patch that added the vulnerability to Windows Vista. The patch, which fixed a remote execution flaw in SMBv2 signing, was rated Important by Microsoft because the vulnerable feature was not turned on by default. The vulnerability that the patch allegedly introduced could allow an attacker to exploit an affected system in its default configuration, which usually merits a Critical rating from Microsoft.

So, it seems that Microsoft has shipped yet another remotely exploitable security hole in their operating system(s). Hopefully it won’t be wormable to any greater extent, but we’ll find that out real soon.

This helps illustrate the point I tried to make in my last post, that no client machines can be trusted. They are all compromised sooner or later.

Also, if you are trying to be compliant with some policy, your risk ratings just peaked if you are using Vista, in particular if you have mobile workstations being carried in and out of your network. How do you manage that threat? Firewall ports 139 and 445 on all clients, thereby losing the possibility of remote administration and breaking functionality that might be needed by your business systems?

And this is just one hole… I sure hope that you have control over the Acrobat Reader and Flash installations on your clients ;)

Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. More info, read “About this blog”.
Photo: Pink Sherbet Photography on Flickr. CC Attribution.

Conficker, the network worm exploiting the MS08-067 vulnerability that I’ve mentioned previously, has continued to evolve, and several new variants (.B and .C most prominently) have been discovered.

The impact this worm is making is becoming bigger, but here at Panda Sweden we haven’t drowned in work yet. The stories I’ve heard so far are the usual ones: users and consultants bringing infected units (or USB sticks) into the network and then infecting unpatched machines that had previously been hiding behind the corporate firewall. So far it doesn’t seem too bad here though, and I’m holding my thumbs that people learned to patch their machines back in 2004 ;)

That’s also all that it comes down to: patching your machines. If you’re here looking for an easy solution to the mass infection in your network, you’re probably too late. You should have thought about patching before you got infected, not after. However, what you need to do now in order to resolve your situation is to:

- Patch your workstations and servers. Read MS Security Bulletin MS08-067. Patching can be done in a million ways. If you’re currently lacking a patching solution, look into Microsoft WSUS for a free (as in free beer, not freedom) solution. To identify unpatched or in other ways insecure systems, you can use the Microsoft Baseline Security Analyzer. This tool will also identify weak passwords, something that Conficker uses to spread in local networks.

- Disinfect the infected machines. Again, this can be done in several ways depending on your current situation, and I would recommend contacting your anti-malware/anti-virus vendor for exact instructions. Some of us have specialized tools available for rapid deployment through scripts etc., so you don’t have to change into your jogging shoes ;) A good start before you call is to make sure the machines actually have protection installed and updated, though. If not, install it and make sure it’s updated. If you’re a single user you can clean your machine using online scanners such as ActiveScan 2.0. If you are using a Panda Security solution you can find your local office here.

- Learn from your mistakes. Get a patch routine going and a monitoring system running. Make sure your anti-malware solution is up & working, and then implement a process to ensure that it’ll do so in the future as well.

Also keep in mind that Conficker, besides the normal worm behaviour and what I’ve mentioned in previous posts, infects USB sticks and other portable storage as well. It does this by placing malicious files on the media and auto-running them through the autorun and autoplay features when the media is connected to a computer.
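To turn the checklist above (patch state, monitoring) and the autorun point into something you can run on a suspect client, here is an added audit script. It is not from the original post or from Panda; it assumes an elevated PowerShell session on the Windows host, and `$Ms08067Kb` is a placeholder you must fill in with the KB number from Microsoft Security Bulletin MS08-067.

```powershell
# Added example: audit one Windows host for the Conficker-relevant weaknesses
# described in the post. Not part of the original post. Run elevated.
param(
    # Placeholder: set this to the hotfix ID listed in bulletin MS08-067.
    [string]$Ms08067Kb = 'KBxxxxxx'
)

$findings = @()

# 1. Patch state: is the MS08-067 hotfix in the installed-updates list?
$hotfix = Get-HotFix -ErrorAction SilentlyContinue |
          Where-Object { $_.HotFixID -eq $Ms08067Kb }
if (-not $hotfix) {
    $findings += "MS08-067 fix ($Ms08067Kb) not found among installed updates"
}

# 2. Autorun policy: 0xFF in NoDriveTypeAutoRun disables autorun for every
#    drive class, including removable media, which is what Conficker abuses.
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polPath -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 0xFF) {
    $findings += "Autorun not fully disabled (NoDriveTypeAutoRun = $autorun)"
}

# 3. Removable media currently attached: flag any drive carrying an autorun.inf
#    so it can be handed to the AV team before anyone double-clicks it.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $findings += "autorun.inf present on removable drive $($_.DeviceID)"
    }
}

# Report: one line per finding, or a clean bill of health.
if ($findings.Count -eq 0) {
    'OK: no Conficker-relevant weaknesses found on this host'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Weak local passwords, the other thing Conficker uses, are not covered here; the Microsoft Baseline Security Analyzer mentioned above reports those.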

More information: Panda Security 2, Panda Research, PC1News, Sophos, CA, Harry Waldron, F-Secure 2 3, MS Malware Protection Center, RegistryCleanerz.