Come Join Us, We’re Now Blogging on BeyondTrust!
Yes, we’re still alive and kicking! And yes, I know we haven’t posted on the eEye blog in quite some time. Trust me, we’re still blogging and sharing like mad, we’ve just moved it all to another location. So come share the love and visit the BeyondTrust Blog (be sure to add us to your feed reader, too!) to read the latest in security news, Microsoft Patch Tuesday updates, product releases/information, events, promotions, and awards! We are having a blast over there…it’s about time you joined us.
Visit the BeyondTrust blog now.
See you there!
Batchwiper: How I Learned to Worry Less and Love Least Privilege Security
With news coming from Iran’s CERT of a crude but destructive new piece of malware designed to wipe drives and desktop contents on a specific date, we took the straightforward approach of examining which common, easily implemented security best practices could have stopped Batchwiper in its tracks…
As far as malware goes, Batchwiper is rudimentary in its execution and capabilities, yet it can still do real damage, so how do you defend against it? Simple: run with least privilege. Running as a non-administrator neutralizes the dropper component, GrooveMonitor.exe (MD5 f3dd76477e16e26571f8c64a7fd4a97b). The dropper is a self-extracting archive that tries to write its files into \WINDOWS\system32\. A standard user account has no write permission to that directory, so the extraction fails and the intended payloads never execute.

Least privilege defeats Batchwiper dropper.
If you are unfortunate enough to work in a corporate IT environment that does not properly manage administrative privileges, the dropper extracts successfully and continues by spawning a series of processes. These eventually format drives D through I, run a disk check on each drive (possibly to mask the cause of the data loss), and then delete the contents of the current user’s desktop. Note that this last step needs no special privileges: anything a user can write, malware running as that user can delete, so least privilege protects the system and the other volumes, not the user’s own files.

Batchwiper processes spawned by dropper.
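Two checks a practitioner would want after reading this, as an added example that is not part of the original post or of BeyondTrust’s tooling: confirm that the account you run day to day cannot write to System32 (the exact thing the dropper needs), and hunt for the dropper by the MD5 quoted above rather than by file name, which is trivially changed. The function names, the temporary-file probe used to test write access, and the sample file in the test are assumptions of this example; the only datum taken from the post is the hash.

```python
"""Least-privilege posture check and IOC hunt for the Batchwiper dropper.

Added example, not the original post's code. Assumptions:
- the dropper MD5 quoted in the post is the only indicator used;
- write access to System32 is tested by actually creating and removing a
  temporary file, which is the closest thing to what the self-extracting
  dropper itself attempts (os.access() does not evaluate Windows ACLs reliably).
"""
import ctypes
import hashlib
import os
import sys
import tempfile

BATCHWIPER_DROPPER_MD5 = "f3dd76477e16e26571f8c64a7fd4a97b"  # hash quoted in the post
PROTECTED_DIRS = [os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")]


def is_elevated_admin() -> bool:
    """True when the current token is an elevated administrator (Windows only)."""
    if sys.platform != "win32":
        # Graceful fallback off Windows: treat root as the equivalent of admin.
        return hasattr(os, "geteuid") and os.geteuid() == 0
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


def can_write(directory: str) -> bool:
    """Try to create (then delete) a file in `directory`; False on any failure."""
    try:
        fd, path = tempfile.mkstemp(prefix="lp-probe-", dir=directory)
    except OSError:  # PermissionError, missing directory, read-only volume ...
        return False
    os.close(fd)
    os.remove(path)
    return True


def md5_of(path: str) -> str:
    """MD5 of a file, read in 1 MiB chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc(roots, wanted_md5: str = BATCHWIPER_DROPPER_MD5):
    """Walk `roots` and return every file whose MD5 matches `wanted_md5`."""
    hits = []
    wanted_md5 = wanted_md5.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    if md5_of(full) == wanted_md5:
                        hits.append(full)
                except OSError:
                    continue  # unreadable file: skip it, do not abort the hunt
    return hits


def posture_report(protected_dirs=PROTECTED_DIRS) -> dict:
    """Summarise whether the dropper's write into System32 would succeed here."""
    writable = {d: can_write(d) for d in protected_dirs}
    return {
        "elevated_admin": is_elevated_admin(),
        "writable": writable,
        # The dropper only gets as far as its payloads if some protected dir is writable.
        "dropper_would_succeed": any(writable.values()),
    }


if __name__ == "__main__":
    print(posture_report())
    print(find_ioc([os.environ.get("TEMP", "/tmp")]))
```

Run it from the account users actually log on with; if `dropper_would_succeed` is True you are not running with least privilege, whatever the group policy says.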
This malware is another example in a long line of threats that are, in most cases, severely if not completely mitigated by basic security configuration best practices such as least privilege.
BeyondTrust has been at the forefront of championing the cause of Least Privilege for quite some time through our BeyondTrust PowerBroker solutions for both Windows and Unix/Linux. Customers leveraging BeyondTrust’s PowerBroker for Windows will mitigate a large majority of malware that affects companies on a day-to-day basis, including this recent Batchwiper malware. You can find out more about our Least Privilege solutions here: http://www.beyondtrust.com/Products/PowerBrokerForWindows/
JRE 6 automatic upgrade to JRE 7, coming soon
Starting this month, Oracle will automatically replace Java Runtime Environment (JRE) 6 installations with JRE 7 on a small number of randomly chosen users’ systems, to verify that the automatic upgrade mechanism is working properly. In February 2013 the last public version of JRE 6 (Java SE 6 Update 39) will be made available, after which JRE 6 will no longer receive public security updates.
So what does this mean to you? It means attackers will have a harder time exploiting your system. The JRE 6 binaries are not built with Address Space Layout Randomization or Data Execution Prevention (ASLR/DEP) support, so once the browser loads them they hand exploit writers a module at a predictable address to build return-oriented payloads from (the copy of msvcr71.dll shipped with JRE 6 is the best-known example). That is why JRE 6 shows up in so many browser-based exploits even when the bug being exploited is somewhere else. JRE 7 is built with ASLR/DEP enabled, which takes that tool away. Attackers will still find vulnerabilities, but they will have fewer fixed targets to lean on when turning them into working exploits.
As always, we recommend using the latest version of software that is available, so this change is in line with our recommendations. If you are currently using JRE 6 and wish to upgrade, you can grab the latest version from Oracle’s Java download page.
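To see for yourself which modules opt in to these mitigations, here is an added example (not from the original post or from Oracle) that reads the DllCharacteristics field of the PE optional header, where the Microsoft linker records /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP). Point `audit_directory` at a JRE’s bin directory; the function names and the hand-built test image are assumptions of this example. One caveat: the header says whether a module opts in, not whether the OS enforces the mitigation (DEP can be forced on system-wide by policy regardless of the flag), but a module without the DYNAMIC_BASE flag is the one that loads at a predictable address, which is what matters to an exploit writer.

```python
"""Report ASLR/DEP opt-in for PE images (DLLs and EXEs).

Added example, not code from the original post or from Oracle. It parses the
PE headers by hand with struct so it needs no third-party module. The test
image built by make_test_image() is constructed for this example only; it is
not a real JRE binary.
"""
import struct
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linked with /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linked with /NXCOMPAT (DEP)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


class NotPE(ValueError):
    """Raised when the bytes are not a parseable PE image."""


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics flags of the PE image held in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    coff = e_lfanew + 4                                        # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                            # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise NotPE("unknown optional-header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    if size_of_optional < 72:
        raise NotPE("optional header too short")
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags


def mitigations(data: bytes) -> dict:
    """Translate the raw flags into the two answers an exploit writer cares about."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_directory(directory) -> dict:
    """Map every *.dll / *.exe under `directory` to its ASLR/DEP status."""
    report = {}
    for p in sorted(Path(directory).rglob("*")):
        if p.suffix.lower() not in (".dll", ".exe"):
            continue
        try:
            report[str(p)] = mitigations(p.read_bytes())
        except (NotPE, OSError):
            continue  # not a PE image or unreadable: leave it out of the report
    return report


def make_test_image(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) carrying `flags`; test data only."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    jre6_like = make_test_image(0)                   # neither flag set
    jre7_like = make_test_image(0x0040 | 0x0100)     # ASLR and DEP set
    print("JRE 6-like:", mitigations(jre6_like))
    print("JRE 7-like:", mitigations(jre7_like))
```

Any module in the report with `"aslr": False` is a candidate the next browser exploit can use as a fixed-address gadget source, so it is worth checking the whole bin directory, not just the main JVM DLL.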
December 2012 Patch Tuesday: Oracle Outside In, TrueType, and more
December’s Patch Tuesday brings a hefty collection of vulnerabilities, ranging from Oracle Outside In bugs in Exchange to TrueType bugs in every version of Windows; these are the vulnerabilities that just keep on giving. Alongside them, bugs were also squashed in Internet Explorer, Microsoft Word, Windows file handling, DirectPlay, and IP-HTTPS.
The WebReady Document Viewing component in Exchange, which uses the Oracle Outside In libraries, already drew attention back in August with MS12-058, and it is back this month in MS12-080. For those unfamiliar with the earlier bulletin, a quick recap: Exchange uses the Oracle Outside In libraries to parse and render email attachments for viewing in Outlook Web App. Oracle recently patched several vulnerabilities in those libraries, and because WebReady bundles them, Exchange is vulnerable too. The flaws are in the Outside In filters and the HTML Export SDK and, if properly exploited, could allow an attacker to run code on the Exchange server in the context of the LocalService account. The trigger is simply a crafted attachment previewed by a user, so this one deserves priority on any Exchange server with WebReady enabled.
The other recurring vulnerability of note is a TrueType font parsing bug in the Windows kernel-mode driver. Stuxnet anyone? Duqu? Both leaned on kernel bugs in win32k.sys, and Duqu’s was a TrueType font-parsing bug of exactly this type, which is being patched again this month in MS12-078. We have seen TrueType and other font-parsing bugs patched repeatedly over the past year, since state-sponsored malware started targeting them. This is the most important patch to roll out this month: because the parser runs in kernel mode, a malicious font embedded in a document or other medium gives an attacker kernel-level code execution, and no amount of least privilege on the user account helps. This has been shown to be an effective method of exploitation, so patch this one immediately.
There is a good mix of vulnerabilities that can be combined into a solid arsenal for client-side attacks. Internet Explorer 9 and 10 are both affected by three vulnerabilities (MS12-077) that attackers can use to execute code on a user’s machine. If browser attacks don’t appeal, there is also a vulnerability in Microsoft Word (MS12-079), triggered by a crafted RTF file, that affects Word 2003, 2007, and 2010.
To finish off the month, a number of vulnerabilities were patched in various Windows components. MS12-081 addresses a remote code execution vulnerability in the Windows file handling component. MS12-082 fixes a heap overflow in DirectPlay, which affects all versions of Windows except Windows RT. Lastly, MS12-083 plugs a hole in IP-HTTPS that permits a security feature bypass.
And don’t forget that when you’re doing your holiday shopping, be sure to consider that the new ARM-based tablets running Windows RT are not immune to vulnerabilities. This month marks the third bulletin being released to patch vulnerabilities in RT, fixing the fourth vulnerability since its release.
This December 2012 Patch Tuesday is a good summary of the year in Microsoft vulnerabilities as a whole. At the end of the day, or year as it were, we continue to see a steady flow of vulnerabilities affecting everything from client and server applications to privilege escalations and everything in between. While Microsoft continues to make strides to improve security, even its newest code bases keep turning up new vulnerabilities, including flagship platforms such as Windows RT and Internet Explorer 10. This December Patch Tuesday is a reminder that Microsoft security can be Scrooge all year long, with the vulnerability gift that keeps on giving even as Microsoft tries to find its security heart.
Update: You can detect vulnerable systems using Retina and Retina CS, via the following audits:
MS12-077
[17823] Microsoft Internet Explorer Cumulative Security Update (2761465) – IE 9/10
[17824] Microsoft Internet Explorer Cumulative Security Update (2761465) – IE 6/7/8
MS12-078
[17826] Microsoft Windows Kernel Mode Drivers (2783534) – KB2779030
[17827] Microsoft Windows Kernel Mode Drivers (2783534) – KB2753842 XP
[17831] Microsoft Windows Kernel Mode Drivers (2783534) – KB2753842 XP x64/2003
[17832] Microsoft Windows Kernel Mode Drivers (2783534) – KB2753842 Vista/2008
[17833] Microsoft Windows Kernel Mode Drivers (2783534) – KB2753842 7/2008R2
[17834] Microsoft Windows Kernel Mode Drivers (2783534) – KB2753842 8/2012
MS12-079
[17837] Microsoft Word RTF Vulnerability (2780642) – Word 2003
[17838] Microsoft Word RTF Vulnerability (2780642) – Word 2007
[17839] Microsoft Word RTF Vulnerability (2780642) – Word 2010
[17840] Microsoft Word RTF Vulnerability (2780642) – Word Viewer 2003
[17841] Microsoft Word RTF Vulnerability (2780642) – Compatibility Pack
[17842] Microsoft Word RTF Vulnerability (2780642) – Word Automation Services
[17848] Microsoft Word RTF Vulnerability (2780642) – Compatibility Pack x64
[17852] Microsoft Word RTF Vulnerability (2780642) – Office Web Apps 2010
MS12-080
[17835] Microsoft Exchange Multiple Vulnerabilities (2784126) – 2007
[17836] Microsoft Exchange Multiple Vulnerabilities (2784126) – 2010
MS12-081
[17828] Microsoft Windows Filename Vulnerability (2758857)
MS12-082
[17829] Microsoft DirectPlay Heap Overflow (2770660)
[17830] Microsoft DirectPlay Heap Overflow (2770660) – x64
MS12-083
[17825] Microsoft IP-HTTPS Bypass (2765809)
12 Days of Giveaways Starts Now! Join Our 12 Twitter Days of Christmas!
Say hello to holiday fun and frolic! Starting TODAY, we’re running our 2nd Annual 12 Twitter Days of Christmas campaign! It’s time to celebrate the season of magic, and what better way to do so than with 12 days of giveaways from BeyondTrust?
How to Participate in BeyondTrust’s 12 Twitter Days of Christmas:
Here’s how it works: each day, for the next 12 days, we’ll post a new Day of Christmas tweet. Throughout that day, you have full rein to tweet, promote and share that Day of Christmas tweet as often as you like. If you miss the tweets in the live feed, just go to Twitter.com/BeyondTrust and you can retweet directly from there! At random, we’ll select a winner for each Day of Christmas who will be awarded an Amazon gift card. On December 21st, the last day of the campaign, we’ll give away a grand prize of an iPad mini! How’s that for Christmas spirit?
One winner will be announced daily through Twitter (Dec 6 – Dec 21)! No purchase necessary and must be a follower of @BeyondTrust to participate.
We’ll also be posting the daily tweets here so check back for updates! So what are you waiting for? Start tweeting our 12 Twitter Days of Christmas and you could be on your way to winning!
12/6: On the first day of Christmas BeyondTrust gave to me Context-Aware Security. The winner is @therantinggeek!
12/7: On the second day of Christmas BeyondTrust gave to me two Privilege Managements and some Context-Aware Security. The winner is @ETardieu!
12/10: On the third day of Christmas BeyondTrust gave to me three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @Kelly62u!
12/11: On the fourth day of Christmas BeyondTrust gave to me four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @itsecuritymgr!
12/12: On the fifth day of Christmas BeyondTrust gave to me five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @Xsimpa!
12/13: On the sixth day of Christmas BeyondTrust gave to me six Identity Services, five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @MattLGraves!
12/14: On the seventh day of Christmas BeyondTrust gave to me seven PowerBroker Mobiles, six Identity Services, five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @AFairch!
12/17: On the eighth day of Christmas BeyondTrust gave to me eight Password Safes, seven PowerBroker Mobiles, six Identity Services, five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @LukeDonoho!
12/18: On the ninth day of Christmas BeyondTrust gave to me nine Compliance Reports, eight Password Safes, seven PowerBroker Mobiles, six Identity Services, five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @lubinski!
12/19: On the tenth day of Christmas BeyondTrust gave to me ten Cloud Assets, nine Compliance Reports, eight Password Safes, seven PowerBroker Mobiles, six Identity Services, five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @jsg1818!
12/20: On the eleventh day of Christmas BeyondTrust gave to me eleven Network Securities, ten Cloud Assets, nine Compliance Reports, eight Password Safes, seven PowerBroker Mobiles, six Identity Services, five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The winner is @HaroldBanks2!
12/21: On the twelfth day of Christmas BeyondTrust gave to me twelve Product Demos, eleven Network Securities, ten Cloud Assets, nine Compliance Reports, eight Password Safes, seven PowerBroker Mobiles, six Identity Services, five Retina Insights, four Databases, three Server Compliances, two Privilege Managements and some Context-Aware Security. The grand prize winner is @ryansmith298!
Please note, starting January 2013, we are merging our @eEye Twitter account with our @BeyondTrust. Start following @BeyondTrust today for up to date news and security information.
Retina CS 4.0 and Remedy Ticketing Integration
Overview
Retina CS enables teams to centrally manage organization-wide IT security and compliance initiatives from a single, web-based console. It provides discovery, prioritization, and remediation of security risks by delivering what matters the most – context.
Retina CS is the centerpiece of the BeyondTrust vision of Context Aware Security Intelligence which helps organizations answer the most pressing questions in security – what to fix first, what to fix next and how to fix a vulnerability.
Retina CS does this through unmatched security intelligence and analytics for your entire IT landscape and integrates with BMC Remedy to help complete the vulnerability lifecycle management picture.
Benefits of Integrating BMC Remedy Ticketing with Retina CS Threat Management Console
Retina CS offers centralized role-based access for both the security and operations teams found in any enterprise. Timely information and situational awareness are also paramount to the vulnerability lifecycle management picture. Integration with BMC Remedy delivers detailed asset and vulnerability information to operational teams, helping them see the ‘big picture’ and supporting risk reduction across the enterprise.
How it Works
Retina CS integrates with BMC Remedy’s ticketing system by sending asset and vulnerability data to Remedy web services. This allows for complete vulnerability lifecycle management, using Remedy’s ticketing engine for vulnerability tracking. Ticket generation itself is configured on the Remedy side, so familiarity with the Remedy product is necessary to fully understand the Retina CS integration.
From Retina CS, users simply set up the ‘Export Connector’ for BMC Remedy and fill in the Web Service URL, Field Mappings, Target Namespace, and the other connectivity settings.
Using Retina CS’s Smart Rules engine, users determine which assets and which audit data will be sent to the Remedy web service(s) for ticket population.
Data is now available in the Remedy ticketing system.
Sample Remedy Ticket – Remedy Administrators would design/customize report fields/layouts.
Microsoft SCCM Integration with Retina CS Threat Management Console
Overview
Retina CS, described in the Remedy post above, is the centerpiece of the BeyondTrust vision of Context Aware Security Intelligence: what to fix first, what to fix next and how to fix a vulnerability. It integrates with Microsoft SCCM to help complete the vulnerability lifecycle management picture.
Download the software for evaluation and testing in your environment.
Benefits of Integrating SCCM with Retina CS Threat Management Console
Third-party client-side exploits continue to be a favored attack vector, especially in widely deployed software like Adobe Reader and web browsers. Recent studies show that third-party programs are responsible for 69% of the vulnerabilities on a typical endpoint.
Retina CS offers centralized role based access to both the security and operations teams needed in any enterprise vulnerability management solution. The Patch Management Module provides built-in application patching for Microsoft and non-Microsoft applications by extending Microsoft SCCM functionality which many organizations already use today. Prioritize and deploy patches with integrated, automated patching. Quickly fix weaknesses using common deployment features used within SCCM today and see the big picture with end-to-end reporting on the entire patch management cycle.
How it Works
Retina CS integrates with SCCM to provide centralized visibility into available Microsoft and various non-Microsoft application updates, using native SCCM APIs and BeyondTrust’s integration with WSUS (for third-party applications). The connector pulls back relevant SCCM data, including computer groups (which can be used for targeted patch deployment) and package deployment status, and lets you use the common package deployment options from a single console. Third-party application deployment is facilitated by using Microsoft’s WSUS as a back end to SCCM. This extends SCCM to deploy packages for the third-party applications that are most commonly exploited.
Next steps: Download the software for evaluation and testing in your environment.
Adobe Flash Player and Air (APSB12-24) Critical Memory Vulnerabilities – November 2012
Nine new audits are being released in our Retina vulnerability scan engine to help customers identify systems exposed to a set of memory-corruption vulnerabilities in Flash Player and AIR that could let an attacker take control of a vulnerable system (CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280). These nine new audits have been released with Retina Network Community and the commercial version of Retina Network. Users can include these new checks in a general vulnerability scan, or can create a targeted scan that looks only for these vulnerabilities, using the following Retina audits:
17585 – Adobe Flash Multiple Vulnerabilities (20121107) – IE
17586 – Adobe Flash Multiple Vulnerabilities (20121107) – IE 10
17587 – Adobe Flash Multiple Vulnerabilities (20121107) – Mozilla/Opera
17588 – Adobe Flash Multiple Vulnerabilities (20121107) – Linux Player
17589 – Adobe Flash Multiple Vulnerabilities (20121107) – Mac OS X Player
17591 – Adobe Flash Multiple Vulnerabilities (20121107) – Adobe AIR – Windows
17592 – Adobe Flash Multiple Vulnerabilities (20121107) – Adobe AIR – Mac OS X
17593 – Adobe Flash Multiple Vulnerabilities (20121107) – Android Flash
17594 – Adobe Flash Multiple Vulnerabilities (20121107) – Android AIR
If you have concerns about the security posture of your desktop, server or mobile environments, feel free to download and try out our community version to discover, assess and gain remediation guidance in our simple-to-use standalone scanner. In addition to standard assessment of patches, insecure configurations and zero-days, the commercial version of Retina also provides in-depth credentialed database, web application, virtual, cloud and mobile scanning.
We should also mention that our new version of the Retina Network Community scanner includes a complete user interface overhaul and allows users to select from a list of built-in profiles to align the product to your specific job function.
Android: Latest alpha (4.2) promises big security improvements | Mobile Monday Update
An early teardown of Android’s latest alpha release shows some very promising security improvements, including client-side malware protection, Security-Enhanced Linux (SELinux), and always-on VPN.
App Check
Early this year Google made news with the announcement of Bouncer, an automated server-side malware scanning service, in the hope of cleaning up Android’s reputation as a less secure platform than Apple’s App Store. While Bouncer saw some initial success, an exposé at Black Hat 2012 showed how malware writers could rather easily defeat it. App Check is Bouncer’s client-side counterpart and proactively analyzes new and previously downloaded packages for signs of malware.
MS SQL Cross-Site Scripting (XSS) News – October 2012
Eight new audits are being released in our Retina vulnerability scan engine to help identify MS SQL Server installations affected by a cross-site scripting (XSS) vulnerability in SQL Server Reporting Services (CVE-2012-2552, MS12-070). The flaw lets an attacker run script in a victim’s browser in the context of the Report Manager site, and so perform actions on the server with that user’s privileges, which is why Microsoft rates it as an elevation of privilege. These eight new audits have been released with Retina Network Community and the commercial version of Retina Network. Users can include these new checks in a general vulnerability scan, or can create a targeted scan that looks only for this vulnerability, using the following Retina audits:
- Audit ID 17269 Microsoft SQL Server Privilege Escalation (2754849) – 2000
- Audit ID 17270 Microsoft SQL Server Privilege Escalation (2754849) – 2005
- Audit ID 17271 Microsoft SQL Server Privilege Escalation (2754849) – 2008
- Audit ID 17272 Microsoft SQL Server Privilege Escalation (2754849) – 2012
- Audit ID 17281 Microsoft SQL Server Privilege Escalation (2754849) – 2005 x64
- Audit ID 17282 Microsoft SQL Server Privilege Escalation (2754849) – 2008 x64
- Audit ID 17283 Microsoft SQL Server Privilege Escalation (2754849) – 2012 x64
- Audit ID 17284 Microsoft SQL Server Privilege Escalation (2754849) – 2000 x64
If you have concerns about the security posture of your MS SQL environment, feel free to download and try out our community version to discover, assess and gain remediation guidance in our simple-to-use standalone scanner. In addition to standard assessment of patches, insecure configurations and zero-days, the commercial version of Retina Network also provides in-depth credentialed database scanning for Oracle, Microsoft SQL Server and MySQL to examine permissions and stored procedures for errors or internal misconfigurations.
https://www.eeye.com/purchase/compare-products
We should also mention that our new version of the Retina Network Community scanner includes a complete user interface overhaul and allows users to select from a list of built-in profiles to align the product to your specific job function. In this case a “Database Profile” to ensure that you have complete and relevant information to your database world.