Vulnerability Expert Forum eEye Research April 14, 2010.


Agenda
- About eEye's Research and Development
- eEye Preview Overview
- Microsoft's April Security Bulletins
- Security Landscape – Other InfoSec News
- Securing Your Networks
- Q&A

Vulnerability Research Powerhouse
"Having a great R&D team issuing advisories and being on the 'front lines' of discovering security issues is assuring and was a primary decision factor in choosing eEye when migrating from ISS." – Robert Timko, Information Security Director
- eEye has discovered more high-risk vulnerabilities than any other research team
- eEye's Research Team regularly consults with government agencies and congressional committees
- R&D discoveries and innovation drive the unrivaled capabilities of eEye products
- eEye's Research Team provides leading-edge insight, tools and resources, defining the security industry

Title  eEye Preview Security Intelligence Advanced Vulnerability Information Full Zero-Day Analysis and Mitigation Custom Malware Analysis eEye Research Tool Access Includes Managed Perimeter Scanning  eEye AMP Any Means Possible Penetration Testing Gain true insight into network insecurities “Capture-The-Flag” Scenarios  eEye Custom Research Services Exploit Development Malware Analysis Forensics Support Compliance Review eEye Research Services

Microsoft March Security Bulletins
- 2 total bulletins; 8 issues fixed
  Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
  Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
- 1 Security Advisory – 0day vulnerability
  Vulnerability in Internet Explorer Could Allow Remote Code Execution (981374)

Microsoft's Security Bulletin: MS Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
- Two vulnerabilities fixed in bulletin
  WinVerifyTrust Signature Validation Vulnerability - CVE
  Cabview Corruption Validation Vulnerability - CVE
- Criticality: Critical
- What does it affect? How critical is it?
  Allows attackers to modify code within signed binaries, making them appear trusted when in actuality they are trojanized. In some scenarios this can lead to auto-execution of arbitrary code.
- Mitigation
  Apply the patch immediately, as this is the only available workaround for this vulnerability.

Microsoft's Security Bulletin: MS Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
- 5 vulnerabilities fixed in bulletin – 1 previously 0day
  SMB Client Incomplete Response Vulnerability - CVE – ex-0day vulnerability
  SMB Client Memory Allocation Vulnerability - CVE
  SMB Client Transaction Vulnerability - CVE
  SMB Client Response Parsing Vulnerability - CVE
  SMB Client Message Size Vulnerability - CVE
- Criticality: High
- Scope of attack and exploitability
  These are client-side vulnerabilities, which would require some form of social engineering to get clients to connect to a malicious SMB share. 4 of these are RCE and 1 is DoS – code is executed at ring0/kernel privileges.
- Mitigation
  Apply patch ASAP
  Use Blink Professional / Personal

Microsoft's Security Bulletin: MS Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
- 8 vulnerabilities fixed in bulletin
  Windows Kernel Null Pointer Vulnerability - CVE
  Windows Kernel Symbolic Link Value Vulnerability - CVE
  Windows Kernel Memory Allocation Vulnerability - CVE
  Windows Kernel Symbolic Link Creation Vulnerability - CVE
  Windows Kernel Registry Key Vulnerability - CVE
  Windows Virtual Path Parsing Vulnerability - CVE
  Windows Kernel Malformed Image Vulnerability - CVE
  Windows Kernel Exception Handler Vulnerability - CVE
- Criticality: Moderate to High
- Relatively easy kernel-level exploits
  Several API/functionality abuse scenarios that malware could take advantage of
  Attackers will likely piggyback these exploits on client-side exploits to produce drive-by rootkit scenarios
- Mitigation
  Apply patch ASAP

Microsoft's Security Bulletin: MS Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
- Single vulnerability fixed in bulletin (previously 0day)
  VBScript Help Keypress Vulnerability - CVE
- Criticality: Critical – Patch immediately
- Use of this exploit in the wild
  Attackers have been using this vulnerability in the wild to compromise machines and install botnet trojans on systems. Even though it requires user interaction, this still proved to be a very effective exploit.
- Mitigation
  Apply patch ASAP
  Use Blink Professional / Personal
  Disable the Windows Help subsystem using CACLS on %windir%\winhlp32.exe

Microsoft's Security Bulletin: MS Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
- Single vulnerability fixed in bulletin
  Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow Vulnerability - CVE
- Criticality: Moderate – Patch only where necessary
- Why Moderate vs. Critical
  Publisher is not installed in many locations – not even in most Office installations
  .PUB files are not auto-executed from the web
  .PUB files are easy to block at the firewall / web gateway
  Attackers are not likely to make developing exploits for this vulnerability a priority
- Mitigation
  Apply patch where necessary
  Use Blink Professional / Personal
  Prevent .PUB files from being downloaded via e-mail or browsers

Microsoft's Security Bulletin: MS Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
- Two vulnerabilities fixed in bulletin – 1 public
  SMTP Server MX Record Vulnerability - CVE
  SMTP Memory Allocation Vulnerability - CVE
- Criticality: High – Patch where possible ASAP
- Very critical patch
  Attackers can trigger a persistent DoS against servers
  Attackers can also potentially read random content
- Mitigation
  Apply patch where necessary
  Use Blink Professional / Personal

Microsoft's Security Bulletin: MS Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
- Single vulnerability fixed in bulletin
  Media Services Stack-based Buffer Overflow Vulnerability - CVE
- Criticality: High – For Windows 2000 only
- Network-based exploit
  Unauthenticated network-based exploit for systems running Windows Media Services
  Exploitability is relatively easy (no DEP, ASLR)
  Attackers will likely develop exploits for this in order to compromise machines on networks once they gain a foothold there
- Mitigation
  Apply patch where necessary
  Use Blink Professional / Personal
  Turn off the Windows Media Unicast service where it is not necessary (nsunicast)

Microsoft's Security Bulletin: MS Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
- Single vulnerability fixed in bulletin – 1 public
  MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability - CVE
- Criticality: High – Patch ASAP
- Ideal client-side exploit
  Attackers are actively looking to develop an exploit for this vulnerability
  Exploitability is relatively easy and code execution is reliable
  Attackers will use this exploit in web drive-by attack ("browse and get owned") scenarios and then potentially use the kernel vulnerabilities to install rootkits on systems
- Mitigation
  Apply patch immediately
  Use Blink Professional / Personal
  Use CACLS on all client systems to disable l3codeca.acm and l3codecx.ax

Microsoft's Security Bulletin: MS Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
- Single vulnerability fixed in bulletin
  Media Player Remote Code Execution Vulnerability - CVE
- Criticality: High – Patch ASAP as well
- A very dangerous vulnerability for IE users
  Same class of vulnerability as MS
  Only Internet Explorer is vulnerable – requires ActiveX
  Easily disabled – so not as critical as MS
- Mitigation
  Apply patch immediately
  Use Blink Professional / Personal
  Kill-bit Windows Media Player (clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6)

Microsoft's Security Bulletin: MS Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
- Two vulnerabilities fixed in bulletin
  Visio Attribute Validation Memory Corruption Vulnerability - CVE
  Visio Index Calculation Memory Corruption Vulnerability - CVE
- Criticality: Moderate – Patch where possible
- Similar to the Publisher vulnerability this month
  Same class of vulnerability as the Publisher vulnerability this month
  Attackers are not likely to target this vulnerability except in very targeted scenarios
  .VS* files are easily blocked from the network
- Mitigation
  Apply patch immediately
  Use Blink Professional / Personal
  Prevent .VS* files from being downloaded via web or e-mail

Microsoft's Security Bulletin: MS Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
- A single vulnerability fixed in bulletin
  ISATAP IPv6 Source Address Spoofing Vulnerability - CVE
- Criticality: Low to Moderate
- IP address spoofing
  This is an IP address spoofing vulnerability within encapsulated IPv6 traffic
  Attackers are not likely to target this vulnerability except in very targeted scenarios
  Only affects systems implementing IPv6 traffic and ISATAP
- Mitigation
  Apply patch immediately
  Use Blink Professional / Personal
  Block IP protocol type 41 (ISATAP) at the firewall
  Disable ISATAP IPv6 interfaces
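The host-side workarounds listed across the bulletin slides above (the kill bit for the Media Player control, CACLS on winhlp32.exe and the MP3 codec binaries, stopping nsunicast, and disabling ISATAP) collected into one script with a verification check, as an added example that is neither eEye's nor Microsoft's code. It assumes Windows Vista or later with icacls, an elevated session, and Microsoft's standard kill-bit registry location and 0x400 flag value, none of which appear on the slides.

```powershell
# Added example (not eEye's code): apply and verify the workarounds named in
# these slides. Assumes Windows Vista+, an elevated session, and Microsoft's
# standard kill-bit key/flag; only the CLSID, file names, service name and
# protocol number are taken from the slides.
$ErrorActionPreference = 'Stop'

# Kill bit for the Windows Media Player control (979402): IE refuses to load a
# control whose Compatibility Flags value has bit 0x400 set.
$clsid = '{6BF52A52-394A-11d3-B153-00C04F79FAA6}'
$killBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
) | Where-Object { Test-Path (Split-Path $_ -Parent) }   # skip Wow6432Node on 32-bit
foreach ($key in $killBitKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

function Test-KillBit([string]$Key) {
    # $true when the kill bit is present; use this as the compliance check
    $flags = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band 0x400)
}

# CACLS step for the help engine (981169) and MP3 codecs (977816): deny execute
# to Everyone after saving the original ACL so it can be restored post-patch
# with: icacls <parent dir> /restore <backup file>
$denyFiles = @(
    "$env:windir\winhlp32.exe",
    "$env:windir\System32\l3codeca.acm",
    "$env:windir\System32\l3codecx.ax"
)
foreach ($file in $denyFiles) {
    if (-not (Test-Path $file)) { continue }
    $backup = Join-Path $env:TEMP ((Split-Path $file -Leaf) + '.acl')
    icacls $file /save $backup | Out-Null
    takeown /f $file | Out-Null          # system files are owned by TrustedInstaller
    icacls $file /deny 'Everyone:(X)' | Out-Null
}

# ISATAP (978338): disable the tunnelling interface on the host; pair this with
# a perimeter rule dropping IP protocol 41 where the firewall supports it.
netsh interface isatap set state disabled | Out-Null

# Windows Media Unicast service (980858): present only where Media Services is installed
$svc = Get-Service -Name nsunicast -ErrorAction SilentlyContinue
if ($svc) { Stop-Service -Name nsunicast; Set-Service -Name nsunicast -StartupType Disabled }

# Report the kill-bit state so the change can be confirmed on each client
foreach ($key in $killBitKeys) { '{0}: killbit={1}' -f $key, (Test-KillBit $key) }
```

The ACL backups under %TEMP% are what you restore once the patch is deployed; the kill bit and ISATAP change can stay in place if the control and tunnelling are not needed.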

Security Landscape – More Than a Microsoft World
- CTO/CSO/CxO News
  Palm Inc looking for buyers – Lenovo, Cisco, Nokia all potential buyers
  IBM and Verizon develop cloud-based vault system
  Yahoo e-mail of journalists hacked – targeted attacks from China
  Google and Microsoft push for fixing privacy laws
- IT Admin News
  88 percent of Fortune 500 show Zeus botnet activity
  Adobe and Oracle patches
  Apache.org compromise
  Microsoft Windows Vista SP0 EOL'd
- Researcher News
  RIP – Microsoft Windows DEP – it was a nice run
  Sun Java 0day flaw
  PHP 6.0 0day flaw
  Tool of the Month – USBlyzer

eEye Digital Security – Award-Winning Products
- Retina® Network Security Scanner – unsurpassed vulnerability assessment & remediation
- Blink® Unified Client Security with Anti-virus – multi-layer threat mitigation & system protection
- Iris® Network Traffic Analyzer – visual data monitoring & reassembly
- SecureIIS™ Web Server Protection – proactive web server security

eEye Research - eEye Research Service Inquiries – CONTACT