
Vulnerability Expert Forum eEye Research April 14, 2010.




1 Vulnerability Expert Forum eEye Research April 14, 2010

2 Agenda
- About eEye’s Research and Development
- eEye Preview Overview
- Microsoft’s April Security Bulletins
- Security Landscape – Other InfoSec News
- Securing Your Networks
- Q&A

3 Vulnerability Research Powerhouse
“Having a great R&D team issuing advisories and being on the ‘front lines’ of discovering security issues is assuring and was a primary decision factor in choosing eEye when migrating from ISS.” – Robert Timko, Information Security Director
- eEye has discovered more high risk vulnerabilities than any other Research Team
- eEye’s Research Team regularly consults with government agencies and congressional committees
- R&D discoveries and innovation drive the unrivaled capabilities of eEye products
- eEye’s Research Team provides leading edge insight, tools and resources, defining the security industry

4 eEye Research Services
- eEye Preview – Security Intelligence
  - Advanced Vulnerability Information
  - Full Zero-Day Analysis and Mitigation
  - Custom Malware Analysis
  - eEye Research Tool Access
  - Includes Managed Perimeter Scanning
- eEye AMP – Any Means Possible Penetration Testing
  - Gain true insight into network insecurities
  - “Capture-The-Flag” Scenarios
- eEye Custom Research Services
  - Exploit Development
  - Malware Analysis
  - Forensics Support
  - Compliance Review

5 Microsoft March Security Bulletins
- 2 total bulletins; 8 issues fixed
  - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
  - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
- 1 Security Advisory – 0day vulnerability
  - Vulnerability in Internet Explorer Could Allow Remote Code Execution (981374)

6 Microsoft’s Security Bulletin: MS10-019 – Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
- Two vulnerabilities fixed in bulletin
  - WinVerifyTrust Signature Validation Vulnerability – CVE-2010-0486
  - Cabview Corruption Validation Vulnerability – CVE-2010-0487
- Criticality: Critical
- What does it affect? How critical is it?
  - Allows attackers to modify code within signed binaries, making them appear trusted when in actuality they are trojanized. In some scenarios this can lead to auto-execution of arbitrary code.
- Mitigation
  - Apply the patch immediately, as this is the only available workaround for this vulnerability.

7 Microsoft’s Security Bulletin: MS10-020 – Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
- 5 vulnerabilities fixed in bulletin – 1 previously 0day
  - SMB Client Incomplete Response Vulnerability – CVE-2009-3676 – ex-0day vulnerability
  - SMB Client Memory Allocation Vulnerability – CVE-2010-0269
  - SMB Client Transaction Vulnerability – CVE-2010-0270
  - SMB Client Response Parsing Vulnerability – CVE-2010-0476
  - SMB Client Message Size Vulnerability – CVE-2010-0477
- Criticality: High
- Scope of attack and exploitability
  - These are client-side vulnerabilities, which would require some form of social engineering to get clients to connect to a malicious SMB share.
  - 4 of these are RCE and 1 is DoS – code is executed at ring0/kernel privileges.
- Mitigation
  - Apply patch ASAP
  - Use Blink Professional / Personal

8 Microsoft’s Security Bulletin: MS10-021 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
- 8 vulnerabilities fixed in bulletin
  - Windows Kernel Null Pointer Vulnerability – CVE-2010-0234
  - Windows Kernel Symbolic Link Value Vulnerability – CVE-2010-0235
  - Windows Kernel Memory Allocation Vulnerability – CVE-2010-0236
  - Windows Kernel Symbolic Link Creation Vulnerability – CVE-2010-0237
  - Windows Kernel Registry Key Vulnerability – CVE-2010-0238
  - Windows Virtual Path Parsing Vulnerability – CVE-2010-0481
  - Windows Kernel Malformed Image Vulnerability – CVE-2010-0482
  - Windows Kernel Exception Handler Vulnerability – CVE-2010-0810
- Criticality: Moderate to High
- Relatively easy kernel-level exploits
  - Several API/functionality abuse scenarios that malware could take advantage of
  - Attackers will likely piggyback these exploits with client-side exploits to produce drive-by rootkit scenarios
- Mitigation
  - Apply patch ASAP

9 Microsoft’s Security Bulletin: MS10-022 – Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
- Single vulnerability fixed in bulletin (previously 0day)
  - VBScript Help Keypress Vulnerability – CVE-2010-0483
- Criticality: Critical – patch immediately
- Use of this exploit in the wild
  - Attackers have been using this vulnerability in the wild to compromise machines and install botnet trojans on systems.
  - Even though it requires user interaction, this still proved to be a very effective exploit.
- Mitigation
  - Apply patch ASAP
  - Use Blink Professional / Personal
  - Disable the Windows Help subsystem using cacls on %windir%\winhlp32.exe


11 Microsoft’s Security Bulletin: MS10-023 – Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
- Single vulnerability fixed in bulletin
  - Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow Vulnerability – CVE-2010-0479
- Criticality: Moderate – patch only where necessary
- Why Moderate vs Critical
  - Publisher is not installed in many locations – not even in most Office installations
  - .PUB files are not auto-executed from the web
  - .PUB files are easy to block at the firewall / web gateway
  - Attackers are not likely to develop exploits for this vulnerability
- Mitigation
  - Apply patch where necessary
  - Use Blink Professional / Personal
  - Prevent .PUB files from being downloaded via email or browsers

12 Microsoft’s Security Bulletin: MS10-024 – Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
- Two vulnerabilities fixed in bulletin – 1 public
  - SMTP Server MX Record Vulnerability – CVE-2010-0024
  - SMTP Memory Allocation Vulnerability – CVE-2010-0025
- Criticality: High – patch where possible ASAP
- Very critical patch
  - Attackers can trigger a persistent DoS against email servers
  - Attackers can also potentially read random email content
- Mitigation
  - Apply patch where necessary
  - Use Blink Professional / Personal

13 Microsoft’s Security Bulletin: MS10-025 – Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
- Single vulnerability fixed in bulletin
  - Media Services Stack-based Buffer Overflow Vulnerability – CVE-2010-0478
- Criticality: High – for Windows 2000 only
- Network-based exploit
  - Unauthenticated network-based exploit for systems running Windows Media Services
  - Exploitability is relatively easy (no DEP, no ASLR)
  - Attackers will likely develop exploits for this in order to compromise machines on networks once they gain a foothold there
- Mitigation
  - Apply patch where necessary
  - Use Blink Professional / Personal
  - Turn off the Windows Media Unicast service where it is not necessary (nsunicast)

14 Microsoft’s Security Bulletin: MS10-026 – Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
- Single vulnerability fixed in bulletin – 1 public
  - MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability – CVE-2010-0480
- Criticality: High – patch ASAP
- Ideal client-side exploit
  - Attackers are actively looking to develop an exploit for this vulnerability
  - Exploitability is relatively easy and code execution is reliable
  - Attackers will use this exploit in web drive-by attacks (browse and get owned) and then potentially use the kernel vulnerabilities to install rootkits on systems
- Mitigation
  - Apply patch immediately
  - Use Blink Professional / Personal
  - Use cacls on all client systems to disable l3codeca.acm and l3codecx.ax
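The MS10-022 and MS10-026 slides both recommend the same interim control: use cacls to deny access to a vulnerable binary until the patch is deployed. The script below is an added example, not code from the eEye deck; it applies that control from PowerShell 2.0 with the .NET ACL classes instead of cacls so that the original DACL is saved first, the result can be verified in code, and the change can be reverted once the patch is installed. The file paths under %windir% and the backup directory are assumptions; verify them against your own build before deploying.

```powershell
# Added example (not from the eEye deck): deny access to the binaries named on
# the MS10-022 and MS10-026 slides until the patches are deployed, keeping a
# copy of each original DACL so the change can be reversed afterwards.
# Run from an elevated PowerShell prompt.

# Files named on the slides. The exact locations are an assumption; confirm them.
$targets = @(
    "$env:windir\winhlp32.exe",            # MS10-022: Windows Help subsystem
    "$env:windir\System32\l3codeca.acm",   # MS10-026: MPEG Layer-3 ACM codec
    "$env:windir\System32\l3codecx.ax"     # MS10-026: MPEG Layer-3 DirectShow filter
)

# Where original DACLs are stored as SDDL strings (location is an assumption)
$backupDir = "$env:ProgramData\acl-backup"

function Save-OriginalAcl {
    param([string]$Path)
    if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
    $name = [IO.Path]::GetFileName($Path) + ".sddl"
    # SDDL captures the whole security descriptor, so the revert is exact
    (Get-Acl $Path).Sddl | Set-Content -Path (Join-Path $backupDir $name)
}

function Add-DenyExecute {
    param([string]$Path)
    $acl  = Get-Acl $Path
    # Equivalent of "cacls <file> /E /P everyone:N" for the execute/read bits
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "Everyone", "ReadAndExecute", "Deny"
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyExecute {
    param([string]$Path)
    # True when a Deny ACE for Everyone covering ExecuteFile is present
    $acl = Get-Acl $Path
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq "Deny" -and
        $_.IdentityReference.Value -eq "Everyone" -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
    }
    return (@($hit).Count -gt 0)
}

function Restore-OriginalAcl {
    # Revert to the saved descriptor once the patch is installed
    param([string]$Path)
    $name = [IO.Path]::GetFileName($Path) + ".sddl"
    $sddl = Get-Content -Path (Join-Path $backupDir $name)
    $acl  = Get-Acl $Path
    $acl.SetSecurityDescriptorSddlForm($sddl)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($file in $targets) {
    if (-not (Test-Path $file)) { Write-Host "absent:  $file"; continue }
    if (Test-DenyExecute $file)  { Write-Host "already: $file"; continue }
    Save-OriginalAcl $file
    Add-DenyExecute  $file
    if (Test-DenyExecute $file) { Write-Host "denied:  $file" } else { Write-Warning "failed:  $file" }
}
```

Two caveats a practitioner will hit: a Deny ACE for Everyone also blocks Administrators and the servicing stack, so the control must be reverted with Restore-OriginalAcl before the patch is applied or it may fail to replace the file; and on Windows Vista and later these binaries are owned by TrustedInstaller, so Set-Acl is refused unless ownership is taken first (takeown /f <file>) and restored afterwards. Test-DenyExecute doubles as a compliance check that can be run on its own after rollout.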

15 Microsoft’s Security Bulletin: MS10-027 – Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
- Single vulnerability fixed in bulletin
  - Media Player Remote Code Execution Vulnerability – CVE-2010-0268
- Criticality: High – patch ASAP as well
- A very dangerous vulnerability for IE users
  - Same class of vulnerability as MS10-026
  - Only Internet Explorer is vulnerable – requires ActiveX
  - Easily disabled – so not as critical as MS10-026
- Mitigation
  - Apply patch immediately
  - Use Blink Professional / Personal
  - Kill-bit Windows Media Player (clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6)
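The slide's third mitigation, setting the kill bit for the Windows Media Player control, is a registry change: Internet Explorer refuses to instantiate any CLSID whose entry under the ActiveX Compatibility key carries the 0x400 flag in "Compatibility Flags". The script below is an added example (not eEye's code) that sets the flag for the CLSID given on the slide without clobbering any other compatibility flags already present, handles the Wow6432Node copy that 32-bit IE on 64-bit Windows reads, and verifies the result.

```powershell
# Added example (not from the eEye deck): set and verify the kill bit for the
# Windows Media Player ActiveX control named on the MS10-027 slide.
# Run from an elevated PowerShell prompt.

$clsid   = "{6BF52A52-394A-11d3-B153-00C04F79FAA6}"   # CLSID from the slide
$killBit = 0x400                                        # "do not instantiate" flag

# Native key plus the WOW64 copy used by 32-bit IE on 64-bit Windows
$compatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
)

function Get-CompatFlags {
    param([string]$Key)
    # Returns 0 when the key or the value does not exist yet
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return [int]$props."Compatibility Flags"
}

function Set-KillBit {
    param([string]$CompatKey, [string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into whatever flags are already set for this control
    $flags = (Get-CompatFlags $key) -bor $killBit
    New-ItemProperty -Path $key -Name "Compatibility Flags" -Value $flags -PropertyType DWord -Force | Out-Null
}

function Test-KillBit {
    param([string]$CompatKey, [string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    return (((Get-CompatFlags $key) -band $killBit) -ne 0)
}

foreach ($compat in $compatKeys) {
    if (-not (Test-Path $compat)) { continue }   # Wow6432Node is absent on 32-bit Windows
    Set-KillBit $compat $clsid
    $state = if (Test-KillBit $compat $clsid) { "kill bit set" } else { "FAILED" }
    Write-Host ("{0,-12} {1}" -f $state, (Join-Path $compat $clsid))
}
```

Test-KillBit is the check to keep: it can be run alone across a fleet to confirm the control stays disabled, and it distinguishes a missing key from a key whose flags were later overwritten. Expect intranet pages that embed Media Player through this CLSID to stop rendering the control while the kill bit is in place.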

16 Microsoft’s Security Bulletin: MS10-028 – Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
- Two vulnerabilities fixed in bulletin
  - Visio Attribute Validation Memory Corruption Vulnerability – CVE-2010-0254
  - Visio Index Calculation Memory Corruption Vulnerability – CVE-2010-0256
- Criticality: Moderate – patch where possible
- Similar to the Publisher vulnerability this month
  - Same class of vulnerability as the Publisher vulnerability this month
  - Attackers are not likely to target this vulnerability except in very targeted scenarios
  - .VS* files are easily blocked from the network
- Mitigation
  - Apply patch immediately
  - Use Blink Professional / Personal
  - Prevent .VS* files from being downloaded via web or email

17 Microsoft’s Security Bulletin: MS10-029 – Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
- A single vulnerability fixed in bulletin
  - ISATAP IPv6 Source Address Spoofing Vulnerability – CVE-2010-0812
- Criticality: Low to Moderate
- IP address spoofing
  - This is an IP address spoofing vulnerability within encapsulated IPv6 traffic
  - Attackers are not likely to target this vulnerability except in very targeted scenarios
  - Only affects systems implementing IPv6 traffic and ISATAP
- Mitigation
  - Apply patch immediately
  - Use Blink Professional / Personal
  - Block IP protocol type 41 (ISATAP) at the firewall
  - Disable ISATAP IPv6 interfaces
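The last two mitigations on the slide are applied below as an added example (not eEye's code): the ISATAP tunnel interface is disabled with netsh, and IP protocol 41 (IPv6 encapsulated in IPv4, which carries ISATAP) is blocked with a Windows Firewall rule as a host-level complement to the perimeter block the slide recommends. The rule name is an assumption. It needs the advfirewall context, i.e. Windows Vista / Server 2008 / 7 or later, and an elevated prompt.

```powershell
# Added example (not from the eEye deck): apply the MS10-029 workarounds
# (disable ISATAP, block protocol 41) and report the resulting state.
# Run from an elevated PowerShell prompt.

$ruleName = "Block-IPv6-in-IPv4-proto41"   # rule name is an assumption; no spaces so netsh quoting is simple

function Disable-Isatap {
    # Turns the ISATAP tunnel adapter off so no encapsulated IPv6 is accepted through it
    netsh interface isatap set state disabled | Out-Null
}

function Get-IsatapState {
    # Returns the value of the "ISATAP State" line, e.g. "disabled"
    $line = netsh interface isatap show state | Where-Object { $_ -match "State\s*:" }
    return (($line -replace "^.*State\s*:\s*", "") | Out-String).Trim()
}

function Add-Proto41Block {
    param([string]$Direction)   # "in" or "out"
    # netsh creates duplicate rules with the same name, so check first
    $existing = netsh advfirewall firewall show rule name=$ruleName dir=$Direction 2>$null
    if ($existing -match "Rule Name:") { return }
    netsh advfirewall firewall add rule name=$ruleName dir=$Direction action=block protocol=41 | Out-Null
}

function Test-Proto41Block {
    param([string]$Direction)
    # True when a rule of that name exists for the direction with protocol 41 and action Block
    $out = netsh advfirewall firewall show rule name=$ruleName dir=$Direction 2>$null
    $hasProto  = @($out -match "Protocol:\s+41").Count -gt 0
    $hasAction = @($out -match "Action:\s+Block").Count -gt 0
    return ($hasProto -and $hasAction)
}

Disable-Isatap
foreach ($dir in "in", "out") { Add-Proto41Block $dir }

Write-Host ("ISATAP state : {0}" -f (Get-IsatapState))
foreach ($dir in "in", "out") {
    $label = if (Test-Proto41Block $dir) { "blocked" } else { "NOT blocked" }
    Write-Host ("proto 41 {0,-3} : {1}" -f $dir, $label)
}
```

Blocking protocol 41 stops every IPv6-in-IPv4 tunnel on the host, not only ISATAP (6to4 uses the same protocol number), so confirm nothing depends on such tunnels before rolling the rule out; the ISATAP state check and Test-Proto41Block can be run on their own afterwards to confirm the workaround is still in place.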

18 Security Landscape – More Than a Microsoft World
- CTO/CSO/CxO news
  - Palm Inc looking for buyers – Lenovo, Cisco, Nokia all potential buyers
  - IBM and Verizon develop cloud-based vault system
  - Yahoo email of journalists hacked – targeted attacks from China
  - Google and Microsoft push for fixing privacy laws
- IT admin news
  - 88 percent of Fortune 500 show Zeus botnet activity
  - Adobe and Oracle patches
  - Apache.org compromise
  - Microsoft Windows Vista SP0 EOL’d
- Researcher news
  - RIP – Microsoft Windows DEP – it was a nice run
  - Sun Java 0day flaw
  - PHP 6.0 0day flaw
  - Tool of the month – USBlyzer

19 eEye Digital Security – Award Winning Products
- Retina® Network Security Scanner – unsurpassed vulnerability assessment & remediation
- Blink® Unified Client Security with Anti-virus – multi-layer threat mitigation & system protection
- Iris® Network Traffic Analyzer – visual data monitoring & reassembly
- SecureIIS™ Web Server Protection – proactive web server security

20 Contact
- eEye Research – skunkworks@eeye.com
- eEye Research Service Inquiries – services@eeye.com

