Posted on 06/13/2012 9:39:00 PM PDT by OldEarlGray
Summary: Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.
Microsoft today warned that cyber-criminals could soon aim exploits at critical security flaws in the Internet Explorer browser and in Windows to take complete control of vulnerable machines.
The warning comes as part of this month's Patch Tuesday, in which Microsoft released seven bulletins with fixes for at least 26 documented vulnerabilities affecting the Windows ecosystem.
The company is urging users to pay special attention to MS12-037 and MS12-036, which fix remote code execution vulnerabilities that could be exploited in worm attacks and drive-by downloads without meaningful user interaction.
MS12-037, which affects all supported versions of the IE browser, fixes 13 vulnerabilities that expose users to computer hijack attacks if a user simply browses to a rigged web site. Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.
The company warned that information on one of the browser flaws is already publicly available, which means that attackers have already gotten a head start on preparing attacks.
The second high-priority bulletin is MS12-036, which covers a dangerous flaw in the way Microsoft implements the Remote Desktop Protocol (RDP) in Windows. Attack vectors for this issue include maliciously crafted websites and e-mail, the company warned.
This is the second major RDP flaw to hit Windows in the space of a few months.
According to Marc Maiffret, CTO at BeyondTrust, the Internet Explorer and RDP issues present the more immediate exploitable threats.
"Given the value of Remote Code Execution on RDP there will surely be a lot of folks trying to weaponize that vulnerability. Only time will tell if people are successful with this RDP flaw where they were not with the one in March," Maiffret added.
Windows users and administrators will also want to treat the MS12-038 bulletin with the highest possible priority. From the bulletin:
This security update resolves one privately reported vulnerability in the Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions.
Microsoft also expects to see exploit code for this vulnerability within the next 30 days.
In addition to the security bulletins, Redmond's security response team is also releasing an automatic updater for untrusted certificates on Windows Vista and Windows 7.
The new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted.
"With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update. This new automatic update mechanism, which relies on a list of untrusted certificates known as a Disallowed Certificate Trust List (CTL), is detailed on the PKI blog. We encourage all customers to install this new feature immediately," Microsoft said.
In August, Microsoft is also planning to release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. "Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority," Microsoft explained.
These changes follow the discovery that the Flame malware, widely attributed to a nation-state, spread inside Windows networks by intercepting Windows Update requests and serving a binary signed with a rogue certificate that chained up to a Microsoft certificate authority.
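Before the August change lands, an administrator will want to know which certificates in the local stores would start failing, and what the new updater has already placed in the untrusted store. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes an elevated PowerShell 3.0 or later session on Windows Vista/7 or Server 2008/R2; the 1024-bit threshold is the one Microsoft announced above, and the store names are the standard ones exposed by the Cert: provider.

```powershell
# Added example, not code from the article or from Microsoft.
# Inventory certificates in the local stores whose RSA public key is shorter
# than the announced 1024-bit minimum, and show what the new automatic updater
# has already placed in the Disallowed (untrusted) store.
# Assumes an elevated PowerShell 3.0+ session on Windows Vista/7 or Server 2008/R2.

$MinRsaBits = 1024                      # threshold from Microsoft's announcement
$RsaOid     = '1.2.840.113549.1.1.1'    # rsaEncryption: only RSA keys are affected

function Get-WeakRsaCertificates {
    param([int]$MinimumBits = $MinRsaBits)

    # Cert:\ is the certificate provider; recursing walks both CurrentUser and
    # LocalMachine and every store under them (Root, CA, My, Disallowed, ...).
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            if ($cert.PublicKey.Oid.Value -ne $RsaOid) { return }   # skip DSA/ECC keys
            try   { $bits = $cert.PublicKey.Key.KeySize }
            catch { return }                                        # unreadable key blob
            if ($bits -lt $MinimumBits) {
                [PSCustomObject]@{
                    # PSParentPath looks like "...Certificate::LocalMachine\Root"
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    KeyBits    = $bits
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

function Get-DisallowedCertificates {
    # Entries from the Disallowed CTL land in this store once the updater runs.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

$weak = @(Get-WeakRsaCertificates)
if ($weak.Count -gt 0) {
    "Certificates with RSA keys shorter than $MinRsaBits bits (will be treated as invalid):"
    $weak | Sort-Object KeyBits, Store | Format-Table -AutoSize
} else {
    "No RSA keys shorter than $MinRsaBits bits found in the local certificate stores."
}

"Current contents of LocalMachine\Disallowed:"
Get-DisallowedCertificates | Format-Table -AutoSize
```

Two caveats when reading the output. The weak-key check only covers certificates already in the local stores; a short key anywhere in a chain presented by a remote endpoint (an internal web server issued by an old enterprise CA, for instance) will also fail validation after the change, so those chains need checking separately. And the two mechanisms are independent: the Disallowed CTL blocks specific certificates by identity regardless of key size, which is how a forged certificate with a perfectly strong key, as in the Flame case, gets cut off.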
I agree that hardware acceleration is an excellent solution, if it is installed in a project from inception. If the system is not equipped with the hardware cards already then it usually means scaling the existing infrastructure by some multiplier. I find your observation about government inability to decipher might be interpreted more as a political constraint rather than a technical limit. That said, I would expect conservative thinkers to reject a government decryption snoop on everything we do. I admire your well thought-out post, you hit the target.
I find your observation about government inability to decipher might be interpreted more as a political constraint rather than a technical limit. That said, I would expect conservative thinkers to reject a government decryption snoop on everything we do.
I've been interested in cryptography for quite a while, and I've watched a lot of the discussions that have surrounded it, especially as it concerns government agencies. The government really doesn't like crypto at all. I don't know if you're aware, but cryptography used to be heavily controlled as an export product. (still is to some degree - figures, the government doesn't think foreigners can do math). Phil Zimmermann, the guy who wrote PGP, was under threat of federal charges for quite some time because he open-sourced the code to the program. The uncertainty and roadblocks generated by FedGov were a major reason the internet didn't develop stronger privacy protections in the days before the net was noticed by the vast majority of the public. The main conclusion I took from this was that they believe in privacy that goes one way, and that is their way. Extracting information from FedGov is like pulling teeth (See Fast & Furious), but they want to be able to read anything you send on the net. You might be surprised at how much of the internet passes through points that FedGov has direct access to. Anyone who thinks they aren't snooping hasn't been paying attention.
I admire your well thought-out post, you hit the target.
Gee thanks! Doesn't happen often. Trust me. :-)
"Home users read the news, email and download music. Some, but fewer, use the PC for creating and managing files of various form. for those who meddle with pirated software.. well, they get what they deserve"
"Malware can be a thing of the past if you familiarize yourself with and use a program called "Sandboxie". "--FunkyZero (Aka Wile E Coyote, Suuuper Administrator)
Something like what MS is supposedly doing with Windows 8 -- where the signing cert is in hardware, and everything from bios-boot forward will (supposedly) be verified as trustable. Unless of course there's a little problem with the MS Root certificate itself being untrustable...
Horses Out. Check.
Barndoor Closed. Check.
Security from the geniuses who thought VB Script in Email was a great idea. Check.
Which of course is why...
"This attack from an unknown source but likely related to Stuxnet, disabled one of the lists and thereby interrupted an important source of information for power plants and factories.[24]"
Oops.
And then there's the more general issue of the Stuxnet / Duqu / Flame methodology being reverse engineered and COPIED, presumably by some entity operating in a framework of governance that is not constrained by our specified purpose for American governance:
"TO SECURE THESE RIGHTS, governments are instituted among men.".
[A third option would be to secure them on a different level not involving the user]
Windows 8 PCs will ship with Microsoft's certificate stored in UEFI (and possibly other certificates, depending on the manufacturer). UEFI will check the boot loader before launching it and ensure it's signed by Microsoft. If a rootkit or another malware program does replace your boot loader, UEFI won't allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.
http://www.howtogeek.com/116569/htg-explains-how-windows-8s-secure-boot-feature-works-what-it-means-for-linux/
That's a good start.
In addition, MS needs to implement process specific claims assignment instead of the ridiculous notion of UserIDs operating in a full trust contract with the rights of whatever groups they happen to be assigned to.
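To see what that root of trust actually contains on a given machine, the following PowerShell is an added example, not code from the thread or from the linked How-To Geek article. It assumes Windows 8 or later on UEFI firmware, an elevated session, and the Secure Boot cmdlets that ship with those versions; the EFI_SIGNATURE_LIST layout and the X.509 / SHA-256 signature-type GUIDs it decodes are taken from the UEFI specification.

```powershell
# Added example, not code from the thread or from How-To Geek.
# Reports whether Secure Boot is enforcing and decodes the firmware's
# authorized signature database (db) to list the certificates a boot loader
# may be signed with. Assumes Windows 8+ on UEFI firmware and an elevated
# session; the EFI_SIGNATURE_LIST layout and GUIDs are from the UEFI spec.

$EfiCertX509Guid   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootState {
    # $true = enforcing, $false = disabled; the cmdlet throws on legacy BIOS boot.
    try { Confirm-SecureBootUEFI } catch { Write-Warning $_.Exception.Message; $false }
}

function Get-SecureBootSigners {
    param([ValidateSet('db','dbx')][string]$Variable = 'db')   # db = allowed, dbx = forbidden

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType | UINT32 SignatureListSize | UINT32 SignatureHeaderSize |
    #   UINT32 SignatureSize | header bytes | EFI_SIGNATURE_DATA[] (GUID owner + data)
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = New-Object System.Guid -ArgumentList (,[byte[]]$bytes[$offset..($offset+15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16) { break }       # corrupt list: stop, don't loop

        $entry = $offset + 28 + $headerSize
        $end   = [Math]::Min($offset + $listSize, $bytes.Length)
        while ($entry + $sigSize -le $end) {
            $owner = New-Object System.Guid -ArgumentList (,[byte[]]$bytes[$entry..($entry+15)])
            $data  = [byte[]]$bytes[($entry+16)..($entry+$sigSize-1)]
            if ($sigType -eq $EfiCertX509Guid) {
                # DER-encoded certificate: the firmware trusts anything chaining to it
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$data)
                [PSCustomObject]@{ Type='X509'; Owner=$owner; Subject=$cert.Subject; Issuer=$cert.Issuer; NotAfter=$cert.NotAfter; Thumbprint=$cert.Thumbprint }
            } elseif ($sigType -eq $EfiCertSha256Guid) {
                # Raw SHA-256 of a specific binary, common in dbx revocation entries
                $hex = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                [PSCustomObject]@{ Type='SHA256'; Owner=$owner; Subject=$hex; Issuer=''; NotAfter=$null; Thumbprint='' }
            }
            $entry += $sigSize
        }
        $offset += $listSize
    }
}

$state = Get-SecureBootState
"Secure Boot enforcing: $state"
if ($state) {
    "Signers the firmware will accept for a boot loader (db):"
    Get-SecureBootSigners -Variable db | Format-Table Type, Subject, Issuer, NotAfter -AutoSize
    "Forbidden entries (dbx): " + @(Get-SecureBootSigners -Variable dbx).Count
}
```

On a typical OEM machine the db output shows a Microsoft Windows production CA next to Microsoft's third-party UEFI CA and whatever the manufacturer added. Every certificate in that list is one the firmware will accept without further question, so the "MS root certificate itself being untrustable" worry raised earlier in the thread applies to each entry here, and the only recourse for a bad one is a dbx update that the firmware actually applies.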
[but don't ever insinuate that I participate in illegal activity again.]
I'm not the one shilling "free"ware with the idea that music should be downloaded from within a SandBoxie, Wiley.
You remind me of folks who think they're protected from AIDS because some pharmaceutical snake-oil company sold them a pill to protect them from the due penalty for their perversions.
http://www.ehealthme.com/ds/lamivudine/pseudomyxoma+peritonei
See Wiley, there's that "sa-God" complex vs the 1st commandment conflict articulated in Romans 1:20++, again.
That's a behavioral problem rooted in the calibration of the moral compass the operator's framework is booted with.
You sure you're not an apple administrator?
"Go ahead, take a byte, it's "free"..."
>>There are currently over 8600 windows devices on my network
8600 windoze devices on the ACME botnet ehh Wiley? {yawn}
30,000 -- Well, thats a little more impressive... for a non-government-sponsored bot-net anyhow.
Both MasterCard and Visa also had their public websites knocked offline by a hive of as many as 3,000 activists who had downloaded Web-attacking software, which was then turned on different websites.
{Sigh} Alas! If only Visa and Mastercard had worn a pair of these here ACME Sand-Boxers...
...the malware attacking them would've been a thing of the past and the organized cyber-criminals who perpetrate such mischief would've been discouraged from skimming their way out of Cyberia ever again. Alas!/s
As for the problem with it being freeware, my entire desktop is nothing but freeware, from the OS up. Given the utility and security it provides me I fail to find that as a charge against it. Yes, it's probably not a really good idea to take the top hit on Google for something like this, but I also figure that if you're going to take the time to implement sandboxing, it would make a wee bit of sense to also take the time to figure out if it is a good solution for you.
As for getting the VM solution by those who created the OS, that's a pretty iffy statement. As far as security goes, Microsoft, as a vendor doesn't exactly have a sterling history. Of the VM solutions out there, I personally like VMware better, because I like the feature set and stability. I don't have any particular animus towards virtualPC, but last time I took the time to look at it, it was several years behind VMware. That may not be true now, as microsoft has a history of continuing to slog along with inferior products until they finally get it right.
Having choice in the marketplace for different solutions is a Good Thing IMO, because not every solution will fit every need. Sometimes it takes time and effort to even determine what your needs are, and a little trial and error to discover what fills them. I'm just glad we have options and don't have to take just whatever it is that a single vendor decides to make available. Do you recall what happened with Internet Explorer once Microsoft had driven Netscape out of business? They sat on their asses for years while the rest of the world who wanted a browser that actually worked and had things like tabs passed them by. I still think IE is a steaming pile of crap that has market space primarily because of the inertia provided by the lazy and clueless who don't even know about the alternatives. That's my own personal opinion though, given my personal experiences with it. YMMV.
HAND!
"This attack from an unknown source but likely related to Stuxnet, disabled one of the lists and thereby interrupted an important source of information for power plants and factories.[24]"
Yup. sucks to be attacked by your own government. I expect such things will happen more in the future. Not much to be done about it though, because they are willing to use their guns, and we apparently aren't.
Bookmark
Ok, now you’re just creeping me out. Please stop with the messages, I’m getting off this crazy train right here.
"Malware can be a thing of the past if you familiarize yourself with and use a program called "Sandboxie"."
FAIL.
NO SALE.
>>sucks to be attacked by your own government.
I wouldn’t characterize it as being attacked by our own government - but rather a probable case of unintended collateral damage.
But now that the cat is out of the bag and third parties are reverse engineering the technology, it’s only a matter of time before weapons like these are in somebody else’s arsenal.
Are we prepared?
Ping
I wouldnt characterize it as being attacked by our own government - but rather a probable case of unintended collateral damage.
I have never before been accused of rhetorical excess in all of my life. Never! I tell you, Never!
I’m not joking. Stop with the messages. You are practically stalking me at this point as it appears you have done to others. Knock it off and leave me alone.