Archive for July, 2009

Lost productivity rather than attacks the real risk from ATL Issues

Thursday, July 30th, 2009

by Peter Tippett and David Kennedy

Acetaminophen and antacid consumption among enterprise IT staff is likely on the increase following Microsoft's recent release of two Security Bulletins, one for Internet Explorer and one for Visual Studio. The underlying problem has the potential to be both far-reaching and subtle. We would like to offer a dose of reason, in the hope that your stress-induced ailments will at least be caused by wrestling with the real problem: the greatest risk from these announcements is not attacks, but the productivity lost to the scope of, and confusion around, the ATL issue.

To be clear, we do expect attacks, but we do not believe they will be novel or pervasive. We have seen hundreds of browser vulnerabilities over the years, and the pattern of successful exploits is well understood: such attacks mainly result in home-user machines being absorbed into large-scale botnets. Our series of Data Breach Investigations Reports, covering nearly 600 breaches studied over five years, consistently finds that browser vulnerabilities rarely contribute (even incidentally) to significant enterprise data breaches.


Just do it – MS09-034: Elegant Security Buttress for Internet Explorer

Wednesday, July 29th, 2009

The Microsoft Active Template Library (ATL) issue described in MS09-035 has revealed that a great many Component Object Model (COM) programs may be vulnerable to exploitation in a way their developers may not have realized. Internet Explorer is not the only program that hosts COM objects, but it is the most likely primary attack vector for criminals to reach vulnerable code through ActiveX controls, as is the case with the current criminal activity targeting the Microsoft Video Control that was the subject of MS09-032.

MS09-034 includes two significant new features, both intended to harden IE so that it can protect users from exploitation of vulnerable controls.


ATL/ActiveX issues are not the end of the World

Tuesday, July 28th, 2009

Executive Summary

Security-related issues exist in some programs written using the Microsoft Active Template Library (ATL) that could allow code execution when a user browses to a web site under criminal control. If a programmer created a code object using the ATL, the final product could potentially contain an exploitable vulnerability. We say "potentially" because, at this time, no systematic attack is known to exist; however, many popular programs used in conjunction with Internet Explorer (IE) are vulnerable, and at least three discrete ActiveX controls are currently being exploited to compromise systems. Enterprises should assess the mission impact of preventing vulnerable controls from running. This is best achieved by using a Group Policy Object (GPO) to allow only Administrator-approved ActiveX controls to run and by supplying a white list of known good, or patched, controls.

Update 2009-07-29:  The reader’s attention is invited to additional information immediately above the tags in the full article.
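The two practical steps these posts point at, checking which controls Microsoft's kill-bit updates (such as MS09-032) have already blocked and blocking a control you have decided not to allow, can be done from PowerShell. The script below is an added example and is not the blog's or Microsoft's own code. It relies only on the documented kill-bit mechanism (a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key); the CLSID at the bottom is a placeholder, not a real control, and writing the key requires an elevated prompt.

```powershell
# Added example (not the blog's own code): audit and set Internet Explorer
# ActiveX kill bits from PowerShell. A DWORD "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# with bit 0x400 set tells IE never to instantiate that control.
# 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key, so both
# locations are handled. Setting a bit requires an elevated prompt.

$KillBitFlag = 0x400
$CompatKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function ConvertTo-ClsidString {
    # Normalise "1234-..." or "{1234-...}" to the upper-case {GUID} form used as a key name;
    # the [guid] cast rejects anything that is not a well-formed GUID.
    param([Parameter(Mandatory)][string]$Clsid)
    return '{' + ([guid]$Clsid.Trim('{}')).ToString().ToUpper() + '}'
}

function Get-KillBittedControls {
    # Enumerate every CLSID under the compatibility keys and report whether the
    # kill bit is set, plus the control's name and DLL from the Classes hive
    # (best effort: a kill-bitted CLSID need not be registered on this machine).
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path $base)) { continue }   # no Wow6432Node on 32-bit Windows
        $isWow    = $base -like '*Wow6432Node*'
        $classes  = if ($isWow) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
        foreach ($sub in Get-ChildItem -Path $base) {
            $clsid = $sub.PSChildName
            $flags = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -eq $flags) { $flags = 0 }
            $name = $module = $null
            $classKey = Join-Path $classes $clsid
            if (Test-Path $classKey) {
                $name   = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
                $module = (Get-ItemProperty -Path (Join-Path $classKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            }
            [pscustomobject]@{
                Clsid   = $clsid
                KillBit = (($flags -band $KillBitFlag) -ne 0)
                Flags   = ('0x{0:X}' -f [int]$flags)
                Name    = $name
                Module  = $module
                Hive    = $(if ($isWow) { 'x86' } else { 'native' })
            }
        }
    }
}

function Test-KillBit {
    # True only if the CLSID carries the kill bit in every compatibility hive present.
    param([Parameter(Mandatory)][string]$Clsid)
    $Clsid  = ConvertTo-ClsidString $Clsid
    $result = $true
    foreach ($base in ($CompatKeys | Where-Object { Test-Path $_ })) {
        $flags = (Get-ItemProperty -Path (Join-Path $base $Clsid) -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or ($flags -band $KillBitFlag) -eq 0) { $result = $false }
    }
    return $result
}

function Set-KillBit {
    # OR the kill bit into any flags already present rather than overwriting them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Clsid)
    $Clsid = ConvertTo-ClsidString $Clsid
    foreach ($base in ($CompatKeys | Where-Object { Test-Path $_ })) {
        $key = Join-Path $base $Clsid
        if ($PSCmdlet.ShouldProcess($key, 'set Compatibility Flags bit 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -eq $current) { $current = 0 }
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
        }
    }
}

# Report what is already kill-bitted on this machine (e.g. after MS09-032).
Get-KillBittedControls | Where-Object { $_.KillBit } | Sort-Object Clsid |
    Format-Table Clsid, Name, Module, Hive -AutoSize

# Placeholder CLSID for illustration only; substitute the control you have decided to block.
$Target = '{11111111-2222-3333-4444-555555555555}'
Set-KillBit -Clsid $Target -WhatIf     # drop -WhatIf to apply, from an elevated prompt
"Kill bit set for ${Target}: $(Test-KillBit $Target)"
```

Two caveats worth keeping in mind when using this. A kill bit stops Internet Explorer from instantiating the control; it does nothing for other COM hosts, which is exactly why the posts above stress that IE is the most likely attack vector rather than the only one. And because the bit removes the control from every site, not just hostile ones, the report from Get-KillBittedControls (name and DLL path) is there so the mission-impact assessment the summary recommends can be made before the bit is set; in an enterprise the same value would normally be pushed by GPO rather than by a script run per machine.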


Talking about Risk

Wednesday, July 15th, 2009

by William Murray


Not so long ago, but in a different era, rogue hackers were building tools to automate the creation of viruses and worms that exploited newly publicized vulnerabilities. They boasted that these tools were enabling them to develop malicious code faster and faster, and that soon they would be able to create an attack within twenty-four hours of the identification of a vulnerability. Thus was born the idea of the "zero-day" attack. Note that "zero-day" is a term of art, that it modifies "attack", and that it is relative to the identification of the vulnerability.

While it is sometimes used to refer to a previously unknown vulnerability, the words have no meaning in that context. "Zero-day" relative to what? To yesterday? The term has lost its original meaning without gaining a new one. It has become an expression that not only carries no meaning of its own but confuses the meaning of any terms with which it is used. This aggravates the general problem in security that our terms of art, e.g. threat, attack, vulnerability, and risk, are used without distinction, not to say interchangeably. Multiple times a week I find myself parsing quotes about security in the media, in a sometimes vain attempt to figure out what the source intends.


How to rate a Security Event?

Thursday, July 9th, 2009

Today we published a notification to our security customers advising them that the latest Microsoft vulnerability, discovered only after in-the-wild criminal attacks, should be treated as "Hot." "Hot" is our term for something that needs to be addressed within seven days.

In June we published a similar advisory regarding the DirectShow vulnerability, also discovered only after in-the-wild criminal attacks, in which we rated the issue "Important." "Important" means to take action within thirty days.

Both issues were discovered only after in-the-wild criminal attacks, so why would we rate them differently?


Blog from Bryan Sartin

Thursday, July 9th, 2009

Bryan Sartin, our Director of Investigative Response, has a post over on Verizon’s “Think Forward” blog. If you’ve got the time, it’s an interesting read and related to many of our discussions here.