There seems to be a lot of discussion regarding the 7 years it took for Microsoft to patch against SMBRelay (the name of a tool published in 2001.) There’s some speculation that Microsoft is only now addressing the issue because a Metasploit module was added in 2007 to exploit the vulnerability. Here’s our take.

Should Microsoft have patched SMB sooner? Why? Who has been adversely affected by the vulnerability? We’ve never had an Incident Response case that involved abuse of it. Given the fact that we now know there was a solution to the puzzle, chances are that solution was stumbled upon by accident in one of those “Eureka” moments. Once that idea was finally conceived, of course, it made sense for them to produce a patch, but do try to appreciate just what was at stake as they attempted to implement it and test it. Thousands, if not hundreds of thousands of 3rd party applications are based on SMB working just the way it does. Break it while patching the vulnerability and you’d have a lot of upset people.

(more…)

Today Microsoft released a patch for the “click-jacking” vulnerability announced by Robert Hanson in September. The issue, as you may remember, was that exploiting this vulnerability (in all versions of XMLHTTP but 3.0) allowed him to cause your click on a web page to be directed at anything he wanted. So you might have thought you were clicking a URL to http://securityblog.verizonbusiness.com, but you’d visit http://Ive_Got_You_Now_Sucker.com.

(more…)

From January to July 2008 Microsoft’s technologies disinfected just over 8 million more computers than it did in the previous six month period according to their just released 5th Security Intelligence Report.

Such a statement will make many jump to the conclusion that the state of crimeware is getting worse. But such a conclusion may not be accurate. For example, the increase in distinct computers cleansed in this latest period is just under 50%, whereas in the 2H07 report the increase was just over 79%. The increase in 1H07 was 95%. So the percentage increase this time around is smaller than it has been previously. The same can be said for the number of distinct infections cleansed. 1H08 was 47% higher than 2H07, but 2H07 was 219% higher than 1H07 and 1H07 was 80% higher than 2H06.

(more…)

Microsoft rarely releases these out of cycle patches, but when they do lots of people get excited. It should come as no surprise that we aren’t.

If you want to get an idea of what could happen as a result of this vulnerability, think MS06-040/Graweg/Mocbot/SDBot/August-September 2006. MS06-040 was a similar vulnerability which allowed criminals to gain control of systems they could reach via Server Message Block (SMB). Of course if you can get to someone’s machine via SMB, there’s a lot of harm that could possibly be done.

(more…)

By Wade Baker

“Attacks vary, therefore risk management doesn’t work.” To be fair, that’s not a direct quote from a recent Dark Reading article entitled “Why Risk Management Doesn’t Work”, but it is an accurate expression of its message. Like us (and Alex Hutton of RMI), you may be thinking that something about that message doesn’t seem quite right. Congratulations – you’re a logician.

Non sequitur is a Latin phrase meaning “it does not follow.” It applies to an argument where the conclusion does not logically follow from the premise. Need a good example? Check out the Dark Reading article which discusses our 2008 Data Breach Investigations Supplemental Report. Actually, the article itself isn’t bad; it does a fine job covering some of the findings from our report. My main objection is with the logical conclusion implied in the title which, oddly, doesn’t seem to square with what the article spends most of its time discussing.
(more…)

by Dave Kennedy

We humans introduce risk regardless of our good intentions.  We security types tend to be a paranoid lot, thinking every unfortunate event is evidence someone is out to get us.  Yet we are regularly reminded of Hanlon’s Razor, quoted above.  Recently, we have two high-profile “oopsies” which demonstrate the premise of Hanlon’s Razor, namely that not all bad outcomes have an evil-doer involved.

Last week, a colleague at Verizon Business wanted to inform his customers and colleagues that we had published a supplement to our Data Breach Investigations Report. He crafted an e-mail message and used a list of addresses from a public (non-Verizon) website for the “To:” line in Outlook.  Oops.  He had intended to use the blind carbon copy (BCC) address line to ensure privacy of the recipients, but this did not happen. Certainly, in this case, his actions counted more than intentions.  Of course, he knows this is an easy-to-make error and thus one to guard against.  The earliest instance I’ve found of this bcc mishap dates back to 2001, but we can be pretty sure this mistake is older than that.

(more…)

By Wade Baker

Today, we released a supplement to our 2008 Data Breach Investigations Report (DBIR) that focuses on four major industry groups. As many of you know, the original document compiled four years of data from over 500 cases worked by our Investigative Response team and was intended to be a kind of “state of the union” look at recent security breach and data compromise trends.

(more…)

How many times have you been asked about the Return On Investment (ROI) for some security product you were thinking of purchasing? For most of you, it’s probably a great deal. And determining ROI has likely not been easy either. How much productivity might be lost due to a breach? How do I count the time? Do I base it on wages, lost sales, reputation, or damage?

(more…)

For those of you just returning from vacation, you’ll be pleased to see that there are only four patches this month for your consideration. Verizon Business believes that patch application is something which is done better when you fully understand what the patch is for, what it does, and what risks exist while you’re unpatched. This knowledge and consideration lets you more appropriately schedule patches to avoid business disruption.

(more…)

by Russ Cooper

This month gives us numerous Microsoft Office patches (MS08-042, MS08-043, MS08-044 and MS08-051), including at least one (MS08-042) that addresses a vulnerability which has reportedly been used in another highly targeted attack.

We’ve also been given a patch (MS08-041) to address the Access Snapshot Viewer ActiveX control that is being actively targeted by criminals. Luckily, this control is rarely deployed so the actual number of victims is believed to be quite low.

Meanwhile, our concern is with the Cumulative Internet Explorer Update (MS08-045) and the IPsec Policy issue (MS08-047.) In the IE patch is a vulnerability involving memory allocation. This vulnerability cannot be mitigated by disabling Active Scripting, and also affects IE systems configured to run in the Enhanced Security mode. Details of how to exploit this vulnerability have not yet, however, been publicly disclosed so we can only hope that exploits do not arise before the patch can be installed.

As for the IPsec Policy issue, networks that use IPsec and believe they are encrypting their traffic may not in fact be encrypting. The problem is likely to be very rare at this point, given that a requirement is that the client system gets its IPsec policy information from a Windows Server 2008 system. Never-the-less, verifying that traffic you expect to be encrypted is actually encrypted is a good idea.

We have two patches (MS08-044 and MS08-046) pertaining to image format file parsing again. Even with numerous image vulnerabilities in the past we still do not see any exploits of this type, leading us to believe that the risk of attacks against these new ones is low.

Patches for Outlook Express and Windows Mail (MS08-048) normally don’t concern us very much because they’re rarely used in a corporate environment, but this one does cause some concern due to the fact that it involves MIME HTML (MHTML), which can be invoked via IE.

A vulnerability in COM+ Event System (MS08-049) and a Windows Messenger ActiveX control (MS08-050) round out the month’s offerings. Neither is terribly worrisome.

All in all, a busy month, but not really that much to worry about.