Posted on October 5th, 2009 by nabiy
Category: Tools, cleaning, security, windows

Microsoft Security Essentials
Microsoft is offering a free antivirus program called Security Essentials. It includes protection against viruses, spyware and other malware. I’ve just begun testing it in order to see if I would recommend it. The installation was simple, hassle free and it seems like it runs smoother than AVG, especially when opening documents in Microsoft Word (AVG occasionally hangs when working with documents). Security Essentials also has a “very good detection score” of 98.4% according to this article on PC World.
You can download Security Essentials for free from Microsoft here.
Posted on April 7th, 2009 by nabiy
Category: cleaning, malware removal, security
There is a really great list of repair tools for the Conficker worm here on the Conficker Working Group’s site, and they have a pretty cool infection test.
I personally think the Conficker worm is overhyped. The two main methods of infection have both been patched. Those two methods are a buffer overflow in the services process (which was patched way back with MS08-067) and the Autorun vulnerability (I mentioned that earlier in the blog). If your network admin is worth his salt then you have nothing to worry about, because the risk is easy to mitigate. Home users are also probably safe if auto-update is enabled and autorun has been disabled.
It also bothers me a little when I see the alerts go off like this for a threat that is overhyped. Why are they raising red flags now and not six months ago?
Posted on February 24th, 2009 by nabiy
Category: security
There is a highly publicized flaw in Adobe Reader that has been actively exploited since at least early February. According to Adobe’s Security Bulletin they are not planning on releasing a patch until March 11. In lieu of that patch I’d like to point out a few solutions that are currently available.
The first workaround is to turn off JavaScript. Do this by selecting Edit > Preferences > JavaScript and then unchecking “Enable Acrobat JavaScript”. This works because even though the exploit itself is not in JavaScript, the attack code generally does use it.
If you are responsible for the security of several computers you may wish to disable JavaScript via the registry. The guys at PhishLabs have pointed out how to do this. According to their blog you can disable JavaScript in Adobe Reader with this registry value:
HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
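As an added example (mine, not from the post or from PhishLabs), a PowerShell snippet that sets that value to 0 and reads it back, for every Reader version key present under the current user rather than only 9.0. It assumes bEnableJS is a DWORD where 0 means disabled, and that other Reader versions use the same <version>\JSPrefs layout as the 9.0 key quoted above.

```powershell
# Added example (not from the post): disable Acrobat JavaScript for the current user
# by writing bEnableJS = 0 under each Reader version key, then reading it back.
# Assumption: bEnableJS is a DWORD, 0 = disabled, 1 = enabled, and every subkey of
# "Acrobat Reader" is a version number with a JSPrefs subkey (true for 9.0 per the post).

$ReaderRoot = 'HKCU:\Software\Adobe\Acrobat Reader'

function Disable-AcrobatJavaScript {
    param([string]$Root = $ReaderRoot)

    if (-not (Test-Path $Root)) { return @() }      # Reader has never been run by this user

    foreach ($ver in Get-ChildItem -Path $Root) {
        $jsPrefs = "$Root\$($ver.PSChildName)\JSPrefs"

        # Reader only writes JSPrefs once the user has opened the preferences dialog,
        # so create the key if it is missing rather than failing.
        if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }

        Set-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -Value 0 -Type DWord

        # Read the value back so a failed write is visible in the report.
        $now = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS').bEnableJS
        New-Object PSObject -Property @{
            Version  = $ver.PSChildName
            Key      = $jsPrefs
            Disabled = ($now -eq 0)
        }
    }
}

Disable-AcrobatJavaScript | Format-Table Version, Disabled, Key -AutoSize
```

Run it in the user’s own session (the value lives under HKCU), and re-run the report after Reader has been started once to confirm it did not rewrite the value.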
The second workaround is to install a patch by Lurene Grenier, a vulnerability researcher at Sourcefire. You can download the patch from their blog here. I do not generally recommend this, as it may complicate Adobe’s update in the future, and disabling JavaScript should be enough.
Of course I should mention that I don’t even use Adobe Reader. For PDF reading I use the alternative reader by Foxit (here). It is a great lightweight reader that isn’t as high profile as Adobe (so it offers a lower attack payoff).
Posted on January 31st, 2009 by nabiy
Category: Tools, programming, security, windows
If you are like most network administrators you have had to deal with USB viruses as of late. CERT even issued an advisory about it (CERT Vulnerability Note VU#889747) labeling the autorun functionality a vulnerability. There are several workarounds, none of them useful if you do not have administrative privileges on the machine in question.
I think for most people this is the reality of the situation. For example, at my work the network I run is only a small part of a larger organization. Unfortunately the guys who run the rest aren’t really up to par when it comes to security and even general maintenance. I do not control all of the machines I come into contact with.
To address the issue with those other machines I have written a small tool called neverRun. This user mode application sits in your system tray until a new USB or network drive is connected to your machine. Once this is detected it scans the drive for any autorun.inf file and renames it. It does not clean any virus that might be present, but it will stop you from getting infected unless you purposely execute it.
Download the source code and the application here (For Windows XP).
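The behaviour described above, written as an added PowerShell example rather than neverRun’s own code: it subscribes to WMI volume-arrival events, renames any autorun.inf in the root of a newly attached drive, and sweeps the removable and network drives already present. It assumes WMI is available and that the console running it stays open, since the event subscription lives in that session.

```powershell
# Added example (not neverRun's source): rename autorun.inf on newly attached drives.
# Assumptions: WMI is available; Win32_VolumeChangeEvent EventType 2 = device arrival
# and DriveName carries the drive letter (e.g. "E:"); the session stays open.

function global:Disable-AutorunOnDrive {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)    # e.g. 'E:\'

    $autorun = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path -LiteralPath $autorun)) { return $null }

    # Worms usually mark the file hidden/system/read-only; clear that before renaming.
    (Get-Item -LiteralPath $autorun -Force).Attributes = 'Normal'

    # Timestamped name so repeated insertions of the same stick never collide.
    $renamed = 'autorun.inf.disabled-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
    Rename-Item -LiteralPath $autorun -NewName $renamed
    return (Join-Path $DriveRoot $renamed)
}

# Sweep drives that are already connected when the watcher starts.
# Win32_LogicalDisk DriveType: 2 = removable, 4 = network (the post's two cases).
Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 4 } |
    ForEach-Object {
        $moved = Disable-AutorunOnDrive -DriveRoot ($_.DeviceID + '\')
        if ($moved) { Write-Host "Renamed autorun.inf on $($_.DeviceID) -> $moved" }
    }

# Then react to every new volume as it arrives. The action block runs outside the
# script scope, which is why the function above is declared global:.
$query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'
Register-WmiEvent -Query $query -SourceIdentifier 'NeverRunWatch' -Action {
    $root  = $Event.SourceEventArgs.NewEvent.DriveName + '\'
    $moved = Disable-AutorunOnDrive -DriveRoot $root
    if ($moved) { Write-Host "Renamed autorun.inf on $root -> $moved" }
    else        { Write-Host "No autorun.inf on $root" }
}

Write-Host 'Watching for new drives. Run: Unregister-Event NeverRunWatch  to stop.'
```

As the post says, this only removes the launch vector; the executable the autorun.inf pointed at is still on the drive and still needs to be cleaned.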
Posted on January 3rd, 2009 by nabiy
Category: Chromium, Featured Articles, security
You might have seen the headlines about the recent successful attack against digital certificates signed using the MD5 hashing algorithm. This weakness affects everything from email to banking and it is important to be conscientious about what sites and certificates you trust. Fortunately there are a few things you can do to protect yourself.
The first thing you want to do is to tell your web browser to check for server certificate revocation. This ensures that the issuing CA has not revoked the server certificate. If someone’s certificate is forged and that certificate is revoked, you don’t want your browser to continue to trust it. To enable this option you need to open the Options tab, view “Under the Hood” and scroll down to the computer-wide SSL settings.
Another thing you might want to do is ensure your trusted website is not depending on the flawed algorithm. You can view the signature algorithm by first clicking on the secure connection icon in the omnibar.
This will display the security information for the website. Click Certificate Information to view details on the server certificate.
You want to examine the Signature algorithm in the details tab. As long as your trusted website is not using MD5 (md5RSA) you should be ok.
This means that your bank or email provider is not depending on the flawed algorithm. The only catch to this is that a phisher could forge this part of the certificate to provide misleading information. So only use this technique to verify that your currently trusted site is not depending on MD5.
If you find that a site you trust is using MD5 then my recommendation is not to use that online service, because even if the certificate hasn’t been compromised the security of the site is inadequate and those responsible for the security of the site haven’t taken the precautionary steps to ensure your online safety.
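The manual “Signature algorithm” check above can also be done from a script. The following is an added example (not from the post) that goes a step further than the browser dialog: it lists every certificate in the Windows trust stores whose signature algorithm is MD5-based, and offers the same check for a certificate file exported from the browser. It assumes Windows PowerShell’s Cert: drive and the standard PKCS#1 OIDs for md5WithRSA and md2WithRSA.

```powershell
# Added example (not from the post): find MD5-signed certificates in the local trust
# stores, and test a single exported certificate file the same way.
# Assumption: 1.2.840.113549.1.1.4 = md5WithRSAEncryption (shown as "md5RSA" in the
# Windows UI) and 1.2.840.113549.1.1.2 = md2WithRSAEncryption, both unacceptable.

$WeakSignatureOids = @('1.2.840.113549.1.1.4', '1.2.840.113549.1.1.2')

function Find-WeakSignedCertificate {
    param([string[]]$StorePath = @('Cert:\CurrentUser\CA',   'Cert:\LocalMachine\CA',
                                   'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'))
    foreach ($store in $StorePath) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $WeakSignatureOids -contains $_.SignatureAlgorithm.Value } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Store      = $store
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# Same test for one certificate saved from the browser's certificate dialog (.cer/.crt).
function Test-CertificateFileWeakSignature {
    param([Parameter(Mandatory=$true)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return ($WeakSignatureOids -contains $cert.SignatureAlgorithm.Value)
}

Find-WeakSignedCertificate | Format-Table Store, Algorithm, Subject, NotAfter -AutoSize
```

A self-signed root’s own signature is trusted by fingerprint rather than verified, so the hits that matter are in the CA (intermediate) stores and in the server certificates you check with the second function; the attack the post refers to worked by getting a CA to sign with MD5.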
Posted on December 4th, 2008 by nabiy
Category: Featured Articles, cleaning, malware removal, security, threatfire
I had never heard of ThreatFire until this weekend, and to be honest I wish that I could forget the experience. ThreatFire is a security monitoring system that hooks into your system and watches for malicious activity. It installs several filter drivers, including TfKbMon.sys which is installed as a keyboard filter driver (a legitimate keylogger).
What had happened is this driver either malfunctioned or didn’t uninstall properly, which rendered the keyboard useless. Actually, the keyboard was OK, it’s just that the filter driver was intercepting calls to the default PS/2 Windows driver (i8042prt.sys).
To correct the problem I ran the ThreatFire removal utility, which uninstalled the driver but left quite a bit in the registry, including the entry that called it as the upper filter driver for the keyboard. Now just the fact that this program has a removal utility aside from the regular uninstall routine should be a crapware warning sign in itself… Norton also has a removal utility… coincidence?
Anyway, after a bit of searching (RegScanner is a great tool for this) I found this key:
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}
which defines the UpperFilters for your keyboard. A normal configuration will only have kbdclass set for UpperFilters in this key. So I reset that and then imported a good registry entry for the i8042prt and kbdclass services (download).
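To find this kind of leftover without hunting through the registry by hand, here is an added PowerShell example (not from the post) that reads the keyboard class key above and reports every UpperFilters entry, flagging anything other than kbdclass and any filter whose service key or driver file no longer exists, which is the state that left the keyboard dead here. It assumes the same class GUID as the post and uses CurrentControlSet, the alias Windows keeps for the active ControlSet00N.

```powershell
# Added example (not from the post): audit the keyboard class UpperFilters stack.
# Assumption: CurrentControlSet points at the control set that booted (the post
# edited ControlSet001 directly); UpperFilters is REG_MULTI_SZ in load order.

$KeyboardClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'

function Get-KeyboardUpperFilters {
    param([string]$KeyPath = $KeyboardClassKey)
    $item = Get-ItemProperty -Path $KeyPath -Name 'UpperFilters' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.UpperFilters)
}

function Test-KeyboardFilterStack {
    param([string]$KeyPath = $KeyboardClassKey)
    foreach ($name in (Get-KeyboardUpperFilters -KeyPath $KeyPath)) {
        # Every filter named here must have a service key with a driver that still exists,
        # otherwise the class driver cannot be loaded and the keyboard stops working.
        $svc   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        $image = if ($svc -and $svc.ImagePath) { $svc.ImagePath } else { "system32\drivers\$name.sys" }
        # ImagePath may be written as \SystemRoot\..., \??\C:\..., or relative to %SystemRoot%.
        $image = $image -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
        if (-not [System.IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }
        New-Object PSObject -Property @{
            Filter       = $name
            IsStock      = ($name -eq 'kbdclass')
            ServiceKey   = [bool]$svc
            DriverOnDisk = (Test-Path -LiteralPath $image)
            ImagePath    = $image
        }
    }
}

# Restores the stock value the post describes. Only run after the audit confirms the
# extra filter is an orphan; a reboot is needed for the class driver to reload.
function Reset-KeyboardUpperFilters {
    param([string]$KeyPath = $KeyboardClassKey)
    Set-ItemProperty -Path $KeyPath -Name 'UpperFilters' -Value @('kbdclass') -Type MultiString
}

Test-KeyboardFilterStack | Format-Table Filter, IsStock, ServiceKey, DriverOnDisk, ImagePath -AutoSize
```

The audit needs only read access; Reset-KeyboardUpperFilters needs an elevated session, and the i8042prt and kbdclass service keys themselves are a separate check (the post imported known-good copies).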
Of course, to make things very difficult all this was done with the on-screen keyboard, one click at a time… and when you type over seventy words a minute that is just aggravating!
Posted on October 26th, 2008 by nabiy
Category: Featured Articles, security, windows, Tags: security, windows
The vulnerability behind MS08-067 has been generating a lot of noise on the wire lately. This vulnerability could allow remote code execution through RPC and does not require authentication. One thing that many people are not mentioning is that a default XP SP2 install is not vulnerable because the service is protected by the firewall. The attack vector just isn’t available thanks to that one improvement Microsoft made many years ago. Here is the vulnerable function, the POC and the Security Bulletin.
Posted on April 12th, 2008 by nabiy
Category: security
Earlier this week I received the latest CERT Advisory in my inbox (TA08-100A) reporting a number of critical vulnerabilities in Adobe Flash (Adobe Security Advisory APSB08-11) which could allow remote code execution. Whenever I read something like this I just hit the delete key and forget about it. I’m more concerned with a vulnerability in the OS or in a high profile application (like a web browser). I think I’m wrong to be so dismissive of the security risk posed by these kinds of applications.
Recently, in the high profile “PWN to OWN” challenge at CanSecWest, QuickTime led to the compromise of the Mac machines. The vulnerability wasn’t in the OS. It wasn’t in the browser. It was in a client-side application, a browser plugin: similar in function, and in the same class of applications (client-side), to TA08-100A’s vulnerable Flash application.
Browser plugins have a long history of security problems. ActiveX, QuickTime and Flash can all lead to the compromise of your machine. The horrible thing is that many people (myself included) don’t have these applications on their ‘things to patch’ list. I mean, really, when was the last time you updated your RealPlayer? If you run a network, when was the last time you made sure your network had the latest version of Flash installed on all browsers?