August 29, 2007

MS07-046 Update

Just wanted to make sure everyone saw the update to MS07-046.  Version 1.1 of the security bulletin was released today and adds a registry key modification as a workaround for this vulnerability.  eEye Research first released information regarding this registry key mitigation in this month's VERSA newsletter (http://www.eeye.com/html/resources/newsletters/versa/VE20070822.html) and Vulnerability Expert Forum (http://www.eeye.com/html/resources/vef/index.html).  We suggest you give the newsletter a read and subscribe for future issues and VEFs to get some good insight into the state of computer security.

Administrators should be paying close attention to this patch, and since a proof-of-concept exploit for this vulnerability has been released (http://www.milw0rm.com/exploits/4337), they should be on even higher alert.  Windows administrators should treat the described registry workaround as a potential mitigation for this vulnerability, but should weigh the side effects of the registry change as described in the MS07-046 bulletin, test it against the applications they depend on, and record the previous value so the change can be reverted once the patch itself is deployed.

As always, if you have any questions regarding this blog entry or anything related to information security, don't hesitate to contact us directly at skunkworks@eeye.com.

July 17, 2007

Free ePO Vulnerability Scanner

Just wanted to give a quick heads-up that the eEye R&D team has put together a free Class C scanner (available here: http://www.eeye.com/html/downloads/other/ePOScanner.html) for the latest vulnerabilities found within McAfee ePO, CMA, and ProtectionPilot. These are some pretty serious vulnerabilities with a very large impact in networks where ePO/CMA/PP are installed, therefore warranting the free scanner.

For those of you that are using Blink, Blink will protect you from the four vulnerabilities if you happen to have the ePO/CMA agent installed on the same host.  For those of you using Retina, Retina has already been updated with this vulnerability audit, allowing you to scan your entire network for vulnerable hosts.  To read up on the vulnerabilities, check out the CVEs:

CVE-2006-5271
CVE-2006-5272
CVE-2006-5273
CVE-2006-5274

eEye Research is currently monitoring for any widespread exploitation attempts against any of these vulnerabilities. You can send any questions regarding the scanner or security in general directly to us at skunkworks@eeye.com.

May 16, 2007

BrightStor Code Execution Zero-Day, BootRoot, & Versa

Hey readers,

We have a few notable updates regarding eEye Research projects and findings:

  • BrightStor PoC Released: This vulnerability was originally reported as a denial of service, but with a minor change to the proof-of-concept, an exploitable condition is reached.  eEye Research is keeping a close eye on exploits for this vulnerability, and will update the ZDT entry as more information becomes available.
  • eEye BootRoot Update: We've included source code for two of our BootRoot-derivative works, SysRq and PiXiE.  Both projects are known to have problems with certain BIOSes, and the PiXiE source code is incomplete, but we hope releasing the code will encourage further development on the BootRoot concept.
  • Versa Newsletter: This monthly installment of Versa includes an interesting article regarding the shift from network-based attacks to client-side ones.  Although this shift has been occurring over quite some time, we have seen an increase in these trends over recent months.

As always, you can send any questions directly to us at skunkworks@eeye.com.

April 12, 2007

Zero-Day Alert: Microsoft DNS RPC

Microsoft DNS Servers are currently being attacked by a zero-day stack-based buffer overflow.  eEye Research is currently investigating the vulnerability and exploitation.  The most current information is available at the eEye Zero-Day Tracker.  DNS administrators are urged to use the referenced mitigation techniques provided by Microsoft until a patch or another form of mitigation is available.

April 02, 2007

.ANI Patch Update

Hey Everyone,

Just wanted to give a heads up regarding the .ANI patch.  We have noticed a bypass for our patch posted to milw0rm.  We have since updated the patch to protect from this bypass and version 1.1 was available April 1.

Also, be sure to cancel any plans you had for Tuesday as Microsoft is releasing an out-of-band patch for this vulnerability.  Since this will be affecting all supported Windows platforms (including Vista) administrators can look forward to two fun Patch Tuesdays in a row.

March 30, 2007

Windows ANI Zero-Day With eEye Patch

Hey Readers,

Pretty serious happenings on the zero-day front today so we’ll keep it short and sweet.  Today marked the release of the Windows .ANI Processing zero-day.  This zero-day vulnerability represents one of the most potent zero-days recorded by the Zero-Day Tracker.  Since the vulnerability lies within Windows and is exposed by countless applications, exploit vectors are plentiful for attackers to launch reliable attacks against user32.dll.

eEye’s Blink Personal (LOOK, IT’S FREE!!) was already protecting against this vulnerability with its generic Intrusion Prevention System, so Blink users have nothing to worry about.  For those that may not have Blink installed, eEye Research has diligently been plugging away and has released a patch to mitigate this vulnerability while it remains unpatched by Microsoft.  This patch disables ALL attack vectors from exploiting users while not causing a disruption in normal use.  As always, we suggest that administrators quickly test this against internal web applications prior to installing it within their environment.  Or, maybe you should just install Blink and join the many users that don’t have anything to worry about.

You can find all of the technical information as well as the patch here: http://research.eeye.com/html/alerts/zeroday/20070328.html.
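The post above says the .ANI flaw lives in Windows' own file processing and is reachable from countless applications, but does not describe the bug's mechanics.  What follows is an added example written for this page, not eEye's patch and not user32.dll code: a bounds-checked walker for the RIFF/ACON container that .ANI files use.  It applies the discipline any chunked-format parser needs, which is to trust no declared length and to validate every occurrence of a fixed-size chunk (here, the 36-byte "anih" header), not only the first one.  The sample files are constructed in code; the filler payload and the field values are made up for the demonstration.

```c
/* Added example: a bounds-checked RIFF/ANI chunk walker (not eEye's patch, not user32 code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ANIH_SIZE 36u   /* the anih payload is a fixed 36-byte header: 9 little-endian DWORDs */

typedef struct {
    uint32_t cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, jifRate, flags;
} anih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walks the chunks of an ANI file held entirely in buf[0..len).
 * Returns 0 and fills *out (if non-NULL) from the anih chunk, or a negative code:
 *  -1 too short   -2 not RIFF/ACON   -3 declared RIFF size exceeds the buffer
 *  -4 chunk size exceeds remaining data   -5 an anih chunk is not exactly 36 bytes
 *  -6 anih.cbSize disagrees with the chunk length   -7 no anih chunk found */
int parse_ani(const uint8_t *buf, size_t len, anih_t *out) {
    if (len < 12) return -1;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) return -2;
    uint32_t riff_len = rd32(buf + 4);
    if (riff_len < 4 || riff_len > len - 8) return -3;    /* declared size must fit the buffer */
    size_t end = 8 + (size_t)riff_len, off = 12;
    int seen_anih = 0;
    while (off + 8 <= end) {
        const uint8_t *id = buf + off;
        uint32_t clen = rd32(buf + off + 4);
        off += 8;
        if (clen > end - off) return -4;                   /* chunk claims more than remains */
        if (memcmp(id, "anih", 4) == 0) {
            /* Every anih chunk, not only the first, must be exactly ANIH_SIZE bytes
             * before a single byte of it is copied into a fixed-size structure. */
            if (clen != ANIH_SIZE) return -5;
            uint8_t tmp[ANIH_SIZE];
            memcpy(tmp, buf + off, ANIH_SIZE);              /* bounded: clen == ANIH_SIZE */
            if (rd32(tmp) != ANIH_SIZE) return -6;
            if (out) {
                out->cbSize = rd32(tmp);        out->cFrames = rd32(tmp + 4);
                out->cSteps = rd32(tmp + 8);    out->cx = rd32(tmp + 12);
                out->cy = rd32(tmp + 16);       out->cBitCount = rd32(tmp + 20);
                out->cPlanes = rd32(tmp + 24);  out->jifRate = rd32(tmp + 28);
                out->flags = rd32(tmp + 32);
            }
            seen_anih = 1;
        }
        /* LIST (fram/INFO), rate, seq and unknown chunks are skipped wholesale. */
        off += (size_t)clen + (clen & 1);                  /* chunks are word-aligned */
    }
    return seen_anih ? 0 : -7;
}

/* Constructed sample input (not a real file): RIFF/ACON with one well-formed anih chunk
 * followed, when extra_len > 0, by a second anih chunk whose declared length is extra_len
 * (keep it even) and whose payload is filler. Returns the number of bytes written. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t extra_len) {
    static const uint32_t hdr[9] = { ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1 }; /* made-up values */
    uint32_t body = 4 + 8 + ANIH_SIZE + (extra_len ? 8 + extra_len : 0);
    if ((size_t)body + 8 > cap) return 0;
    size_t n = 0;
    memcpy(buf + n, "RIFF", 4); n += 4; wr32(buf + n, body); n += 4;
    memcpy(buf + n, "ACON", 4); n += 4;
    memcpy(buf + n, "anih", 4); n += 4; wr32(buf + n, ANIH_SIZE); n += 4;
    for (size_t i = 0; i < 9; i++) { wr32(buf + n, hdr[i]); n += 4; }
    if (extra_len) {
        memcpy(buf + n, "anih", 4); n += 4; wr32(buf + n, extra_len); n += 4;
        memset(buf + n, 'A', extra_len); n += extra_len;
    }
    return n;
}

/* Builds the sample, optionally truncates it to truncate_to bytes, and parses it. */
int parse_sample(uint32_t extra_len, size_t truncate_to, anih_t *out) {
    uint8_t buf[1024];
    size_t n = build_sample(buf, sizeof buf, extra_len);
    if (n == 0) return -100;
    if (truncate_to && truncate_to < n) n = truncate_to;
    return parse_ani(buf, n, out);
}

/* 1 when the well-formed sample parses and its header fields round-trip, else 0. */
int sample_header_ok(void) {
    anih_t h;
    if (parse_sample(0, 0, &h) != 0) return 0;
    return h.cbSize == ANIH_SIZE && h.cFrames == 1 && h.cx == 32 && h.jifRate == 10 && h.flags == 1;
}

int main(void) {
    printf("well-formed:         %d (header ok: %d)\n", parse_sample(0, 0, NULL), sample_header_ok());
    printf("oversized 2nd anih:  %d\n", parse_sample(100, 0, NULL));
    printf("truncated file:      %d\n", parse_sample(0, 20, NULL));
    return 0;
}
```

The walker is deliberately strict: the outer RIFF length is checked against the real buffer before any chunk is read, each chunk's length is checked against what remains, and the anih copy is gated on the length equalling the structure size rather than on the length being "at most" the structure size.  When testing a hotfix or a content filter against this format, feed it files with a second, oversized anih chunk as well as a first one, since a check applied only to the first occurrence leaves the rest of the file unvalidated.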

February 13, 2007

Patch Tuesday - February 2007

Hey Readers,

Now that the dust has started to settle (and our livers have recovered from RSA), we just wanted to give a quick heads up from this Patch Tuesday.  Microsoft has patched 6 of the ZDT entries, which only leaves 6 active zero-days.  Most notably they've patched 4 Word zero-days, leaving only one Word zero-day remaining.  You can read our take on each of the patches in our security bulletin.  Also, feel free to go ahead and register for tomorrow's Vulnerability Expert Forum for a better look at the security landscape.

As always, you can send any questions directly to us at skunkworks@eeye.com.

February 07, 2007

eEye Research Update

Just wanted to give a heads-up on some updates to the eEye Research Portal:

1 - New Tool: UFuz3 - Yuji Ukai has written a pretty cool integer overflow file fuzzer that can be used against any binary-file format.  It also has a nice 'point-and-click' GUI and an included demo, so it's pretty easy for everyone to quickly use and understand.

2 - New Zero-Day Entry: Word Unspecified Exploit(3) - Yet another Word zero-day is being exploited in the wild, which brings the grand total up to 4.

3 - New Zero-Day Entry: Office Unspecified Exploit - Although this one is attacking Excel directly, all signs point to a shared resource available for all Office applications (mso.dll?).  So, keep an eye out for ALL office attachments.

As of right now, there are 10 active high-impact zero-day vulnerabilities, all belonging to Microsoft. Hopefully we'll see this number drop next Patch Tuesday, Feb 13th, but we also were hoping for that on Jan 9th, so I guess we shall see.

Also, for those of you attending RSA, eEye has a booth (#805) during the conference to announce the release of Blink 3.0.  A few of our lead researchers and developers will also be manning the booth to answer some of your more technical questions.  So come by for some eEye schwag and maybe even bring your resume as we are looking for some good applicants to join our team.

January 03, 2007

Public Vista 0-day Exploit

Happy New Year everyone!  We have a few updates for our research portal with regards to publicly disclosed zero-days.

A new exploit has been posted to Full Disclosure which describes an attack that allows a logged-in user to elevate their privileges to SYSTEM.  eEye Research has verified that this public exploit does work as advertised.  This exploit represents the first public exploit for the Vista platform, and it attacks the first public zero-day for Vista as well.  The technical nitty-gritty for this vulnerability can be found on the eEye Research ZDT.

Also, we have added the first Month of Apple Bugs entry as well, as it is an easily exploitable vulnerability with a large user-base.  As of now, there is minimal mitigation provided as we are still researching attack vectors.  Of course, we will be monitoring MoAB for other high-impact zero-day vulnerability disclosures.

Happy New Year!  Hopefully these disclosures are not a sign of things to come for 2007.

December 13, 2006

Word Trifecta

Hey Readers, just wanted to give you a couple of site updates for research.eeye.com, and most notably the zero-day tracker.  We'll start with the good news...

Good News: eEye Research has added another vulnerability to its upcoming advisories page.  The vulnerability is locally exploitable on Windows and allows arbitrary code to be executed with greater than SYSTEM-level privileges.

Good News: eEye Research has published its Patch Disclosure Analysis for the month of December.  You'll find good insight into what was released this month from Redmond, as well as some extra mitigation that wasn't found in the bulletins.

Good News: The eEye Research blog now accepts anonymous comments without needing a TypePad account.  Feel free to post any comments you have to the blog or to skunkworks@eeye.com directly.

BAD NEWS: eEye Research has added another zero-day vulnerability for Microsoft Word today from a recent proof of concept posted by Disco Jonny.  Because there is no public information regarding the previous two zero-day vulnerabilities (covered here and here), this vulnerability is presumed to be a separate vulnerability altogether.  Therefore, this vulnerability represents the third active zero-day affecting Microsoft Word at this very instant.

As usual, feel free to direct any questions regarding research.eeye.com or the eEye Research Team in general to skunkworks@eeye.com.