Microsoft released its pre-announcement for the upcoming Patch Tuesday. The summary lists a total of 5 bulletins: 2 are rated Critical (remote code execution) and 3 are rated Important (a mix of security feature bypass and elevation of privilege). The announcement is available here.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Thanks for reading the ISC Diary! I hope you find useful information in the diary posts. I, and the other handlers, work hard to try and bring you the latest news as it develops, as well as point out interesting new research that affects our industry and our ability to protect our networks. BUT don’t stop with the diary. Quite often the MOST interesting part of the article is in the comments from the readers. Consider the following:
About a year ago I did a post entitled “What can you do with funky directory names?” https://isc.sans.edu/forums/diary/Challenge+What+can+you+do+with+funky+directory+names/12958
The post is about creating a “.. “ (Dot Dot Space) directory. You can even create a funky directory name that will cause Windows to generate an error dialog and go into an error condition. This is COOL STUFF right? Well, yeah, but not nearly as interesting as the mostly overlooked last comment on the page. An anonymous ISC reader posted this comment:
“It's also easy to use similar file name tricks to make your malicious binary appear to be Microsoft signed. Name your malware file "svchost.exe " (note trailing space) and put it in the same folder as the legitimate file. Attempted reads of your malicious file will "miss" your file and instead hit the legitimate (and signed) binary. (This is because win32 will auto-remove the trailing space.)
The nice thing about CreateProcess is that it launches the malicious process just fine.”
What does this mean? Well, if you create an executable on the hard drive whose name ends with a SPACE and then execute it, some interesting things happen. Applications such as Microsoft Sigcheck, Mandiant Redline, Process Hacker and other tools that check the digital signatures of the processes in the process list end up checking the wrong file. The malware is “svchost.exe “ (trailing space). But when these tools turn to the hard drive to read the executable's digital signature, the underlying Win32 API trims the trailing space and they read the signature on the real “svchost.exe”. The result is that those security tools find a legitimate digital signature and incorrectly believe the file “svchost.exe “ has been digitally signed by Microsoft.
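One way a defensive tool, or an analyst reviewing a process list, can spot this is to compare each image path with the name the Win32 layer would actually open. This is an added Python example, not code from the diary or from Matt Graeber's write-up; the process list is constructed, and the \\?\ handling reflects documented Win32 path normalization (trailing spaces and periods are stripped unless the path carries that prefix).

```python
import ntpath

# Constructed sample of (pid, image path) pairs, as a tool might collect from a process list.
SAMPLE_PROCESSES = [
    (1204, r"C:\Windows\System32\svchost.exe"),
    (4112, r"C:\Users\victim\AppData\Local\Temp\svchost.exe "),      # trailing space
    (4120, r"C:\Users\victim\AppData\Local\Temp\update.exe..."),     # trailing periods
    (4300, r"\\?\C:\Users\victim\AppData\Local\Temp\svchost.exe "),  # \\?\ keeps the raw name
]


def win32_normalize_name(path):
    """Apply the part of Win32 path normalization that matters here:
    trailing spaces and periods are stripped from the final component,
    unless the path uses the \\?\ prefix, which is passed through verbatim."""
    if path.startswith("\\\\?\\"):
        return path
    head, tail = ntpath.split(path)
    return ntpath.join(head, tail.rstrip(" ."))


def find_name_confusion(processes):
    """Return (pid, raw_path, path_actually_opened) for every process whose
    image name would be rewritten by the Win32 layer, i.e. where a
    signature check that re-opens the file by name reads a different file
    than the one that is running."""
    hits = []
    for pid, raw in processes:
        opened = win32_normalize_name(raw)
        if opened != raw:
            hits.append((pid, raw, opened))
    return hits


if __name__ == "__main__":
    for pid, raw, opened in find_name_confusion(SAMPLE_PROCESSES):
        print(f"PID {pid}: running image {raw!r}, but a by-name read opens {opened!r}")
```

A signature checker that re-opens the image by name can avoid the confusion by opening the path with the \\?\ prefix, which disables this normalization, or by reading the file through a handle to the running process rather than by name.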
Matt Graeber (@mattifestation) did a write-up on his testing of the issue here: http://www.exploit-monday.com/2013/02/WindowsFileConfusion.html
I have found this technique to be useful for fooling non-Microsoft tools that rely on digital signatures. So don't stop with the article! Read the comments from our brilliant readers. Please TEST your HIPS, whitelisting applications, forensics tools and other digital-signature-based tools using the process outlined by Matt Graeber. Is it vulnerable? Post a comment (responsible disclosure is encouraged) and share other brilliant insights in the comments!
Follow me on Twitter: @markbaggett
There are a couple of chances to sign up for the SANS Python programming course. The course starts from the very beginning, assuming you don't know anything about programming or Python. The course is self-paced learning, and we cover the essentials before we start building tools you can use in your next security engagement. You will love it!! Join me for Python for Penetration Testers in Reston, VA, March 17-21 or at SANSFire in Baltimore, June 23-27.
Yes, Windows XP is about to Xpire. This sunset has been a while in the making, and has even been paused so that the world could admire it a while longer. But now it really is upon us: on April 8, the Earth's rotation will stop for a second or three, and then move on.
If you don't know whether you are running Windows XP, you are probably not reading SANS ISC, but on the off chance that you are, Microsoft now has a cute site, http://AmIRunningXP.com, to tell you. I wonder how many Mac users connect to that site, just to make sure :).
If you are still running XP anywhere, the current MSFT blog states that users of XP who have "auto-update" turned on will see a *Warning* come March 8. So ... expect grandma to call and ask about the weird pop-up. It was overdue anyway that you talked to her. Kudos to Microsoft for keeping us connected with our family!
Long story short: If you are still on XP, get off it. The mentioned blog is now even offering migration tools, though that "free" offer is somewhat of a trojan: if you want to move applications in addition to your data, it comes with a $23 price tag. But why anyone would opt to "migrate" applications rather than go for a clean re-install is beyond me anyway, as is using a "migration tool" black box without knowing what is actually being migrated.
Here's my XP migration 101: