Security

Journal: RSA Attack Efficiency Improves

August 2006 saw the disclosure of a fairly interesting attack against the RSA encryption algorithm (most famously used in SSL to protect online transactions). It did not target the algorithm itself, which still has not been broken; it is a so-called side channel attack, targeting the peculiarities of implementing the algorithm on various computing hardware.

The team behind the initial disclosure have recently submitted a modified approach to the attack, resulting in almost-astronomical improvements in attack efficiency.

In basic terms, the attacks rely upon a phenomenon known as 'Branch Prediction Analysis', where an attacker's program is able to infer what other software is doing as it passes through the CPU of a system.

In the first iteration of the described attack, the method required snooping on what was happening with the CPU for a relatively long period (or number of cycles), and certain software that implemented SSL protection (OpenSSL) quickly introduced patches to protect against this listening attack.

While many hardware manufacturers and Operating System developers have introduced defensive mechanisms to try and prevent this sort of attack from taking place, it has been discovered that Pentium-IV (PIV) chips with Hyper-Threading enabled still have two caches that are not adequately protected. The new iteration of the attack, using a technique dubbed 'Simple Branch Prediction Analysis' (SBPA), targets both of these caches and can extract almost the complete secret SSL key in just one cycle. Running as an unprivileged user, this method can also target and extract data from any other software processes running on the system (SSL is just the example in this case).

The technical black magic of how a branch predictor attack works can be explained as follows. Although modern CPUs are very quick, they still can't process absolutely every bit of information that they need to without a queue building up. This queue of instructions / data waiting for processing sits in a cache next to the CPU, and entries are executed in order of priority / time spent in the queue (various tuning settings come into play). By attempting to monopolise the CPU's attention and filling the cache, the minuscule timing differences between when instructions from the same process are executed can give hints about what other instructions and data are moving through the CPU. Being able to interpret exactly what this data is, is the key to branch prediction analysis.

Mitigating the issue are the requirements that secure and insecure processes be running on the same processor at the same time, and that the attacker be able to run their process as a local user. Because the spying process consumes almost 100% CPU continuously while it is running, normal system monitoring software should alert administrators to something out of the ordinary running on the system.

What real-world threat exists for this relatively esoteric attack? Shared-server installations. It would be possible for a lesser-privileged account holder on a shared server to run the spying process while other account holders are negotiating SSL connections. A well-timed attack will allow them to run their spying process once (and thus minimise the attention drawn to it), and then be able to effectively intercept SSL communications directed at the target.

Security

Journal: Worm Attacks Media Files

According to McAfee Avert Labs (http://www.avertlabs.com/research/blog/?p=132), an interesting new worm has recently been discovered circulating in the wild. This particular worm attacks all Real Media content that it can find, modifying the files to launch a website when they are viewed with the Real Media player. While the payload of the malicious website that is opened has not been disclosed, the 'Realor' worm is an interesting addition to the collection of malicious software that targets non-executable files.

Users should be applying the same level of caution and filtering to non-executable files as they do to executable files, and ensure that they maintain current antivirus protection (also being aware of the weaknesses in a range of antivirus products).

Security

Journal: Here Come The Exploits

As expected, the day after Microsoft released their November round of patches, the exploits started arriving. Although there were known exploits for some of the vulnerabilities prior to the patch release, exploit code has begun circulating for the WinZip vulnerability patched by MS06-067, and exploit code for the Workstation service vulnerability (MS06-070) is also available. Detailed technical descriptions of the attackable vulnerabilities have been released, and it is only a matter of time until workable exploits surface.

A number of sources have been covering the appearance of what appear to be random files and directories (folders) on computer systems following the application of Microsoft's November security patches. The folders appear to be randomly named strings of hex and appear to contain a log file that relates to the MS XML patch (MS06-071).

While the directories and files do not appear to be harmful in any way, their appearance has come as a bit of a surprise to people who closely manage their systems. Users who do not normally delve into the detailed levels of their hard drive structure will probably not even notice the directory and leftover files at the top level (C:\). A growing consensus is that the installation process was a little messy and failed to completely clean up after it had finished.

Security

Journal: NetGear - Remote Hacker Automatic Control

-- Products Affected --
        NetGear WG111v2 Wireless Driver
        NetGear devices with MA521 drivers (the MA521 device is a PCMCIA card).

-- Technical Description --
        Malicious beacon or probe responses as part of an 802.11 frame can lead to arbitrary kernel-level code execution on a vulnerable system. The underlying vulnerability is specifically the way that the driver handles the 'rates information' element while the device is in active scanning mode (no information has been released about whether it is vulnerable while not in this mode). Fully automated exploit code is readily available and NetGear were not notified about the issue prior to disclosure. The second vulnerability is due to poor handling of over-sized beacon data responses.

-- Description --
        Two serious vulnerabilities have been disclosed with NetGear devices. A number of NetGear products have been found to be vulnerable to an attack that can allow an attacker on the same wireless network to run software of their choice on a vulnerable system. NetGear were not notified at the time of the vulnerability and code release.

-- Recommended Action --
        Apply caution when enabling NetGear wireless cards, and consider the use of alternate vendor cards if possible.

-- Source --
        http://projects.info-pull.com/mokb/MOKB-16-11-2006.html
        http://projects.info-pull.com/mokb/MOKB-18-11-2006.html

-- Threat Matrix --
                        U    O
        Home User       9    9   (Critical)
        Corporate       9    9   (Critical)

Security

Journal: Windows (Update) - Remote Hacker Automatic Control

-- Products Affected --
        Windows 2000, XP, 2003

-- Technical Description --
        Sample exploit code for the Workstation service vulnerability patched by MS06-070 has begun circulating. Mitigating the effect of the current code is the necessity to have an accurate IP and Domain Name. Code samples have been distributed to Sûnnet Beskerming technical partners to assist with the development of effective protection mechanisms.

-- Description --
        Well-developed exploit code that targets the vulnerability patched by MS06-070 (released November 14), and which was initially targeted at the Chinese version of Windows, has begun circulating amongst various websites and security mailing lists. The rapid spread of the code suggests strong interest from developers and researchers keen to better understand the vulnerability mechanism. Worryingly for end users, this particular vulnerability can be targeted through remote attack, and can easily lead to serious compromise of networks and systems.

-- Recommended Action --
        Apply MS06-070 as soon as possible.

-- Source --
        Multiple Sources

-- Threat Matrix --
                        U    O
        Home User       10   10  (Highly Critical)
        Corporate       10   10  (Highly Critical)

Security

Journal: Broadcom Wireless Device Driver - Remote Auto Control

-- Products Affected --
        Broadcom Wireless Driver version 3.50.21.10 and earlier
        Products that use this include devices from Linksys, Zonet, Dell, HP, Gateway, eMachines, and others.
        A similar vulnerability affects D-Link products.

-- Technical Description --
        A stack-based buffer overflow attack against the SSID field can lead to arbitrary code execution at the highest system privilege levels. The particular issue is due to poor handling of lengthy content in the SSID field. Exploit code is readily available, and has been available since this vulnerability was first disclosed a couple of days ago. It is claimed that DEP, as implemented by Windows, may be enough to prevent the current exploit code from functioning correctly. Although the most common target will be Windows systems, Linux and FreeBSD users may be at risk if they are using this driver through the ndiswrapper utility.

-- Description --
        A serious problem was recently disclosed with a popular wireless card driver that is supplied with many current PCs from a range of manufacturers (including, but not limited to: HP, Dell, Gateway, eMachines, and other computer manufacturers, as well as Linksys, Zonet, and other wireless card manufacturers). The vulnerability allows an attacker that is connected to the same wireless network to take complete control of a victim's system. Due to the need for physical proximity of the attacker (on the same wireless network), the Threat Matrix has only been set at Critical. Exploit code is readily available, and has been available publicly since the date of initial disclosure.

-- Recommended Action --
        Concerned users should apply the latest updates from their system distributors. Alternatively, the updates from Linksys can be applied by following the guidance provided at the ZDNet link.

-- Source --
        http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
        http://blogs.zdnet.com/Ou/?p=365

-- Threat Matrix --
                        U    O
        Home User       9    9   (Critical)
        Corporate       9    9   (Critical)

Security

Journal: Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
        Windows 2000, XP, 2003
        Internet Explorer
        Microsoft Office 2000, XP (2002), 2003, 2004, v.X

-- Technical Description --
        MS06-066 - Memory corruption leading to arbitrary code execution and Denial of Service in Netware Client Services. Moderate
        MS06-067 - ActiveX (DirectAnimation) and HTML rendering memory corruption leading to arbitrary code execution with Internet Explorer. Patch also sets the ActiveX killbit on the control associated with WinZip 10.0, and permanently sets the ActiveX activation setting to 'notify before use', in line with the change attempted earlier this year. Exploits have been circulating for some time. Critical
        MS06-068 - Microsoft Agent (which includes Clippy) contains a buffer overflow that can lead to arbitrary code execution. Although this is ActiveX related and can be activated from Internet Explorer, Microsoft have not linked it to MS06-067. Critical
        MS06-069 - Adobe Flash Player (formerly Macromedia Flash Player) has several vulnerabilities that can lead to a buffer overflow condition and arbitrary code execution. Critical
        MS06-070 - Workstation service has a buffer overflow that can lead to arbitrary code execution. Critical
        MS06-071 - XML Core Services (XMLHTTP ActiveX object) has a vulnerability that leads to arbitrary code execution. Critical

-- Description --
        Microsoft have issued six patches for the November Security Patch Update. All but one of the patches are rated as Critical, but all patches address serious vulnerabilities that allow an attacker to take complete control of a vulnerable system. Users and administrators should be aware that Microsoft has ceased supporting Windows systems derived from the 9x kernel (95, 98, ME), and have also ceased supporting the Windows XP SP1 system. Exploits have been circulating, with detailed source code, for a number of the patched vulnerabilities, so it is considered essential that patches are applied as soon as possible.

-- Recommended Action --
        Apply the numerous patches from Microsoft at the earliest opportunity.

-- Source --
        Multiple, including
        feed://blogs.technet.com/msrc/atom.xml
        http://www.beskerming.com/premium/patch_pack.html
        http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=BUY&SKURefnum=SKU10225855655
        http://www.microsoft.com/technet/security/Bulletin/MS06-066.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-067.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-068.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-069.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx

-- Threat Matrix --
                        U    O
        Home User       10   10  (Highly Critical)
        Corporate       10   10  (Highly Critical)

Security

Journal: Safari - Remote Hacker Automatic Denial of Service

-- Products Affected --
        Safari on at least OS X 10.4.8

-- Technical Description --
        A new denial of service type attack against Apple's Safari web browser has been disclosed, leading to a browser crash, and possible arbitrary code execution (claimed only at this stage).

-- Description --
        A new issue with Apple's Safari Internet browser has been disclosed on a security mailing list. The disclosed vulnerability leads to an application crash in browsers that have JavaScript support enabled (the default), and it is claimed that it could lead to arbitrary code execution, though there is little evidence to support this claim at the moment (will be upgraded as circumstances direct).

-- Recommended Action --
        Disable support for JavaScript (Safari->Preferences->Security->Enable JavaScript (deselect))

-- Source --
        jbh_cg yahoo.fr

-- Threat Matrix --
                        U    O
        Home User       4    4   (Low - Moderate)
        Corporate       4    4   (Low - Moderate)

Security

Journal: New Exploit Samples

New exploit code is available and circulating for vulnerabilities in OpenBase on OS X (local root exploits), and for the current XMLHTTP and WMI Object Broker ActiveX control vulnerabilities. Exploit code had previously only been available to a limited number of individuals (mainly attackers), and the recent change has been the public availability of this code from a number of sites.

Administrators and users who are seeking to defend against these attacks should be able to find appropriate IDS/IPS signatures and antivirus definitions updates from their respective vendors. It should be understood that exploits that have been heavily obfuscated before use may not be detectable, even with these protection mechanisms in place.

Find out about this information and more, when it happens, with Sûnnet Beskerming Security Notification Services.

Security

Journal: MySpace And Fake Videos

Continuing with their disclosure of security issues on MySpace, Mashable.com have reported that over a thousand MySpace user accounts are being used to spread malware from noted adware purveyors Zango. Posing as fake video links to YouTube, the images presented on the MySpace pages redirect to an adult site before installing (following a licence agreement) adware from Zango.

While the proportion of MySpace accounts that are exploiting this ethically dubious process is extremely small when compared to the tens of millions of valid accounts, comments posted in response to the Mashable article suggest that the process has been in use since the start of October, and has only recently had action taken on it.

Find out about this information and more, when it happens, with Sûnnet Beskerming Security Notification Services.

Security

Journal: Vista and Office Broken Already?

Claims have been made already that Microsoft's next-generation Operating System and Office Productivity Suite, Vista and Office 2007 respectively, have had their registration mechanism cracked. That is, if you believe the files that can be downloaded through a number of file trading / sharing / downloading services. Given that the software has only just been declared 'Gold' and released to the manufacturing plants for production into retail boxes, this rapid release of files should be relatively easy for Microsoft to track down - given the low numbers of people that should have hands-on availability of the software.

A slightly positive outcome is that it appears that the cracked Vista install that is available has not been completely cracked. It bypasses the need for a valid Vista product key by replacing the different authentication elements with those from the Vista Beta. As pointed out in the linked article, this should be fairly simple for Microsoft to identify and shut down: they already know the keys that were issued for the Beta testing phase, and it will be a straightforward process to prevent them from being used for final product activation.

The more concerning aspect is the Office 2007 cracked version that is available. The Enterprise version of the office productivity suite has been made available, and because it uses Volume Activation, there is no need for an activation key.

Security

Journal: Microsoft Security Patch Advance Notification

Microsoft will be releasing their November round of security patches next Tuesday (14 November), and have advised that there will be six patches to be released. It is already known that one of the patches is for an issue that has been under active attack for several days - the MS XML 0-day vulnerability that was initially disclosed a week ago. Unsurprisingly, Microsoft have identified that this patch is a Critical update, which is their most serious vulnerability rating.

Besides the MS XML patch, there will be five patches for other issues within Microsoft Windows, with at least one patch also rated Critical by Microsoft. Although Microsoft have not identified what elements of Windows will be receiving an update, they have hinted at upcoming patches for Internet Explorer (including the just-released IE 7), and there have been other serious vulnerabilities that have been under active attack for several weeks. This means that Wednesday (dubbed 0-day Wednesday by some) the 15th of November is likely to not see a lot of new exploit code posted / released to the world, as there are plenty of current examples of unpatched critical vulnerabilities.

Sûnnet Beskerming Security mailing lists will be covering brief details of the patches after they have been released, but readers are recommended to sign up (annual or one-off subscription) to the 'Security Patch Briefing' service offered by Sûnnet Beskerming. As an extra incentive, all subscribers who join prior to the middle of November are entitled to the 'Home User / Microbusiness' rate, a saving of 50% for most readers, and up to several thousand percent for major clients. The briefing packs released through this service will contain in-depth guidance on just what is being patched, what the issues at hand are, and any known issues with installing and managing the patches.

Security

Journal: The Ongoing Risk of XSS

A number of hacker-friendly mailing lists and sites have recently been publishing details of sites that are vulnerable to Cross Site Scripting attacks (XSS), including many large sites that should really know better (among them many Information Security vendors and large banks). It is now fairly well accepted that an XSS vulnerability in a site can be used to present fake site content (relevant for media and Information Security sites), steal a user's session or authentication details (relevant for financial sites, and any site that maintains user accounts), or even hide the true source of malicious material (relevant for any site).

Many users now know that it is important for them to manually type in the address of their bank / online stock broker and other critical sites, or to go to them via a known good link (such as might be saved in their Bookmarks). The problem now is that many sites overload the end of their legitimate intra-site URLs with content that makes little sense to anyone trying to validate the address as accurate. This plays directly into the hands of the attacker that is attempting to exploit an XSS vulnerability: they hide their malicious data inside one of these odd-looking bits of text appended to a site address. The now-malicious URL is sent to victims through a number of methods, in an effort to get the victim to follow the link and activate the payload.

Even various anti-phishing filters fail to pick up on these XSS attacks, as many only consider the component of the site address prior to the appended text, treating the malicious link as a legitimate address.

The best advice, as it always has been, is to be cautious of following links that have been randomly presented to the user, and to always manually enter the address (or use a trusted link) in order to access sites holding data the user cares about.

Security

Journal: Apple Airport - Remote Hacker Automatic Control

-- Products Affected --
        Apple Macintosh OS X systems with Orinoco-based Wireless cards (Powerbooks 1999-2003, iMacs)

-- Technical Description --
        When the Airport card is placed into active scanning mode (but it is hinted that they can be attacked when not in this mode), an attacker can send a corrupted probe response frame (specifically the Information Element fields after the header) to write over kernel memory that is then executed by the Operating System.

-- Description --
        After the bickering and arguments that followed the apparent disclosure of OS X wireless networking vulnerabilities at the 2006 Black Hat Briefings in Las Vegas, there were many doubts about the presence of any attackable vulnerabilities affecting the core system (the vulnerabilities were later shown to be related to third party drivers and devices). Noted security expert HD Moore has released details of a vulnerability affecting Apple's own Airport devices that were shipped with certain systems over the last several years. The disclosed vulnerability allows an attacker to run software of their choice on a victim's system.

-- Recommended Action --
        Concerned users should avoid putting their Wireless cards into active scanning mode, and should disconnect the card if there is no need to connect to a wireless network.

-- Source --
        http://kernelfun.blogspot.com/2006/11/mokb-starts-mokb-01-11-2006-apple.html

-- Threat Matrix --
                        U    O
        Home User       9    9   (Critical)
        Corporate       9    9   (Critical)

Security

Journal: Visual Studio - Remote Hacker Manual Control

-- Products Affected --
        Visual Studio 2005 (except on default Windows 2003 installs, and IE 7 users who have not accepted use of the vulnerable ActiveX Control).

-- Technical Description --
        The MSRC have reported that there is public proof of concept exploit code (currently not available through normal exploit code sources) and the possibility of limited attacks against a vulnerability affecting the 'WMI Object Broker control' (WmiScriptUtils.dll), which is installed as part of Visual Studio 2005. Successful exploitation of this vulnerability can lead to arbitrary code execution for the attacker.

-- Description --
        Microsoft's Security Response Centre (MSRC) has recently disclosed the discovery of a new '0-day' attack that is targeting Visual Studio 2005 users through a vulnerable ActiveX control that is installed as part of the development suite. According to the MSRC, the issue can lead to a remote attacker being able to run code of their choice on a victim's system, provided that they have been tricked into viewing malicious web or email content that has the attack code embedded in it. The Threat Matrix has been set at 'Very High - Critical' due to reports of public exploit attempts. Microsoft are planning to issue a Security Update to address the issue.

-- Recommended Action --
        Concerned users should follow the advice provided at the Technet site reference if they are worried about this issue. Until Microsoft are able to provide a detailed patch for the issue, the best mitigation step is likely to be setting the killbit for the following CLSID: {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}.

-- Source --
        http://www.microsoft.com/technet/security/advisory/927709.mspx
        http://blogs.technet.com/msrc/archive/2006/11/01/microsoft-security-advisory-927709-posted.aspx

-- Threat Matrix --
                        U    O
        Home User       8    9   (Very High - Critical)
        Corporate       8    9   (Very High - Critical)
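One way to apply and verify the killbit mitigation recommended above, as an added PowerShell example that is not part of the original advisory or of Microsoft's guidance: it writes the documented 'Compatibility Flags' value 0x400 under Internet Explorer's 'ActiveX Compatibility' key for the CLSID quoted in the post and reads it back. The function names are my own; the registry path and the flag value are Microsoft's standard killbit mechanism, and the script must run from an elevated prompt because the key lives under HKLM.

```powershell
# Added example (not from the original post): set and verify the IE ActiveX
# killbit for the WMI Object Broker control CLSID named in the advisory.
# Requires an elevated PowerShell prompt, since the key is under HKLM.

$KillBitFlag = 0x400   # Compatibility Flags bit that stops IE instantiating the control
$BasePath    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitKeyPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to the braced, upper-case form used under ActiveX Compatibility
    $g = [guid]$Clsid
    return (Join-Path $BasePath ('{' + $g.ToString().ToUpper() + '}'))
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-KillBitKeyPath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-KillBitKeyPath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any other compatibility flags already set on the control
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $KillBitFlag)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    return (Test-ActiveXKillBit $Clsid)
}

# CLSID of the WMI Object Broker control (WmiScriptUtils.dll), taken from the advisory text
$WmiObjectBroker = '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'

if (Test-ActiveXKillBit $WmiObjectBroker) {
    "Killbit already set for $WmiObjectBroker"
} elseif (Set-ActiveXKillBit $WmiObjectBroker) {
    "Killbit set for $WmiObjectBroker; restart Internet Explorer for it to take effect"
} else {
    Write-Error "Failed to set killbit for $WmiObjectBroker"
}
```

The killbit only stops Internet Explorer (and other hosts that honour the setting) from loading the control; it does not remove WmiScriptUtils.dll, so the patch Microsoft announced is still needed.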
