Welcome to Delicate template
Header
Just another WordPress site
Header

You know it’s a bad week when circumstances warrant two Security Advisory posts.  There is a zero-day vulnerability making the rounds that affects Adobe Acrobat and Acrobat Reader versions 9.  The exploit arrives in a PDF file and exploits the ability of Acrobat to run JavaScript embedded in PDF files.  The vulnerability can be completely mitigated by disabling the execution of JavaScript in PDF files (such a PDF is very rare, anyways).

Unfortunately, there is no easy way to affect this Acrobat configuration change across all of your corporate PCs at once.  It does make me wish that Adobe provided a Active Directory Group Policy plug-in to enforce certain configuration settings on a domain-wide basis.

Suggestions:

  1. As the PDF is an otherwise well-formed document, there is no easy way to detect a malicious document with any signature-based network monitoring like True’s NSM service.  The best advice I can provide is to ensure that all anti-virus signatures are up-to-date across your enterprise although the AV vendors are playing catch-up at this point, and I cannot find any definitive answer as to whether any of them can detect this exploit yet.  Some people are saying that Symantec may possibly detect this in some form.
  2. I suspect that the largest number of deliveries of a malicious PDF would arrive via e-mail, and so I would also recommend that you remind your users via e-mail to avoid opening PDFs which arrive unexpectedly in e-mail, are from untrusted (non-business related) sources, and/or are named in such a way as to suggest that they are recreational and non-business in nature.

By far the quickest, easiest and likely (at this point) most-effective action you can take is to notify your users via e-mail as I describe in
suggestion #2.

Brett Edgar

Brett Edgar

Brett is a Founder and the former Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

More Posts - Twitter

Microsoft recently released a patch for security issue MS09-002 which is a vulnerability in Internet Explorer 7 that allows remote code execution.  There is now an exploit in the wild for this vulnerability.  The current version of this exploit steals personal data and exfiltrates it to a remote site.  I would expect that RBN and BotNet infection vectors would also appear in short order.

If you are one of our NSM customers, please be assured that our NSM processes will be looking for this exploit code and we will be alerting you as necessary; however, this is a new exploit and is likely to change quickly as different malicious entities obtain the exploit code and change it to fit their nefarious needs.  As such, it will be difficult to detect all versions of the exploit for several days.

I want to encourage you to ensure that all workstations on your corporate network are patched against this vulnerability, if at all possible.  This occasion is an excellent reminder that it is always a good idea to update workstations (not servers) within one or two days of Microsoft’s Patch Tuesday security releases.

If you have no method of pushing patches to machines, I would encourage you to send an e-mail to your users reminding them to refrain from visiting non-business-related websites as much as possible to reduce the risk of infection by this (and other) exploits.

The patch for MS09-002 is available via Windows Update and/or Windows Software Update Services (WSUS) if your organization distributes patches internally.

Brett Edgar

Brett Edgar

Brett is a Founder and the former Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

More Posts - Twitter

Legitimately bad

February 16th, 2008 | Posted by Dominic Schulte in Logs | Monitoring | Security - (0 Comments)

I have spent a fair amount of time over the last several months analyzing the Security Information Management (SIM) market to see how products like Arcsight[arcsight.com], QRadar[q1labs.com], SecureVue[eiqnetworks.com], and enVision[rsa.com], could benefit us (and our customers) as a Managed Security Service Provider (MSSP)[truedigitalsecurity.com]. I was intrigued, then, when I picked up the December issue of The ISSA Journal and saw an article entitled, “Logs Do Not Lie.”

While there are many advertised benefits to SIM solutions (log management, forensics, threat management, compliance, etc.), one of the take-aways I had from this article regarding the benefits of using a SIM solution was the idea that authorized activity is not always the same thing as safe or legitimate activity.

The two examples provided by the article to illustrate this point involve website mirroring and file transfers. Website mirroring looks a lot like regular web browsing, except it is usually complete (every page is visited) and the pages are viewed in rapid succession. Firewalls and web servers typically log traffic suspected of mirroring the site, but it is not usually treated as actionable information because it is so similar to legitimate activity. Website mirroring is interesting, however, because it could be a precursor to a phishing attack, especially if the source of the mirroring is not a regular client or is located in an interesting geographic region.

The file transfer example is related to Network Behavior Anomaly Detection (NBAD), a feature provided in one form or another by many SIM products. The idea with this illustration is that a given network user may routinely transfer information via external File Transfer Protocol (FTP) servers. If, however, this user’s typical exchanges are around 10K and a 600M exchange is identified, it is noteworthy and probably merits further investigation.

Both examples illustrate the value in collecting information from the various sources on your network (routers, firewalls, servers, IDSs, etc.) in order to analyze and report on that information. Judging by the customer lists on the SIM vendor websites, it would appear that there are quite a few organizations already seeking to take advantage of this information.

Dominic Schulte

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

More Posts