Security Now 258

From The Official TWiT Wiki

Security Now 258: Five Years Of Vulnerabilities

News & Errata

3:41 - 30:15

  • There's a really bad Windows 0-day vulnerability
  • This bug has been in Windows for at least 10 years
  • There's an error in the way the Windows shell displays the icons of .lnk files (Windows shortcut files)
  • A researcher found that this was being used in the wild to attempt to take over control systems for electric power utilities
  • The target was Siemens SCADA systems used in major control systems
  • These systems have a hard-coded password, which was in the malware that was being installed
  • The rootkit installed two .sys drivers, one to hide itself and the second to attempt to exploit the fixed passwords in these systems
  • These .sys files were signed with Realtek's digital certificate
  • This means that the private key behind Realtek's code-signing certificate has been discovered
  • Microsoft, VeriSign and Realtek worked together to revoke this certificate, so Windows no longer honours drivers signed with it
  • Then someone spotted the same exploit signed with JMicron Technology's certificate
  • A researcher noted that both JMicron and Realtek share the same science park in Taiwan
  • This bug is now thoroughly understood
  • It has been propagating via USB thumb drives: once a USB drive has been in an infected computer, ANY computer you put it in from then on and view its contents becomes infected, even with AutoRun disabled
  • Microsoft has acknowledged this bug
  • Favicons can now be used to exploit this bug
  • There is no patch currently for this bug
  • There is a workaround, but it breaks all of your shortcuts and it is not clear that it actually fixes the problem
  • This bug may have been in Windows since the beginning, but Microsoft no longer supports all versions of Windows, most notably Windows XP SP2
  • Microsoft Security Bulletin MS10-046 - Critical
  • Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

30:16 - 37:12

  • Adobe are working with Microsoft to use some of Microsoft's sandboxing technology for a future version of Reader
  • When Reader launches it would strip itself of every possible access right to Windows that it doesn't need

39:12 - 46:44

  • TrueCrypt v7.0 has been released
  • Intel Core i5 and i7 processors have a set of 6 instructions which implement the fundamental AES round as single instructions
  • There's another set of instructions for key generation
  • TrueCrypt v7.0 supports hardware-accelerated AES
  • They say it increases performance by 4 to 8 times
  • TrueCrypt v7.0 has the notion of favourites for external USB devices
  • You can add specific USB devices to the TrueCrypt favourites and auto-mount these volumes
  • They also added large-sector support
  • Hibernation file encryption now uses the official hibernation file API

46:47 - 53:51

  • @oihorse sent Steve a message about
  • For a fee of $17 and up, you can get in 40 minutes what a strong state-of-the-art workstation could do in 5 days
  • They will pound on a packet capture from a Wi-Fi sniffer to try and crack the encryption
  • You do have to pay whether they succeed or not, though
  • Based on their technique, Steve recommends changing your SSID as well as using a strong non-dictionary-word password
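The reason changing the SSID helps is that WPA/WPA2-Personal derives its Pairwise Master Key with PBKDF2, using the SSID as the salt. A service that has precomputed keys for common factory SSIDs gets an instant answer on a network still called "linksys" but has to redo all 4096 iterations per guess on a uniquely named one. The following is an added illustration, not code from the episode or from any cracking service; the SSIDs and the five-word list are constructed sample values.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed sample values (not from the episode).
COMMON_SSID = "linksys"          # a factory-default SSID seen on many networks
CUSTOM_SSID = "home-7f3a"        # an SSID the owner changed to something unique
SMALL_WORDLIST = ["password", "letmein", "qwerty", "dragon", "football"]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation as specified in IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK on
    every differently named network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def build_pmk_table(ssid: str, words: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for one SSID. This is the expensive step a
    service can do once per popular SSID and then reuse; a unique SSID makes
    any such table useless against your network."""
    return {wpa2_pmk(w, ssid): w for w in words}


def lookup_passphrase(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Instant lookup with no PBKDF2 work, but only if the table's SSID matches."""
    return table.get(pmk)


def custom_ssid_defeats_table(passphrase: str) -> bool:
    """True when a table built for COMMON_SSID recovers the passphrase on a
    default-named network but not on one whose owner changed the SSID."""
    table = build_pmk_table(COMMON_SSID, SMALL_WORDLIST)
    found_on_default = lookup_passphrase(table, wpa2_pmk(passphrase, COMMON_SSID))
    found_on_custom = lookup_passphrase(table, wpa2_pmk(passphrase, CUSTOM_SSID))
    return found_on_default == passphrase and found_on_custom is None


if __name__ == "__main__":
    # "password" / "IEEE" is the standard's own published test vector.
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    print("unique SSID defeats precomputed table:",
          custom_ssid_defeats_table("password"))
```

The SSID only protects against precomputation; a dictionary passphrase on a unique SSID still falls to a direct search, which is why both halves of the recommendation matter.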

53:52 - 54:55

  • Winamp has a vulnerability in its Flash parsing in versions prior to v5.58
  • An update is available

54:56 - 57:34

  • An add-on called "Mozilla Sniffer" was uploaded and added to the list of optional Firefox add-ons on June 6 2010
  • It was downloaded 1,800 times according to Mozilla
  • On July 17th 2010 it was discovered to be sending all the form data from any page the user visited to a remote server
  • It has now been blacklisted, so anyone who has it installed will be alerted

57:35 - 01:05:22

  • A new attack has surfaced called a DNS rebinding attack
  • At Black Hat it will be used in a presentation called 'How to attack millions of routers'
  • Proof-of-concept code will also be released
  • Routers from most major manufacturers, and those running DD-WRT, are vulnerable
  • Steve will talk about how it works in two weeks
  • NoScript may provide some protection against this attack
  • The way the attack works:
    • To visit a site, your browser has to get that site's IP address from a DNS server
    • If that site controls its own DNS server, the script running on that site is confined by the JavaScript sandbox's same-origin policy, which prevents the script from running against any other site, so it stays local
    • This script then makes another query out to the same domain, and the DNS server for that domain has been set up to return the IP of your router
    • It's not uncommon for a DNS server to return multiple IPs
    • Because the second query is to the same domain, the browser now believes your router is in the same origin as the site you are visiting, which gives the script access to your router, and if you have the default login for your router (and 50% do) it can log in and take over your network
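The two-lookup sequence above can be blocked at three different places, and the following added model (not code from the episode or from the Black Hat talk) shows each one against a simulated run: a resolver that refuses answers pointing into private address space, a browser that pins a name to the first address it resolved to for the lifetime of the page, and a router admin interface that checks the HTTP Host header. The domain name, the public address (from TEST-NET-3) and the router address are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed scenario values (not from the episode): an attacker-controlled
# name, a public address for it (TEST-NET-3), and the router's LAN address.
ATTACK_DOMAIN = "attacker.example"
PUBLIC_IP = "203.0.113.10"
ROUTER_IP = "192.168.1.1"

# Address ranges a name answered by an outside DNS server should never map to.
# Constructed policy list modelled on rebinding-aware resolvers; extend to taste.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if addr falls inside a loopback, link-local or private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def filter_answers(answers: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Defence 1 (resolver side): drop answers that point into the LAN.
    Returns (accepted, rejected)."""
    accepted: List[str] = []
    rejected: List[str] = []
    for addr in answers:
        (rejected if is_internal(addr) else accepted).append(addr)
    return accepted, rejected


class PinnedResolver:
    """Defence 2 (browser side, 'DNS pinning'): keep using the first address
    a name resolved to for the lifetime of the page, ignoring later answers."""

    def __init__(self) -> None:
        self.pinned: Dict[str, str] = {}

    def resolve(self, name: str, fresh_ip: str) -> str:
        return self.pinned.setdefault(name, fresh_ip)


def router_accepts_host(host_header: str,
                        own_names: Iterable[str] = (ROUTER_IP, "router.local")) -> bool:
    """Defence 3 (router side): serve the admin UI only when the HTTP Host header
    names the router itself. A rebound request still carries the attacker's
    domain in Host, because the browser believes it is talking to that site."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [fe80::1]:80
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]         # strip any :port
    return host in {n.lower() for n in own_names}


def _lookup(name: str, answers: List[str], resolver: Optional[PinnedResolver],
            filter_private: bool) -> Optional[str]:
    usable = filter_answers(answers)[0] if filter_private else list(answers)
    if not usable:
        return None
    return resolver.resolve(name, usable[0]) if resolver else usable[0]


def admin_ui_reachable(pin: bool, filter_private: bool, host_check: bool) -> bool:
    """Model the two-lookup sequence from the notes and report whether the
    page's script ends up talking to the router's admin interface."""
    resolver = PinnedResolver() if pin else None
    # Lookup 1: page load; the site's DNS returns its public address.
    _lookup(ATTACK_DOMAIN, [PUBLIC_IP], resolver, filter_private)
    # Lookup 2: the script's follow-up request to the same name; the short-TTL
    # record has expired and the site's DNS now answers with the router's IP.
    target = _lookup(ATTACK_DOMAIN, [ROUTER_IP], resolver, filter_private)
    if target != ROUTER_IP:
        return False                         # request never reached the router
    if host_check and not router_accepts_host(ATTACK_DOMAIN):
        return False                         # router refused the foreign Host
    return True


if __name__ == "__main__":
    for pin, flt, hc in ((False, False, False), (True, False, False),
                         (False, True, False), (False, False, True)):
        print(f"pin={pin} filter={flt} host_check={hc} -> "
              f"admin UI reachable: {admin_ui_reachable(pin, flt, hc)}")
```

Any one of the three defences stops the modelled sequence on its own; the Host-header check is the one a router vendor can ship without depending on the user's browser or resolver, and it also covers the case where the default password was never changed.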

01:05:23 - 01:06:58

  • A German man was arrested for spying on 150 girls through their webcams
  • A webcam-spying trojan had been installed on their computers through ICQ messenger

01:06:59 - 01:10:22

  • v2 of Microsoft Security Essentials is in beta
  • It adds a better, smarter protection and clean up engine
  • It can turn the firewall on
  • It integrates more deeply with Internet Explorer to protect against internet threats
  • It will be able to protect against network based attacks

01:10:23 - 01:14:27

  • Amazon announced that e-book sales have overtaken paper books

Spinrite Story

01:14:28 - 01:15:40 Darren (Unknown)

Spinrite fixed a broken computer

Five Years Of Vulnerabilities

01:15:41 - 01:31:08

  • Secunia, which created "Secunia PSI", a program which checks if your software is up to date, produced a report based on data from 5 years of use of the program
  • It monitors 29,000 products
  • There isn't a clear trend towards more or fewer problems across the 29,000 programs
  • The top 50 installed programs show a clear trend of more problems
  • The top third-party programs ranked by number of vulnerabilities in 2009 are:
    • 1) Firefox
    • 2) Safari
    • 3=) Sun Java Runtime Engine
    • 3=) Chrome
    • 5) Adobe Reader
    • 6) Adobe Acrobat
    • 7=) Adobe Flash Player
    • 7=) Adobe AIR
    • 9) iTunes
    • 10) Mozilla Thunderbird

  • Of the 50 most prevalent programs, 26 are from Microsoft; 24 are non-Microsoft tools from 14 different vendors.
  • The highest level of installation of course was Internet Explorer, because it's pervasive: it's in every version of Windows.
  • The least installed of the 24 non-Microsoft programs was CyberLink's PowerDVD.
  • During the two years from 2007 to 2009, while Secunia was collecting this data, the number of vulnerabilities in these top 50 programs (the ones most installed on people's machines) doubled, from 220 to 420.
  • So far, during the first six months of 2010, we are already at 380 vulnerabilities.
  • So we're at 89 percent, year-to-date, of all of 2009. If we extrapolate, assuming the rest of the year goes as it has so far, we would be at 760 vulnerabilities this year, up from 420 last year.
  • Secunia ranks them in five different categories, from supercritical, then highly critical, then moderately critical.
  • They only had 1 percent in the supercritical category.
  • But they did have 50 percent of the vulnerabilities ranging between highly and moderately critical.
  • And interestingly, 80 percent of these are remote attacks.
  • Only 20 percent were local, non-remotely-exploitable attacks.
  • XP and Vista had no essential difference in the rate or the severity of vulnerabilities.


Go To Meeting

Production Information

  • Edited by: Erik
  • Notes:
This area is for use by TWiT staff only. Please do not add or edit any content within this section.