In This Issue: Tech Talk, News & Articles, Reader Q&A, Announcements, Etcetera

Tech Talk
Hacking Windows of Vulnerability
On Friday, July 25, the security research group Xfocus published exploit code for the Last Stage of Delirium's Windows RPC DCOM vulnerability (MS03-026) that affects all current versions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003. Due to the serious threat posed by the presence of this public exploit, coupled with the fact that a patch for the vulnerability had only been available for a short time, eEye Digital Security released a free scanning utility to help network administrators detect vulnerable systems in need of patching.
Prior to the release of the exploit, eEye’s Retina® Network Security Scanner contained a non-intrusive audit for the RPC DCOM vulnerability; however, the audit required administrative privileges on the machine being scanned. The exploit code released that day provided specific details on the vulnerability that were previously unavailable, which allowed the eEye research team to start work on a new audit, still non-intrusive, that could be performed remotely without domain credentials.
After several hours of intense research, studying how internal test machines at various patch levels reacted to the exploit, the research engineers outlined the methodology for the new Retina audit. The key to creating the audit, the engineers discovered, was that different operating systems at different patch levels respond uniquely to various RPC commands. Collecting information on the machine being scanned and then analyzing its response to particular RPC calls proved to be the most effective way of establishing whether it was vulnerable.
Using this alternative method of discovery, rather than relying on registry entries, allowed for an extremely accurate check that worked for all platforms regardless of access level. Eight hours after the release of the exploit, early Saturday morning, the eEye QA and product release teams updated Retina with the new audit and made available the free utility on the eEye website. Similar tools from other security organizations were made available four days later.
eEye’s heavy investment in security research was the main factor in being able to release this audit so quickly when it was most necessary. The energy, knowledge and experience of the eEye research team carry over to every vulnerability audit in eEye’s Retina scanner as well as the other eEye products.
So why is measuring response time in hours versus days critical in the security industry?
Once a vulnerability or exploit is announced on the Internet, attackers depend on the window of opportunity that exists between the announcement of a vulnerability and the time it takes organizations to find and patch all their vulnerable systems. This period of time is sometimes referred to as the "window of vulnerability". For the developers of vulnerability assessment products, response time for creating an accurate, non-intrusive audit is crucial. The providers of these products are the key to pulling the windows of vulnerability shut. Involvement in the security community, constant monitoring of security sites, and a commitment to quick response enable eEye to provide the strongest backing to the best in security software.
Jim Marczyk
Senior Quality Assurance Engineer
eEye Digital Security

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Computerworld: Calculating Security ROI is Tricky Business
"IT departments have traditionally been viewed as cost centers, though they have learned to provide a business-case analysis for IT initiatives. Information security departments are trying to figure out how to do the same thing." Full Article

InformationWeek: No Time To Relax
"More U.S. companies say they're spending enough to win the information-security battle. Have companies found the right balance of risk and cost, or are they dropping their guard just as threats get more vicious?" Full Article

News.Com: FBI Targets Net Phoning
"Internet telephone calls are fast becoming a national security threat that must be countered with new police wiretap rules, according to an FBI proposal presented quietly to regulators this month." Full Article

InfoWorld: Hacker Tips CERT's Hand on Linux/PDF Flaw
"Confidential vulnerability information managed by the CERT Coordination Center has again been leaked to the public, following a flurry of such leaks in March." Full Article

Reader Q&A
Q: How can Retina claim to be so fast but not flood my network or hosts?
A: Retina uses an advanced technology which eEye has termed "Adaptive Rate Scanning". This technology enables Retina to monitor the rate of communication to each IP that is being audited. Using a proprietary algorithm, Retina then determines the safest speed at which to begin auditing.
During the course of a scan, if Retina notices that a host is beginning to respond more slowly (because the remote host is experiencing high CPU load, increased network traffic, etc.), it will reduce the rate at which packets are being sent to that host. If and when the host begins to respond faster, Retina will again increase its communication to the fastest safe scan rate.
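To make the feedback loop described in this answer concrete, here is an added illustration of a per-host adaptive rate controller. It is not Retina's proprietary algorithm and is not eEye's code; the thresholds, the median-RTT baseline, and the halve-on-slowdown / step-up-on-recovery rule are assumptions chosen to show the behaviour, and the probe samples are constructed.

```python
import statistics
from collections import deque


class AdaptiveRateController:
    """Per-host packet-rate controller (illustrative, not Retina's algorithm).

    Keeps a short baseline of recent healthy round-trip times for one host,
    halves the send rate when a reply is markedly slower than that baseline
    (or times out), and steps the rate back up while replies look normal.
    """

    def __init__(self, start_pps=50.0, max_pps=200.0, min_pps=5.0,
                 window=8, slow_factor=2.0, backoff=0.5, step=10.0):
        self.rate = float(start_pps)      # current packets/second to this host
        self.max_pps, self.min_pps = max_pps, min_pps
        self.slow_factor = slow_factor    # RTT multiple of baseline that counts as slow
        self.backoff, self.step = backoff, step
        self.baseline = deque(maxlen=window)  # recent RTTs from healthy replies

    def host_is_slow(self, rtt):
        # With no baseline yet, the first replies are taken as healthy.
        return bool(self.baseline) and rtt > self.slow_factor * statistics.median(self.baseline)

    def observe(self, rtt, timed_out=False):
        """Record one probe result (RTT in seconds) and return the new rate."""
        if timed_out or self.host_is_slow(rtt):
            # Host is struggling (CPU load, congestion, ...): back off quickly,
            # but never below the floor so the scan still makes progress.
            self.rate = max(self.min_pps, self.rate * self.backoff)
        else:
            # Host answering normally: extend the baseline and speed up gently.
            self.baseline.append(rtt)
            self.rate = min(self.max_pps, self.rate + self.step)
        return self.rate

    def send_interval(self):
        """Seconds to wait between packets to this host at the current rate."""
        return 1.0 / self.rate


# Constructed probe results: five healthy replies, a sharp slowdown, a timeout,
# then the host recovering. (rtt_seconds, timed_out)
SAMPLE_PROBES = [(0.010, False)] * 5 + [(0.050, False), (None, True),
                                        (0.012, False), (0.010, False)]


def rate_trace(samples, **kwargs):
    """Feed a sequence of probe results through a fresh controller; return the rates."""
    ctl = AdaptiveRateController(**kwargs)
    return [ctl.observe(rtt, timed_out) for rtt, timed_out in samples]


if __name__ == "__main__":
    print(rate_trace(SAMPLE_PROBES))  # rises, halves twice, then climbs again
```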
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements
FREE Scanner to Combat RPC DCOM Vulnerability
Due to the RPC DCOM exploit posted last Friday (see this issue's Tech Talk), eEye augmented the existing RPC DCOM audit already in Retina Network Security Scanner and simultaneously created a free scanning utility. The free Retina RPC DCOM scanning utility enables security professionals to identify and fix assets vulnerable to the critical flaw, and is available for immediate download. Full Article

eEye Discovers Critical Microsoft DirectX Vulnerability
Microsoft provides a component called QUARTZ.DLL that allows various Windows applications (e.g. Windows Media Player and Internet Explorer) to play MIDI music through a common interface. eEye Digital Security released an advisory on July 23, 2003 identifying a pair of flaws in all versions of QUARTZ.DLL that would allow a specially-crafted MIDI file to cause the execution of arbitrary code when played. Full Article

SecureIIS™ Personal Edition Now Available
Earlier this month, eEye announced the availability of SecureIIS Web Server Protection – Personal Edition. Available at no cost for personal, non-commercial usage, the Personal Edition of SecureIIS provides unmatched application protection and intrusion prevention for guarding Microsoft web servers against worms, buffer overflow vulnerabilities, hybrid attacks, and other types of known and unknown security threats. SecureIIS Personal Edition is available for direct download by visiting: Full Article
Etcetera

High-Tech Votes Can Be Hacked, Scientists Say
Software flaws in a high-tech voting system could allow vandals to tamper with election results in several U.S. states. More

US Election Fraud Scandal Looms?
"Explosive conjectures" on rigging electronic elections. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.