October 29, 2008
In This Issue
Tech Talk

MS08-067 – The Need for Increased Technical Awareness

When Microsoft released information about an out-of-band patch being pushed out on October 24th, 2008, many researchers, administrators, and C-level executives were concerned and had little information regarding the severity of the patch. Typically, Microsoft only releases out-of-band patches for serious vulnerabilities that are in the process of being exploited in the wild. Although there are a few zero-day vulnerabilities within Microsoft programs, none of them had merited such a serious patch.

Immediately after the release, eEye customers were concerned and were asking for more information. How serious is the vulnerability? Is it already being exploited? Perhaps most nostalgically, is this going to be a worm? Unfortunately, like every other researcher, we were left with only the information that had been disclosed by Microsoft regarding the vulnerability. It was clear that October 24th, 2008 was going to be an ugly day.

With any Microsoft-related patch, eEye Research does a deep dive in order to gain a better understanding. MS08-067 was no exception. As soon as the binary was released, eEye Research Engineers started the binary analysis of the patches and were able to identify the vulnerability. The next step was to produce a proof-of-concept test tool to reach the vulnerable code, and finally to develop a full remote-code-execution (RCE) exploit. Throughout the process, eEye Research Engineers documented their every move and all findings in an eEye Preview security intelligence document. Phone calls were immediately placed to all Preview customers to let them know about eEye Research's findings and to help them start assessing their networks. This gave our Preview customers a complete understanding of the technical information, which is beneficial because most of them do not have adequate staffing to accomplish what a developed and experienced research team is able to.

Why is it important not to roll out the patch and assume you’re protected?

While I would like to pressure administrators to roll out this patch, there are plenty of unique one-off situations that could cause issues:

• Snapshot VM images without the patch coming online
• Old desktop images still being rolled out across the network without this patch
• Unmanaged workstations

Administrators responsible for enterprise-sized networks needed some help with MS08-067. This had the potential to be self-replicating (as seen in some samples), so administrators were first checking their perimeter to make sure these packets couldn't get through. In this day and age, that's pretty much a given.

Next, administrators were worried about the "insider threat". At eEye, we consider that a bit different from the espionage-laden images produced by many pundits. Instead, we refer to the insider threat as any system on the internal network that has the potential to infect others. This could be an HR computer that opened a malicious PDF document a year ago and is still under the control of the attacker. A single system could allow a smart attacker to enter your network, and with a zero-day exploit such as this one, administrators were no longer able to rely on their network-based IPS.

What is the solution? Administrators need to emulate an attacker and test some systems for themselves (i.e. a "penetration test"). They need to get a copy of a reliable exploit and start testing their own server and workstation configurations (whether they're hardened or simply have a HIPS installed). On top of that, they need to be aware of all of the uses of the exploit that are seen by attackers in the wild and what other potential opportunities this exploit might offer that haven't been seen yet.

VERSA articles are normally vendor/product-neutral, but eEye Research delivers a unique service that allows administrators to outsource much of this complicated and technically aggressive work to the well-educated research team at eEye. With the eEye Preview Exclusive service, administrators were able to call upon an eEye Researcher (not an operator) and get up-to-the-minute updates on ALL aspects of this vulnerability. This included full vulnerability identification details available within 2 hours of the patch, samples of all malware associated with this exploit, known attacking IP addresses and/or DNS names, as well as exploit tools.

Any administrator with the eEye Preview service was able to immediately assess their network security posture against this major threat and start formulating their plan of action for this vulnerability. Many times, carrying out this entire process based only on a Microsoft advisory would not be fully informed. However, with the eEye Preview service, administrators were able to gain the insight necessary to fully understand and mitigate this very serious threat to their networks.

NOTE: The Preview service is being offered for a limited-time pilot trial for $10,000 for 30 days. This includes full access to the eEye Preview service over the next month to help administrators understand the full value of Preview as it relates to MS08-067 and other threats that might occur over the next 30 days. This pilot fee is fully refunded upon signing a one-year contract for Preview Exclusive. If you are interested in this service, please contact services@eeye.com and mention "MS08-067 discount" to redeem this offer.

Source: Andre Derek Protas, Director of Research and Preview Services

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

SC Magazine: Security Blink Professional
"SC Magazine reviews eEye's Blink endpoint security product as being feature-rich and able to replace many other pieces of software." Full Article

SC Magazine: Group Test- Vulnerability Assessment
"SC Magazine reviews the eEye Retina Security Management Appliance as a Best Buy providing solid performance, good value and a venerable pedigree." Full Article

Blink 4.0 Video Review
"David Strom performs a video review of eEye's Blink Professional 4.0" Full Article

View All Media Coverage
"eEye and its security solutions have been covered by numerous press and media associations" Full Article

Reader Q&A

Q: What is your favorite exploit framework?

A: eEye Research is standardized on Core Impact for a variety of reasons, most notably its effectiveness for enterprise-sized penetration testing engagements. Immunity Canvas and Metasploit are both very powerful exploit frameworks that could be just as powerful as Core in the right hands, but eEye Research prefers to standardize on one set of tools and Core has been chosen because of its power when it comes to custom module development. eEye Research regularly develops (and releases to eEye Preview customers) extended modules for Core Impact that assist in many of the supplemental aspects of penetration testing.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

eEye Unveils New Partner Program to Offer Growth Opportunities for Security Resellers
Pre-sales support, training, lead referral program, tech support hotline, incentives and discount opportunities define the new eEye Partner Program Full Article

eEye Retina Network Security Scanner Passes NSS Labs’ PCI Suitability Testing
Retina is able to support 16 of 16 direct PCI DSS Requirements in NSS Labs PCI Suitability Testing Full Article

eEye Receives Top Rating and Earns 'Best Buy' Title in Security Product Shoot-Out
SC Magazine awards Retina Security Management Appliance 5-star award for Vulnerability Assessment Group Test Full Article

eEye To Offer 25% Discount Channel Conversion Incentive to Entice Symantec Partners
eEye to offer a 25% discount to former Symantec resellers who join the eEye Partner Program or change a Symantec renewal opportunity into an eEye purchase Full Article

Etcetera

Stay Up-to-Date with eEye Research
eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data is offering eEye Research a distinct insight into host-based vulnerability and attack trends, which is used to build enhanced protection into Blink. Keep an eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen because of the mass use of Blink Personal, including Neighborhood Watch reports and attack trends. More

Vulnerability Expert Forums
The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities - from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.