-
March 13th, 2009, 06:53 PM
#1
When *almost* everyone fails .. (Web application security related / IIS)
This was a good read this morning..
The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.
Here's the brief: VirusTotal 0 detections - It has been unpatched for over 10 months (Published: April 17, 2008 | Updated: October 9, 2008) - Most other security appliances will never pick it up..
Finally, the AV vendors should be more proactive (instead of reactive) and follow exploit research developments so they can add detection for similar exploits early and protect their customers.
Life isn’t easy, thanks to Microsoft!
Source : http://isc.sans.org/diary.html?storyid=6010
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
March 14th, 2009, 02:46 AM
#2
Secunia
Nice post ByTeWrangler,
I think that one of the major players was left out though?............ the inept systems administrator?
At this point I am going to suggest that interested parties check out this product:
http://secunia.com/vulnerability_scanning/personal/
I have only tested the free for personal use version, but have been very impressed with it, so would expect the commercial version to be as good, if not better.
It scans your system and tells you about stuff that has security updates, or is no longer supported.
In defence of Microsoft (OMG! am I really typing this?), I would say that it is not their problem if a web application is insecure........... that was the "open door" was it not?
They did publish mitigations.........if your SysAdmin doesn't follow those, why are you employing him?
As for the AV providers.........well you need to understand what AV doesn't do, and that is your job basically?
This stuff runs as SYSTEM..................do you want the performance hit of the AV checking that?
Life isn’t easy, thanks to Microsoft!
They have kept me in beer for many years
Now, had it been a Linux box, this would never have happened.......... but the webapp wouldn't have worked either.......... we all "know" that you don't need AV on a Linux box................ so that leaves us with the SysAdmin?
Floggings at dusk; hangings at 10.00hrs (Royal Navy tradition there)
-
March 14th, 2009, 08:17 AM
#3
I think that one of the major players was left out though?............ the inept systems administrator?
Precisely why I wrote “almost everyone” .. Microsoft and the AV vendors *did* fail, and so did the administrator of the server that was being investigated. I blame Microsoft for not releasing a patch for *so* long, but they did release an article highlighting the problem with a suggested workaround. The security administrator should have followed up too. He could have tested the workaround and deployed it..
Also, the fact that Microsoft hasn’t patched a security vulnerability on their server-grade OS definitely $ucks..
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
March 14th, 2009, 01:02 PM
#4
ByTe~,
Precisely why I wrote “almost everyone”
Yes, glad that I passed the test, and apologies if I spoilt your little quiz
I totally agree that suppliers of server side software should take a very responsible approach to their products; after all, if you infect the server you now own the clients in most cases?
Unfortunately, there seem to be two counter-productive influences here?
1. The "percentage player", which basically says that I don't think that will happen very often or to very many of my customers.
2. What I call the "in-tray syndrome". This is where items are semi-prioritised and stuff from the top of the tray gets done first. More stuff comes in each day and low priority items never surface.
Just watch: if the White House, Pentagon, or a major financial institution gets hit by this, there will be a fix by sunset.
-
March 14th, 2009, 05:51 PM
#5
In God We Trust....Everything else we backup.
-
March 14th, 2009, 06:42 PM
#6
Hey Ron,
Over the years I have used all sorts of bits and bobs for hardware and applications support and such.
Do you think that it would be worthwhile starting a thread on this?
Like with links to the stuff where you can get free or a trial period?
-
March 14th, 2009, 06:53 PM
#7
Over the years I have used all sorts of bits and bobs for hardware and applications support and such.
Yeah, me 2 and I am sure many others.
Do you think that it would be worthwhile starting a thread on this?
Yes, but... It would be tough to keep it current and organized. That said, if we had a sticky somewhere where we all posted links, I suppose we could try. I suspect it will get infected with all sorts of junk. But then again, the moderators could do the cleanup.
Let's try it and see how it goes.
In God We Trust....Everything else we backup.
-
March 15th, 2009, 10:32 AM
#8
OK, I will try a sticky in "Tips & Tricks"
Here is another one that I sometimes find useful, particularly when re-installing an OS on an unknown machine.
http://www.zhangduo.com/udi.html
It is called the "Unknown Device Identifier"
A lot of hardware analysis tools just read the BIOS/OS rather than go and look for themselves, so if you have an unknown device, you are pretty much screwed?
-
March 15th, 2009, 10:56 PM
#9
Shame on you, nihil, for suggesting that particular app :P
Huntersoft ripped it off from Halfdone many, many years ago...
Halfdone: SOTW: Huntersoft is a Thief
http://www.halfdone.org/SOTW/Message2Huntersoft
Halfdone: SOTW: Unknown Device Identifier Ripoff
http://www.halfdone.org/SOTW/UnknownDevicesRip
I think at one point there was even a half-baked attempt at a trojan in an early version.
-
March 16th, 2009, 12:05 AM
#10
Secunia Software Inspector
I too use the Secunia tool at home and I think it is great, especially for reviewing whether things like Java, Flash, Acrobat etc. are vulnerable or not. When I ran this for the first time I was surprised to find multiple versions of Java and Flash on my system at home; when I applied updates, or more accurately upgrades, old versions kept hanging around. These are things everyone has on their systems but Windows Update doesn't manage.
I have also done an evaluation of the Network or Enterprise version. It too was very good, with a lot of good reporting options and history tracking options. One thing to be aware of is that you can get it in two "versions". The first and cheaper up-front version basically means you scan your devices locally, but scans are managed from, and results are uploaded to, the remote Secunia servers for correlation and reporting. The second version, which is more expensive up front, basically gives your enterprise its own version of the scanning server and means that it is all manageable and maintainable in house without having to rely on the Secunia servers (other than updating the vulnerability database from the Secunia servers).
The govt organisation I was working for would never have agreed to send its vulnerability data (i.e. details on what machines are vulnerable to what exploits) to an external source.
When I looked at it there was also no support for Linux scanning. Secunia said they were working on it, but I am not sure of its status now (I was evaluating 6 months ago).
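The "old versions kept hanging around" situation described in the post above can be checked without a third-party scanner. The script below is an added example, not code from the thread or from Secunia: it reads the Windows Uninstall registry keys (64-bit, 32-bit and per-user), groups entries into a few product families that Windows Update does not service, and reports any family with more than one installed version. The family names and the regular expressions matched against DisplayName are assumptions constructed for this example, not a vulnerability database.

```powershell
# Added example (not from the thread or from Secunia): enumerate installed software from
# the Windows Uninstall registry keys and flag product families that are present in more
# than one version, i.e. old installs that survived an upgrade.
# Assumptions: run in Windows PowerShell 3.0+ or PowerShell 7 on the host being checked;
# the family patterns below are illustrative only.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product families Windows Update does not manage; each maps a family name to a regex
# over the registry DisplayName (constructed for this example, extend as needed).
$families = @{
    'Java'         = 'Java(\(TM\))?\s+\d|Java \d+ Update|Java SE'
    'Flash Player' = 'Adobe Flash Player'
    'Adobe Reader' = 'Adobe (Acrobat )?Reader'
}

function Get-InstalledSoftware {
    # Keep only entries with a DisplayName; keys without one are usually patch entries
    # or leftovers with no user-visible product.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Key       = $_.PSPath
            }
        }
}

function Find-DuplicateVersions {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Software)

    foreach ($family in $families.Keys) {
        $pattern = $families[$family]
        $hits = @($Software | Where-Object { $_.Name -match $pattern })
        # One version per family is normal; several distinct versions mean an
        # earlier install was never removed and still carries its old vulnerabilities.
        $versions = @($hits | Select-Object -ExpandProperty Version -Unique)
        if ($versions.Count -gt 1) {
            [pscustomobject]@{
                Family   = $family
                Count    = $versions.Count
                Versions = ($versions -join ', ')
                Entries  = $hits
            }
        }
    }
}

$installed  = @(Get-InstalledSoftware)
$duplicates = @(Find-DuplicateVersions -Software $installed)

if ($duplicates.Count -eq 0) {
    Write-Output 'No product family found with more than one installed version.'
} else {
    foreach ($d in $duplicates) {
        Write-Output ("{0}: {1} versions installed ({2})" -f $d.Family, $d.Count, $d.Versions)
        $d.Entries | Format-Table Name, Version, Publisher -AutoSize
    }
}
```

Run it in an elevated session so the HKLM hives are readable in full. Because matching is per family rather than per product, a JDK and a JRE entry count as two Java versions; that is usually what you want when the question is "which old runtimes are still here", but the Entries column lists the individual registry records so each hit can be judged on its own. The script only reports what is installed; deciding whether a given version is vulnerable still needs a current vulnerability feed, which is the part a tool like the one discussed in this thread adds.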