
Thread: When *almost* everyone fails .. (Web application security related / IIS)

  1. #1

    When *almost* everyone fails .. (Web application security related / IIS)

    This was a good read this morning..


    The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.
    Here's the brief: VirusTotal 0 detections - It's been unpatched for over 10 months (Published: April 17, 2008 | Updated: October 9, 2008) - Most other security appliances will never pick it up..

    Finally, the AV vendors should be more proactive (instead of reactive) and follow exploit research developments so they can add detection for similar exploits early and protect their customers.
    Life isn’t easy, thanks to Microsoft!



    Source : http://isc.sans.org/diary.html?storyid=6010
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    Secunia

    Nice post ByTeWrangler,

    I think that one of the major players was left out though?............ the inept systems administrator?

    At this point I am going to suggest that that interested parties check out this product:

    http://secunia.com/vulnerability_scanning/personal/

    I have only tested the free for personal use version, but have been very impressed with it, so would expect the commercial version to be as good, if not better.

    It scans your system and tells you about stuff that has security updates, or is no longer supported.

    In defence of Microsoft (OMG! am I really typing this?), I would say that it is not their problem if a web application is insecure........... that was the "open door" was it not?

    They did publish mitigations.........if your SysAdmin doesn't follow those, why are you employing him?

    As for the AV providers.........well you need to understand what AV doesn't do, and that is your job basically?

    This stuff runs as SYSTEM..................do you want the performance hit of the AV checking that?

    Life isn’t easy, thanks to Microsoft!
    They have kept me in beer for many years

    Now, had it been a Linux box, this would never have happened.......... but the webapp wouldn't have worked either.......... we all "know" that you don't need AV on a Linux box................ so that leaves us with the SysAdmin?

    Floggings at dusk; hangings at 10.00hrs (Royal Navy tradition there )


  3. #3
    think that one of the major players was left out though?............ the inept systems administrator?
    Precisely why I wrote “almost everyone” .. Microsoft and the AV vendors *did* fail, and so did the administrator of the server that was being investigated. I blame Microsoft for not releasing a patch for *so* long, but they did release an article highlighting the problem with a suggested workaround. The security administrator should have followed up too. He could have tested the workaround and deployed it..

    Also, the fact that Microsoft hasn’t patched a security vulnerability on their server grade OS definitely $ucks..

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    ByTe~,

    Precisely why I wrote “almost everyone”
    Yes, glad that I passed the test, and apologies if I spoilt your little quiz

    I totally agree that suppliers of server side software should take a very responsible approach to their products; after all, if you infect the server you now own the clients in most cases?

    Unfortunately, there seem to be two counter-productive influences here?

    1. The "percentage player", which basically says that I don't think that will happen very often or to very many of my customers.

    2. What I call the "in-tray syndrome". This is where items are semi-prioritised and stuff from the top of the tray gets done first. More stuff comes in each day and low priority items never surface.

    Just watch: if the White House, Pentagon, or a major financial institution gets hit by this, there will be a fix by sunset.

  5. #5
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    In God We Trust....Everything else we backup.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hey Ron,

    Over the years I have used all sorts of bits and bobs for hardware and applications support and such.

    Do you think that it would be worthwhile starting a thread on this?

    Like with links to the stuff where you can get free or a trial period?


  7. #7
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Over the years I have used all sorts of bits and bobs for hardware and applications support and such.
    Yeah, me 2 and I am sure many others.

    Do you think that it would be worthwhile starting a thread on this?
    Yes, but... It would be tough to keep it current and organized. That said, if we had a sticky somewhere where we all posted links, I suppose we could try. I suspect it will get infected with all sorts of junk. But then again, the moderators could do the cleanup.

    Let's try it and see how it goes.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK, I will try a sticky in "Tips & Tricks"

    Here is another one that I sometimes find useful, particularly when re-installing an OS on an unknown machine.

    http://www.zhangduo.com/udi.html

    It is called the "Unknown Device Identifier"

    A lot of hardware analysis tools just read the BIOS/OS rather than go and look for themselves, so if you have an unknown device, you are pretty much screwed?

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    shame on you nihil for suggesting that particular app :P

    huntersoft ripped it off from Halfdone many many years ago...

    Halfdone: SOTW: Huntersoft is a Thief
    http://www.halfdone.org/SOTW/Message2Huntersoft

    Halfdone: SOTW: Unknown Device Identifier Ripoff
    http://www.halfdone.org/SOTW/UnknownDevicesRip

    I think at one point there was even a half baked attempt at a trojan in an early version

  10. #10

    Secunia Software Inspector

    I too use the Secunia tool at home and I think it is great, especially for reviewing whether things like Java, Flash, Acrobat etc. are vulnerable or not. When I ran it for the first time I was surprised to find multiple versions of Java and Flash on my system at home: when I applied updates, or more accurately upgrades, the old versions kept hanging around. These are things everyone has on their systems but Windows Update doesn't manage.

    I have also done an evaluation of the Network or Enterprise version. It too was very good, with a lot of good reporting options and history tracking options. One thing to be aware of is that you can get it in two "versions". The first and cheaper up-front version basically means you scan your devices locally, but scans are managed from, and results are uploaded to, the remote Secunia servers for correlation and reporting. The second version, which is more expensive up front, basically gives your enterprise its own version of the scanning server and means that it is all manageable and maintainable in house without having to rely on the Secunia servers (other than updating the vulnerability database from the Secunia servers).

    The govt organisation I was working for would never have agreed to send its vulnerability data (i.e. details on what machines are vulnerable to what exploits) to an external source.

    When I looked at it there was also no support for Linux scanning. Secunia said they were working on it, but I'm not sure of its status now (I was evaluating 6 months ago).
