When almost everyone fail's .. (Web application security related / IIS)

Printable View

March 13th, 2009, 06:53 PM
ByTeWrangler

When *almost* everyone fail's .. (Web application security related / IIS)

This was a good read today morning..

Quote:

The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.

Here's the brief : virustotal 0 detection - It's unpatched from over 10 months (Published: April 17, 2008 | Updated: October 9, 2008) - Most other security appliances will never pick it up..

Quote:

Finally, the AV vendors should be more proactive (instead of reactive) and follow exploit research developments so they can add detection for similar exploits early and protect their customers.

Life isn’t easy, thanks to Microsoft!

Source : http://isc.sans.org/diary.html?storyid=6010
March 14th, 2009, 02:46 AM
nihil

Secunia

Nice post ByTeWrangler,

I think that one of the major players was left out though?............ the inept systems administrator?

At this point I am going to suggest that that interested parties check out this product:

http://secunia.com/vulnerability_scanning/personal/

I have only tested the free for personal use version, but have been very impressed with it, so would expect the commercial version to be as good, if not better.

It scans your system and tells you about stuff that has security updates, or is no longer supported.

In defence of Microsoft (OMG! am I really typing this?), I would say that it is not their problem if a web application is insecure........... that was the "open door" was it not?

They did publish mitigations.........if your SysAdmin doesn't follow those, why are you employing him?

As for the AV providers.........well you need to understand what AV doesn't do, and that is your job basically?

This stuff runs as SYSTEM..................do you want the performance hit of the AV checking that?

Quote:

Life isn’t easy, thanks to Microsoft!

They have kept me in beer for many years :drink:

Now, had it been a Linux box, this would never have happened.......... but the webapp wouldn't have worked either.......... we all "know" that you don't need AV on a Linux box................ so that leaves us with the SysAdmin?

Floggings at dusk; hangings at 10.00hrs (Royal Navy tradition there :D)

:lildevil:
March 14th, 2009, 08:17 AM
ByTeWrangler

Quote:

think that one of the major players was left out though?............ the inept systems administrator?

Precisely why I wrote “almost everyone” .. Microsoft, AV vendor *did* fail and so did the administrator of the server that was being investigated. I blame Microsoft for not releasing a patch for *so* long but they did release an article highlighting the problem and with suggested workaround. Security administrator should have followed up too. He could have tested the workaround and deployed it..

Also the fact that Microsoft hasn’t patched up a security vulnerability on their server grade OS definitely $ucks..
March 14th, 2009, 01:02 PM
nihil

ByTe~,

Quote:

Precisely why I wrote “almost everyone”

Yes, glad that I passed the test, and apologies if I spoilt your little quiz :)

I totally agree that suppliers of server side software should take a very responsible approach to their products; after all, if you infect the server you now own the clients in most cases?

Unfortunately, there seem to be two counter-productive influences here?

1. The "percentage player", which basically says that I don't think that will happen very often or to very many of my customers.

2. What I call the "in-tray syndrome". This is where items are semi-prioritised and stuff from the top of the tray gets done first. More stuff comes in each day and low priority items never surface ;)

Just watch: if the White House, Pentagon, or a major financial institution get hit by this; there will be a fix by sunset :cool:
March 14th, 2009, 05:51 PM
Cheap Scotch Ron

Quote:

http://secunia.com/vulnerability_scanning/personal/

Excellent! Thanks Nihil.
March 14th, 2009, 06:42 PM
nihil

Hey Ron,

Over the years I have used all sorts of bits and bobs for hardware and applications support and such.

Do you think that it would be worthwhile starting a thread on this?

Like with links to the stuff where you can get free or a trial period?

:)
March 14th, 2009, 06:53 PM
Cheap Scotch Ron

Quote:

Over the years I have used all sorts of bits and bobs for hardware and applications support and such.

Yeah, me 2 and I am sure many others.

Quote:

Do you think that it would be worthwhile starting a thread on this?

Yes, but... It would be tough to keep it current and organized. That said, if we had a sticky somewhere where we all posted links I suppose could try. I suspect it will get infected with all sorts of junk. But then again, the moderators could do the cleanup. ;)

Let's try it and see how it goes.
March 15th, 2009, 10:32 AM
nihil

OK, I will try a sticky in "Tips & Tricks"

Here is another one that I sometimes find useful, particularly when re-installing an OS on an unknown machine.

http://www.zhangduo.com/udi.html

It is called the "Unknown Device Identifier"

A lot of hardware analysis tools just read the BIOS/OS rather than go and look for themselves, so if you have an unknown device, you are pretty much screwed?
March 15th, 2009, 10:56 PM
sumdumguy

shame on you nihil for suggesting that particular app :P

huntersoft ripped it off from Halfdone many many years ago...

Halfdone: SOTW: Huntersoft is a Thief
http://www.halfdone.org/SOTW/Message2Huntersoft

Halfdone: SOTW: Unknown Device Identifier Ripoff
http://www.halfdone.org/SOTW/UnknownDevicesRip

I think at one point there was even a half baked attempt at a trojan in an early version
March 16th, 2009, 12:05 AM
cabby80

Secunia Software Inspector

I too use the Secunia tool at home and I think it is great. Especially for reviewing if things like Java, Flash, Acrobat etc are vulnerable or not. When I ran this for the first time I was surprised by having multiple versions of Java and Flash on my system at home, when I applied updates or more accurately upgrades old versions kept hanging around. These are things everyone has on their systems but Windows update doesn't manage.

I have also done an evaluation of the Network or Enterprise version. It too was very good with a lot of good reporting options and history tracking options. One thing to be aware of is that you can get it in two "versions". The first and cheaper up front version basically means you scan your devices locally but scans are managed from, and results are uploaded to, the remote Secunia servers for correlation and reporting. The second version which is more expensive up front basically gives your enterprise its own version of the scanning server and means that it is all manageable and maintainable in house without having to rely on the Secunia servers (other then updating the vulnerability database from the Secunia servers).

The govt organisation I was working for would never have agreed to send its vulnerability data (I details on what machines are vulnerable to what exploits) to an external source.

When I looked at it there was also no support for Linux scanning, Secunia said they were working on it but not sure of its status now (I was evaluating 6 months ago).
March 16th, 2009, 10:57 PM
nihil

Quote:

huntersoft ripped it off from Halfdone many many years ago...

That's as maybe but it is virtually abandonware and I doubt if the two products are similar these days. Huntersoft last released a stable version in May 2003 and a beta in June 2007 which has progressed no further.

Quote:

I think at one point there was even a half baked attempt at a trojan in an early version

Not really a trojan, just a booby trap for people who tried to reverse engineer it:D

The last two versions (and they do update at least once a year) are clean.
March 17th, 2009, 01:09 PM
Cider

Secunia is very impressive Nihil, thanks for the heads up.

Was very shocked when scanning my work computer.
March 18th, 2009, 04:46 AM
phishphreek

I've remembered that Secunia has provided many nice security reports in the past. When I scanned my home computer, there were two problems. The first was flash and the second was reader. Simple fix. uninstall both... again. Scan my work computer (shhhh) and those alerts are not there!

I've had a growing hatred for adobe over the past several years. I'm sick and tired of having to patch their software manually. Seeing as how frequently they have security updates, the ability to run an update server is not asking too much. Especially for admins who have dozens or hundreds of boxes to patch.

Well, I've taken care of them. I've use System Center Configuration Manger 2007 to restrict ANY workstation in my company from using ANY Adobe product. FsCk Adobe. I know I could use SSCM2K7 to patch Adobe, but I figured the first *good* thing I'd do with it was to remove their junk. Same goes to Apple's crapware.

There are plenty of alternatives that are less bloated and OSS for all the junk I've removed. Oh joy!

/rant
March 18th, 2009, 02:26 PM
Cider

ROFL!

Well I had about 6 issues on my work PC, yes all were related to adobe except one for Sun ...
March 18th, 2009, 02:54 PM
nihil

Hey! I bet the Sun one was for Java :D

Java has just updated, and Secunia reported that it had uninstalled the previous version.................you used to have to do that manually until now?

I haven't had a chance to check it out yet.
March 19th, 2009, 01:46 PM
Cider

Ya Ya,

Anyone using the network version?

When *almost* everyone fail's .. (Web application security related / IIS)

When almost everyone fail's .. (Web application security related / IIS)