-
January 11th, 2006, 09:12 PM
#11
I have three flat screens on my desk with real time traffic analysis of my perimeter firewalls. The one used for Exchange and general internet access started acting weird on Monday. At about 8am the traffic pattern shifted. I watch it every day and it completely went 180 on me. A few minutes later the phone rang with Administrators saying they are getting errors accessing the web. FRUCK ME, I said and went to work. Not knowing about this patch until this morning I had to isolate the problem which appeared to be a DOS attack or Spam attack on Exchange. The SMTP traffic would build in about 5 minutes to gobble up the ENTIRE T1 every time I turned on the virtual SMTP server. Long boring story short... anyway I worked all night tearing down the firewall, tracking all sorts of DNS items and generally reconfiguring and changing passwords etc and tracking and blocking potential bad IPs. Then all day yesterday reconfiguring and checking Exchange and the whole system so... FU MS. I stopped it, got it all back up to find a patch ready. ACK!
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
January 11th, 2006, 10:29 PM
#12
RoadClosed
Sorry you got hosed by all this, but thanks much for sharing your damage control etc., we don't always get to have hands on or hear enough about the crisis management end of it. So if anyone else gets hammered by the latest or future crap, please share it with us. Thanks
cheers
Connection refused, try again later.
-
January 12th, 2006, 03:49 PM
#14
Errr this is a bit long.
Patch report
I applied the TNEF patch to two legacy Exchange 5.5 SP4 servers OK, although one did require a reboot. Definitely time to move from *that* platform though as that was the last patch for 5.5.
Further reading
There's a good article here outlining the seriousness of this flaw. It's definitely worth reading and bringing to the attention of your management team - and there are two very chilling paragraphs:
"You could take over an Exchange server with a single, simple email," he said. "From there you could target all the clients accessing that server. You would 'own' any Outlook client that connects to that server. Then an attacker could grab the Outlook users' address books.
"If you did it right, you could own every Outlook user in the world within a week," he said.
This is why I mentioned the Witty Worm in an earlier post (see this analysis of its spread if you don't know about it). Witty targeted firewalls and perimeter security servers and basically infected 100% of vulnerable systems within a few hours and destroyed them. It was an unusual worm.. not just because of the speed it spread at and its destructiveness, but the fact that it targeted infrastructure rather than client PCs. You can see that it would be quite possible for a worm to target Exchange Servers only and spread at an incredibly fast rate until all vulnerable servers become infected. Add a malicious payload onto the worm and... well.. it doesn't bear thinking about.
That's just the servers - of course the clients are vulnerable too and patching Office is a real pain in the backside unless you've upgraded to WSUS or some other patch management tool.. if you're still running SUS then you're gonna have to come out with an alternative plan to get systems patched.
Outlook versions
Worse still, I know a lot of people are still running Outlook 97 and 98. There's no mention of these on the MS web site, but we've all seen how these flaws go aaaaallllllllll the way back, so it's quite likely that these older systems are vulnerable too.
Workarounds
And I think the workarounds for this vulnerability suck. Filtering or blocking RTF formatted emails would potentially lead to too many important lost messages.
I put a filter on our incoming messages to take a copy of anything with "MS-TNEF" in the mail headers; at the moment it looks like around 4% of incoming messages are formatted in this way. Still, it's worth considering as an option in case things start to go pear shaped. (For the record, I'm using Postini to do this).
I think this has the potential for being an extremely serious and hard to contain threat.
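The "copy anything with MS-TNEF in the headers" filter described in the post above, written out as an added example (it is not the poster's Postini rule and not anything from Microsoft). It uses Python's standard `email` package to parse raw RFC 822 messages and flag the ones that carry a TNEF part, so a defender can measure how much legitimate mail such a filter would touch before deciding to quarantine or strip it. The three sample messages are constructed inline; the `X-MS-TNEF-Correlator` header check is a secondary signal that Outlook sets on TNEF-bearing mail.

```python
import email
from email import policy
from email.message import EmailMessage


def message_carries_tnef(raw_bytes: bytes) -> bool:
    """Return True if a raw RFC 822 message carries a TNEF-encoded part.

    TNEF ("winmail.dat") normally arrives as a MIME part of type
    application/ms-tnef. We flag a message if any part has that content type,
    if any attachment is named winmail.dat, or if any top-level header
    mentions "ms-tnef" (which covers X-MS-TNEF-Correlator, set by Outlook).
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)

    # Literal "MS-TNEF in the mail headers" rule from the post, case-insensitive.
    for name, value in msg.items():
        if "ms-tnef" in f"{name}: {value}".lower():
            return True

    # Walk every MIME part, including nested multiparts.
    for part in msg.walk():
        if part.get_content_type().lower() == "application/ms-tnef":
            return True
        filename = part.get_filename()
        if filename and filename.lower() == "winmail.dat":
            return True
    return False


def tnef_share(messages):
    """Count flagged messages and return (flagged, total, percent to 1 dp).

    Running this over a day of captured inbound mail tells you how much
    traffic a block-or-strip policy would affect (the post measured ~4%).
    """
    total = len(messages)
    flagged = sum(1 for m in messages if message_carries_tnef(m))
    percent = round(100.0 * flagged / total, 1) if total else 0.0
    return flagged, total, percent


# --- constructed sample messages (not real traffic) ---------------------

def _plain_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Lunch"
    msg.set_content("Plain text, no TNEF here.")
    return msg.as_bytes()


def _winmail_sample() -> bytes:
    # TNEF files begin with the signature 0x223E9F78 (little-endian on disk).
    tnef_blob = b"\x78\x9f\x3e\x22" + b"\x00" * 16
    msg = EmailMessage()
    msg["From"] = "carol@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please see the attached figures.")
    msg.add_attachment(tnef_blob, maintype="application", subtype="ms-tnef",
                       filename="winmail.dat")
    return msg.as_bytes()


def _correlator_sample() -> bytes:
    # Plain body, but the Outlook correlator header is present.
    msg = EmailMessage()
    msg["From"] = "dave@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Meeting notes"
    msg["X-MS-TNEF-Correlator"] = "<constructed-correlator-id@example.com>"
    msg.set_content("Notes from today's meeting.")
    return msg.as_bytes()


SAMPLE_PLAIN = _plain_sample()
SAMPLE_WINMAIL = _winmail_sample()
SAMPLE_CORRELATOR = _correlator_sample()
SAMPLES = [SAMPLE_PLAIN, SAMPLE_WINMAIL, SAMPLE_CORRELATOR]

if __name__ == "__main__":
    flagged, total, pct = tnef_share(SAMPLES)
    print(f"{flagged} of {total} sample messages carry TNEF ({pct}%)")
```

To use it on real mail, feed `message_carries_tnef` the raw bytes of each message from a capture or mailbox directory; messages it flags are the ones a "copy for review" rule would catch, and the percentage from `tnef_share` is the figure to put in front of management before switching from copy to block.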
-
January 13th, 2006, 10:38 AM
#16
I've had some further thoughts on possible attack vectors for the TNEF flaw on Exchange servers.
Looking back to the Witty Worm again, there was a definite feeling that very many of the vulnerable servers had been enumerated before the attack began - allowing the initial spread of the worm to be much quicker than a standard "organic" spread.
Now, the Bad Guys are probably reverse engineering the TNEF Exchange patch as we speak (and in any case, full disclosure of the flaw will be made in 90 days or so.) We can assume that it's going to take some time to get a working exploit together - however, in the meantime they start to collect a target list of Exchange servers.
I believe that all you would need to do to identify an Exchange server is send a mail message to an invalid address on the Exchange server and then wait for the bounce message to come back. Since most mail servers identify themselves in the bounce message, it would be relatively trivial to generate a list of domains running potentially vulnerable servers. This type of probing event would most likely be low key enough to escape detection.
Then, when the exploit is fully ready, it can be spammed out to potentially vulnerable servers from a botnet. Now, working on a worst-case-scenario of needing just one message to infect a server, you could potentially be looking at a large proportion of all vulnerable servers being infected before anyone can react.. certainly before IP addresses can be blacklisted and anti-virus signatures produced.
It looks like the latest figures for the market share of Exchange Server in corporates stands at 44% or so. How many systems will remain unpatched and vulnerable to attack? Even if you are *not* vulnerable to the TNEF flaw, you can see that there's potential for widespread business disruption.