Posted in E-Week on February 17th, 2011 by E-Week
Posts Tagged ‘web’
Google Feb. 1 began using its Web services and cloud computing infrastructure for a new cause: bringing 1,000 art works from more than 400 artists whose work is featured in 17 of the world's most famous art galleries. Google Art Project employs the search engine's Street View Web imagery technology, Google Picasa Web photo functionality and the Google App Engine cloud computing software to showcase the art online for people who might not otherwise get to visit the Metropolitan Museum of Art and MoMA in New York, Tate Britain and The National Gallery in London, or the Uffizi Gallery in Florence. The Art Project isn't just another pretty Website with pictures of classical art. Though the project was developed by Googler Amit Sood in his 20% time, it is packed with the type of useful information art lovers are accustomed to seeing on placards in the museums themselves, including content about the artist and the painting, not to mention YouTube videos describing the works. Join eWEEK for this tour of the Art Project Website, whose wares will be expanding over time. - ...
Posted in Uncategorized on February 17th, 2011 by Full Disclosure
Posted by Zach C. on Feb 17
Well, just playing devil's advocate here, mind you, I think much of the irritation from MustLive's postings comes from the following three reasons:
1.) MustLive is primarily a web-application specialist (for the sake of argument)
2.) The vulnerabilities he finds are of a class of vulnerabilities that are most common in his field. (Consider: someone searching for vulnerabilities in internet services directly and doing the binary analysis will...
Posted in Uncategorized on February 17th, 2011 by Full Disclosure | Full-Disclosure
Hey guys, today we have launched our new website PasswordForensics - a division of SecurityXploded.com - which is a dedicated portal for everything related
Posted in Uncategorized on February 17th, 2011 by DarkReading - All Stories
Simply browsing the sites would be enough to cause infection, Websense says
Posted in E-Week on February 17th, 2011 by E-Week
Dell SecureWorks and Damballa discuss the role do-it-yourself kits and pay-per-install operations are playing in the growth of botnets on the Web. - Spam levels may have dropped, but botnets are still busy. In fact, security researchers at this year's RSA Conference highlighted a mix of botnets both famous and unheard of that are growing on the strength of do-it-yourself kits and pay-per-install (PPI) systems. Joe Stewart, director of mal...
Posted in E-Week on February 17th, 2011 by E-Week
Google One Pass is geared to kneecap Apple's App Store subscription service for the iPad, iPhone and iPod touch. Publishers will keep 90 percent of sales, vs. 70 percent from Apple's service. - Seeking to undercut Apple's subscription service, Google Feb. 16 unveiled a payment service to let publishers set their own prices and terms for digital content they serve on tablets, smartphones and Websites.
Google One Pass allows readers to purchase newspapers and magazines from publishers usin...
Posted in Uncategorized on February 16th, 2011 by Grant Gross
U.S. senators will introduce legislation this year targeting websites that traffic in digital piracy or counterfeited goods, said the primary sponsor of a controversial bill proposed in 2010 that would give government agencies more authority to shut down those sites.
Posted in ISC on November 13th, 2009 by ISC Handler
Mikael wrote us yesterday, telling us about a site claiming to have a zero day for SMB on both Windows 7 and Windows Server 2008 R2. Thanks for the pointer Mikael; Laurent Gaffié is the original author of this bit of code.
However, after a first try, we found that the code didn't run as posted. Nothing major: one required line of code was missing, and there were some formatting issues. Given what this code does, these omissions might have been intentional, to give Microsoft a chance to get a fix in before this disseminates. The code does in fact work. The sequence to see the exploit is:
1/ On a Linux machine, ensure that port 445 is open or that your firewall is down, and ensure that the target Windows host and the Linux host have connectivity (a quick ping does the trick here).
2/ On that Linux box, run the resulting code: sudo python w7spolit.py . Note that you need sudo to open a TCP service, and we're using a Linux box for this because of course port 445 is taken on most Windows hosts.
3/ On the target Windows box, do a net use x.x.x.x, where x.x.x.x is the IP address of the Linux box.
You'll see that the Windows host is now frozen - no mouse, no keyboard, and completely unresponsive on the network as well. This works on both Windows 7 and Windows Server 2008 R2, with the very latest patches applied. A link to a server running this code could easily be embedded in a web page or email, pointing out to a poison host on the internet - so this exploit is not isolated to corporate networks doing file sharing. As the author states, disabling SMBv2 does not give even temporary protection. Here's hoping Microsoft scrambles the troops to get this patched before it's out in the wild.
==========================================================================================================================
Since the original post, there's been a lot of Q&A back and forth, and also some misinformation floating around as well. I'm hoping that the Q&A below helps clarify things:
Is the original Windows 2008 affected by this?
No - the only 2 affected operating systems are Windows 7 and Windows 2008 R2
What patch levels have been tested? Is this a problem in one patch or another?
We've only tested the 2 affected operating systems, fully patched as of 12 Nov 2009.
If I disable SMBv2, I'm not affected right?
Wrong. This affects hosts whatever version of SMB they are running. We've tested hosts with SMBv2 disabled with both the registry method and the sc method (singly and in combination), and all are equally affected.
How does this thing spread?
It has no mechanism for propagation. Unless somebody embeds this in a worm, this is more of a curiosity than anything else. This vulnerability in itself does not have the potential to steal information or compromise system integrity. It crashes hosts, plain and simple.
Is IPv6 affected? Is this an IPv6 problem?
This is an SMB issue (tcp/445). All testing so far has been on IPv4; we haven't tested IPv6 specifically, but there's no reason to think that running SMB over IPv6 would behave any differently.
What about the firewall on windows? Does that help?
Remember that this works by you browsing to a UNC on a poison host. The Windows firewall has no effect on this.
How can I mitigate against this in Windows? Is there a registry key or a patch I can apply?
At this time, there is no host based mitigation available. We're hoping that Microsoft comes out with a patch for this quickly. Your best protection is the same safe computing advice that we'd give any other day:
Don't browse from your servers. Ever.
Don't browse indiscriminately from your workstation (don't click links from strangers).
Don't browse to UNCs that aren't under your control (i.e. on the public internet). Ever.
Can I protect myself in any way?
YES. Your best protection in a corporation is an egress filter on your firewall. This has been a long-standing recommendation, and not just from SANS. There is no reason you should browse to Microsoft file sharing ports on the internet, so blocking this activity outbound on a corporate firewall is a great way to knock this problem on the head, at least as far as your corporation is concerned. Egress filters are also a wonderful way to stop the propagation (both inbound and outbound) of other malware. There are a number of papers in the SANS Reading Room ( http://www.sans.org/reading_room/ ) that deal with this subject if you want more info.
Why haven't you posted a link to the original code?
As a policy, ISC simply can't post links to zero day code. We need to report this as an important story, getting the word out to prevent the spread of FUD is key in situations like this. However, pointing to the author's blog just wouldn't be responsible. If you'd like to try this code out yourself, most search engines should be able to help you with that.
Finally, remember again that this is not like the vulnerabilities that have recently seen widespread adoption by malware. This vulnerability does not infect Windows, it simply crashes the host. Crashing hosts is not good business for criminals - remember, they write their malware to make money, and crashing your victim's host does not make any money most days. Also, it requires action by someone on the target host - they need to browse to a UNC resource on the attacker's poison host. While this vulnerability is a serious issue, I can't see a good reason for malware authors to include it in their suite. I don't expect that we'll see widespread use of this in the wild (except on security blogs of course ...)
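The egress-filter advice in the Q&A above (block Microsoft file-sharing ports outbound at the corporate firewall) can be verified against perimeter logs rather than taken on trust. As an added example, not part of the ISC diary, this Python script parses constructed firewall log lines (the log format, the internal address ranges and all addresses are assumptions for this example) and flags allowed SMB/NetBIOS flows that left the internal network, which is exactly the traffic a working egress filter would have dropped.

```python
import ipaddress
import re
from typing import Dict, List

# Microsoft file-sharing ports: SMB over TCP (445) and NetBIOS session (139).
SMB_PORTS = {445, 139}
# Ranges treated as "inside" the corporate network (assumed RFC1918 for this example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed perimeter-firewall log lines; format and addresses are assumptions
# for this example, not data from the ISC post.
SAMPLE_LOG = """\
2009-11-13T10:01:02 proto=tcp src=10.1.2.34 dst=10.1.5.10 dport=445 action=allow
2009-11-13T10:01:07 proto=tcp src=10.1.2.34 dst=198.51.100.23 dport=445 action=allow
2009-11-13T10:01:09 proto=tcp src=10.1.2.35 dst=203.0.113.9 dport=139 action=allow
2009-11-13T10:01:11 proto=tcp src=10.1.2.35 dst=203.0.113.9 dport=443 action=allow
2009-11-13T10:01:15 proto=tcp src=10.1.2.36 dst=192.0.2.77 dport=445 action=deny
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its key=value fields; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def is_internal(address: str) -> bool:
    """True if the address lies in one of the internal ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_leaks(log_text: str) -> List[Dict[str, str]]:
    """Return allowed TCP flows to SMB/NetBIOS ports on hosts outside INTERNAL_NETS.
    Each hit is a UNC connection that left the network, the traffic an outbound
    filter on tcp/445 and tcp/139 is meant to drop. Denied flows are skipped:
    there the filter already did its job."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"] == "tcp" and rec["action"] == "allow"
                and int(rec["dport"]) in SMB_PORTS and not is_internal(rec["dst"])):
            leaks.append(rec)
    return leaks
```

Run it over real export from your perimeter device (after adapting LINE_RE to its format); every hit is a workstation that reached a file-sharing port on the internet, the precondition for the crash described above.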
Posted in Network World on July 16th, 2009 by NetworkWorld
Recent visitors to the Web site of Malaysia's Ministry of Foreign Affairs may have come away with something other than a better understanding of Malaysian foreign policy or the country's visa requirements. The Web site was compromised by an unknown attacker and used to redirect visitors to another site containing malicious code.
Posted in Security Tools, Tools on July 16th, 2009 by SecurityDatabase
Ludovic Petit (OWASP France Leader and Vice-Chair) has just sent a note to the France OWASP mailing list about the OWASP SSB project. The Security Spending Benchmarks Project seeks to produce guidance and an industry-accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web (...)