Posts Tagged ‘windows’

Microsoft, Nokia Partnership Is a Major Blunder: 10 Reasons Why

Microsoft and Nokia have formed an historic partnership that will see Nokia phones running Windows Phone and ditching the Symbian operating system. Admittedly, it isn't much of a surprise, since rumors have been swirling about that possibility for months. But it is an important decision on the part of both companies that could have a real and meaningful impact on their businesses and the entire mobile industry. But before the folks over at Microsoft and Nokia try to claim that the relationship between the companies will be nothing but good, it's important to pause and closely evaluate this partnership. Two major companies will be working together in a way that they never have before. Although the decision came down to expected growth and profit potential, it could eventually end quite badly for both parties. Read on to find out why the marriage between Microsoft and Nokia might seem like a good deal at first, but will likely prove to be a serious blunder for just about every stakeholder. -  ...

Microsoft downplays threat of new Windows zero-day

Microsoft is downplaying the threat posed to Windows users by a recently-revealed vulnerability, saying it's unlikely the bug could be exploited to compromise a computer.

Windows SBS 2011 Powerful yet Pricey

Just because a business is small in headcount doesn't mean that its needs don't require enterprise-quality software. In many ways, a small business needs a reliable and easily supported platform for core business services far more than a sprawling multinational. At the very least, the need exists for something that's both powerful and simple. Windows Small Business Server 2011 delivers both power and relative simplicity, using Windows Server 2008 R2 Standard as the core of the package. SBS 2011 is meant for providing collaboration, file, mail, patch and print services to a single domain of up to 75 users. But it is the software bundled with Windows Server that will make SBS attractive to a small business: Exchange, SharePoint Foundation, Windows Server Update Services and more. Windows Small Business Server 2011 is a solid platform that won't require a lot of handholding to get up and running. It offers customers a selection of enterprise-class tools that aren't compromised in function. - ...

Microsoft Windows LSASS Length Validation Local Privilege Escalation


Switch to Mac Cheat Sheet

Switchers - those who have decided to leave the Windows world for Mac OS X - can get up close with Parallels Desktop Switch to Mac Edition as eWEEK Labs Technical Director Cameron Sturdevant takes a few minutes to delve into his review of the product. Sturdevant reviewed the product when it was released in August 2009 and has a few tips for IT managers and end users who have decided to take the Mac plunge but who still need to use one or more Windows-only applications.
- Video Content....

Windows 7 / Windows Server 2008 R2 Remote SMB Exploit, (Thu, Nov 12th)

Mikael wrote us yesterday, telling us about a site claiming to have a zero day for SMB on both Windows 7 and Windows Server 2008 R2. Thanks for the pointer Mikael; Laurent Gaffié is the original author of this bit of code.
However, after a first try, we found that the code didn't run as posted. Nothing major: one required line of code was missing, and there were some formatting issues. Given what this code does, these omissions might have been intentional, to give Microsoft a chance to get a fix in before this disseminates. The code does in fact work. The sequence to see the exploit is:
1/ On a Linux machine, ensure that port 445 is open or that your firewall is down, and ensure that the target Windows host and the Linux host have connectivity (a quick ping does the trick here).
2/ On that Linux box, run the resulting code: sudo python w7spolit.py. Note that you need sudo because the script binds tcp/445, a privileged port, and we're using a Linux box because port 445 is of course already taken on most Windows hosts.
3/ On the target Windows box, do a net use \\x.x.x.x, where x.x.x.x is the IP address of the Linux box.
You'll see that the Windows host is now frozen: no mouse, no keyboard, and completely unresponsive on the network as well. This works on both Windows 7 and Windows Server 2008 R2, with the very latest patches applied. A link to a server running this code could easily be embedded in a web page or email, pointing out to a poison host on the internet, so this exploit is not isolated to corporate networks doing file sharing. As the author states, disabling SMBv2 does not give even temporary protection. Here's hoping Microsoft scrambles the troops to get this patched before it's out in the wild.
==========================================================================================================================
Since the original post, there's been a lot of Q&A back and forth, and also some misinformation floating around; I'm hoping that the Q&A below helps clarify things:



Is the original Windows 2008 affected by this?

No - the only 2 affected operating systems are Windows 7 and Windows 2008 R2



What patch levels have been tested? Is this a problem in one patch or another?

We've only tested the 2 affected operating systems, fully patched as of 12 Nov 2009.



If I disable SMBv2, I'm not affected right?

Wrong. This affects hosts whatever version of SMB they are running. We've tested hosts with SMBv2 disabled with both the registry method and the sc method (singly and in combination), and all are equally affected.



How does this thing spread?

It has no mechanism for propagation. Unless somebody embeds this in a worm, this is more of a curiosity than anything else. This vulnerability in itself does not have the potential to steal information or compromise system integrity. It crashes hosts, plain and simple.



Is IPv6 affected? Is this an IPv6 problem?

This is an SMB issue (tcp/445). All testing so far has been on IPv4; we haven't tested IPv6 specifically, but there's no reason to think that running SMB over IPv6 would behave any differently.



What about the firewall on windows? Does that help?

Remember that this works by you browsing to a UNC on a poison host: the victim opens an outbound SMB connection to the attacker. The Windows firewall filters inbound connections, so it has no effect on this.



How can I mitigate against this in Windows? Is there a registry key or a patch I can apply?

At this time, there is no host based mitigation available. We're hoping that Microsoft comes out with a patch for this quickly. Your best protection is the same safe computing advice that we'd give any other day:

Don't browse from your servers. Ever.
Don't browse indiscriminately from your workstation (don't click links from strangers).
Don't browse to UNC's that aren't under your control (i.e. on the public internet). Ever.



Can I protect myself in any way?

YES. Your best protection in a corporation is an egress filter on your firewall. This has been a long-standing recommendation, and not just from SANS. There is no reason you should browse to Microsoft file sharing ports on the internet, so blocking this activity outbound on a corporate firewall is a great way to knock this problem on the head, at least as far as your corporation is concerned. Egress filters are also a wonderful way to stop the propagation (both inbound and outbound) of other malware. There are a number of papers in the SANS Reading Room ( http://www.sans.org/reading_room/ ) that deal with this subject if you want more info.
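The egress-filter advice above is easy to state and easy to get wrong in practice. As an added example (not part of the ISC diary), the script below audits firewall log lines for exactly the traffic the diary says should never leave a corporate network: SMB (tcp/139, tcp/445) from an internal host to an address outside the internal ranges. Every ALLOW hit proves the filter is missing or has a hole; every DROP hit is a workstation that tried to reach a UNC on the internet and is worth a look. The log line format and the RFC 1918 definition of "internal" are assumptions, and the sample log is constructed; the generated iptables rules assume a Linux perimeter box.

```python
"""Audit firewall logs for outbound SMB from internal hosts to the internet.

Added example (not from the ISC diary). It assumes a simple, constructed
log format and takes the corporate "internal" ranges to be the RFC 1918
nets; adjust INTERNAL_NETS to your own address plan.
"""
import ipaddress
import re

SMB_PORTS = {139, 445}            # NetBIOS session and direct-hosted SMB
INTERNAL_NETS = [ipaddress.ip_network(n) for n in            # assumption
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (constructed) log line shape:
#   <timestamp> <ALLOW|DROP> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+proto=(?P<proto>tcp|udp)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one internal share, one SMB leak to the internet,
# one attempt the filter already dropped, one web request, one NetBIOS
# broadcast and one line the parser does not understand.
SAMPLE_LOG = """\
2009-11-12T10:01:02Z ALLOW proto=tcp src=10.1.2.3:49152 dst=10.1.2.10:445
2009-11-12T10:01:05Z ALLOW proto=tcp src=10.1.2.3:49153 dst=203.0.113.7:445
2009-11-12T10:01:09Z DROP proto=tcp src=10.1.2.4:49154 dst=198.51.100.9:139
2009-11-12T10:01:11Z ALLOW proto=tcp src=10.1.2.4:49155 dst=198.51.100.9:80
2009-11-12T10:01:15Z ALLOW proto=udp src=10.1.2.5:137 dst=10.1.2.255:137
kernel: eth0 link up
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(ip_text):
    """True when the address falls inside one of the corporate ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Split SMB connections from internal hosts to external addresses into
    (allowed, dropped). Anything in `allowed` means the egress filter is
    missing or has a hole; anything in `dropped` is a host worth a look."""
    allowed, dropped = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] not in SMB_PORTS:
            continue
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue                      # inbound or internal-only traffic
        (allowed if ev["action"] == "ALLOW" else dropped).append(ev)
    return allowed, dropped


def egress_rules(chain="FORWARD"):
    """iptables rules that implement the filter: permit SMB to the internal
    ranges, drop it to everywhere else (assumes a Linux perimeter box)."""
    rules = []
    for net in INTERNAL_NETS:
        rules.append(f"iptables -A {chain} -p tcp -m multiport --dports 139,445 "
                     f"-d {net} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p tcp -m multiport --dports 139,445 -j DROP")
    return rules


if __name__ == "__main__":
    allowed, dropped = find_smb_egress(SAMPLE_LOG)
    for ev in allowed:
        print("LEAK   ", ev["src"], "->", ev["dst"], ev["dport"])
    for ev in dropped:
        print("BLOCKED", ev["src"], "->", ev["dst"], ev["dport"])
    print("\n".join(egress_rules()))
```

Run against the constructed log, it reports 10.1.2.3 reaching 203.0.113.7:445 as a leak and 10.1.2.4's attempt on tcp/139 as already blocked; the internal share access, the web request and the NetBIOS broadcast are ignored. The order of the generated rules matters: the ACCEPTs for internal ranges must come before the final DROP.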



Why haven't you posted a link to the original code?

As a policy, ISC simply can't post links to zero day code. We need to report this as an important story; getting the word out to prevent the spread of FUD is key in situations like this. However, pointing to the author's blog just wouldn't be responsible. If you'd like to try this code out yourself, most search engines should be able to help you with that.





Finally, remember again that this is not like the vulnerabilities that have recently seen widespread adoption by malware. This vulnerability does not infect Windows, it simply crashes the host. Crashing hosts is not good business for criminals - remember, they write their malware to make money, and crashing your victim's host does not make any money most days. Also, it requires action by someone on the target host - they need to browse to a UNC resource on the attacker's poison host. While this vulnerability is a serious issue, I can't see a good reason for malware authors to include it in their suite. I don't expect that we'll see widespread use of this in the wild (except on security blogs of course ...)

TA09-088A: Conficker Worm Targets Microsoft Windows Systems


Intel's Numbers a Good Predictor for Rest of Industry: Analysts

Intel's strong quarterly numbers should indicate good things as other IT vendors get ready to release their results, analysts said. The Intel numbers are also an indication that OEMs like HP, IBM and Dell are optimistic about the second half of the year. Part of Intel's second-quarter success stemmed from the company replenishing inventory, but other factors, including Microsoft's upcoming release of Windows 7, the increasing age of PCs now in use and a loosening of capital spending, should help drive sales up, the analysts said.
- Intel's healthy quarterly numbers indicate that things may be looking up for an IT industry battered by the global recession, according to analysts. However, it also means that systems makers are betting that the second half of 2009 will look a lot better than the first half, and are beginning to or...

Changes in Windows Security Center, (Thu, Jul 16th)

An ISC reader wrote in about a change that occurred this month with the Windows Security Center (WSC): Microsoft expired the grace period that let vendors keep reporting AV, firewall or anti-spyware status to the WSC through the old interface. The grace period for moving to the new WSC reporting API was supposed to run until September 2009. The new API results from an interface change introduced in Windows Vista SP1 and carried into Windows 7, replacing the API that shipped with Vista's original release.



If you are seeing a red shield in the bottom right corner, the Malware Protection tab may be indicating that your AV is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic update feature, or contact the vendor for an updated version.



The grace period to update to the new API for reporting status to the WSC in Vista SP1 expired earlier than anticipated, causing confusion over whether your vendor's security software is protecting your PC.



This does not mean your AV, firewall or anti-spyware is not working and protecting your system but that it is no longer able to report correctly its status through the WSC. Monitor the WSC status regularly to ensure your AV, firewall or anti-spyware are updated on schedule and functioning properly.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September

Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution, (Mon, Jul 13th)

Microsoft has released an advisory for an Office Web Components ActiveX vulnerability (links below). The vulnerability is in the ActiveX control that IE uses to display Excel spreadsheets; the CVE entry is CVE-2009-1136. Microsoft says it is aware of active exploits against this vulnerability. We at the SANS Internet Storm Center had not seen it used or mentioned in public at first (this has changed, we are now seeing active exploit pages), which suggested it had been used in targeted rather than broad-based attacks. At the moment there is no patch, but there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are:
{0002E541-0000-0000-C000-000000000046}

{0002E559-0000-0000-C000-000000000046}
Start working on this ASAP. The impact is remote code execution with the privileges of the logged-in user running Internet Explorer, and it may require no user intervention beyond visiting a page: browse to a nasty web site and be pwn3d.
Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx
KB article: http://support.microsoft.com/kb/973472
SRD blog: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
There is a long list of affected products:

Microsoft Office XP Service Pack 3;
Microsoft Office 2003 Service Pack 3;
Microsoft Office XP Web Components Service Pack 3;
Microsoft Office Web Components 2003 Service Pack 3;
Microsoft Office 2003 Web Components for the and
Microsoft Office Small Business Accounting 2006.

For information on how to prevent ActiveX controls from running check out this Microsoft KB article on modifying the registry. This article describes how to deploy using Active Directory. If you have administrative privileges on a single system and are running Internet Explorer, you can click on this 'fixit' link to set the killbit and mitigate the vulnerability on a home computer for example.
Update1: The vulnerability is being actively exploited on web sites. More to follow.
Update2: One other obvious mitigation step is to use an alternate web browser (as in other than IE) that does not make use of ActiveX.
Update3: We have raised the Infocon to yellow for 24 hours due to the active exploitation of this vulnerability.
Update4:We will be updating our existing diary post of domains to block with domains that are hosting this exploit as well. You can see that diary entry at the following url. http://isc.sans.org/diary.html?storyid=6739 (newly added domains are in yellow) - AndreL
Update5: Attack vectors used to exploit this vulnerability.

In the publicly known attempts so far, attackers simply modify the published code with a fresh download URL and a slightly modified malware payload.
A .cn domain is serving a heavily obfuscated version of the exploit, which may become part of an attack kit (think MPack) and is similar to the recent DirectShow attacks.
A highly targeted attack against an organization earlier today: the target received a Microsoft Office document with embedded HTML. This one was particularly nasty; it was crafted specifically for the target, with contact information and subject matter specific to the recipient. Analysis of the document and secondary payload found that the attacker had firewalled the malicious server so that IP traffic from outside the victim's domain/IP range never reached it.

Update6: This blog has additional information, with examples of code that may have been used in this attack: hxxp://safelab.spaces.live.com/blog/cns!A6B213403DBD59AF!1463.entry (obscured on purpose; some AV products will trigger on accessing the page). Another example is here: hxxp://xeye.us/blog/2009/07/one-0day/
One part of a signature looking for the exploit would be ActiveXObject("OWC10.Spreadsheet"), but that string is also used by legitimate web applications opening a spreadsheet, so on its own it is a weak indicator.
Update7: attempt at snort sigs (until something better comes along):
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX1 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; content:"0002E559-0000-0000-C000-000000000046"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E559-0000-0000-C000-000000000046/si";)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX2 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; content:"0002E541-0000-0000-C000-000000000046"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E541-0000-0000-C000-000000000046/si";)

Before loading these, add a sid and rev. Note also that the content match is case-sensitive while the pcre is not, so a page that writes the CLSID in lower case never reaches the pcre and the rule does not fire; add nocase to the content keyword if you want the two to agree.
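To see what the signatures above do and do not catch, here is the same matching logic as an added Python example (not code from the ISC diary or from Microsoft). The object regex is a translation of the diary's Snort pcre; the script-side ProgID check is the weaker indicator mentioned under Update6, extended to OWC11 as well as OWC10 on the assumption that both ProgIDs exist. The sample pages are constructed. The caveat it illustrates: a page that builds the object from script (document.createElement, concatenated strings) matches neither pattern, which is why the killbit, not the signature, is the actual fix.

```python
"""Scan HTML for the Office Web Components ActiveX instantiation the diary's
Snort signatures look for.

Added example (not from the ISC diary or Microsoft). OBJECT_RE is a Python
translation of the diary's Snort pcre; the sample pages are constructed, and
covering OWC11 alongside OWC10 in PROGID_RE is an assumption.
"""
import re

OWC_CLSIDS = (
    "0002E541-0000-0000-C000-000000000046",
    "0002E559-0000-0000-C000-000000000046",
)

# <OBJECT ... classid = "clsid:{GUID}  with quotes, brace and whitespace
# optional and case ignored: the same shape as the Snort pcre in the diary.
OBJECT_RE = re.compile(
    r"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*(?P<clsid>"
    + "|".join(re.escape(c) for c in OWC_CLSIDS)
    + r")",
    re.IGNORECASE,
)

# Script-side instantiation by ProgID. Weaker: legitimate intranet apps do this too.
PROGID_RE = re.compile(
    r"ActiveXObject\s*\(\s*[\x22\x27]OWC1[01]\.Spreadsheet[\x22\x27]\s*\)",
    re.IGNORECASE,
)

# Constructed sample pages (the null GUID in "clean" is a placeholder).
SAMPLES = {
    "object_braces": (
        '<html><body><object classid="clsid:{0002E559-0000-0000-C000-000000000046}" '
        'id="target"></object><script>/* heap spray would follow */</script></body></html>'
    ),
    "object_obfuscated": (
        "<OBJECT\n  id=x\n  CLASSID = 'CLSID:0002E541-0000-0000-C000-000000000046'>\n</OBJECT>"
    ),
    "script_progid": (
        '<script>var s = new ActiveXObject("OWC10.Spreadsheet");</script>'
    ),
    "clean": (
        '<object classid="clsid:{00000000-0000-0000-0000-000000000000}"></object>'
        "<script>var x = new ActiveXObject('Msxml2.XMLHTTP');</script>"
    ),
}


def classify(html):
    """Return {'verdict', 'clsids', 'progid'} for one page body.

    verdict is 'exploit-object' when an OWC CLSID is instantiated via <OBJECT>,
    'suspect-progid' when only the script ProgID appears, else 'clean'."""
    clsids = sorted({m.group("clsid").upper() for m in OBJECT_RE.finditer(html)})
    progid = PROGID_RE.search(html) is not None
    if clsids:
        verdict = "exploit-object"
    elif progid:
        verdict = "suspect-progid"
    else:
        verdict = "clean"
    return {"verdict": verdict, "clsids": clsids, "progid": progid}


if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(f"{name:18s} {classify(page)}")
```

The obfuscated sample (newlines inside the tag, single quotes, no brace, mixed case) still matches because the pattern allows each of those variations, which is the point of writing the pcre that loosely; the clean page with an unrelated CLSID and an unrelated ProgID produces nothing.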
Update8: Metasploit have released a module exploiting the vulnerability.
Update9: Matt Hrynkow and John Silvestri have submitted .ADM files for use as Active Directory GPO templates to set the ActiveX killbits for last week's and this week's vulnerabilities. Here is the one for the MS Office Web Components advisory 973472 / CVE-2009-1136.
--Start here--
CLASS MACHINE

CATEGORY "Windows Components"

CATEGORY "Internet Explorer"

POLICY "Internet Explorer - ActiveX Compatibility Disable for Microsoft Office Web Components"

#if version >= 3
EXPLAIN !!EXPLAIN1
#endif

KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0

; 1024 = 0x400, the kill bit in Compatibility Flags
ACTIONLISTON
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
VALUENAME "Compatibility Flags" VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
VALUENAME "Compatibility Flags" VALUE NUMERIC 1024
END ACTIONLISTON

ACTIONLISTOFF
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
VALUENAME "Compatibility Flags" VALUE NUMERIC 0
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
VALUENAME "Compatibility Flags" VALUE NUMERIC 0
END ACTIONLISTOFF

END POLICY ; Internet Explorer - ActiveX Compatibility Disable for OWC10_and_OWC11

END CATEGORY ; Internet Explorer

END CATEGORY ; Windows Components

CLASS USER

[Strings]
EXPLAIN1="Enable this policy to implement workaround documented for Microsoft Security Advisory (973472)\n\n\nhttp://www.microsoft.com/technet/security/advisory/973472.mspx\nhttp://isc.sans.org/diary.html?storyid=6778\n"
--End here--
Update10: This MSDN blog has 32 and 64 bit versions of the Active Directory GPO ADM files and .reg files that should mitigate this vulnerability: http://blogs.msdn.com/askie/archive/2009/07/14/group-policy-adm-template-to-implement-the-workaround-from-security-advisory-973472.aspx The one posted above in Update9 apparently only works on 32 bit, and as originally posted had lost the backslashes in its registry key paths. Thanks Jim and Brian for letting us know.



If you see exploit code for this vulnerability, or have knowledge of it being used in an attack please let us know via our contact page.
Thanks to all who have contributed to this diary!
Cheers,

Adrien de Beaupré

EWA-Canada.com
Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.