Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"

by Paul Asadoorian
July 15, 2010

Which Vulnerabilities Are You Looking For?

When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and look at the glass as half empty. Microsoft seems to paint a picture and believes the glass to be half full by using phrases such as:

In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't just open up an email to have the exploit trigger. Instead, the user has to either open an attachment or click on a link. I can tell you from first-hand experience that it’s not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little bit trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as did an email appearing to come from the World Cup with an Excel document attached. The Excel document posed as a schedule for the World Cup, but really contained malware that attempted to infect the end-user's computer.


"These aren't the vulnerabilities you're looking for. You can go about your business."

Detecting Recurring Vulnerabilities

by Ron Gula
July 14, 2010

One of the advantages of Tenable’s suite of Unified Security Monitoring products is that continuous vulnerability monitoring can be used to find reintroduced security issues. Vulnerabilities that were once mitigated but are now back again represent process and organizational issues that must be handled differently. Simply reporting the vulnerability again and waiting for it to be patched does not address the fundamental flaw in the process. This blog entry discusses how recurring vulnerabilities are detected, some of the reasons why they may be recurring and how you can track and report on them with Tenable’s SecurityCenter.

Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition

by Paul Asadoorian
February 10, 2010

Patch Tuesday Gives Birth to "Zombie Wednesday"

The Tenable research team spent the night writing 14 new plugins to check for the latest round of Microsoft patches. While many will have to schedule patch installations, those who run with full automatic updates enabled are theoretically all patched by now. However, it doesn't hurt to check with a quick Nessus patch audit.

Microsoft is in Love With the Word "Could"

There are several terms used by Microsoft throughout their advisories that spread uncertainty about the risk of the vulnerabilities presented. The excessive use of the world "could" is one such example. In the MS10-002 bulletin Microsoft states:

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

I “could” also win the lottery, inherit millions of dollars and walk on water. In the case of this exploit "could" is an exceptionally bad word choice as there are several example videos showcasing the exploit in action using open-source software. The other issue with the above statement is the obligatory "users with less rights on the system will be less impacted". Someone should tell the Microsoft PR team that there are two privilege escalation exploits on the list this month, and one has been widely publicized for almost a month. On that note, let’s take a closer look at the 14 bulletins and 26 vulnerabilities that were patched this month.

Putting OSVDB to work for Nessus Vulnerability Management

by Brian Martin
January 20, 2010

A customer recently asked us to provide a count of patches issued in 2009 for various Unix and Linux-based operating systems. To honor their request, we turned to OSVDB, the Open Source Vulnerability Database. OSVDB covers over 60,000 vulnerabilities, spans over 26,000 products and has a powerful search engine that can produce search results based on disclosure date(s), vendor and/or product, CVSSv2 scores, references, vulnerability classifications and more. When generating any statistic regarding vulnerabilities, it is important to qualify the statistics and understand they are only as good as the data set that generated them. While OSVDB does not have a complete data set, it is the only Vulnerability Database (VDB) that provides powerful and flexible search capabilities.

Top 10 Nessus Plugins For 2009

by Paul Asadoorian
December 24, 2009

Plugins, Glorious Plugins

In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins have covered several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. We polled Tenable employees in our research and content groups to find some of our favorite plugins released this year,and compiled the following list:

Microsoft Patch Tuesday - December 2009 - "Specially Crafted" Edition

by Paul Asadoorian
December 11, 2009

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all Microsoft security bulletins.

"Specially Crafted"

I have always wondered what the term "specially crafted" really means. What is "special"? Merriam-Webster defines it as "distinguished by some unusual quality". "Unusual" is relative, and means that someone has defined what "usual" means. This is where we start to enter a grey area. How do we determine what is "special" if the "usual" is not clearly defined? In this case, I'm talking about RFCs, the documents used to define what "usual" means with respect to Internet protocols. One of the vulnerabilities this month has to do with IPSec and specifically ISAKMP, the key management protocol. Apparently a "specially crafted" packet will cause this service to eat up CPU cycles and cause a DoS condition. These flaws are common, but my concern is that this condition may not always be caused by a malicious attacker using a tool such as Scapy. For example, a VPN client might send "specially crafted" packets because the programmer, who wrote the client software, misinterpreted the RFC. I wish that Microsoft would be a little more forthcoming regarding the details of the flaw, particularly how difficult it is to exploit.

"Could Allow"

I am also somewhat puzzled by the term "could allow". When using it in the context of remote exploits, it’s even more confusing. A vulnerability either allows or does not allow remote code to be executed. Sure, there are mitigating factors, but if the vulnerability does allow for remote code execution, then Microsoft should just come out and say it. When you are reading security bulletins from Microsoft, keep in mind that "could allow" really means "allows under certain circumstances".

Tips For Using Nessus In Web Application Testing

by Paul Asadoorian
April 27, 2009

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches when performing web application testing. The first is part of a larger so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. The web applications running within this space will usually be tested generically, but they may not specifically test for web vulnerabilities in a general scan. You need to first find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks, and provide valuable information that will help with your testing. Nessus provides some of the first steps to web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance based checks that provide very thorough testing of web application environments, including scanning to test for the OWASP PHP security specifications and Apache CIS Benchmarks.

nessuscmd Tip: Finding Open SMB File Shares

by Paul Asadoorian
April 1, 2009

Penetration testers spend a lot of time searching for software vulnerabilities, such as buffer overflows or SQL injection. However, there are many other ways in which networks and systems can present vulnerabilities. Open SMB file shares can disclose sensitive information about an organization: I've found everything from student grades to bank account numbers using this technique. A great way to check for the presence of open SMB shares is to run a quick Nessus scan from the command line as follows:

How did you test for MS08-067?

by Ron Gula
December 9, 2008

Microsoft recently released a critical security bulletin, MS08-067 that described a privately reported vulnerability in the Server service and provided a patch for this vulnerability. What was unusual was that this bulletin was released independently of Microsoft’s usual patch notification process and caused quite a bit of concern for many organizations. Tenable used this opportunity to help a number of organizations monitor their networks to determine if this issue had been mitigated.