Normally I advocate caution in major patches. This hole, however, is so important that I am going to patch immediately and then work around any issues it causes. Again, on Monday this patch gets released. PATCH IMMEDIATELY!!! Read the previous advisories I posted about this here.
Archive for July, 2010
I had my server set up as best as I could. I had a RAID 1 mirror across both of my drives. Not only that, I had shadow copies being made on the array. Finally, I had everything being backed up to an external hard drive. Last night my server started acting funny. Putting an ear next to it revealed what I thought at second glance: I had a hard disk failing. Luckily the system had backed itself up the night before and I had not added any new files since then. "No problem," I thought, "I'll just boot off the mirror drive and move right along." Well, of course the drive had gone totally offline, broken the mirror, and all attempts to resync the two had failed. This means my mirror copy was corrupted beyond usefulness. It also turns out that Windows Server Backup in Server 2008 Foundation is about as useful as it is inside SBS 2008, aka it isn't a viable DR recovery option. Twice now it has proven this to me. So now I rebuild from scratch and manually restore. :) At least I can recover using the backup this time, just folder by folder. :)
After some internal testing and research I can honestly say that virtualization may not be the best solution except for larger deployments. For the same money (or less) as either upgrading one server to host multiple VMs or purchasing a new server capable of doing that, I can build two machines around Intel Atom D510s that together would draw less at max load than the new or upgraded machine will draw at half load. When I do my own server refresh (and for clients as well) I'll be looking at the Atom solutions instead of virtualization. If the client in question has a more CPU-intensive workload than the Atom can handle, then virtualization might be an option. However, from what I am seeing in various forums, the Atom-based servers can handle quite a bit more than most folks give them credit for.
This is the primary reason Unix folks remove the computer, make an image for forensics, and then rebuild from a known-good source. Windows folks have yet to figure this one out. I take the same philosophy towards malware that Unix admins do: nuke the box, because you can't trust that it is clean once it has been compromised.
In one incident, a sports bar in Miami was targeted by attackers who used a custom-designed rootkit that installed itself in the machine's kernel, making detection particularly difficult. The rootkit had a simple, streamlined design and was found on a server that handled credit card transactions at the bar. It searched for credit card track data, gathered whatever it found and dumped the data to a hidden folder on the machine. The attacker behind the rootkit took the extra step of changing a character in the track data that DLP software looks for in order to identify credit card data as it is leaving a network, making the exfiltration invisible to the security system.
via Persistent, Covert Malware Causing Major Damage | threatpost.
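The DLP-evasion trick in the quoted incident (altering one character the filter keys on) is easy to reproduce against a signature-style rule. What follows is an added example, not code from threatpost or from the incident itself: it contrasts a brittle Track 2 signature that anchors on the ';' sentinel and the '=' field separator with a detector that ignores sentinels and separators entirely and instead Luhn-validates every 13 to 19 digit run. The sample track strings are constructed around the public test PAN 4111 1111 1111 1111, and the single-character mutation (the '=' separator turned into a 'D') is my own illustration of the class of evasion, not the specific byte the rootkit changed.

```python
"""Added example: brittle vs. separator-agnostic card-data detection.
Sample inputs below are constructed; the PAN is the public 4111... test number."""
import re

# Brittle rule: a Track 2 signature that depends on the ';' start sentinel
# and the '=' field separator. One changed byte defeats it.
NAIVE_TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")

# Hardened rule: any 13-19 digit run, regardless of what surrounds it.
DIGIT_RUN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check-digit test (Luhn mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_dlp_hit(blob: str) -> bool:
    """The signature-only check: matches the textbook Track 2 layout and nothing else."""
    return NAIVE_TRACK2.search(blob) is not None


def hardened_dlp_hits(blob: str) -> list:
    """Return Luhn-valid PANs found anywhere in blob, ignoring sentinels,
    separators and the spacing/dash formatting of printed card numbers."""
    normalized = re.sub(r"[ -]", "", blob)
    return [m.group(1) for m in DIGIT_RUN.finditer(normalized) if luhn_ok(m.group(1))]


# Constructed samples (not real card data): a Track 2 record as it would sit
# in memory, the same record with the '=' separator changed to 'D' in the
# spirit of the evasion described above, and a benign 16-digit order number
# that fails Luhn and so must not be reported.
TRACK2_ORIGINAL = ";4111111111111111=1512101?"
TRACK2_MUTATED = ";4111111111111111D1512101?"
BENIGN_ORDER_ID = "order 4111111111111112 shipped"


def compare(blob: str) -> dict:
    """Run both detectors over one blob so the difference is visible side by side."""
    return {"naive": naive_dlp_hit(blob), "hardened": hardened_dlp_hits(blob)}


if __name__ == "__main__":
    for name, blob in [("original", TRACK2_ORIGINAL), ("mutated", TRACK2_MUTATED),
                       ("benign", BENIGN_ORDER_ID)]:
        print(name, compare(blob))
```

The point is not the regex itself but where the trust sits: a rule that keys on framing bytes the attacker controls is a single-byte change away from silent failure, while a rule that keys on an intrinsic property of the data (the check digit) survives it. A real DLP deployment would add BIN range checks and context to cut false positives, but it should never depend on the sentinel or separator being intact.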
Steve Gibson talks about this issue in a very understandable manner. Look at my previous post at the bottom..aka update 3.
Well, the vulnerability's threat profile has expanded: http://www.f-secure.com/weblog/archives/00001994.html

If the .lnk is inside a document, Windows will execute the code. Again, I hope this fizzles; if it doesn't, I want folks to be aware.
http://www.emmanuelcomputerconsulting.com/archives/2421
The podcast software crashed, so I made a written update to the post with the help of Arstechnica.com. Go check out the updated post.
I am going to provide you with the summary from Ars Technica as it’s the clearest explanation of the problem I have seen:
The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.
The first reports of the problem came last month from Belorussian security company VirusBlokAda. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek’s private key. The certificate used to sign the rootkit has now been revoked by Verisign.
The current in-the-wild attacks are using USB keys to distribute the shortcuts, but the attack could equally use network shares or local disks. The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making attack particularly simple.
The best option for mitigating the flaw is to disable Windows’ ability to show shortcuts’ icons; details on how to do this are provided in Microsoft’s security bulletin. However, this mitigation comes at some cost; it removes all the icons from the Start menu, for example, which is sure to be detrimental to usability. Disabling Autorun provides slight protection, as it prevents Explorer windows from opening automatically when a USB key or CD is inserted.
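To show what "a flaw in the way that Windows handles shortcuts to Control Panel icons" looks like on disk, here is an added example (not from Ars Technica, Microsoft or any real sample): a small Python scanner that parses the .lnk header and LinkTargetIDList per the MS-SHLLINK layout and flags links whose ID list walks into the Control Panel namespace and then names a .dll/.cpl or UNC path, which is the shape of shortcut the Control Panel icon handler resolves by loading the named module. The build_lnk helper, the three samples and the shell item type bytes are constructed for the demo, and the heuristic is mine, not a published detection signature.

```python
"""Added example: heuristic scanner for Control Panel style .lnk files.
Offsets follow the MS-SHLLINK layout; the builder, the samples and the
heuristic itself are constructed for this demo (assumptions, not a vendor signature)."""
import struct
import uuid

HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader length
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1            # LinkFlags bit A
# Well-known shell namespace GUIDs, stored little-endian as on disk.
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le


def build_lnk(item_ids):
    """Construct a minimal shell link: header + LinkTargetIDList only."""
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_ids) + b"\x00\x00"
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))   # times, size, icon index etc. zeroed
    return header + struct.pack("<H", len(idlist)) + idlist


def parse_item_ids(data):
    """Return the ItemID payloads of the LinkTargetIDList ([] if the flag is clear)."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = HEADER_SIZE
    end = pos + 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes its own field
    pos += 2
    items = []
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]     # ItemIDSize includes the size field
        if size == 0:                                     # TerminalID
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + size])
        pos += size
    return items


def is_suspicious(data):
    """Flag links that enter the Control Panel namespace and then name a
    DLL/CPL or UNC path: a module the icon handler would go and load."""
    items = parse_item_ids(data)
    if not any(CONTROL_PANEL in item for item in items):
        return False
    for item in items:
        text = (item.decode("utf-16-le", errors="ignore") + item.decode("latin-1")).lower()
        if ".dll" in text or ".cpl" in text or "\\\\" in text:
            return True
    return False


# Constructed samples. Type bytes (0x1F root, 0x2E GUID item) mirror common
# shell item encodings, but the exact layouts are illustrative only.
SAMPLES = {
    "notepad": build_lnk([b"\x1fP" + MY_COMPUTER, b"\x2fC:\\\x00", b"\x32notepad.exe\x00"]),
    "control_panel_folder": build_lnk([b"\x1fP" + MY_COMPUTER, b"\x2e\x80" + CONTROL_PANEL]),
    "cpl_to_unc_dll": build_lnk([b"\x1fP" + MY_COMPUTER, b"\x2e\x80" + CONTROL_PANEL,
                                 b"\x00\x00" + "\\\\share\\stage\\loader.dll".encode("utf-16-le")]),
}


def scan_samples():
    """Verdict per constructed sample; only the CPL-to-DLL link should trip."""
    return {name: is_suspicious(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {'SUSPICIOUS' if verdict else 'ok'}")
```

Two caveats for anyone pointing this at a real removable drive: read the files from a console or from a non-Windows box, because the bug above is triggered by Explorer rendering the icon, so opening the folder to "have a look" is exactly the wrong move on an unpatched machine; and treat a hit as a reason to image the drive, not as proof of anything, since a shortcut to a legitimate CPL applet has the same shape.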
This one has the potential to be very, very bad. What I am going to do is put some of the links below. I am going to record a podcast tonight about this and have it posted in the next 24 hours. While the threat right now is low, the potential for this one to explode is very, very high. I do not get concerned about Windows exploits very often; this one has the very real potential to be on the scale of Sasser, Code Red, or Conficker. ECC is gearing up for this to be a widespread event and I am hoping it fizzles (which is dependent on a timely patch from Microsoft). As of right now there is no anti-anything that will stop the .LNK vulnerability itself, and any malware that appears WILL be able to leverage this before the A/V vendors can react. I am sure the security companies will be able to catch up; however, we really need a patch from Microsoft on this one. The big problem for Microsoft is that this is endemic to their ENTIRE codebase from Windows 95 on up. They now have to re-engineer every version of Windows to protect against this flaw. This is one time that if it takes Microsoft more than a week to come up with a fix, there's a very good reason. The following operating systems will NOT get a patch from Microsoft:
Windows 95
Windows 98
Windows ME
Windows NT
Windows 2000 (all versions)
Windows XP below SP3 (32-bit; note that XP Professional x64 Edition is a separate product on the Server 2003 support schedule, and its SP2 is still supported)
Windows Vista RTM (all versions). Vista SP1 is still supported until July 12, 2011. You really should upgrade to SP2 of Vista.
Here are some of the links I have been following for this:
*UPDATE* Microsoft has posted their workaround. This blanks ALL shortcut icons on the system, though. If you want to guarantee your protection, use this workaround, but you won't be able to easily launch anything.
*UPDATE 2*
There are several attack vectors. It can be triggered via a web page; it may even be possible from within any browser, not just IE. I just got done informing a client that this could have many more attack vectors because the problem is in the core of Windows.
This is very good reading. If you decide to go with a cloud solution, the big question is: are you in control of your data, or are you at the total mercy of the cloud vendor? This has significant ramifications for your business if the cloud vendor either fails to provide proper service or, worse, goes totally and permanently dark. Red Hat's CEO warns, and properly so, that the cloud can result in more lock-in than was ever possible on the desktop. He is absolutely correct.
Here are several articles about cloud lock-in:
5-10 years ago the answer was yes to the first question, as the second one didn't apply. As I have been watching the evolution of hardware over the years, things of course have become more complex. In a nutshell, going with a low-power server (or maybe a desktop CPU for workstation users) actually harms performance more than the power savings justify. In fact, with the newest CPUs from Intel (AMD is a bit behind), running Windows in the "Balanced" power profile actually HURTS power savings and significantly inhibits overall performance. On the desktop the roles are a bit reversed: the absolute power savings most likely would be worth the performance hit IF you aren't worried about complex, real-world tasks (like real-time rendering, financial analysis, etc.).
