BadBIOS: Worst fears realized or just fearing the worst?

Last week, word hit about a piece of malware referenced as BadBIOS.  Reported by Dragos Ruiu, founder of the Pwn2Own contest and a respected member of the security community, it’s said to be able to communicate with other infected systems via the sound hardware, similar in some ways to a modem.

There are still a TON of questions about this. As far as I’ve read, few if any other people have seen the hardware, but the researcher himself is considered trustworthy. I’ve seen a lot of reports that get the information wrong, like a report that BIOS was infecting BIOS via the sound capabilities, which is not (so far as I can tell) what is being claimed. It seems that what is present is an incredibly resilient and persistent malware that can communicate with other similarly-infected systems via the sound card, and that apparently affects more than one operating system, having successfully infected Apple’s OS X and Windows, as one might expect, but also Linux and even OpenBSD, the latter of which is a very unusual target.

This is, in some ways, what many feared when Intel said it wanted to move from BIOS to EFI/UEFI.  Intel had some very good reasons for this, as the limitations of BIOS were interfering with advances in general computing hardware, but when you put what amounts to an operating system in the firmware, with room to expand, there stands a good chance that it’s going to be abused.  UEFI sits under everything, and while it’s not quite a virtual machine host (yet), it has many of the same capabilities, since it can easily read what passes between hardware components, giving it the ability to alter data at many points.  It also makes such malware extremely difficult to pry out, as few if any malware detection mechanisms can look into the hardware.

Based on a recent (mediocre) book series I’ve been reading, the thought crossed my mind that it may have been secretly sent to one or more researchers so that they would find it specifically in order to derail some secret capability developed by a state-sponsored agency or group. That’s getting into conspiracy theory, something I don’t tend to do, but those happen online more than they happen in meatspace.

In any case, it’s still something I’m watching, and I’m sure there are researchers working to develop similar capabilities. It’s not something I worry about hitting my systems, because the complexities of doing so are enormous. Most computer hardware is built to handle very specific information, but the microphones still start and speakers still end as analog, and the quality of both diverges significantly from one system to the next, even within the same model of hardware. I can see how data can be delivered via sound–we’ve done it for decades with modems–but aside from targets picked very carefully, I have difficulty believing that this could be used for something widespread, especially since the infection mechanism needs a different entry point.

It’s an interesting piece of targeted malware (if real), but it’s not going to take over the world.

Free Microsoft e-books

Here are some links I found a while back to free ebooks from Microsoft on a ton of topics including Windows (desktop and server), SQL Server, SCCM, Sharepoint, and application development.  The selection covers the range from beginners to advanced.

Large collection of Free Microsoft eBooks for you, including: SharePoint, Visual Studio, Windows Phone, Windows 8, Office 365, Office 2010, SQL Server 2012, Azure, and more.

Another large collection of Free Microsoft eBooks and Resource Kits for you, including: SharePoint 2013, Office 2013, Office 365, Duet 2.0, Azure, Cloud, Windows Phone, Lync, Dynamics CRM, and more.

Huge collection of Free Microsoft eBooks for you, including: Office, Office 365, SharePoint, SQL Server, System Center, Visual Studio, Web Development, Windows, Windows Azure, and Windows Server

Facepalm: Microsoft (sort of) sends patches via e-mail

In general, I think most companies are doing better in security than before.  They at least are admitting that they have to pay attention to it, and Microsoft has made huge changes in its programming and business practices that have made it far more difficult to break into systems than it used to be.  But there’s still room for improvement, and it’s a change that needs to happen sooner rather than later because it’s undermining a key aspect of user security awareness.


Microsoft Patch Overview for February 2013

These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future.  I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!”  But if none of the following makes sense to you, that’s probably a good path to follow just in case.

Notes and Observations

  • Twelve bulletins were released covering 57 vulnerabilities.
  • This isn’t quite as bad as it sounds (but you should still patch them all).  One of the bulletins, MS13-009, addresses more than a dozen vulnerabilities in Internet Explorer and should be patched pretty much immediately.  Another, MS13-016, addresses 30 in the kernel-mode driver, but these are tricky race conditions that allow privilege escalation and don’t worry me all that much.
  • However, MS13-010 is being used to some extent in the wild.  There is a component of the vulnerability that can be used for information disclosure.  This may be why Microsoft issued two patches for IE instead of one.  If you can’t install -009, at least install -010.
  • The apparent focus du jour for vulnerability researchers is the Use After Free vulnerability.  I’ll admit that I’m not up to date on this particular one, but I’ll see what I can come up with in the near future.
  • There’s a patch for an Exchange Server vulnerability that involves viewing Paradox database files in Outlook Web Access.  I haven’t seen mention of Paradox in years.  But I mention this not just for the historical oddity.  There really is the ability to view such files, and Microsoft admits that it’s not documented.  Be aware of this not just with Microsoft, but with other companies that can read many file formats.  They have to have parsers, and they’re often not as good as the original vendor’s (and some of them aren’t that good, either).
  • Nevertheless, I grouped it as one of two items to patch sometime in the next 90 days.  I’m really not that concerned that someone is going to try to craft a Paradox DB file for this when there are better ways to attack the user.  The other one I’m not worried about is a Network File System (NFS) issue since almost no one uses it in this context.


Some critical software end-of-life dates

In my last post on Java, I mentioned that versions of Java older than Java 6 have been end-of-life (or unsupported) for some time.  This invariably starts people wondering about end-of-life dates for other major software products, so here are a few of note.  It’s not comprehensive, but hits some of the software that’s most commonly used.  Not all of the products listed are unsupported: some are currently supported but the vendors have published end-of-life dates, sometimes (but not always) far into the future.  If you’re using something unsupported, you really should try to move to something on the support list (and preferably not something in yellow on the chart).  For things like Office that may be expensive, there are usually options such as LibreOffice that are free to use.

A couple of points of note:

  • Windows XP is coming up on its last patches in April 2014, about 15 months away and soon after Patch Tuesday for that month (Office 2003 support ends on Patch Tuesday for that month).  I hope you’re all planning to be ready for that day.
  • I couldn’t find specific end-of-life dates for Flash.  I did find that the basic supported versions are 10.3 and 11.5, except that there’s also support for 11.3 on Windows 8 (presumably the Flash version built into IE10) and 11.2 for Linux.  Anything else is considered unsupported.

Vendor     Product Line     Product Version             End-of-Life Date
Microsoft  Windows          Windows 3.1                 31 Dec 2001
                            Windows 95                  31 Dec 2001
                            Windows 98/98SE/ME          11 Jul 2006
                            Windows 2000                13 Jul 2010
                            Windows XP                  18 Apr 2014
                            Windows Vista               11 Apr 2017
                            Windows 7                   14 Jan 2020
                            Windows 8                   10 Jan 2023
           Windows Server   Windows Server 2003         14 Jul 2015
                            Windows Server 2008         14 Jan 2020
                            Windows Server 2012         10 Jan 2023
           Office           Office 95                   31 Dec 2001
                            Office 97                   28 Feb 2002
                            Office 2000                 14 Jul 2009
                            Office XP                   12 Jul 2011
                            Office 2003                 08 Apr 2014
                            Office 2007 and later       Not yet set
Adobe      Flash            Flash Player                Unclear; always update to current
           Reader           Reader 7                    28 Dec 2009
                            Reader 8                    03 Nov 2011
                            Reader 9                    26 Jun 2013
                            Reader X                    18 Nov 2015
                            Reader XI                   Not yet set
Oracle     Java             Java 2 Std Ed (J2SE) 1.3    11 Dec 2006
                            J2SE 1.4                    30 Oct 2008
                            J2SE 5                      30 Oct 2009
                            J2SE 6                      Feb 2013
                            J2SE 7                      Jul 2014

Key:

  • White: Still supported for some time
  • Yellow: Still supported, end of support within the next 18 months
  • Red: No longer supported
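The colour key above is the kind of check worth scripting against an asset inventory rather than eyeballing once a year. The following is an added example (not code from the original post) that parses the dates as printed in the table, including the month-only entries and the "Not yet set"/"Unclear" rows, and applies the white/yellow/red rule with the post's 18-month window. The sample rows are copied from the table; the reference date of 15 January 2013 is my assumption for when the post was written, and treating a month-only date such as "Feb 2013" as the last day of that month is also an assumption.

```python
import calendar
from datetime import date
from typing import Optional

# Sample rows copied from the end-of-life table in this post:
# (vendor, product line, product version, end-of-life date as printed).
EOL_TABLE = [
    ("Microsoft", "Windows", "Windows 2000", "13 Jul 2010"),
    ("Microsoft", "Windows", "Windows XP", "18 Apr 2014"),
    ("Microsoft", "Windows", "Windows 7", "14 Jan 2020"),
    ("Microsoft", "Office", "Office 2003", "08 Apr 2014"),
    ("Microsoft", "Office", "Office 2007 and later", "Not yet set"),
    ("Adobe", "Flash", "Flash Player", "Unclear; always update to current"),
    ("Adobe", "Reader", "Reader 9", "26 Jun 2013"),
    ("Oracle", "Java", "J2SE 6", "Feb 2013"),
]

# "Jan" -> 1, "Feb" -> 2, ... (calendar.month_abbr[0] is the empty string)
MONTHS = {abbr: i for i, abbr in enumerate(calendar.month_abbr) if abbr}


def parse_eol(text: str) -> Optional[date]:
    """Parse a date as printed in the table.
    'Not yet set' / 'Unclear ...' give None (no date published).
    A month-only entry such as 'Feb 2013' is taken as the last day of that
    month; that is my assumption, the post gives no day for those rows."""
    if text.startswith(("Not yet", "Unclear")):
        return None
    parts = text.split()
    if len(parts) == 3:
        day, mon, year = parts
        return date(int(year), MONTHS[mon], int(day))
    mon, year = parts
    y, m = int(year), MONTHS[mon]
    return date(y, m, calendar.monthrange(y, m)[1])


def add_months(d: date, months: int) -> date:
    """Move a date forward by whole months, clamping the day to the month length."""
    y, m = divmod(d.month - 1 + months, 12)
    y += d.year
    m += 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def support_colour(eol: Optional[date], today: date, window_months: int = 18) -> str:
    """The post's key: red = no longer supported, yellow = support ends within
    the next 18 months, white = supported for longer (or no date set yet)."""
    if eol is None:
        return "white"
    if eol < today:
        return "red"
    if eol <= add_months(today, window_months):
        return "yellow"
    return "white"


def classify_table(rows, today: date) -> dict:
    """Map each product version in the table to its colour as of `today`."""
    return {version: support_colour(parse_eol(eol_text), today)
            for _vendor, _line, version, eol_text in rows}


if __name__ == "__main__":
    as_of = date(2013, 1, 15)  # assumed reference date for this post
    for version, colour in classify_table(EOL_TABLE, as_of).items():
        print(f"{version:24} {colour}")
```

Swap the `EOL_TABLE` literal for rows read from your own inventory export and the same `classify_table` call gives you the yellow list to plan migrations from.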

Microsoft Patch Overview for January 2013

This is based on something that I used to do for a former workplace, usually on patch release day. Patch release day is the second Tuesday of each month, also known as Black Tuesday, especially since other companies have taken to releasing on the same day. It’s not uncommon to see Adobe release Flash and Reader updates on the same day.

These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future.  I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!”  But if none of the following makes sense to you, that’s probably a good path to follow just in case.

Updated 14 Jan 2013 at 17:15 CST: Microsoft released MS13-008 today to address a flaw in Internet Explorer.  The post has been updated to address that.

Notes and Observations

  • Seven bulletins were released covering 12 vulnerabilities. One of the bulletins, MS13-002, has numerous patches depending on the version(s) of XML Core Services installed on a system.
  • The first bulletin, MS13-001, is a print spooler vulnerability that allows code to run as SYSTEM. Print spoolers have been prime targets in the past. This should be a priority for patching on all of your systems.
  • An additional patch, MS13-008, for Internet Explorer 6, 7, and 8 has been released out-of-band on 14 January 2013.  It addresses a vulnerability that is widely and currently being exploited by attackers.  This should be a priority for patching.
  • The patch for MS13-007 appears to simply change a default setting. This strikes me as a problem because it might be turned back on by someone who may or may not know of the potential consequences, or by someone who has an ulterior motive. Troubleshooting may become difficult at that point if it’s enabled to set up a denial of service condition: a check of the box will show that it’s completely patched, but the system is still experiencing resource exhaustion. This seems to me more a band-aid than a patch.
  • There is no Internet Explorer patch this month. The vulnerability affecting Internet Explorer 6, 7, and 8 that was discovered and publicized at the end of December is still not formally patched, exploit code is public, and its use has been seen in the wild. Microsoft has published a “one-click” fix for it, but it has to be implemented separately from automatic patch downloads.
    • Advice for enterprise users: If possible, make sure that you have something newer than IE8. This isn’t always possible either because you’re on Windows XP or you have software that doesn’t work with anything newer. You also may not be able to use an alternate browser. In this case, look into rolling out the fix above or installing the Enhanced Mitigation Experience Toolkit (EMET). The benefit of EMET is that it works against a wide variety of attacks for which there may be no fix. Support is limited and it’s not perfect, but it can help in some cases before the attack is even known.
    • Advice for home users: Make sure you have the newest version of Internet Explorer available. For Windows XP, this is IE8. For Vista and 7, this is IE9. For Windows 8 and RT, this is IE10. If you have Windows XP, try to use a different browser (Firefox, Chrome, Opera, or Safari) if at all possible. Installing EMET probably wouldn’t hurt, either.
  • Of the five patches that affect a swath of Windows products, only two of them affect Windows XP. I’m not sure if this is just an oddity or a sign that XP’s code has reached a new maturity level. I suspect it’s the former, but it will still be interesting to watch.
  • Microsoft finished up last year with 83 bulletins. That sounds like a lot, but it’s better than the 100 published the year before and many of the 2012 bulletins were variations on a library load path vulnerability. They started last year with seven bulletins, the same as this year. Maybe this year will see a continued decline.

Chart Guidance

  • Enterprise Severity denotes the timetable in which I believe enterprises should try to patch the affected vulnerabilities and may differ from Microsoft’s severity decision. Differences are usually based on historic targeting habits of attackers who go after certain vulnerabilities (SMB, RDP, print spoolers) more often. The need for effective patch review is not removed, of course, and different businesses have different needs. In some cases, there may be mitigating factors that may allow a somewhat more relaxed timetable. Nevertheless, those rated with a severity of 1: Critical should be considered to be priority in almost any environment.
    • Enterprise Severity Levels:
      1. Critical: Currently being exploited, publicly available exploit code, and/or likely to be easily exploitable in the very near future. Patch within 7 days.
      2. High: Not known to be public or public with strong mitigating factors. Patch within 30 days.
      3. Low: Not known to be public and not likely to be a reliable exploit. Patch on next scheduled update cycle or within 90 days.
  • Home Severity is not included because it is almost always the same: patch it as soon as it’s released! It’s extremely rare for a patch to break things (only one patch that I can think of was re-released last year for breaking something, and even then it affected a minority of users), so it’s best to just install every patch as it’s released.
  • Patches are almost always published right around 10:00 Pacific Time on the second Tuesday of each month. Occasional out-of-band patches are also published, but these are uncommon and address vulnerabilities known to be widely exploited.
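The severity levels and the second-Tuesday release rhythm above translate directly into a patch calendar. The following is an added example (not the author's own tooling) that computes Patch Tuesday for a given month, flags out-of-band releases, and assigns each bulletin one of the post's three enterprise severity levels together with its deadline. The mapping from the bulletin's facts (known exploitation, public exploit code, mitigating factors, Microsoft's Exploitability Index) onto the three levels is my reading of the definitions above, not a rule the post states outright; the `likely_target` flag stands in for the author's judgement that certain components (print spoolers, SMB, RDP) attract attackers. The sample bulletins are built from the January 2013 chart in this post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch windows from the post's Enterprise Severity levels.
PATCH_WINDOW_DAYS = {1: 7, 2: 30, 3: 90}


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month. The earliest it can fall is the 8th, so
    start there and step forward to the next Tuesday
    (date.weekday(): Monday == 0, Tuesday == 1)."""
    eighth = date(year, month, 8)
    return eighth + timedelta(days=(1 - eighth.weekday()) % 7)


def is_out_of_band(released: date) -> bool:
    """True when a bulletin did not ship on that month's Patch Tuesday."""
    return released != patch_tuesday(released.year, released.month)


@dataclass
class Bulletin:
    bulletin_id: str
    released: date
    exploitability_index: Optional[int]  # Microsoft's EI, 1-3, or None for N/A
    publicly_known: bool = False
    exploited_in_wild: bool = False
    strong_mitigations: bool = False
    likely_target: bool = False  # analyst judgement: print spooler, SMB, RDP, ...


def enterprise_severity(b: Bulletin) -> int:
    """The post's three levels. The exact rule is my reading of the author's
    definitions (an assumption), chosen so the January 2013 bulletins come
    out as charted. An EI of N/A is treated like EI 3 (no exploit expected)."""
    if b.exploited_in_wild or b.likely_target or (b.publicly_known and not b.strong_mitigations):
        return 1  # Critical: patch within 7 days
    if not b.publicly_known and b.exploitability_index in (3, None):
        return 3  # Low: next cycle or within 90 days
    return 2      # High: patch within 30 days


def patch_deadline(b: Bulletin) -> date:
    return b.released + timedelta(days=PATCH_WINDOW_DAYS[enterprise_severity(b)])


# Sample bulletins constructed from the January 2013 chart in this post.
JANUARY_2013 = [
    Bulletin("MS13-001", date(2013, 1, 8), 1, likely_target=True),
    Bulletin("MS13-002", date(2013, 1, 8), 1),
    Bulletin("MS13-006", date(2013, 1, 8), None),
    Bulletin("MS13-007", date(2013, 1, 8), 3),
    Bulletin("MS13-008", date(2013, 1, 14), 1, publicly_known=True, exploited_in_wild=True),
]


def schedule(bulletins):
    """Return [(id, severity, deadline, out_of_band)] ordered by deadline."""
    rows = [(b.bulletin_id, enterprise_severity(b), patch_deadline(b), is_out_of_band(b.released))
            for b in bulletins]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for bid, sev, due, oob in schedule(JANUARY_2013):
        print(f"{bid}  severity {sev}  patch by {due}{'  (out-of-band)' if oob else ''}")
```

Because `sorted` is stable, bulletins with the same deadline keep their chart order, so the output reads as a prioritised work list: MS13-001 first, the out-of-band MS13-008 a week after its own release, and the two Low items at the end of the 90-day window.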

January 2013 Microsoft Security Bulletin Overview

Columns: ID; Affected Products; Title and Summary; Severity/Impact; Notes; Enterprise Severity

MS13-001
  • Affected Products: Windows 7; Windows Server 2008 (Core affected)
  • Title and Summary: Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution
  • Severity/Impact: Critical; Remote Code Execution; EI: 1
  • Notes: Addresses 1 issue. Not known to be public. Flaw in handling specially-crafted print jobs. Code executes with system privileges. Likely to be a target for potential attackers.
  • Enterprise Severity: 1: Critical; patch within 7 days

MS13-002
  • Affected Products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2003, Windows Server 2008, Windows Server 2012 (Core affected); Office 2003, Office 2007, Office Compatibility Pack, Word Viewer; Expression Web; Groove Server 2007; SharePoint Server 2007
  • Title and Summary: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
  • Severity/Impact: Critical; Remote Code Execution; EI: 1
  • Notes: Addresses 2 issues. Not known to be public. Code executes with current user privileges.
  • Enterprise Severity: 2: High; patch within 30 days

MS13-003
  • Affected Products: System Center Operations Manager 2007
  • Title and Summary: Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege
  • Severity/Impact: Important; Elevation of Privilege; EI: 1
  • Notes: Addresses 2 issues. Not known to be public. Reflected cross-site scripting (XSS) vulnerability in the SCOM Web Console allows an attacker to take action or retrieve information as the logged-in user.
  • Enterprise Severity: 2: High; patch within 30 days

MS13-004
  • Affected Products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2003, Windows Server 2008, Windows Server 2012 (Core affected)
  • Title and Summary: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
  • Severity/Impact: Important; Elevation of Privilege; EI: 1
  • Notes: Addresses 4 issues. Not known to be public. An attacker could perform one of several actions against a system, including reading otherwise inaccessible memory contents or taking complete control of a system. This applies both to servers running a .NET web application and to clients using a browser to access that web application.
  • Enterprise Severity: 2: High; patch within 30 days

MS13-005
  • Affected Products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
  • Title and Summary: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation
  • Severity/Impact: Important; Elevation of Privilege; EI: 1
  • Notes: Addresses 1 issue. Not known to be public. Code may be run at a higher privilege.  An attack against an administrative user could take complete control of the system.  An attack against a lower-privilege user could still gain privileges usually denied.
  • Enterprise Severity: 2: High; patch within 30 days

MS13-006
  • Affected Products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
  • Title and Summary: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass
  • Severity/Impact: Important; Security Feature Bypass; EI: N/A
  • Notes: Addresses 1 issue. Not known to be public. A man-in-the-middle attacker can force a silent downgrade of encrypted traffic to SSLv2, which may allow the use of weak, breakable ciphers.
  • Enterprise Severity: 3: Low; patch on next cycle or within 90 days

MS13-007
  • Affected Products: Windows Vista, Windows 7, Windows 8, Windows RT; Windows Server 2008, Windows Server 2012 (Core affected)
  • Title and Summary: Vulnerability in Open Data Protocol Could Allow Denial of Service
  • Severity/Impact: Important; Elevation of Privilege; EI: 3
  • Notes: Addresses 1 issue. Not known to be public. Using a few specially-crafted HTTP requests, an attacker can trigger replication of data and exhaust system resources, triggering a denial of service. The patch disables WCF Replace by default, and it can still be enabled even with this patch installed.
  • Enterprise Severity: 3: Low; patch on next cycle or within 90 days

MS13-008
  • Affected Products: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8
  • Title and Summary: Security Update for Internet Explorer
  • Severity/Impact: Critical; Remote Code Execution; EI: 1
  • Notes: Addresses 1 issue. Known to be public and to be currently and widely exploited. Code executes with current user privileges.
  • Enterprise Severity: 1: Critical; patch within 7 days

Exploitability Index:
1. Consistent code exploit likely
2. Inconsistent code exploit likely
3. Functioning exploit code unlikely

Highest exploitability of a cumulative patch