Last night I attended the Microsoft Security Response Team webcast regarding the Out Of Band patch for the ASP.NET padding oracle vulnerability discovered by Juliano Rizzo and Thai Duong 11 days before.
My main objective in watching the webcast (which is not my usual habit) was to find out if systems that have the described workaround applied still need to apply the patch. The webcast did not give a definitive answer, but this YouTube video, the Netifera website and the Twitter account of Thai Duong provide the answer: yes, you should apply the patch a.s.a.p.!

However, the Q&A section of the talk did give me, as a security operations guy, quite some food for thought. I made some notes in my own Twitter feed, which I have summarized here.
Q: Why did Microsoft release an OOB update for a vulnerability rated "only" as Important?
A: The vulnerability itself is rated as Important because it is not a vulnerability that directly leads to remote code execution on the vulnerable system; however, exploitation of the vulnerability will lead to disclosure of all information in the webroot, including web.config. This information can be used for session hijacking, compromising backend databases and attacking associations between websites, e.g. the association of a website with PayPal. Hence an out-of-band patch was warranted.
Q: Why only release to the Download Center and not to WSUS etc.?
A: We felt we needed to get this update out quickly; the people that need to apply this patch quickly are mainly enterprises, who are capable of applying patches without the aid of WSUS. Developing the WSUS capabilities would add another few days of delay to the deployment of this patch.
Q: Is the attack actively used?
By Paul Asadoorian
Paul is best known for his podcast, Paul dot com, and his work as product evangelist for Tenable.
So what do you need to take over the world?
- Money – Bribes and stuff
- Power – Ability to control resources to control people
- Stealth – You don’t want people to know.
So let's work on the first step: how can you use embedded systems to make money? Well, embedded systems are part of video games, set-top boxes, wireless routers, printers and faxes. All these systems are used to perform transactions.
By Mikko Hypponen – Chief Research Officer – F-Secure Corporation
Mikko's talk is an overview of how the anti-malware
In 1986 the first PC virus, called Brain, was found. By today's standards it was actually a "rootkit", even if we did not call viruses that at the time.
In 1991 Mikko analysed his first virus, the "Omega" virus.
The first viruses actually announced themselves, like the V sign virus, Josh, Walker, Yankee Doodle Yankee, Casino, etc.
Last week Schuberg Philis organized an internal (official) VMware troubleshooting training (VST). I had personally already followed this training two months ago. However, as I found the training extremely useful and very dynamic (the training is never quite the same), I decided to follow the last two days of the training again. Another very good reason for me to do so was the fact that it was given by superstar Eric Sloof (aka @esloof on Twitter). He adds a tremendous amount of value to the VMware community as a whole with his blog posts on ntpro.nl which, if you ask me, should be part of your daily reading material. He has also given trainings for Schuberg Philis before. From my experience he is a very knowledgeable and patient trainer who is able to explain the material in a very easy-to-comprehend form while keeping the pace high. Added bonus: a couple of days before the training he was awarded best freelance VCI (VMware Certified Instructor) of the quarter!
VST is a very good balance between theory and lots and lots of hands-on troubleshooting. Each part starts with some theory, followed by labs. Some labs are the typical 'type this and see that', but the most valuable are those where 'random' things are broken which you then have to find and fix. Especially the last two days consist mostly of these kinds of labs. The experience with VMware-specific troubleshooting you gain here is invaluable and is something which would normally take up months if not years of your professional life. The most valuable lesson of all (as with everything): know the product and your setup, and structure your troubleshooting accordingly. This will save you hours of random troubleshooting and creating new issues in the process. Of course, it also helps having the trainer around who can sometimes give a hint and steer you back in the right direction. You don't want the training to take weeks…
If you are thinking about doing your VCP, this training will allow you to do the exam. If you already have real-world experience with VMware, I would advise you to skip ICM (Installation, Configuration and Management) and go straight for VST. One important note to make is that the VST training material only partially matches the exam material. Most training centers, however, will add an extra exam training as a package (Schuberg Philis arranged this with Eric as well). Combine the two and you get much more value out of your training budget. And, with a bit of luck, you get a training from a VMware celebrity.