Old Software Vulnerabilities Never Die

SANS has an interesting blog posting about recent activity from the Conficker worm.  Oh yes, the worm has been and still is active.  Conficker has lost a lot of media attention lately because it has not delivered a payload to infected systems.

It has been almost one year since Microsoft announced an out-of-band patch for a nasty software vulnerability affecting their Operating Systems.  That vulnerability was exploited months later by the Conficker worm.  It is amazing how many people are still being affected by it.  A lot of media attention goes to the latest and most current threats, but old software vulnerabilities still warrant administrators' attention.  When patching, be sure to look for all vulnerabilities, not just the current threats announced by software vendors.  It is important to keep your AV definitions up to date as well.  Patching is a proactive security method, as it prevents viruses from exploiting your machines.  Although anti-virus programs are a reactive security measure, administrators should ensure they have the latest virus definitions at all times.  Nobody likes to spend their day cleaning up from a virus outbreak.

Need Your Help!

So, we are very close to releasing Shavlik NetChk Protect 7.1, but we need your help.

I would like to get 3 to 5 customers who are currently running 6.5.2 to do a full upgrade to 7.1 for us. If you are ready to try the 7.x platform and have not gone to 7.0, email me at craig.munson@shavlik.com and I will have one of our support engineers contact you and get the latest build. For those customers that help us out I am offering a brand new Shavlik golf shirt for upgrading and providing us your feedback on the upgrade process. Hurry, I only have 5 shirts available!

Thanks!

Fixing The Apple Application Support Error

***UPDATE: 2/18/2011***
If you have issues fixing Apple Application Support from this blog posting, please check out the latest IT.Shavlik offering that fixes the issue.  You can read more about it in this blog posting.

***********************

For those of you who have deployed Apple iTunes 9 or Apple QuickTime 7.6.4 and received the “Please Install Apple Application Support” error, we have found a workaround that fixes it.  Installing the Apple Application Support component of the product (AppleApplicationSupport.msi) on affected machines results in a working program.

You can get the AppleApplicationSupport.msi by either:

a)  Run a compression program such as WinRAR against the installer and extract AppleApplicationSupport.msi from it.

-or-

b)  Run the install application and leave the program idle at its menus.  Navigate to your temporary directory and look for a folder named IXPxxx.tmp (xxx is a random number).  The MSI program will be located in that folder.  Please note:  You must leave the installer running.  If you close the installer, it will delete the temporary directory.
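The following script automates option (b) above.  It is an added example, not code from the original post or from Shavlik; it assumes the iTunes or QuickTime installer is still sitting idle at its menus, and the staging folder is a location of our own choosing.

```powershell
# Added example (not code from the original post): automate option (b) above.
# Assumptions: the iTunes/QuickTime installer is still open at its menus, and the
# staging folder below is one we choose; nothing else here comes from the page.
param(
    [string]$StagingDir = 'C:\Deploy\Apple'   # assumed staging location
)

# The installer deletes IXPxxx.tmp on exit, so copy the MSI out while it is idle.
$tempRoot = $env:TEMP
$ixpDirs = Get-ChildItem -Path $tempRoot -Filter 'IXP*.tmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }
$candidates = foreach ($dir in $ixpDirs) {
    Get-ChildItem -Path $dir.FullName -Filter 'AppleApplicationSupport.msi' -ErrorAction SilentlyContinue
}

if (-not $candidates) {
    Write-Error "AppleApplicationSupport.msi not found under $tempRoot\IXP*.tmp - is the installer still open?"
    exit 1
}

# If more than one installer is open, take the most recently written copy.
$msi = $candidates | Sort-Object LastWriteTime -Descending | Select-Object -First 1

New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
$staged = Join-Path $StagingDir $msi.Name
Copy-Item -Path $msi.FullName -Destination $staged -Force

# Install the staged MSI silently with a verbose log so failures can be diagnosed.
$log = Join-Path $StagingDir 'AppleApplicationSupport.log'
$msiArgs = "/i `"$staged`" /qn /norestart /l*v `"$log`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    Write-Error "msiexec returned $($proc.ExitCode); see $log"
    exit $proc.ExitCode
}
Write-Output "Installed $($msi.Name) (copied from $($msi.DirectoryName)); log at $log"
```

Once the MSI is staged it can be pushed to the other affected machines with your normal deployment tooling, since the standalone package installs silently without the problem described in the post.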

Hope that Apple will address this issue is getting slim.  Apple released iTunes version 9.0.1 yesterday.  This version also fails for the same reason when using a silent deployment switch.

Oh, and we had a follow up conversation with Apple.  They are now claiming that installing via a silent switch is not supported.  It does, and it did.

At least they did not hang up on us this time.

Prove It…

One of the ever-present questions that continues to plague most IT organizations centers around the ability to accurately measure and report on one's current state of security. There are so many influencing factors that have to be taken into consideration when answering the question “how secure am I?”, so many that it boggles the mind. During a typical day for me, I spend most of my time discussing this very subject with customers. When I ask the question, “can you tell me how secure you are?”, they usually respond with a great deal of laughter. The funny thing…outwardly they’re laughing, but on the inside they’re telling themselves that they really don’t know.

There are so many things that have to be taken into consideration when discussing this subject, here are just a few:

• Do I have a good understanding of the number of systems I currently have, especially with the advent of VMware?
• Is Anti-virus running on all my systems, and are the signature files up-to-date?
• Are my systems patched properly?
• When we deploy a system (server or workstation), are they properly configured / hardened?
• How can I tell where I stand when I don’t have any form of good reporting that offers some form of measurability?

There are many more things to consider beyond this list in terms of ensuring the proper level of security. The key message here: establish the ability to prove things are secure! There are many solutions one could choose to address this challenge, but the keys to success are:

• The ability to accurately assess your potential for risk (identifying the existence of every system, and current state)
• The ability to automatically remediate any known / identified vulnerabilities (missing patches, poorly configured systems, unwanted applications or malware)
• And, most importantly, the ability to assemble a set of reports that clearly illustrate your current security posture

By focusing on these key areas, you’ll have a much better understanding of your risk posture, but more importantly (if ever asked), you could PROVE IT!

Dave Eike
Shavlik Technologies

Apple's New Painful Patching Methodology

A few weeks ago, Apple released a new version of iTunes, version 9.  We noticed an error message when launching iTunes 9 after upgrading from a previous version.  Upon launching the program, the message “Please Install Apple Application Support” appears.  If you install iTunes 9 by simply double clicking the install package, the program will install and launch without errors.

If you are a home user, yes, you will simply double click the installer.  But what if you are an administrator on a corporate network who needs to install this application/patch on hundreds of machines?  You will want to script the install (or use patch management software) to install silently on desktops.  This requires the use of command line switches on the installer, such as quiet installation switches, to silently deploy the package.  The use of deployment switches in patch management is not uncommon in large corporate networks.

After extensive research, we found the problem exists with this specific switch.  The silent switch breaks the installer.  Although the main iTunes application will be installed silently, the Apple Application Support program fails to install.  Apparently, iTunes will not run without this application installed.  Apple has bundled Apple Updater with their products for a while and that did not cause any installation issues.  Apple Application Support is now a third program they are bundling with their products.

We have not yet figured out just exactly what this new program is or its intended purpose.  Apple has updated their iTunes deployment guide with this warning:

Important: iTunes requires QuickTime and Apple Application Support. Apple Application Support must be installed before installing iTunes. Apple Mobile Device Services (AMDS) is necessary to use an iPod touch or iPhone with iTunes.

Now, we are getting reports that Apple QuickTime 7.6.4 is having the same issue.

Apple has obviously changed their install packages and for the worse.  Want to use silent switches?  You can’t…  Is this an accidental mistake by Apple in their install packages?  I certainly hope so.  All of the Apple forum postings from their users have gone unanswered.  We attempted to call Apple support on this to work through the issue.  They walked us through uninstalling the application and reinstalling.  We told them we wanted to install silently with the quiet switch.  They hung up on us.

Apple has software with critical vulnerabilities, and they need to stop focusing on bundling products and start focusing on the vulnerabilities.


-Jason

Shavlik Antivirus Capabilities

As some of you may be aware, we have partnered with Sunbelt Software to greatly improve our malware coverage by leveraging Sunbelt’s data into our new agent in the Shavlik NetChk Protect 7.x platform.  In addition to the Malware protection that we had in our previous version, we added full client side Anti-Virus.  This next generation antimalware engine performs standard antivirus functions, including signature- and heuristic-based threat detection and remediation, behavioral analysis, and whitelisting.

Be sure to check out our video on Agent configuration located here, to see how to configure the new agent with Anti-virus.

Please be aware when deploying agents with Anti-virus: if you already have an anti-virus solution on the target machine, make sure you uninstall it first.  As with most anti-virus programs, they do not work well alongside another active anti-virus product, and running both together can cause unfavorable results.

Microsoft speaks up on Advisory 975497

Mark Wodrich and Jonathan Ness from Microsoft’s Security Research and Defense team have provided updates regarding the SMBv2 zero-day vulnerability (Security Advisory 975497).
Some highlights:

  • The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103).
  • This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed).
  • Even with the above mitigations, we’re not slowing down our investigation, and are working on an update that can be delivered for all customers. The product team has built packages and are hard-at-work testing now to ensure quality. It takes more testing than you might think to release a quality update.  For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing.  They are now in stress testing, 3rd-party application testing, and fuzzing.  We’d sure like to complete all that testing before the update needs to be released.  We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers.

I am sure everyone is eagerly waiting for the patch from Microsoft.  Everything that is coded needs to be tested, and that takes time.  Imagine if Microsoft released a patch that adversely affected SMBv2 instead of fixing the vulnerability.  The pain would be immense.  Not to mention, imagine fixing a vulnerability without properly testing the fix and consequently introducing a completely new vulnerability.  The biggest point here is that there are no reports of worms or viruses taking advantage of this software vulnerability.  Of course, if one does come about, we may see additional urgency from Microsoft on this patch.

Sheer panic is not any type of solution when dealing with software vulnerabilities without patches available.  Staying informed of the situation is more powerful.

You can find the full blog posting here.

 

-Jason Miller

Microsoft Security Advisory 975497 Updated

Microsoft has updated Microsoft Security Advisory 975497.  The article now provides more details about what exactly SMBv2 does on a Windows Vista or 2008 computer.

In addition, Microsoft has released a Microsoft Fix It tool.  This tool is an executable that applies the manual workaround for the software vulnerability: it disables SMBv2 on target systems.  There is also a tool that will undo the workaround.  Microsoft usually advises customers to undo the workaround once a security patch is released for the vulnerability.

If you choose to deploy the workaround, be forewarned.  You could break critical functionality on your target system.  The following Windows services and applications require SMBv2 on Windows Vista and 2008:

  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (File and Print Sharing)
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal Server Licensing
  • Print Spooler
  • Computer Browser
  • Remote Procedure Call Locator
  • Fax Service
  • Indexing Service
  • Performance Logs and Alerts
  • Systems Management Server
  • License Logging Service

The software vulnerability (MS09-067) the Conficker worm exploited also relied on similar services.  Please do some thorough research before blindly applying this workaround.
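A read-only pre-check of the kind that research should include, written as an added example (not code from the original post or from Microsoft): it reports whether SMBv2 is already disabled on the host and which of the SMB-dependent services listed above are running.  It assumes the workaround is the LanmanServer "Smb2" registry value that the advisory's manual steps set to 0, and that the short service names used are the standard Windows names for the listed services.

```powershell
# Added example (not code from the original post): a read-only pre-check to run
# before applying the Advisory 975497 workaround. It reports whether SMBv2 is
# already disabled and which of the SMB-dependent services listed above are
# running, so the impact of disabling SMBv2 on this host is known in advance.
# Assumptions: the workaround is the LanmanServer "Smb2" registry value that the
# advisory's manual steps set to 0, and the short service names below are the
# standard Windows names for the listed services (verify them on your build).

$smbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb2 = (Get-ItemProperty -Path $smbKey -Name 'Smb2' -ErrorAction SilentlyContinue).Smb2
if ($null -eq $smb2) {
    Write-Output 'SMBv2: Smb2 value not present (default: enabled)'
} elseif ($smb2 -eq 0) {
    Write-Output 'SMBv2: disabled (workaround appears to be applied)'
} else {
    Write-Output "SMBv2: enabled (Smb2 = $smb2)"
}

# Short service name -> the name used in the advisory's list above (assumed mapping).
$dependents = @{
    'LanmanServer'      = 'Server (File and Print Sharing)'
    'gpsvc'             = 'Group Policy'
    'Netlogon'          = 'Net Logon'
    'Dfs'               = 'Distributed File System (DFS)'
    'TermServLicensing' = 'Terminal Server Licensing'
    'Spooler'           = 'Print Spooler'
    'Browser'           = 'Computer Browser'
    'RpcLocator'        = 'Remote Procedure Call Locator'
    'Fax'               = 'Fax Service'
    'pla'               = 'Performance Logs and Alerts'
}

$running = foreach ($name in $dependents.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $dependents[$name] }
}

if ($running) {
    Write-Output 'Running services that depend on SMB and would be affected by disabling SMBv2:'
    $running | Sort-Object | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output 'None of the listed SMB-dependent services are running on this host.'
}
```

Run it on a representative Vista or 2008 host before rolling the Fix It out; a non-empty list is the set of functions you would be taking down along with SMBv2.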

There were also some reports today of a penetration testing company that has successfully implemented reliable, working exploit code for this vulnerability.  Other security researchers are getting close to producing such code as well.  The report can be found on Ryan Naraine’s blog.

Phone Menus and You

How many of you have ever had something like this happen to you when you called tech support?

While this is obviously meant to be funny, it is clear that the majority of the population run into poor support menus and IVRs that make it difficult to get where you want.  Here at Shavlik, we have always strived to minimize the number of menu selections you need to make to get to solving your issue, and before the end of this month we are going to make that even easier.  We will be rolling out a new menu for our phone support that will simply get you to a technical support agent right away.

Please feel free to leave any comments on our support and our current phone system!

How to Ensure Excellent Compliance Reporting

With mounting regulatory pressure, and the sheer number of vulnerabilities on the rise, organizations today must have a mechanism in place to monitor and audit themselves to ensure compliance with their own policies and standards – as well as any applicable regulation. Thus the importance of good Compliance Reporting! Before any type of meaningful reporting can be constructed – there are a few key things to consider:

Information Security Policy:

Do you have an information security policy in place? If you do…is it measurable? If you’re struggling in this area…you’re not alone! A good set of measurable policies (controls) can be quickly established by leveraging “security best practices”, which is a great place to start. There are many directions you could take at this juncture (in terms of a standard of reference), but the direction I would recommend leverages one of the most widely recognized policy frameworks available, the ISO standard (http://www.iso.org/iso/home.htm).  The ISO standard consists of a well understood set of controls and objectives, which can be used to establish and measure control (or policy) effectiveness, and thus measure the level of compliance.

Assess Your Risk:

Once your policy is in place, you need a means to accurately assess your risk and determine any deficiencies or issues that may cause you to drift into a non-compliant state. This is where automation comes in! With good automated tools…you can quickly (with very little user impact) assess your level of risk. In order to get the best possible results, the frequency at which these assessments occur is very important. Anything less than a quarterly assessment puts you in a very vulnerable position, so the more frequent, the better! Much like any financial statement (in this case a “security balance sheet”), frequent vulnerability assessments provide a picture in time of your current state. So what’s important at this stage is the ability to establish a regimented, automated process which will ensure an accurate assessment of your current level of risk, while at the same time allowing you to actively address any issues in a timely fashion.

Automate Remediation of Discovered Risks:

Next up (and this is very important) is the ability to automate the remediation of any discovered form of risk. Good reporting without the ability to remediate is like eating French fries without ketchup…it still tastes good, but you sense something important is missing. Without remediation…the function of compliance reporting becomes less than automatic. Once the assessment of risk is complete and risks are identified…if there isn’t some form of automated remediation in place…the remediation process gets bogged down, and the chance for errors (especially if humans are involved) goes way up! Reporting (post assessment) will clearly illustrate the potential for risk. The ability to take some form of actionable, automated steps to solve matters presents enormous value. It can also have a direct impact on any organization’s ability to proactively address any sudden, unexpected issues (example: Conficker). Interesting link: http://shavlik.typepad.com/mark_shavliks_blog/2009/03/confickerc-will-this-virus-make-us-april-fools.html.

Compliance Report:

Now, with your policies in place and the assessment and remediation process well defined, we can move on to the all-important “Compliance Report”. Reporting is only as good as the accuracy of the data being reported, not forgetting the importance of its “consumability”. Whether the report is for internal use, or something that will be used to address the requirements of the most stringent of auditors…it has to be comprehensive, easy to understand, and most importantly easy to generate. Falling back on what I discussed earlier, a well-established set of policies that leverages a well-recognized framework standard (like ISO) creates clear measurability, which is the basis for good compliance reporting.

So…in closing, good compliance reporting, supported by the right levels of automation is critical. With measurability comes proof, and with proof – compliance can’t be far behind!

Dave Eike
Shavlik Technologies