Countdown to Black Hat: Top 10 Sessions to Attend — #9 and #10

With Black Hat USA 2019 now in progress, we wrap up this blog series with our final two session recommendations: Attacking and Defending the Microsoft Cloud and Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale.

Attacking and Defending the Microsoft Cloud, which focuses on protecting Office 365 and Azure Active Directory, explores the most common attacks against the cloud and describes effective defenses and mitigations. While it focuses on Microsoft, some topics apply to other providers. The speakers, Trimarc CTO Sean Metcalf and Mark Morowczynski, a Principal Program Manager at Microsoft, will cover topics including account compromise and token theft, methods to detect attack activity, and secure cloud administration.

Meanwhile, Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale outlines how Netflix identifies and eliminates vulnerabilities in the open source software components it uses in its applications at scale. The speaker, Aladdin Almubayed, is a Senior Application Security Engineer at Netflix who will describe the stages in Netflix’s automation strategy and the tools it uses.

New DoS Attack on PHP, ASP, Java Disclosed at CCC Congress – Updated

Update:
Microsoft just advised that they will provide an out-of-band update tomorrow for KB2659883 and other vulnerabilities. Details are on the usual ANS page, MS11-Dec.

Original:
Earlier today at the CCC Congress in Berlin, Alexander Klink and Julian Wälde, two German security researchers, explained how to (ab)use the hash table functionality present in many web server platforms to cause CPU exhaustion on the server.

The attack uses HTTP POST requests to submit variables to a server, which the server automatically stores and keeps track of. By submitting hundreds of thousands of variables with specifically chosen names that cause collisions in the hash tables used to store them, the server's CPU is kept busy. This attack mechanism is simple and elegant, and it causes the server to spend minutes to hours on a single HTTP request.

PHP has published a patch that enables a workaround for the condition. It limits the number of variables that can be submitted in a single POST to 1,000, a strategy similar to the one employed by the newest Tomcat 7.0.23. Microsoft published its advisory KB2659883 today and advises setting the maximum size of the POST request to a limited value (20KB or 200KB depending on viewstate usage) in order to reduce the number of variables that can be passed into ASP.NET. Microsoft’s SRD blog has a lot of additional information, including Snort signatures for the attack.

We will closely monitor the development around the vulnerability and will keep you updated on new developments. At the moment, we recommend limiting the request size, which seems to be a countermeasure that is universally available.
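As an added example (not code from the original post, nor from PHP, Tomcat or Microsoft), the following Python module enforces the two countermeasures described above before a request body is ever parsed into a hash table: a cap on the raw POST size and a cap on the number of form fields. The limit values mirror the figures in the post (20 KB, 1,000 variables); the function names, default values and sample request bodies are constructed for illustration.

```python
"""Pre-parse limits for application/x-www-form-urlencoded POST bodies.

Added example, not code from the original post or from PHP, Tomcat or
Microsoft. Enforcing a byte cap and a field-count cap before the body is
parsed keeps a flood of colliding variable names from ever reaching the
server's hash table. Names, defaults and sample bodies are constructed.
"""
from urllib.parse import parse_qsl

MAX_POST_BYTES = 20 * 1024  # post's figure for ASP.NET without viewstate
MAX_POST_VARS = 1000        # post's figure for PHP / Tomcat 7.0.23


def count_form_fields(body: bytes) -> int:
    """Count '&'-delimited, non-empty fields without decoding or storing them.

    This is a single pass over the bytes and allocates no per-field dict
    entries, so it is cheap to run on an untrusted body of bounded size.
    """
    return sum(1 for segment in body.split(b"&") if segment)


def check_post_limits(body: bytes,
                      max_bytes: int = MAX_POST_BYTES,
                      max_vars: int = MAX_POST_VARS):
    """Return (accepted, reason).

    Size is checked first so the field count is only computed over a body
    that is already bounded in length.
    """
    if len(body) > max_bytes:
        return False, f"body is {len(body)} bytes, limit is {max_bytes}"
    fields = count_form_fields(body)
    if fields > max_vars:
        return False, f"body has {fields} form fields, limit is {max_vars}"
    return True, "ok"


def parse_form(body: bytes,
               max_bytes: int = MAX_POST_BYTES,
               max_vars: int = MAX_POST_VARS) -> dict:
    """Parse a form body into a dict only after the limits pass.

    parse_qsl's own max_num_fields argument (available since Python
    3.7.2 / 3.8) is passed as a second line of defence so the standard
    library enforces the same cap even if a caller skips check_post_limits.
    """
    accepted, reason = check_post_limits(body, max_bytes, max_vars)
    if not accepted:
        raise ValueError(f"rejected request: {reason}")
    pairs = parse_qsl(body.decode("utf-8", errors="replace"),
                      keep_blank_values=True,
                      max_num_fields=max_vars)
    return dict(pairs)


# Constructed sample bodies: one ordinary login form and one flood of
# 1,500 distinct field names (about 11 KB, so only the field cap fires).
NORMAL_BODY = b"user=alice&action=login"
FLOOD_BODY = b"&".join(b"v%d=1" % i for i in range(1500))


if __name__ == "__main__":
    for label, body in (("normal", NORMAL_BODY), ("flood", FLOOD_BODY)):
        accepted, reason = check_post_limits(body)
        verdict = "accept" if accepted else "reject"
        print(f"{label:6s} {len(body):6d} bytes -> {verdict}: {reason}")
```

The caps bound the worst-case work a single request can cause; they do not change the hash function underneath, so a request just under the cap still costs more than a normal one. That is why the post calls the PHP change a workaround rather than a fix, and why the request-size limit is the countermeasure to apply first wherever the platform does not yet offer a variable-count cap.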

The 60-minute talk itself is online on YouTube and very much worth watching for its background information on how the researchers found the vulnerability and its applicability to other platforms (Spoiler: Python: yes, Ruby: somewhat, Perl: no). They also talk a bit about further research into other attack methods (JSON, for example) and other areas where hash tables are used (OS kernels, for example). The advisory by oCERT lists the vulnerable platforms, and a detailed technical advisory can be found at the site of n.runs, the company where Alexander works.

Silent Updating for Internet Explorer

Good security news this morning…

Microsoft announced that in 2012 Internet Explorer will be updated "silently" to its newest possible version. This new silent update will eliminate the pop-up window that currently allows users to opt-out or postpone the update.

Silent updating is generally seen as a big improvement to security on the Internet; just take a look at the study done at the Swiss Technical University ETH by Stefan Frei. Being on the newest possible Internet Explorer (IE8 on Windows XP, IE9 on Vista/Win7) brings a significant increase in security and resistance to malware infections due to better architecture, sandboxing and the included URL filtering feature.

Microsoft is not alone in moving to silent updates. It follows Google’s Chrome browser which pioneered the concept of silent updating in 2009, and more recently Mozilla Firefox has revealed that they are working on a "Firefox Updater Service" that will allow for silent updates as well. Overall this change is in line with the new update mechanisms coming in Windows 8, which will make the overall update experience much smoother for Windows users.

As expected, enterprise users who control their patches tightly will not be affected by the change; they will continue to have full control over the versions of their browsers. For anybody interested in staying on their old browser, Blocker Toolkits for both the IE8 and IE9 upgrades are available for download from Microsoft, and their settings will continue to be honored.

The rollout starts in Australia and Brazil in January 2012, and I am looking forward to seeing the feedback data from Microsoft on what the level of success will be.

Thumbs Up to Project Quant to Quantify Patching

Two months ago at RSA 2009, Rich Mogull from Securosis mentioned an interesting project that they are working on: Project Quant. The project focuses on measuring the patch management process in all stages involved, from monitoring for new threats and patches, to evaluation and testing, through deployment and verification. Now that they have refined this lifecycle, they need input from you – real-life production users who can tell how much time is spent on each of these activities. He has published an online survey, which is the first step in gathering production data.

This is an exciting project and the results will be made publicly available. I expect them to provide high quality insight into the cost of patching. Recommended.

PS: The full scope and intentions of the project are outlined in the initial post.