
SSL: Deceptively Simple, Yet Hard to Implement

An Interview with SSL Expert and SSL Labs Founder Ivan Ristić

Even though SSL/TLS is critical for the privacy, integrity, and security of internet communications, the protocol is implemented in an optimal way in only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.

It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.

He launched SSL Labs in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSL Labs became a de-facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.

Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.


Adobe Reader 0-day – Update 3 – patched

Update 3:
Today, February 20, Adobe released the patch APSB13-07 for Adobe Reader and Acrobat. It addresses 2 CVEs (CVE-2013-0640, CVE-2013-0641) and should be rolled out immediately due to the attacks in the wild. Excellent turn-around time by Adobe.

Update 2:
Adobe announced a patch for Adobe Reader and Acrobat for next week, the week of February 18.

Users of the newest version of Adobe Reader, XI, can enable "Protected View" to mitigate the attack by going to Preferences, Security (Enhanced). Protected View opens the file in an additional sandbox that disables most Adobe Reader XI advanced features, but should be sufficient to read normal PDF documents.


Adobe has acknowledged reports of a new 0-day for its Adobe Acrobat and Adobe Reader line. According to the initial report by the FireEye researchers who detected the attack, all currently supported versions (9, 10 and 11) are affected.

There is currently no information on workarounds available, short of not using PDF documents. Stay tuned for more updates.

February 2013 Patch Tuesday Preview

Today Microsoft published its Advance Notice for this month’s Patch Tuesday. But more importantly Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible – Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Now back to Microsoft itself. We are looking at a little bit heavier Patch Tuesday with 12 bulletins that will address a total of 57 vulnerabilities. Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 – 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical Operating System level bulletin for Windows XP, 2003 and Vista, whereas users of the newer versions of Windows will not be affected. Bulletin 4 is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month’s Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Indexing server for SharePoint and is also caused by Oracle’s update of the Outside In libraries that Microsoft uses for document conversion processes.

August 2012 Patch Tuesday – Update

Great explanation and technical detail on how to exploit MS12-052 through use-after-free with heapspray by Derek Soeder.

On this month’s Patch Tuesday, Microsoft released nine bulletins addressing a total of 26 vulnerabilities. In addition, Adobe released new versions of its Adobe Acrobat and Adobe Reader (APSB12-16), Shockwave (APSB12-17) and Flash (APSB12-18) products. Taken together, both workstation and server administrators will have their hands full.

All of the Adobe bulletins and five of the Microsoft bulletins are rated "critical" and at least the first four in our list deserve an even higher urgency due to their potential impact on workstations and servers:

  • MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.
  • APSB12-18 is a fix for a single vulnerability in the Adobe Flash Player. According to Adobe the vulnerability is currently being used in targeted attacks. The known attack vector is a Word document with an embedded ActiveX Flash object.
  • MS12-054 addresses a flaw in the Remote Administration Protocol (RAP) of Windows Networking, that an attacker can use to spread quickly within enterprise networks. The attacker first needs to gain access to a machine on the network and then needs to share a resource (say a printer) with a specifically crafted name that encodes the exploit for the vulnerability. All Windows machines will periodically query the network for shared resources and automatically execute the exploit code contained in the resource name. The vulnerability allows Remote Code Execution only for Windows XP and 2003; if you are on a current version, you are not affected. Microsoft published a detailed post with more background information on the SRD blog.
  • MS12-058 patches the flaw in the Exchange Server disclosed three weeks ago in KB2737111. The popular Outlook Web Access (OWA) Exchange component uses a vulnerable module from Oracle’s Outside In product to perform document conversions. An attacker who can lure a user to look at a malicious document through OWA can gain access to the Exchange server at a low privilege level. The attacker would have to combine the exploit with a second exploit, a local privilege escalation to gain full control over the server. Again, Microsoft published more details on the SRD blog.
  • MS12-052 is a new version of Internet Explorer (IE) that addresses two critical vulnerabilities. All versions of IE from 6 to 9 are affected. Web browsing is one of the most common attack entry points and this new version should be included in the initial patch rollout. Remember that Microsoft in July implemented an accelerated rollout cycle for IE, so from now on you can expect to get an update for IE every month rather than every other month.
  • MS12-053 is a fix for a remote desktop protocol (RDP) vulnerability in Windows XP running Terminal Services. This is the third RDP vulnerability this year (MS12-020, MS12-04X) and we are hopeful that most organizations have been cataloging their externally exposed RDP services and will be able to patch this vulnerability as quickly as possible.

These five vulnerabilities together with the Adobe updates should be on your priority list of updates to evaluate and install where applicable. Also don’t forget that the vulnerable Oracle Outside In is used in other industry software packages; that will have to be patched eventually. For a list of software known to contain Outside In see the list at US CERT.

The remaining Microsoft bulletins are rated "important" and address a local privilege escalation vulnerability in Windows (MS12-055), a file format problem in the Visio DXF format (MS12-059), a problem in JavaScript on 64-bit machines (MS12-056) and a fix for the Office CGM, a graphics file format (MS12-057). They are lower priority and their installation can be postponed until a fitting maintenance window becomes available.

For a more technical background on the Adobe Reader vulnerabilities, take a look at the blog post by Mateusz Jurczyk and Gynvael Coldwind.

Reminder – DNS Changer Deadline Looming

We blogged about the DNS Changer malware in January, but there are only a couple of days left until July 9th, when the DNS Changer Working Group will stop operating the DNS servers used by the DNS Changer malware. According to the latest stats there are still 300,000 machines infected. These machines will lose Internet access once the servers are shut down.

I know that you as professionals and readers of this blog are most likely not in the affected group, but you are probably the IT resource for many of your friends and relatives, so please remind them one more time that BrowserCheck is an easy way to find out whether one is infected. In case of infection have them head over to the Fix page of DNS Changer Working Group. Please make sure that they turn on "System Checks" as the DNS Changer Malware detection is grouped with the other system level checks, such as AV, Updates and Firewalls.

Fast Updating: the Best Way to Defend Against Java Attacks

This week Brian Krebs posted some important news – according to his sources, the BlackHole exploit kit has been equipped with an exploit for the Java vulnerability CVE-2012-0570, released a mere month ago on Feb. 14 by Oracle. BlackHole is a widely disseminated exploit kit, commercially available in the underground. It allows interested groups with basic computer knowledge to implement an operation to attack target machines through their web browsers by setting up malicious web sites. Used in conjunction with a malware kit such as Zeus or SpyEye, these groups can build botnets that can then be used to harvest personal information for sale, rented out for SPAM or DDoS operations or handed over to pay-per-install operators.

The quality of the exploit kit plays an important role in such a setup, as it concentrates the rather sophisticated attack knowledge. The kit has to select the correct exploit based on the user’s configuration and the detected vulnerabilities. Most included exploits focus on older and well-known vulnerabilities (such as CVE-2010-1885 in Internet Explorer or CVE-2011-2110 in Adobe Flash), because they are the most stable and well-researched. A well-maintained target machine can usually not be penetrated with one of these off-the-shelf toolkits, as all software components are at the latest level. However, Java is difficult to update and the addition of an exploit for such a new vulnerability in Java sharply increases the risk of an attack for the Internet population at large.

Our recommendation: update your Java installation to the latest version available. There are a number of tools available to help you to find out the version of Java you are running, including Oracle’s own version checker. I recommend our own tool, BrowserCheck. Just point your browser to and get a precise diagnostic on the state of your browser and its plugins, including Java and other attacker favorites such as Adobe Flash and Adobe Reader.

If you cannot update Java (or you want to make your machine or the ones that you are responsible for more resilient to future attacks) there is a configuration setting in Windows that can be used to limit Java to a few selected and trusted sites. This requires a simple modification of the Windows Registry: changing Registry Value 1C00 to Setting 0 in Zone 3 (Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), which prohibits Java from running in the Internet Zone.

Sites that need Java can be whitelisted under Internet Options/Security/Trusted Sites. This works across all versions of IE and is non-overridable. Google Chrome has a similar mechanism, but I like the Internet Explorer better than Google’s implementation, which prompts the user for a decision on whether to run the plugin. Unfortunately most users will opt-in just to get rid of the prompt and continue to load the site, which has the potential to increase their security exposure.
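The registry change described above can be audited and applied from PowerShell. This is an added example, not code from the original post; the function names are hypothetical, and the key path, value name 1C00 and setting 0 are the ones given in the text.

```powershell
# Added example: audit and set the IE Java permission (value 1C00) per security zone.
# Key path, value name and the setting 0 for Zone 3 come from the post;
# the function names are hypothetical.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$JavaValue = '1C00'

function Get-JavaZoneSetting {
    # Report the Java permission of the current user for each zone.
    # Zone 3 is the Internet Zone, Zone 2 is Trusted Sites.
    param([int[]]$Zone = @(0, 1, 2, 3, 4))
    foreach ($z in $Zone) {
        $path = "$ZonesRoot\$z"
        $raw  = $null
        if (Test-Path -Path $path) {
            # Returns $null when the value has never been written for this zone.
            $raw = (Get-ItemProperty -Path $path -Name $JavaValue -ErrorAction SilentlyContinue).$JavaValue
        }
        [pscustomobject]@{
            Zone         = $z
            Value        = if ($null -eq $raw) { 'not set' } else { '0x{0:X8}' -f $raw }
            JavaDisabled = ($null -ne $raw -and $raw -eq 0)
        }
    }
}

function Disable-JavaInInternetZone {
    # Writes 1C00 = 0 (DWORD) under Zones\3 and returns the resulting state.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $path = "$ZonesRoot\3"
    if ($PSCmdlet.ShouldProcess($path, "set $JavaValue to 0")) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # -Force overwrites an existing value and creates it when missing.
        New-ItemProperty -Path $path -Name $JavaValue -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-JavaZoneSetting -Zone 3
}

# Show the current state for all zones, then preview the change without applying it.
Get-JavaZoneSetting | Format-Table -AutoSize
Disable-JavaInInternetZone -WhatIf
```

Run `Disable-JavaInInternetZone` without `-WhatIf` to apply the setting; it affects only the current user's hive (HKCU).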

Verizon Breach Report – New and Old Takeaways

Verizon released yesterday its 2012 Data Breach Investigations Report (DBIR), full of interesting data. For the first time, Verizon distinguished between small and large organizations in the data and we see a clear difference in the maturity of their security implementations. That distinction alone offers quite a number of hints on where to focus our attention as security professionals.

The main lessons for security professionals from this report: 1) the overall results represent a continuation of the trends from the reports of previous years; and 2) many of the problems documented are within the security industry’s ability to address – for both smaller and larger organizations. That’s really good news.

Here’s a recap of what I consider to be the most important findings for security professionals:

  • 97 percent of breaches (96 percent for both preceding years) could have been avoided with simple controls.
  • The types of beneficial controls cover the same areas for both small and larger organizations, but vary in their details.
  • Small organizations' biggest issues are default passwords on their remote access applications (think RDP, VNC, pcAnywhere).
  • Large organizations seem to have overcome the default password problem on their remote access applications but are faced with stolen login credentials and brute forcing.
  • Both small and large organizations are victims of malware that criminals install to maintain access to the breached network and to send the stolen data to their servers. In small organizations, the malware is installed largely by hand, whereas large organizations face more advanced infection mechanisms: close to 50 percent were infected through e-mail attachments, drive-by-downloads and web-borne malware.

Fortunately, we have the technical solutions available today for both small and large organizations to resolve all of these issues. The challenge to the solution often lies in the lack of knowledge, rather than complexity or cost. As a security community, it’s up to all of us to make successful implementations more visible and effectively promote the architects and operators who are doing it right. For an example see the work done at the US Department of State in recent years.

You can find the full DBIR report here.

Current pcAnywhere Security Issues

Last week Symantec published a whitepaper "pcAnywhere Security Recommendations" which recommended increased security measures to all users who are managing pcAnywhere installations. The whitepaper was prompted by the recent disclosure of Symantec source code announced by the hacker group "Lords of Dharmaraja" affiliated with Anonymous, and it points out the increased risk associated with pcAnywhere given that attackers can now search the source code for flaws.

Somewhat surprisingly, the whitepaper’s first recommendation is to uninstall the product, of course only if it is not absolutely required. Personally I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one’s software footprint and related attack surface. If uninstalling pcAnywhere is not a viable option, Symantec recommends a number of additional security configurations, including moving Internet-exposed pcAnywhere installations behind a VPN gateway, blocking the standard pcAnywhere ports 5631 and 5632 on the firewall, and disabling the autostartup of pcAnywhere.

Last week Symantec also released patches for the currently supported versions 12.5, 12.0.x and 12.1.x in advisory SYM12-02. The patches address CVE-2011-3478, a remote code execution vulnerability with CVSS base score of 8.3 and CVE-2011-3479, a local file tampering vulnerability with CVSS base score of 6.8.

We recommend installing these patches as quickly as possible if you have pcAnywhere installed.

QualysGuard users can scan for Qualys ID 119873 for pcAnywhere installations that lack the latest patch, or use Qualys ID 38448 to find all pcAnywhere instances in their networks. Alternatively you can also use Qualys ID 42017 to scan for remote access in general and gain a complete understanding of all remote access applications, which is very helpful in these types of situations.

Detecting the DNS Changer Malware

Only a couple of days left until the DNS Changer Working Group will stop operating the DNS servers used by the DNS Changer malware. According to the latest stats there are still 300,000 machines infected. These machines will lose Internet access once the servers are shut down.

You can use BrowserCheck to check whether you are in the affected group.

January marked half-time for the folks at the DNS Changer Working Group (DCWG) who are now running the DNS servers originally used in the Rove botnet. Ever since a multi-national task force dismantled the gang in Operation Ghost Click in early November of 2011, the DCWG has been in charge of running the servers at the heart of the botnet in order to keep the infected machines that depend on these servers online. In its four years of existence, Rove managed to infect around four million machines. Its mode of operation is simple: it replaces the DNS servers registered on the infected machine with its own servers, which allows it to redirect almost all of the traffic of the infected machines to its own services. This gives the attackers almost unlimited power over the infected machines, as they intercept almost all requests made to the Internet. They could, for example, replace all download requests for a certain piece of software, say iTunes, with a backdoor’d version of iTunes that for all intents and purposes behaves the same, but installs an additional remote administration tool for the attackers. They were also able to reorder your search results and influence your purchase decisions, and to exchange the ads that are displayed to you, favoring their affiliates.

But the DCWG’s mission is time-limited. In November they were tasked to operate the servers for a total of 120 days. They will shut down the servers in March and anybody who is still using those servers will then lose access to the Internet, as DNS is the service that translates your requests for a certain website, say "," into its IP address equivalent: Once DNS stops working you will get a screen similar to:

Address not valid - Windows Internet Explorer

Fortunately it is relatively easy to verify whether a machine is affected by Rove. All one needs to do is verify whether its DNS servers fall into the five ranges that were under control of the Rove operators. The easiest way to do this, at least under Windows, is to run the Qualys BrowserCheck plug-in, which we recently equipped with Rove detection capabilities (see screenshot).

Qualys BrowserCheck - DNS Changer Malware Detected
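The same check (do the configured DNS servers fall inside a known-bad range?) can be scripted. This is an added example, not part of the original post or of BrowserCheck; the post does not list the five Rove ranges, so the CIDR blocks below are placeholders to be replaced with the ranges published by the DCWG, and the function names are hypothetical.

```powershell
# Added example: flag configured DNS servers that fall inside suspect ranges.
# PLACEHOLDER ranges (RFC 5737 documentation networks), NOT the real Rove ranges.
$SuspectRanges = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24')

function ConvertTo-IPv4Number {
    # Dotted-quad to a number, computed arithmetically to avoid signed-integer issues.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [double]$n = 0
    foreach ($b in $bytes) { $n = $n * 256 + $b }
    return $n
}

function Test-InRange {
    # True when $Address lies inside the CIDR block $Cidr.
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $size  = [math]::Pow(2, 32 - [int]$prefix)     # number of addresses in the block
    $start = ConvertTo-IPv4Number $network
    $start = $start - ($start % $size)             # align to the start of the block
    $value = ConvertTo-IPv4Number $Address
    return ($value -ge $start) -and ($value -lt ($start + $size))
}

function Find-SuspectDnsServer {
    # With no -Server argument, reads the resolvers of all local interfaces
    # (Get-DnsClientServerAddress needs Windows 8 / Server 2012 or later;
    # on older systems pass the addresses shown by "ipconfig /all").
    param(
        [string[]]$Server,
        [string[]]$Range = $SuspectRanges
    )
    if (-not $Server) {
        $Server = Get-DnsClientServerAddress -AddressFamily IPv4 |
            ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
    }
    foreach ($s in $Server) {
        $hit = $Range | Where-Object { Test-InRange -Address $s -Cidr $_ } |
            Select-Object -First 1
        [pscustomobject]@{ Server = $s; Suspect = [bool]$hit; Range = $hit }
    }
}

# Constructed sample: one ordinary resolver and one inside a placeholder range.
Find-SuspectDnsServer -Server '10.0.0.53', '198.51.100.7' | Format-Table -AutoSize
```

Called without arguments, `Find-SuspectDnsServer` checks the machine it runs on; any row with `Suspect` set to True means the DNS settings should be reset as described below.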

If your machine shows as insecure under the DNS Changer heading, you need to perform a few simple steps to correct the situation. We provide more information on how to correct the DNS servers when you click on the FixIt button, but basically you need to reset the DNS servers that you use. On Windows the Control Panel is used to modify the DNS servers. Click on Start, Control Panel, Network Connections, then right-click on the icon that identifies your connection, and select Properties, then select Internet Protocol (TCP/IP) and click on the Properties button. This will bring you to the screen where the DNS servers are set. Here you should select Obtain DNS server address automatically and then close the windows by pressing OK and Close.

Internet Protocol TCP/IP Properties for Network Connection in Windows XP

Once done you should register the infection at the FBI’s website, as it will help strengthen the case against Rove’s operators.

January 2012 Patch Tuesday

2012’s first Patch Tuesday has seven bulletins, including the postponed bulletin from December 2011 that addresses the BEAST style information disclosure. Talking about changes in schedules, Microsoft also released a bulletin MS11-100 for ASP.NET originally planned for this January between Christmas and New Years of 2011, which you might have missed.

Our highest priority is MS12-004, which fixes two vulnerabilities in Windows Media Player, one critical in MIDI playing, one important in the closed caption (CC) interpretation. The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can come both through e-mail and through hosting the media file on a website. They have the potential to be used in a drive-by-download attack.

Next on our list is MS12-005, a vulnerability in the Windows .NET packager that can be triggered through a malicious Microsoft Office Word or PowerPoint document. Microsoft rates it only as 'important', but we consider vulnerabilities that only rely on a user opening a file critical enough to move them up in priority.

MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions. If you did miss the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools, maybe even to the one advertised here by Crista (via @mikko).

MS12-001 is the bulletin that was tagged as addressing a 'Security Feature Bypass' flaw. This is a new category and Microsoft has written a blog post explaining the details involved. In summary: a certain version of Visual-C (2003 RTM) implemented the SAFESEH security measure in a way that Windows XP, 2003, Vista, Win7 and 2008 were unable to read the information and fell back to run the binary without the SAFESEH handler. Binaries compiled with the later versions of Visual-C (starting with SP1) are generated correctly and MS12-001 now changes the affected Windows operating systems to be able to read the older format as well. There is no direct vulnerability here, but an attacker would have to identify a software compiled with the old version of Visual-C, find a vulnerability in it and code an exploit that would use the SEH exploit mechanism. Install it when you can, as it is a useful defense-in-depth measure.

Please also take a look at Adobe’s release today of a new version of Adobe Reader 9 and X. It will cover CVE-2011-4369 for Adobe Reader X, which they had already addressed for Adobe Reader 9 out-of-band due to exploits in the wild on December 16th plus a security enhancement that allows for better control of embedded JavaScript.