Posts Tagged ‘cisco’

Summary:

On July 6th, 2009 a zero day vulnerability in a component of the Windows operating system controlling
MPEG2 videos became publicly distributed. The attack code is currently present on several malware
servers in Asia and being used to infect unwitting clients who have been redirected to these servers. This
vulnerability will allow the remote control of clients who are pushed to malicious web servers via XSS or
phishing techniques. Microsoft has not issued a patch for this vulnerability, but they have recommended a
common workaround for dealing with ActiveX vulnerabilities which we have included below under
‘Recommended Preventative Actions’. Only older versions of Windows (2000, XP, 2003) are vulnerable to
this, as Vista and later operating systems have architecture which prevents the vulnerable code from being
exposed to the malicious control object. Major IDS/IPS/AV vendors have released signatures to detect
exploits against this vulnerability.

Severity: MEDIUM

We consider this to be a ‘medium’ severity event. We have not, to this date, seen high infection rates amongst our monitored networks, but vendors are just now releasing signatures to detect the exploit coming back from a malicious webserver to a vulnerable client. This exploit is not related to any worms, but is being used to install Trojan software which may then perform additional attacks on vulnerable hosts via other exploit vectors. While normally we would give ActiveX exploits a low severity, over the past 18 months there has been such a proliferation of SQL Injection attacks resulting in legitimate ASP.NET sites unwittingly serving up malicious JavaScript that ‘trusting’ the intention of a site is no longer prudent surfing behavior. We feel that the multitude of hacked web environments hosting active pages with malicious JavaScript inclusions, coupled with newer methods of attack obfuscation, added to the knowledge that MPEG2 is an EXTREMELY popular media format, justifies this severity.

How to Determine Whether You Are Vulnerable:

All 2003 and XP systems will be vulnerable to this unless specific actions have been taken, such as:
[1] Disabling ActiveX altogether (not recommended in many environments)
[2] Not using Internet Explorer at all
[3] Disabling Windows Media software via some 3rd party application
[4] Having updated A/V software which detects the attack and mitigates it
[5] Having set the kill-bit for the ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF)
[6] Performing an automated scan on hosts that are in the Windows 2003/XP tranche of operating systems.

Recommended Preventive Actions:

Oddly, Microsoft has discovered that no ActiveX control objects which interface with MSvidctl.dll are
needed by Internet Explorer. On Windows XP and 2003 systems they may all be safely disabled by using
the tool Microsoft provides at http://support.microsoft.com/kb/972890. Later systems such as
Windows Vista, 2008 and 7 do not appear to be vulnerable.
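As an added example (not code from this advisory or from Microsoft's KB972890 tool), the following PowerShell script reports whether the kill-bit from item [5] above is set for the CLSID quoted in this advisory, and sets it when run with -Apply. It assumes PowerShell is installed on the XP/2003 host and that the kill-bit lives in the standard ActiveX Compatibility registry key; the KB972890 tool covers the full set of MSVidCtl CLSIDs, while this script handles only the one quoted.

```powershell
# Added example, not code from the advisory or from Microsoft's KB972890 tool.
# Reports (and with -Apply sets) the ActiveX kill-bit for the MSVidCtl CLSID quoted
# in the advisory. Assumes Windows XP/2003 with PowerShell; -Apply needs admin rights.
# KB972890 kill-bits the full set of MSVidCtl CLSIDs; this handles only the one quoted.
param([switch]$Apply)

$Clsid       = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control
$ValueName   = 'Compatibility Flags'

# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so check both registry views.
$KeyPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KeyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}
function Test-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (([int]$item.$ValueName -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = 0
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [int]$item.$ValueName }
    # OR the flag in so that any other compatibility flags already present are kept.
    Set-ItemProperty -Path $Path -Name $ValueName -Value ($current -bor $KillBitFlag) -Type DWord
}

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("OS: {0} (version {1})" -f $os.Caption, $os.Version)
# The advisory lists only Windows 2000, XP and 2003 (NT 5.x) as affected.
if ($os.Version -notlike '5.*') {
    Write-Host 'Not in the affected OS range for this issue.'
}
foreach ($path in $KeyPaths) {
    if (Test-KillBit $path) {
        Write-Host "KILL-BIT SET     : $path"
    } elseif ($Apply) {
        Set-KillBit $path
        Write-Host "KILL-BIT APPLIED : $path"
    } else {
        Write-Host "KILL-BIT MISSING : $path (re-run with -Apply to set it)"
    }
}
```

Run it without arguments first to audit a host; a kill-bit reported as SET means Internet Explorer will refuse to load the control regardless of what a malicious page requests.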

How to Detect Potential Attacks:

The following Intrusion Detection System vendors have recently come out with signatures to detect some facet of this attempted exploit. We are currently investigating the efficacy of these signatures and will be updating managed and monitored devices accordingly.
Snort
SourceFire
McAfee
Tipping Point
IDP
Cisco
Popular antivirus software is detecting attacks as ‘JS/Exploit.CVE-2008-0015.A.Gen trojan’.

What to do if You Have Been Attacked:

Typically workstations, laptops and desktops running XP or 2003 are the ones likely to fall victim to this
type of attack. We recommend consulting your security policy for the Incident Response
procedure as it pertains to the asset which is compromised. Infection should be considered serious, and
Windows MSRT may or may not be enough to remove the Trojan software that the attacker has installed.

Detailed Analysis:

From Microsoft:
Customers who are using Windows Vista or Windows Server 2008 are not affected because the
ability to pass data to this control within Internet Explorer has been restricted.
By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is
known as Enhanced Security Configuration. Enhanced Security Configuration is a group of
preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator
downloading and running specially crafted Web content on a server. This is a mitigating factor for
Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing
Internet Explorer Enhanced Security Configuration.
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open
HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate
attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX
controls from being used when reading HTML e-mail messages. However, if a user clicks a link in
an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through
the Web-based attack scenario.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is
used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or
host user-provided content or advertisements could contain specially crafted content that could
exploit this vulnerability. In all cases, however, an attacker would have no way to force users to
visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail message or Instant Messenger message that
takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the
local user. Users whose accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.

Suggested Reading:

http://www.microsoft.com/technet/security/advisory/972890.mspx
http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activexcontrol-object-in-msvidctl-dll.aspx

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015


Network Security Superheroes Battle Threats in “The Realm”


On the Digital Earth, a new breed of criminal has emerged to do battle with network security. To ensure these vicious attackers don’t stand a chance, a select team of Cisco engineers was appointed to develop the ultimate digital crime-fighting organization… Do you dare to enter “The Realm”?

Dun…dun…dun…

“The Realm” is a completely virtual campaign that projects superhero qualities to not only the heroes in flashy costumes (or products) but also the engineers, the backbone of network security products, who convey a mastermind-like quality when designing the ammunition needed to battle such network threats as: Botnets, Malware, Spam and Intruders.

The campaign aims to motivate and inspire a new generation of network professionals, as well as seasoned engineers, in a language and visual expression that is entertaining and that they can relate to. Positivity and encouragement are crucial in this economy, and “The Realm” reminds us that IT professionals can be the heroes of the future.

The Realm, Episode 1

The webisode series is tied to an ongoing Human Network campaign, for which Cisco has been laying the groundwork for years, to communicate that the network is what makes our digital lives and visual networking possible. The notion that Cisco is purely an enterprise company is hardly the case these days, and while “The Realm” focuses on network security at the enterprise level, it is also an example of what Cisco is doing to dispel this perception.

Long past are the days of metal marketing. Do you remember seeing a metal box on a poster paired with a short slogan? Metal marketing, please meet “The Realm.” The first two webisodes are live at www.cisco.com/go/realm. A third episode will be released later this month and the finale will be released leading up to the RSA security conference in late April.

The mission of “The Realm” superheroes is to assure the safety and security of every citizen on the human network. Here are your heroes and the superpowers they own to protect you:

Defender Trace
1. Splits into multiple forms to monitor sectors simultaneously
2. Superhuman data analyzation
3. Protects the Realm perimeter and all traffic ways

Defender Wall
1. Energy wave force field
2. Super strength to enforce network access
3. Extrasensory authentication abilities

Defender Vixa
1. Manipulates sound waves to create physical forces
2. Subliminal encryption powers
3. Light-speed response to detected threats

Defender Jux
1. SensorBase Control
2. Headquarters shield protection
3. Genius analyzation of threat conspiracies

The Realm, Episode 2

The Realm, Episode 3

The Realm, Episode 4

Is there an area of technology you feel deserves superhero attention?

You can interact more with “The Realm” heroes on Facebook, where they each host their own page: Defender Trace, Defender Wall, Defender Vixa, Defender Jux

Click here to learn more about how Cisco provides visual networking for consumers and we invite you to join our conversation on Twitter and Facebook.

http://blogs.cisco.com

Cisco Packet Tracer 4.1

Packet Tracer 4.1 is a standalone, medium-fidelity, simulation-based learning environment for networking novices to design, configure, and troubleshoot computer networks at a CCNA-level of complexity. Packet Tracer supports student and instructor creation of simulations, visualizations, and animations of networking phenomena. Like any simulation, Packet Tracer 4.1 relies on a simplified model of networking devices and protocols. However, real computer networks remain the benchmark for understanding network behavior. Packet Tracer was created to help address the “digital divide” in networking education, where many students and teachers lack access to equipment, bandwidth, and interactive modes of learning networking.

http://rapidshare.com/files/66565829/Packet_Tracer_4.1.part1.rar
http://rapidshare.com/files/66566390/Packet_Tracer_4.1.part2.rar