SecDigest – 07-09-2008
Big day for security researchers, vendors and administrators with Microsoft’s Patch Tuesday release. The simultaneous release of patches for the DNS cache poisoning attack by major vendors makes it all the more interesting and keeps us all busy. I must say, a well-coordinated effort by the vendors.
Current Activities:
1. Vulnerabilities in DNS Could Allow Spoofing (953230) – MS08-037
2. Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582) – MS08-038
3. Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) –
4. Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) – MS08-040
5. Sun’s advisory on DNS cache poisoning issue
6. Cisco’s advisory on DNS cache poisoning issue
7. Microsoft Word Unspecified Remote Code Execution Vulnerability – 953635
8. Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution – 955179
DNS Cache poisoning issue:
Almost all vendors are affected, since this is an issue with the protocol implementation. The first issue is the entropy of the DNS Transaction ID, and the second is that the UDP source port is constant for all queries. Together these make it easy for an attacker to guess these values and alter the cache, redirecting DNS queries to a different location.
The randomness of the Transaction ID was addressed earlier by Microsoft (MS08-020) and BIND. The latest patches introduce port randomization as well. Exercise caution while deploying this patch:
1. Firewall rules may need a review
2. Custom implementations of DNS clients may require a review and rework.
As of now, Microsoft, BIND, Sun, Cisco, Debian and Ubuntu have released advisories; look for more advisories in the coming days.
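To confirm after patching that a resolver really varies both values, the check below classifies (source port, Transaction ID) pairs taken from its outbound queries. It is an added example, not part of any vendor advisory; the function names, the 0.8 threshold and the three sample sets are assumptions constructed for illustration.

```python
import math
import random

def _mostly_sequential(values, threshold=0.8):
    """True when most consecutive 16-bit values differ by exactly +1."""
    if len(values) < 3:
        return False
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return steps.count(1) / len(steps) >= threshold

def assess_queries(queries):
    """queries: (udp_source_port, transaction_id) pairs seen leaving one resolver.

    Returns findings plus a rough count of bits an off-path spoofer must guess.
    """
    if not queries:
        raise ValueError("no queries observed")
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    findings = []
    port_bits, txid_bits = 0.0, 16.0  # the Transaction ID is a 16-bit field

    if len(set(ports)) == 1:
        findings.append("fixed-source-port")
    elif _mostly_sequential(ports):
        findings.append("sequential-source-port")
    else:
        # Rough estimate: treat the observed port span as the random range.
        port_bits = math.log2(max(ports) - min(ports) + 1)

    if _mostly_sequential(txids):
        findings.append("sequential-txid")
        txid_bits = 0.0  # predictable once one value is known

    return {"findings": findings, "guess_bits": round(port_bits + txid_bits, 1)}

# Constructed samples (not real captures): 200 outbound queries each.
rng = random.Random(2008)
UNPATCHED = [(32768, rng.randrange(65536)) for _ in range(200)]
PATCHED = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(200)]
LEGACY = [(32768, (4000 + i) % 65536) for i in range(200)]

if __name__ == "__main__":
    for name, sample in [("unpatched", UNPATCHED), ("patched", PATCHED), ("legacy", LEGACY)]:
        print(name, assess_queries(sample))
```

Run it against pairs captured on the far side of any NAT or firewall, since a device that rewrites source ports can undo the randomization the patch adds.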
Slightly exaggerated headline,
ActiveX Control for the Snapshot Viewer for Microsoft Access – 955179
For any ActiveX-related issue, set the kill bit. We have been seeing a number of these. This doesn’t solve the problem, but it stops one of the attack vectors.