Robert Hensing's Blog

Bluehat V8: Mitigations Unplugged

rhensing — Tue, 02 Dec 2008 18:15:00 GMT

I first got to see Matt Miller speak in person a few Bluehat's ago when he was talking about 'Temporal return addresses' . . . ah yes - the talk was entitled "Temporal Chronomancy" according to Mr. Shostack's blog and it was all the way back in 2005. The basic premise behind the talk was that there are various counters / timers etc. that reside in a processes memory space that at specific dates and times become interesting 'op-codes' that can be used by exploit writers to do interesting things . . . IF they performed their exploit at exactly the right time . . . the talk freaking blew my mind . . . it was perhaps the best / most memorable Bluehat talk I've ever seen.

Anyways - I told you that story to set some precedent for this one. Matt Miller works at Microsoft now - on my extended team and he recently spoke again at Bluehat v8 (didn't get to attend sadly) and he delivered a talk on Mitigations Unplugged where he goes into GS / DEP / ASLR etc. etc. You'll have to trust me that these are topics that he's more than qualified to speak about. :) I haven't watched the video yet (it's 45 minutes) but I plan on making some time this week - if you have more free time than me - you should definitely check it out: http://technet.microsoft.com/en-us/security/dd285253.aspx

TIP: Be on the lookout for future blog posts from Matt over on the SVRD blog . . .

Interesting stuff and the end is near (for my blog)

rhensing — Wed, 19 Nov 2008 19:17:00 GMT

First off - OneCare is dead - long live . . . OneCare . . . err Morro?
http://news.cnet.com/8301-1009_3-10101582-83.html?tag=newsLeadStoriesArea.1

Next up - Zune 3.1 is out - download it - love it.
http://www.engadget.com/2008/11/18/zune-3-1-update-out-today-now-featuring-sudoku/
Also - the flash memory based Zunes are getting price chopped from $10 - $30 in time for Christmas:
http://www.engadget.com/2008/11/18/microsoft-ratchets-down-pricing-on-flash-based-zunes/

Things I loved about the 3.1 update are the new games (Checkers, etc.) and the ability to play with other players wirelessly. My 8 year old kicked my ass in Checkers last night playing wirelessly from his Zune 30. I was both proud and embarassed at being outsmarted by an 8 year old. :) I was too scared to try my luck at NLHE against him (yes he already knows how to play Poker - I'm not proud of that b.t.w.)

Also came across a new commerical I hadn't seen yet for the 360 today: http://www.xbox.com/NR/rdonlyres/79EB42A4-BB6F-4CDE-9DA1-1759D3EE8A18/0/vidxboxtvadgh3hi.asx

Finally - all good things must come to an end - and my blog is no exception. :)

I'll probably be done blogging real soon now . . . security (which unfortunately is one of my favorite topics) is a topic full of blog-landmines . . . only they move around frequently . . . and after stepping on them - they reset so you can step on them again, and again if you have short term memory problems and a learning problem. :) Not to mention it's time consuming when done properly and I've been busy as hell lately working on work - and overclocking my car (installed a piggyback EMU and self-tuned it a bit, installing some stage 2 cams this weekend - wish me luck - you may find a used overclocked 2001 IS300 on eBay Monday in need of a new engine with a low low reserve!).

So that said - my farewell post will probably be an explanation of why I have 'El Conquistador' in my display name since it's probably the most frequently asked question I get. :)

This week's Fail Open Goat Award goes to - Credit Card Processing

rhensing — Sun, 02 Nov 2008 16:43:00 GMT

http://www.veracode.com/blog/2008/10/credit-cards-failing-open/

Microsoft SideSight?

rhensing — Wed, 29 Oct 2008 18:53:00 GMT

Looks cool: http://www.gearlog.com/2008/10/microsofts_sidesight_something.php

SmoothHD

rhensing — Wed, 29 Oct 2008 18:44:00 GMT

Akamai / IIS7 / SilverLight 2.0 / VC-1 == HD over broadband happiness. It's sort of cool - the video started off a tad blurry and then got sharper after a few seconds and I didn't have a single glitch.
Pretty impressive stuff: http://www.smoothhd.com/
Also see: http://www.akamai.com/smoothhd

Mass SQL Injection : The Chinese Way

rhensing — Thu, 23 Oct 2008 16:20:00 GMT

The blog pretty much speaks for itself: http://www.circleid.com/posts/20081022_sql_injection_attacks_chinese_way/

Client-side browser vulns are of little use without an effective way of spreading them to the victims - unfortunately - it's still relatively easy for the miscreants to spread them around using tools like this.
Interesting the comment about SQL injection via cookies . . .

Out of band security update planned for today (MS08-067)

rhensing — Thu, 23 Oct 2008 15:28:00 GMT

Updated 10/23/2008 @ 1:17pm EST
We have pushed the update live - here's the direct link to the bulletin:http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (if it doesn't work for you - keep trying - it will be live real soon now).
Also note that the Microsoft Malware Protection Center also has generic detection for the malware dropped in the targeted attacks!
You can read more about it at the MMPC blog: http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx
Finally my team has released a blog post with an interesting .C file linked at the end - for those who like to compile stuff and play around with ACLs: http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
---------------------------------------------

The MSRC, SWI and some Windows product team folks have been working really hard to get a critical security update out the door this week and they just pushed the advanced notification thing live early this morning (EST).

http://blogs.technet.com/msrc/archive/2008/10/22/advance-notification-for-out-of-band-release.aspx

http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

It's likely that by the time many of you read this - the update will already be available for download via WU/MU/WSUS etc.
Be sure to go out and grab it - especially if you are running Windows XP or lower operating systems (as you can tell by the severity ratings in the advance notification thinger - it's critical on that platform).

As always we apologize in advance if this ruins anyone's weekend plans - I personally blame the miscreants. :)

P.S. Keep an eye on my team's blog later today for more technical information: http://blogs.technet.com/swi

Flash 10 & IE8b2 Per Site ActiveX

rhensing — Wed, 22 Oct 2008 22:28:00 GMT

So I've got IE8b2 installed on all of my machines and I've noticed that since installing Flash 10 that all web sites now prompt me before running Flash 10! The new gold bar experience users will see when they install Flash 10 on IE8 is described here (thanks to Eric Lawrence for the URL: http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx).

Some people may hate this - I actually like that I can now selectively control which sites get to use Flash and that it defaults to OFF for all web sites. As long as you don't select to allow ALL web sites to run the ActiveX control - it will continue to be blocked behind a gold bar for every web site that wants to instantiate the control. You'll find that within hours of installing Flash 10 on IE8b2 that pretty much EVERY site on the entire Interwebs wants to instantiate Flash (mostly for supporting annoying ads) and you'll also find that having it blocked behind a gold bar really isn't so annoying. I personally plan on leaving the Flash 10 AX configured to run on a per-site basis (i.e. I won't be configure it to run on all web sites) since this makes me feel a bit more warm and fuzzy only allowing certain sites to run the control. I imagine the vast majority of users will choose to allow all web sites to run the control and that's fine with me - as long as *I* don't have to allow all web sites to run the control - I'm a happy camper.

Flash 10 is out - install it like . . . yesterday.

rhensing — Sat, 18 Oct 2008 02:50:00 GMT

If I were a bad guy and I wanted to pwn lots of people via the web - I'd probably focus my efforts on ubiquitous software guaranteed to give me a lot of bang for my buck (like Flash and Acrobat). Software like Flash would seem like a good target given that it's installed on just about everything these days. Adobe released Flash 10 recently and I'm just guessing it's got some security bug fixes in it that would probably be good to have. I'd install it ASAP.

Oh and has anyone else noticed that Acrobat 9 still:

Opens PDFs by default in a browser *without prompting* the user
Runs JavaScript by default (I'm sure it's 'sandboxed' - whatever - i still disable this by default on all my boxes).

And does this remind anyone of Office circa 2000 when we let VBA macros run by default and didn't prompt users before opening documents via the web? How is it possible that in 2008 this still happens with our competitors?

Win7 to officially be called . . . Win7?

rhensing — Tue, 14 Oct 2008 23:59:00 GMT

I actually for once - LOVE that we are keeping the name of the OS simple and leaving it at Win7. I will admit - I was somewhat disappointed when XP's name was announced internally (internally it was known as Whistler) and I was downright horrified when we decided to call Longhorn "Vista" (my friends call it "Veesta"). Longhorn sounds cool . . . manly . . . Vista is pretty much the exact opposite in my mind . . . it sounds serene and 'pretty'.

Anyhoo - we seem to be doing all the right things with Win7 (you'll know why I'm saying that soon enough <G>): http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/14/why-7.aspx

Wish I could tell you more about it - but I can't. All I can say is that it freaking rocks. I already use it as my daily driver OS at work and can't wait until it's out in the public for testing (which it will be very soon at PDC / WinHec next week).