eEye Digital Security - Vulnerability Expert Forum, September 2011

eEye Digital Security 1.866.339.3732 www.eEye.com [email protected] Vulnerability Expert Forum September 15, 2011

Upload: beyondtrust

Post on 21-Nov-2014


DESCRIPTION

eEye’s monthly Vulnerability Expert Forum provides a complete analysis of recently announced critical vulnerabilities from Microsoft and other software vendors. Join us the second Wednesday of each month, the day after Patch Tuesday, when Microsoft discloses their monthly patches, to get:

• A complete analysis of the latest critical vulnerabilities, vendor patches, and zero-day threats

• A detailed assessment of the true criticality of each patch, to best prioritize rollout

• Expert guidance on the actions necessary to protect your systems

TRANSCRIPT

Page 1: eEye Digital Security - Vulnerability Expert Forum, September 2011


Vulnerability Expert Forum

September 15, 2011

Page 2: eEye Digital Security - Vulnerability Expert Forum, September 2011


Agenda

About eEye

Microsoft’s September Security Bulletins

Other Vendor Updates

Security Landscape: Other InfoSec News

Secure and Comply with eEye

Q&A

Page 3: eEye Digital Security - Vulnerability Expert Forum, September 2011


eEye at a Glance

Security Experts

Seasoned security professionals

Thousands of customers

Some of the largest VM installations in the world

Award-Winning Solutions

Recognized product leadership

Securing companies of all sizes

Unparalleled services and support

Industry Pioneers

Leaders in IT security since 1998

Developed one of the first vulnerability scanners

Growing and profitable

Thought Leaders

World-renowned security research team

Trusted advisors to organizations across industries and sizes

Page 4: eEye Digital Security - Vulnerability Expert Forum, September 2011


Why eEye

Making the Complex Simple

Unified

Efficient

Effective

The Industry Experts Say…

“Retina provides a solid feature set with easy-to-use scanning controls. It’s an excellent vulnerability scanner at a good price. This one gets our Best Buy.”

“eEye Digital Security raises the standard in enterprise endpoint protection with a management console that could almost be called next generation.”

“eEye’s security research team continues to provide good Windows vulnerability coverage and mitigation advice for zero-day vulnerabilities.”

“Retina has many desirable features…and an extremely flexible reporting portal. The product is also attractively priced.”

Page 5: eEye Digital Security - Vulnerability Expert Forum, September 2011


eEye Research Services

eEye Preview

• Advanced Vulnerability Information

• Full Zero-Day Analysis and Mitigation

• Custom Malware Analysis

• eEye Research Tool Access

• Includes Managed Perimeter Scanning

eEye AMP

• Any Means Possible Penetration Testing

• Gain true insight into network insecurities

• “Capture-The-Flag” Scenarios

eEye Custom Research

• Exploit Development

• Malware Analysis

• Forensics Support

• Compliance Review

Page 6: eEye Digital Security - Vulnerability Expert Forum, September 2011


Microsoft September Security Bulletins

5 Total Bulletins; 15 Issues Fixed

MS11-070: Vulnerability in WINS Could Allow Elevation of Privilege (2571621)

MS11-071: Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)

MS11-072: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)

MS11-073: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)

MS11-074: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

Page 7: eEye Digital Security - Vulnerability Expert Forum, September 2011


Microsoft Security Bulletin: MS11-070

1 Vulnerability Fixed in Bulletin

WINS Local Elevation of Privilege Vulnerability - CVE-2011-1984

Severity: Important

#WINS

Privately reported vulnerability

EoP possible if a specially crafted WINS replication packet is received by a system running the WINS service

Attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability; WINS is an optional server component and is not installed by default

Mitigations

No practical mitigations are available at this time; patch servers running WINS, and keep the service off systems that do not need it

Page 8: eEye Digital Security - Vulnerability Expert Forum, September 2011


Microsoft Security Bulletin: MS11-071

1 Vulnerability Fixed in Bulletin

Windows Components Insecure Library Loading Vulnerability - CVE-2011-1991

Severity: Important

DLL PRELOADING: IT NEVER ENDS

Publicly disclosed vulnerability

Triggered by opening a legitimate .txt, .rtf or .doc file from a network location (a WebDAV or SMB share) that also contains a specially crafted DLL

Mitigations

Disable loading of libraries from WebDAV and remote network shares

Disable the WebClient service (removes the WebDAV-over-HTTP path)

Block TCP ports 139 and 445 at the perimeter firewall (removes the SMB path from untrusted networks)

Page 9: eEye Digital Security - Vulnerability Expert Forum, September 2011


Microsoft Security Bulletin: MS11-072

5 Vulnerabilities Fixed in Bulletin

Excel Use after Free WriteAV Vulnerability – CVE-2011-1986

Excel Out of Bounds Array Indexing Vulnerability – CVE-2011-1987

Excel Heap Corruption Vulnerability – CVE-2011-1988

Excel Conditional Expression Parsing Vulnerability – CVE-2011-1989

Excel Out of Bounds Array Indexing Vulnerability – CVE-2011-1990

Severity: Important

Excel can help you balance your budget and serve as a backdoor!

Privately reported, triggered by a maliciously crafted Excel file

Mitigations

Set Office File Validation to disable the opening of files that fail validation in Excel 2003 & 2007

Set Office File Validation to disable editing in Protected View of files that fail validation in Excel 2010

Use MOICE (Microsoft Office Isolated Conversion Environment) when opening binary Excel files from untrusted sources

Page 10: eEye Digital Security - Vulnerability Expert Forum, September 2011


Microsoft Security Bulletin: MS11-073

2 Vulnerabilities Fixed in Bulletin

Office Component Insecure Library Loading Vulnerability – CVE-2011-1980

Office Uninitialized Object Pointer Vulnerability – CVE-2011-1982

Severity: Important

The Never Ending Vulnerability

Two privately reported issues

Mitigations

Disable loading of libraries from WebDAV

Disable WebClient

Block TCP ports 139 and 445 at the firewall

Use MOICE

Block the loading of binary files within Word, Excel, and PowerPoint 2007 and 2010

Definitely Falkor

Page 11: eEye Digital Security - Vulnerability Expert Forum, September 2011


Microsoft Security Bulletin: MS11-074

6 Vulnerabilities Fixed in Bulletin

XSS in SharePoint Calendar Vulnerability – CVE-2011-0653

HTML Sanitization Vulnerability – CVE-2011-1252

Editform Script Injection Vulnerability – CVE-2011-1890

Contact Details Reflected XSS Vulnerability – CVE-2011-1891

SharePoint Remote File Disclosure Vulnerability – CVE-2011-1892

SharePoint XSS Vulnerability – CVE-2011-1893

Severity: Important

Sharing… sometimes… is definitely not caring

SharePoint does not properly parse and sanitize XML and XSL files

JavaScript in specific request parameters is not handled correctly

Mitigations

The IE 8 & 9 XSS filter protects against the reflected XSS attacks; it is a client-side control and does nothing for the remote file disclosure issue

No other mitigations exist at this time

Page 12: eEye Digital Security - Vulnerability Expert Forum, September 2011

Apache Updates – August 2011

Byte-Range Filter Memory Exhaustion

Vulnerability when handling “Range” and “Request-Range” headers expressing multiple overlapping ranges

Leads to a denial of service condition due to memory resource exhaustion

Exploitation seen in the wild

Public exploit code has been released

Affects Apache 2.0 prior to 2.0.65 and Apache 2.2 prior to 2.2.20

Fixed in versions 2.0.65, 2.2.20, or newer

Some other info

Version 2.2.20 fixes the issue but has side effects (some legitimate range requests are answered in a non-compliant way); 2.2.21, released September 13, 2011, corrects those regressions

Version 2.0.65 not yet released; expected September

Apache 1.3 is not vulnerable to the memory exhaustion, although the crafted requests still place load on it

LimitRequestFieldSize workaround is insufficient (the public exploit’s header fits inside the default 8190-byte limit); newer mitigations inspect the “Range” and “Request-Range” headers and drop or reject requests that carry too many ranges

Details on mitigations at http://wiki.apache.org/httpd/CVE-2011-3192
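The header-inspection mitigation described above, as an added example in Python (not code from the eEye deck or the Apache project): it re-implements the decision the Apache-recommended SetEnvIf/mod_headers rules make on a request, and builds an attack-shaped header to show why LimitRequestFieldSize alone does not help. The 5-range threshold, the 8190-byte default field limit, the sample headers and the function names are assumptions.

```python
"""Range-header checks for the Apache byte-range DoS (CVE-2011-3192).

Added example, not from the eEye slides or the Apache project. It mirrors in
Python what the advisory's SetEnvIf/mod_headers rules do: drop "Range" when it
carries 5 or more ranges and always drop the legacy "Request-Range" header.
The 5-range threshold, the 8190-byte field limit (Apache's default
LimitRequestFieldSize) and all sample headers are assumptions/constructed.
"""
import re

MAX_RANGES = 5              # assumption: same threshold as the advisory's example rule
DEFAULT_FIELD_LIMIT = 8190  # Apache's default LimitRequestFieldSize, in bytes

_BYTES_RANGE = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_ranges(value):
    """Split a Range header value into (first, last) tuples.

    None marks the open side of a range: "500-" -> (500, None), "-500" ->
    (None, 500). Raises ValueError on anything malformed so that callers can
    treat it as hostile instead of silently passing it through.
    """
    m = _BYTES_RANGE.match(value)
    if not m:
        raise ValueError("not a bytes range: %r" % value)
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue  # tolerate an empty element such as "0-,,5-9"
        lo, sep, hi = spec.partition("-")
        if sep != "-" or not (lo or hi) or (lo and not lo.isdigit()) or (hi and not hi.isdigit()):
            raise ValueError("malformed range element: %r" % spec)
        ranges.append((int(lo) if lo else None, int(hi) if hi else None))
    return ranges


def resolve(ranges, content_length):
    """Map parsed ranges onto a body of content_length bytes, dropping
    unsatisfiable ones (first byte past the last), as a server would."""
    out = []
    for lo, hi in ranges:
        if lo is None:                       # suffix range: the last `hi` bytes
            first, last = max(content_length - hi, 0), content_length - 1
        else:
            first = lo
            last = content_length - 1 if hi is None else min(hi, content_length - 1)
        if first <= last:
            out.append((first, last))
    return out


def has_overlap(resolved):
    """True when any two satisfiable ranges share bytes; the attack pattern
    ("0-" plus hundreds of ranges inside it) always trips this."""
    ordered = sorted(resolved)
    return any(ordered[i][1] >= ordered[i + 1][0] for i in range(len(ordered) - 1))


def filter_request_headers(headers):
    """Apply the advisory-style rule to a dict of request headers.

    Returns (cleaned_headers, reason): Request-Range is always removed, Range
    is removed when malformed or when it lists MAX_RANGES or more ranges, and
    `reason` says why (None when nothing was dropped).
    """
    cleaned, reason = {}, None
    for name, value in headers.items():
        key = name.lower()
        if key == "request-range":
            continue                         # legacy header, unconditionally dropped
        if key == "range":
            try:
                count = len(parse_ranges(value))
            except ValueError:
                reason = "malformed Range dropped"
                continue
            if count >= MAX_RANGES:
                reason = "Range with %d ranges dropped (limit %d)" % (count, MAX_RANGES)
                continue
        cleaned[name] = value
    return cleaned, reason


def attack_shaped_range(count=1300):
    """Constructed header in the shape used by the public exploit:
    "bytes=0-,5-0,5-1,...,5-<count-1>", i.e. many overlapping ranges."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(count))


def fits_default_field_limit(value):
    """Would the default LimitRequestFieldSize let this header through?
    (Yes: 1,300 ranges fit in under 8190 bytes, so that workaround fails.)"""
    return len(value) <= DEFAULT_FIELD_LIMIT


if __name__ == "__main__":
    attack = attack_shaped_range()
    parsed = parse_ranges(attack)
    print("ranges:", len(parsed), "bytes:", len(attack),
          "under default field limit:", fits_default_field_limit(attack),
          "overlapping:", has_overlap(resolve(parsed, 10000)))
    for hdrs in ({"Range": "bytes=1000-"},
                 {"Host": "example.test", "Range": attack, "Request-Range": attack}):
        print(filter_request_headers(hdrs))
```

A normal download-resume request ("bytes=1000-") passes untouched, while the 1,301-range attack header is only 7,998 bytes, comfortably under the 8190-byte default field size, and is dropped purely on its range count. The overlap check is there for detection: a resumed download never overlaps itself, so overlapping ranges in access logs are a strong signal even below the drop threshold.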


Page 13: eEye Digital Security - Vulnerability Expert Forum, September 2011

Adobe Updates – September 2011

Adobe Reader and Acrobat (APSB11-24)

13 vulnerabilities, most leading to remote arbitrary code execution

• Local Privilege Escalation (10.x Windows Only)

• Numerous overflows (heap and stack)

• Use-after-free

• Others (“security bypass”, “logic error”, “memory leakage condition”)

• 3 image parsing and 2 font related vulnerabilities; the rest are unspecified

Incorporates last month’s Flash Player fixes (APSB11-21)

Fixed in 10.1.1, 9.4.6, and 8.3.1 for Windows and Mac OS X

APSB11-24 heads-up

Support for 8.x on Windows and Mac OS X ends November 3, 2011 (oh snap)

Reader 9.4.6 for UNIX scheduled for release November 7, 2011 (double snap)

Next quarterly update scheduled for December 13, 2011


Page 14: eEye Digital Security - Vulnerability Expert Forum, September 2011

Cisco Updates – September 2011

CiscoWorks LAN Management Solution (SA-20110914-LMS)

Vulnerabilities when handling a crafted series of packets sent to TCP port 9002

Leading to remote unauthenticated arbitrary code execution

Versions 3.1, 3.2, and 4.0 are affected

No workarounds are available

Fixed in Cisco Prime LAN Management Solution version 4.1 and newer

Cisco Unified Service Monitor and Cisco Unified Operations Manager (SA-20110914-CUSM)

Same vulnerabilities as SA-20110914-LMS: a crafted series of packets sent to TCP port 9002 leads to remote unauthenticated arbitrary code execution

Versions prior to 8.6 are affected

No workarounds are available

Fixed in CUSM and CUOM version 8.6 and newer


Page 15: eEye Digital Security - Vulnerability Expert Forum, September 2011

Cisco Updates – September 2011 (continued)

Cisco Nexus Switches ACL Bypass (SA-20110907-NEXUS)

Cisco Nexus 5000 and 3000 Series Switches

Vulnerability when a remark is configured before a deny statement on an ACL

Could allow traffic to bypass “deny” statements in IP, VLAN, or MAC ACLs

All ACEs after a remark are affected; workaround by removing remarks from ACLs

QoS classification and route-map ACLs are not affected

Nexus 3000 – fixed in NX-OS version 5.0(3)U1(2a), 5.0(3)U2(1), or newer

Nexus 5000 – fixed in NX-OS version 5.0(3)N2(1) or newer

Example of an IPv4 ACL remark (on an affected release the deny that follows the remark is not enforced):

ip access-list acl-ipv4-01
  remark this ACL denies the 10.1.1.0/24 access to the 10.1.2.0/24 network
  deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
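An added example in Python (not Cisco’s or eEye’s code) that audits an NX-OS running-config for exactly this pattern: it reports every permit/deny entry that follows a remark inside the same ACL, which is what an affected Nexus 3000/5000 release skips, and produces the remark-free ACLs the workaround calls for. The sample config, which embeds the ACL above, is constructed and the function names are assumptions; whether a given switch is actually affected still depends on its NX-OS version.

```python
"""Audit NX-OS ACLs for the remark-before-ACE bypass (Cisco SA-20110907-NEXUS).

Added example, not Cisco's or eEye's code. On affected Nexus 5000/3000
releases every access-control entry that follows a "remark" line in an ACL is
bypassed. This walks a running-config, reports those entries and emits the
remark-free ACLs the advisory gives as the workaround. SAMPLE_CONFIG is
constructed; the function names are assumptions.
"""
import re

# ACL block headers: "ip access-list NAME", "ipv6 access-list NAME", "mac access-list NAME"
ACL_HEADER = re.compile(r"^(ip|ipv6|mac) access-list (\S+)\s*$")
# entries are indented under the header, optionally prefixed by a sequence number
ACE_LINE = re.compile(r"^\s+(?:(\d+)\s+)?(remark|permit|deny)\b\s*(.*)$")

SAMPLE_CONFIG = """\
hostname nexus5k-lab
ip access-list acl-ipv4-01
  10 remark this ACL denies the 10.1.1.0/24 access to the 10.1.2.0/24 network
  20 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  30 permit ip any any
ip access-list acl-ipv4-02
  10 deny ip 10.1.3.0/24 any
  20 remark a remark after the last ACE affects nothing
mac access-list mac-01
  10 remark block a rogue station
  20 deny 0011.2233.4455 0000.0000.0000 any
interface Ethernet1/1
  ip access-group acl-ipv4-01 in
"""


def iter_acl_entries(config_text):
    """Yield (acl_name, seq, kind, text) for each remark/permit/deny line,
    tracking which ACL block the line belongs to."""
    current = None
    for line in config_text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            continue
        if current is not None and not line[:1].isspace():
            current = None                   # an unindented line ends the ACL block
        if current is None:
            continue
        m = ACE_LINE.match(line)
        if m:
            seq, kind, text = m.groups()
            yield current, seq, kind, text.strip()


def bypassed_entries(config_text):
    """Return [(acl_name, entry)] for every permit/deny that follows a remark
    in the same ACL, i.e. the entries an affected switch silently skips."""
    findings, remarked = [], set()
    for acl, seq, kind, text in iter_acl_entries(config_text):
        if kind == "remark":
            remarked.add(acl)
        elif acl in remarked:
            findings.append((acl, "%s %s" % (kind, text)))
    return findings


def strip_remarks(config_text):
    """Workaround config: the same text with every ACL remark line removed."""
    kept, in_acl = [], False
    for line in config_text.splitlines():
        if ACL_HEADER.match(line):
            in_acl = True
        elif in_acl and not line[:1].isspace():
            in_acl = False
        m = ACE_LINE.match(line) if in_acl else None
        if m and m.group(2) == "remark":
            continue                         # drop the remark, keep every ACE
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for acl, entry in bypassed_entries(SAMPLE_CONFIG):
        print("BYPASSED in %s: %s" % (acl, entry))
    print("--- workaround config ---")
    print(strip_remarks(SAMPLE_CONFIG), end="")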


Page 16: eEye Digital Security - Vulnerability Expert Forum, September 2011


Security Landscape - More than a Microsoft World

CTO/CSO/CxO News

Android is No. 1 Target of Mobile Hackers

Coordinated ATM Heist Nets Thieves $13M

Kaspersky Accuses McAfee of Crying Wolf Over Shady RAT

CNET Hacker Chart

DigiNotar

IT Admin News

Nations with Low Malware Rates have Better ISPs, Microsoft Research Finds

Linux Foundation & Linux.com Multiple Servers Compromised

Data Privacy ‘Should be Taught in Schools’

20GB of Domain Typosquatting E-mails Nabbed

Researcher News

Chinese Military TV Show Slip-up (Shows Hack in Progress)

Bitcoin Mining with Trojan.Badminer

Researchers Uncover the Email that Led to the RSA Hack

Air Traffic System Vulnerable to Cyber Attack

Lawmakers Call for Probe of Medical Devices After Researcher Hacks Insulin Pump

ATMs Open to Thermal Imaging Attack, Researchers Confirm

Page 17: eEye Digital Security - Vulnerability Expert Forum, September 2011

Retina Community

Powered by the renowned Retina Network Security Scanner technology, Retina Community is a completely FREE vulnerability assessment solution.

Scan up to 32 Unique IP Addresses

Assessment Audits for Operating Systems, Applications, Network Devices, and Virtualized Environments

SCAP Configuration Scanning

Vulnerability and Executive Reporting

Exploit Identification from Core Impact, Metasploit, and Exploit-DB.com

Right-click Metasploit Integration


Download Now: http://community.eeye.com

Page 18: eEye Digital Security - Vulnerability Expert Forum, September 2011


eEye Unified Vulnerability Management

Automation and Efficiency = Minimized Risk and Lower TCO

SECURITY RESEARCH

MANAGE AND REPORT

• End-to-end vulnerability and compliance management

• Centralized management, reporting, and controls

• Assess, mitigate, and protect from one console

• Advanced trending and analytics

ASSESS

Vulnerability Scanning

Configuration Auditing

Asset Discovery & Inventory

Zero-Day Vulnerability Identification

Vulnerability Reporting

Compliance Auditing

MITIGATE

Integrated Patch Management

Prioritized Mitigation

Risk Scoring

Security Alerts

Prescriptive Remediation Reporting

PROTECT

Zero-Day Protection

Intrusion Prevention

Web Protection

Application Protection

System Protection

Page 19: eEye Digital Security - Vulnerability Expert Forum, September 2011


Thanks! Connect with Us for More Great Security Industry Content

http://blog.eeye.com

http://www.facebook.com/eEyeDigitalSecurity

http://www.twitter.com/eEye

http://www.YouTube.com/eEyeDigitalSecurity