Tag Archives: Microsoft

What’s wrong with patch-based Vulnerability Management checks?

My last post about Guinea Pigs and Vulnerability Management products may seem unconvincing without some examples. So, let’s review one. It’s a common problem that exists among nearly all VM vendors, I will demonstrate it on Tenable Nessus.

If you perform vulnerability scans, you most likely seen these pretty huge checks in your scan results like “KB4462917: Winsdows 10 Version 1607 and Windows Server 2016 October 2018 Security Update“. This particular Nessus plugin detects 23 CVEs at once.

What's wrong with patch-centric Vulnerability Management?

And, as you can see, it has formalized “Risk Information” data in the right column. There is only one CVSS score and vector, one CPE, one exploitability flag, one criticality level. Probably because of architectural limitations of the scanner. So, two very simple questions:

for which CVE (of these 23) is this formalized Risk Information block?
for which CVE (of these 23) exploit is available?

Ok, maybe they show CVSS for the most critical (by their logic) CVE. Maybe they somehow combine this parameter from data for different CVEs. But in most cases this will be inaccurate. Risk information data for every of these 23 vulnerabilities should be presented independently.

As you can see on the screenshot, one of these vulnerabilities is RCE the other is Information Disclosure. Vulnerability Management solution tells us that there is an exploit. Is this exploit for RCE or DoS? You should agree, that it can be crucial for vulnerability prioritization. And more than this, in the example there are 7 different RCEs in Internet Explorer, MSXML parser, Windows Hyper-V, etc. All this mean different attack scenarios. How is it possible to show it Vulnerability Scanner like one entity with one CVSS and exploitability flag? What can the user get from this? How to search in all this?

Continue reading →

Making CVE-1999-0016 (landc) vulnerability detection script for Windows NT

Leave a reply

The fair question is why in 2018 someone might want to deal with Windows NT and vulnerabilities in it. Now Windows NT is a great analogue of DVWA (Damn Vulnerable Web Application), but for operating systems. There are a lot of well-described vulnerabilities with ready-made exploits. A great tool for practising.

Making CVE-1999-0016 (landc) vulnerability detection script for Windows NT

Well, despite the fact that this operating system is not supported since 2004, it can be used in some weird legacy systems. 😉

Continue reading →

Vulnerability Databases: Classification and Registry

4 Replies

What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. 😉 If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading →

Microsoft security solutions against ransomware and APT

Leave a reply

Last Tuesday I was invited to Microsoft business breakfast “Effective protection against targeted and multilevel attacks”. Here I would like to share some of my thoughts on this. Need to mention that the food was delicious and the restaurant of Russian Geographical Society is a very lovely place. 😉 Thanks, Microsoft!

Microsoft as a security vendor? O RLY?

Microsoft products are not actually my topic. To tell you the truth, personally I’d better live in a world without this massive Windows hegemony in desktop operating systems. I use Linux mostly. And even when I have to work in a Windows environment, it’s much easier for me to do all the work in some Linux virtual machine.

But in the real life almost every office network is build on Microsoft solutions. And if you are doing Vulnerability Management in any organization, you should deal with them too. The good news is that many security features are available out of the box in the MS products that you have already purchased. It’s just important to know about these features and use them right.

One more thing, why it’s interesting to learn more about Microsoft information security products. Microsoft developers, obviously, have direct access to Windows source code and know better how their own OS works. Many things are much easier for them to implement than for other security vendors. So, good chances that you will see in Microsoft products some interesting features, that other vendors don’t have (yet).

Drowning in data

The event began with an opening speech by Andrey Ivanov from Microsoft Russia.

Andrey Ivanov, "Effective protection against targeted and multilevel attacks"

I liked his thesis that “we are drowning in security data”:

Threat Intelligence from different sources that need to be implemented in your infrastructure and somehow validated. A good place to mention Vulners.com vulnerability feeds 😉
Threat Detection using logs, scanners, various protection tools, etc.
The overall number of SIEM inputs is growing faster than our resources. New IT system = new problems of SIEM configuration.

So, it would be nice if somebody, for example OS vendor, will provide all this as a service, right? 😉

Detect the undetectable

Then there was the keynote by Zbigniew Kukowski – one of the leading Microsoft information security experts.

Zbigniew Kukowski, "Effective protection against targeted and multilevel attacks"

Why is it necessary?

Here is what I would like to note from his report. First of all, great arguments why it is necessary. Ok, this is marketing. But the ability to explain (to sell) necessity of information security is important skill for any information security specialist now. It does not matter if you are working in a security vendor, integrator or customer.

Zbigniew mentioned an interesting case: some Polish company, that lost $ 4.3 million in recent the Petya attack in 4 days. The cost of Information Security measures will be much less than the potential losses of business.

Another argument – attacks are not the entertainment for some individuals any more. Now it’s a well-organized criminal business. Dozens of people are working on popular malware tools, like Petya. That’s why ransomware tools are so popular now – cyber-criminals just want to return their development costs.

Continue reading →

Processing .docx and .xlsx files with Python

1 Reply

MS Office documents are probably one of the most inconvenient and poorly formalized data sources. It’s much better to keep all the data in specialized databases or at least in wiki. But in real life, MS Office documents, especially Excel and Word, are in active use in nearly every organization. Simply because it is a flexible and easy tool that anyone can use. That’s why it’s important to know an automated ways for processing such files.

Processing MS office files with python

You can easily edit .docx files without any libraries. Technically it’s just a zip archive. So, you can unzip it, make a replacement in the document.xml file and make a zip it again. It’s much better than dealing with old binary .doc files. But there are even more elegant ways.

Let’s says, we need to read data from .xlsx document and generate .docx files based on some existing template. To work with .xlsx files I will use openpyxl python library.

Continue reading →

Why you can’t update it all at once?

Leave a reply

It’s the second part of our talk with Daniil Svetlov at his radio show “Safe Environment” recorded 29.03.2017. In this part we talk about vulnerabilities in Linux and proprietary software, problems of patch an vulnerability management, and mention some related compliance requirements.

How critical these vulnerabilities are? Are they really exploitable in our infrastructure?

Video with manually transcribed Russian/English subtitles:

Previous part “Programmers are also people who also make mistakes”.

Taking about the fact that if you use fully updated software and do not use some self-written scripts, programs, then in theory everything will be safe.

But recently there was some statistics that critical vulnerabilities stay in Linux kernel about 7 years from the moment they appeared as a result of a programmer’s error till the moment they were found by our white hat researcher.

But it is not clear during these seven years if cybercriminals have found them, used them and how many systems were broken using this vulnerabilities. Not to mention that some special government services may use it too.

For example: The latest Linux kernel flaw (CVE-2017-2636), which existed in the Linux kernel for the past seven years, allows a local unprivileged user to gain root privileges on affected systems or cause a denial of service (system crash). The Hacker News

Well yes. There is such a statistic. There is also some criticism from proprietary software developers. Like you say “many eyes that looks in code will find any error.” This is a quote from Linus Torvalds, if I’m not mistaken.

Not exactly. Linus’s Law is a claim about software development, named in honor of Linus Torvalds and formulated by Eric S. Raymond in his essay and book The Cathedral and the Bazaar (1999).[1][2] The law states that “given enough eyeballs, all bugs are shallow”; or more formally: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.” Wikipedia

But in practice, yes, there are really old vulnerabilities that come up after many many years. Because apparently they did not looking for this vulnerabilities well enough.But we still don’t have anything else, except Linux kernel. Therefore, they can say anything, but they will use it anyway. It is in the first place.

Continue reading →

Programmers are also people who also make mistakes

1 Reply

It’s the first part of our talk with Daniil Svetlov at his radio show “Safe Environment” (or “Safe Wednesday” – kind of wordplay in Russian) recorded 29.03.2017. We were discussing why Software Vulnerabilities are everyone’s problem. Full video in Russian without subtitles is available here.

If we look at who commits, who adds vulnerabilities to the CVE database, they are very different people.

I added manually transcribed Russian/English subtitles to the video:

Why vulnerabilities are dangerous for business and for ordinary people?
How vulnerabilities appear in programs?
How to write code safely?
What motivates vulnerability researchers?
Vulnerabilities as a first step in writing malicious software

We wanted to talk today about software vulnerabilities. Tell me, what is it all about, why are they dangerous for business, for ordinary people and what are the difficulties with their remediation.

Speaking about vulnerabilities, it’s probably worth to tell how they generally appear in programs.

Let’s say we have a company. This company is developing some software. Some programmers work in it. Programmers are also people who also make mistakes. And if some mistakes that are directly related to the functionality of this application, can be detected quite simply in the testing process…

Are you talking about functional testing?

Yes, it is about functional testing.

QA specialists can quickly find these vulnerabilities, or these problems, these bugs. Some problems can not be detected in such a simple way. For example, some problems related to security.

Why? Because the main task of the programmers: the program should work.

Continue reading →