April 2004

Its the second Tuesday of the month again- and that means Microsoft Security Bulletins! This month Microsoft released four new Security Bulletins: MS04-011, MS04-012, MS04-013 and MS04-014.

MS04-011 is a security roll-up package. It is not a cumulative patch because it does not include ALL previous patches, but it does contain patches and updates to fix a number of very serious vulnerabilities in Windows.

The MS04-012 Security Bulletin does contain a cumulative patch which includes all prior patches and updates for the RPC / DCOM vulnerabilities (the flaws that were targeted by worms such as MSBlast and Nachi) as well as addressing a couple of newly discovered RPC / DCOM flaws.

MS04-013 is a cumulative security update for Outlook Express. This patch also addresses a new vulnerability that should concern just about every Windows user out there. The latest Outlook Express vulnerability is particularly critical because it has the potential to be exploited whether you actually use Outlook Express or not.

MS04-014 is related to a flaw in the Microsoft JET Database engine. An attacker who exploits this vulnerability may be able to take complete control of the vulnerable system. Before you start thinking this doesn’t apply to you, the JET Database engine is used by a number of products and may be installed on your system even if you aren’t aware of it.

Tags: 2004 by Tony Bradley
Comments Off

Metasploit Framework

The Metasploit Project is ostensibly a group formed to “provide useful information to people who perform penetration testing, IDS signature development, and exploit research.”

Their latest release, the Metasploit Framework version 2.0, claims to be “an advanced open-source platform for developing, testing, and using exploit code.”

While it is true that the tools and functionality built in to the Metasploit Framework might prove valuable for a security auditor or penetration tester to use in verifying the security of a system or network, it is probably as true or more so that script-kiddies and other wannabe hackers or developers of malicious code might put this tool to use as an express lane or fast track to help them create exploits and malware.

I don’t really know enough about the Metasploit Project or the developers who have worked on this utility to say whether their motives were pure. It seems that often the line between providing network security and breaking network security is a thin one and it doesn’t take much for some otherwise rational people to accuse security researchers or administrators of less than honorable intentions. Some presume that anyone in network security is also a hacker on the side and many question the true intent of tools which double as powerful weapons for script-kiddies.

Even if we assume that their goal truly is to provide useful information and tools to help further the cause of development and security research, it doesn’t change the fact that the tool is available for all to download and there is no way to predict or control what the end user will do with it.

The Metasploit Project says that their Metasploit Framework can be compared with expensive commercial products such as Immunity’s CANVAS or Core Security Technology’s Core Impact. These tools also provide the same or similar functionality. One of the main reasons that they have not come under the scrutiny that the Metasploit Framework has is the pricetag. Since few can afford these packages they pose little risk, but if you take that same power and distribute it freely there is a greater concern that the wrong people will use it for the wrong reasons.

The Metasploit Framework seems to be a powerful tool. I downloaded a copy myself to play with- on my own network against my lab computers. I think that for security administrators it may prove valuable in the battle to ensure your computer and network security and make sure you are protected. But, I think we may also start to see new exploits and malware hitting the streets once the script-kiddies start playing with this tool and learning just how powerful it can be as a weapon.

Tags: Vulnerability Scanners by Tony Bradley
Comments Off