
Vulnerability Expert Forum

March 9, 2011

eEye Digital Security  1.866.339.3732  www.eEye.com  info@eEye.com


Agenda

• About eEye
• Microsoft’s March Security Bulletins
• Zero-Day Tracker
• Other Vendor Security Updates
• Security Landscape: InfoSec News
• Secure and Comply with eEye
• Q&A



eEye at a Glance

• Industry Pioneers
  • Leaders in IT security since 1998
  • Developed one of the first vulnerability scanners
  • Growing and profitable

• Security Experts
  • Seasoned security professionals
  • Thousands of customers
  • Some of the largest VM installations in the world

• Thought Leaders
  • World-renowned security research team
  • Trusted advisors to organizations across industries and sizes

• Award-Winning Solutions
  • Recognized product leadership
  • Securing companies of all sizes
  • Unparalleled services and support



Why eEye

The Industry Experts Say…

“Retina provides a solid feature set with easy-to-use scanning controls. It’s an excellent vulnerability scanner at a good price. This one gets our Best Buy.”

“eEye Digital Security raises the standard in enterprise endpoint protection with a management console that could almost be called next generation.”

“eEye’s security research team continues to provide good Windows vulnerability coverage and mitigation advice for zero-day vulnerabilities.”

“Retina has many desirable features…and an extremely flexible reporting portal. The product is also attractively priced.”

Making the Complex Simple
• Unified
• Efficient
• Effective
eEye Research Services

• eEye Preview
  • Advanced Vulnerability Information
  • Full Zero-Day Analysis and Mitigation
  • Custom Malware Analysis
  • eEye Research Tool Access
  • Includes Managed Perimeter Scanning

• eEye AMP
  • Any Means Possible Penetration Testing
  • Gain true insight into network insecurities
  • “Capture-The-Flag” Scenarios

• eEye Custom Research
  • Exploit Development
  • Malware Analysis

• Forensics Support
  • Compliance Review



Microsoft March Security Bulletins

• 3 Total Bulletins; 4 Issues Fixed

• Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
• Vulnerability in Microsoft Office Groove Could Allow Remote Code Execution (2494047)
• Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)



Microsoft Security Bulletin: MS11-015

• 2 Vulnerabilities Fixed in Bulletin
  • DirectShow Insecure Library Loading Vulnerability – CVE-2011-0032
  • DVR-MS Vulnerability – CVE-2011-0042

• Severity: High
• Players goin’ play…
  • DLL Hijacking & a file format vulnerability
  • Attacker must convince a user to open a WTV, DVR-MS, or MPG file; on success the attacker gains the same rights as the local user
  • Typical file format vulnerability: event log entries will record crashes in SBE.dll

• Mitigations
  • Disable the loading of DLLs from WebDAV and remote network shares
  • Disable the WebClient service
  • Restrict access to the Stream Buffer Engine (SBE.dll)
  • Ensure “Desktop Experience” is disabled on servers



Microsoft Security Bulletin: MS11-016

• 1 Vulnerability Fixed in Bulletin
  • Microsoft Groove Insecure Library Loading Vulnerability – CVE-2010-3146

• Severity: High
• Beware… Beware the Groove!
  • DLL Hijacking
  • Occurs when loading files with .vcg or .gta extension
  • Configuration is key…

• Mitigations
  • Disable the loading of DLLs from WebDAV and remote network shares
  • Disable WebClient service



Microsoft Security Bulletin: MS11-017

• 1 Vulnerability Fixed in Bulletin
  • Remote Desktop Insecure Library Loading Vulnerability – CVE-2011-0029

• Severity: High
• RDC + RCE =<3
  • DLL Hijacking
  • Occurs when loading files with .rdp extension
  • Configuration, configuration, configuration…

• Mitigations
  • Disable the loading of DLLs from WebDAV and remote network shares
  • Disable WebClient service
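MS11-015, MS11-016 and MS11-017 share the same two mitigations, and the MS11-015 slide notes that the file-format bug shows up as SBE.dll crashes in the event log. The PowerShell script below is an added example, not part of the eEye deck: it audits both mitigations on a Windows host and searches the Application log for those crashes. It assumes the Microsoft update that introduced the CWDIllegalInDllSearch registry value (KB2264107, Microsoft's documented control for blocking DLL loads from WebDAV and remote shares; not named on the slides) is installed, and that it runs from an elevated prompt.

```powershell
# Added example (not from the eEye deck). Audits the two DLL-hijacking mitigations
# listed for MS11-015/016/017 and looks for the SBE.dll crash events noted under MS11-015.
# Assumes KB2264107 is installed so CWDIllegalInDllSearch is honoured; run elevated.

$CwdKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$CwdName = 'CWDIllegalInDllSearch'

function Get-DllSearchMitigation {
    # 2 = block DLL loads from the CWD when it is a WebDAV or remote network share;
    # 0xFFFFFFFF (reads back as -1 from a DWORD) = drop the CWD from the search order.
    # Absent or 0 = unmitigated.
    $v = (Get-ItemProperty -Path $CwdKey -Name $CwdName -ErrorAction SilentlyContinue).$CwdName
    [pscustomobject]@{
        CWDIllegalInDllSearch = $v
        BlocksRemoteShares    = ($v -eq 2 -or $v -eq -1)
    }
}

function Get-WebClientState {
    # WebClient is the WebDAV Mini-Redirector that makes \\host\share WebDAV paths
    # resolvable, so a stopped and disabled service removes the WebDAV half of the exposure.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        State     = if ($svc) { $svc.State }     else { 'NotInstalled' }
        StartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        Mitigated = (-not $svc) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
    }
}

function Set-DllHijackMitigations {
    # Enforces both mitigations from the deck. -Force creates the value if it does not exist.
    New-ItemProperty -Path $CwdKey -Name $CwdName -Value 2 -PropertyType DWord -Force | Out-Null
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

function Find-SbeCrashEvents {
    param([int]$Days = 30)
    # Application Error (Event ID 1000) records whose faulting module is SBE.dll
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SBE\.dll' } |
        Select-Object TimeCreated, MachineName, Message
}

Get-DllSearchMitigation
Get-WebClientState
Find-SbeCrashEvents -Days 30
# Set-DllHijackMitigations   # uncomment to enforce both mitigations on this host
```

The CWDIllegalInDllSearch value can also be set per application under Image File Execution Options when a blanket setting breaks a legitimate tool; a crash in SBE.dll is only a lead, since the deck itself calls these typical file-format crashes.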



Microsoft Malware Protection Engine Privilege Escalation Vulnerability – February 2011

• 1 Vulnerability Fixed
  • Error Caused by Scanning a Malformed Registry Key – CVE-2011-0037

• Details
  • Error in the Malware Protection Engine triggered by a crafted registry key
  • Could allow an attacker to execute code in the context of SYSTEM
  • Engine is a part of many Microsoft services:
    • Antigen for Exchange, SMTP Gateway – Not Affected
    • Defender, Forefront Client, Security Essentials

• Mitigating Factors
  • Turn-around time for a fix was very tight; the attack surface dried up quickly
  • Attacker would need valid logon credentials, but since this is a privilege escalation vulnerability it does not matter which account the attacker compromised



Zero-Day Tracker

Known Days of Exposure

www.eeye.com/zdt



VEF Contest

• Congrats to Mike Katz from California on winning last month’s contest

• You must post a comment on the “What Do You Think About VEF” blog post on the eEye blog found at http://blog.eeye.com
  • We will pick someone at random from the responses posted
  • Give us your Questions, Comments, and Suggestions!

• You must post your comment on the eEye Blog by Friday 03/11 at noon PST

• Prize: New Amazon Kindle + $25 Amazon gift card



Oracle Java Updates – February 2011

• Java
  • 21 Total Vulnerabilities Fixed in JRE, JDK, and JDB
  • 8 Scoring a 10.0 CVSS v2 Base Score
  • Vulnerabilities Affecting Deployment, Sound, Swing, HotSpot, Install, JAXP, 2D, Java Language, JDBC, Launcher, Networking, XML Digital Signature, Security sub-components
  • All except 2 Vulnerabilities are Exploitable Without Authentication

• Additional Information
  • JRE/JDK 1.5.x/1.4.x/1.3.x updates are available only through Vintage Support or Java SE for Business contracts
  • Other Vendors To Follow Suit with Updates



Mozilla Updates – March 2011

• Firefox and SeaMonkey
  • 11 Vulnerabilities Fixed in Firefox 3.6.14
  • 11 Vulnerabilities Fixed in Firefox 3.5.17
  • 10 Vulnerabilities Fixed in SeaMonkey 2.0.12
  • Vulnerabilities could lead to CSRF Attacks, Remote Arbitrary Code Execution, Arbitrary JavaScript Code Execution with Chrome Privileges, Forced Dialog Responses, or Application Crashes
  • Firefox 3.5.17 addresses CVE-2010-3777

• Thunderbird
  • 4 Vulnerabilities Fixed in Thunderbird 3.1.8
  • Vulnerabilities could lead to Remote Arbitrary Code Execution, Arbitrary JavaScript Code Execution with Chrome Privileges, or Application Crashes



Apple Updates – March 2011

• iTunes
  • 57 Total Vulnerabilities Fixed
  • Vulnerabilities caused by crafted Web Content, Images, and XML Files
  • Vulnerabilities could lead to Arbitrary Code Execution, Denial of Service Conditions, Information Disclosure, or Arbitrary Script/HTML Code Injection

• Java
  • 16 Total Vulnerabilities Fixed
  • Vulnerabilities could lead to Arbitrary Code Execution Outside Java Sandbox or Cause Denial of Service Condition
  • Other Unspecified Vulnerabilities could affect Confidentiality, Integrity, and/or Availability

• Safari
  • 62 Total Vulnerabilities Fixed
  • Vulnerabilities could lead to Arbitrary Code Execution, Information Disclosure, Cross-Origin CSS Injection, Cache Poisoning, Cross-Site Scripting Attacks



Security Landscape – More than a Microsoft World

• CTO/CSO/CxO News
  • French Government Hacked
  • Canadian Government Hacked
  • South Korean Government DDoSed

• IT Admin News
  • WHOIS Problem Reporting System Gains Privacy
  • IPv6 Spam-Filtering Nightmare (Death of the Blacklist)
  • Risk Metrics Are Cr@p

• Researcher News
  • OSX Trojan
  • Mac fail: SSD Security
  • Android Malware Clean-up Exposes Reliance on Mobile Carriers to Push Out Updates



Connect with eEye

• http://blog.eeye.com
• http://www.facebook.com/eEyeDigitalSecurity
• http://www.twitter.com/eEye
• http://www.YouTube.com/eEyeDigitalSecurity



eEye Unified Vulnerability Management

MANAGE AND REPORT
• End-to-end vulnerability and compliance management
• Assess, mitigate, and protect from one console
• Centralized management, reporting, and controls
• Advanced trending and analytics

ASSESS
• Vulnerability Scanning
• Configuration Auditing
• Asset Discovery & Inventory
• Risk Scoring
• Zero-Day Vulnerability Identification
• Vulnerability Reporting
• Compliance Auditing

MITIGATE
• Integrated Patch Management
• Prioritized Mitigation
• Security Alerts
• Prescriptive Remediation Reporting

PROTECT
• Zero-Day Protection
• Intrusion Prevention
• Web Protection
• Application Protection
• System Protection

SECURITY RESEARCH

• Automation and Efficiency = Minimized Risk and Lower TCO



Start Today

Visit eEye
http://www.eEye.com
• About Us, Solutions, Awards, Resources, Downloads

Visit the eEye Security Resource Center
http://www.eEye.com/Resources
• Demos, Guides, Whitepapers, Videos, Webinars, Events

Contact Us
1.866.339.3732 or research@eEye.com
