Microsoft's eighth Blue Hat conference will take place on Thursday and Friday at the software giant's Redmond, Wash., campus. Entitled "C3P0wned," the invitation-only conference features two full days of sessions.
Day one features a select group of security researchers, with team members from Microsoft Security Development Lifecycle (SDL) presenting on the second day. It is an opportunity for Microsoft engineers to hear first hand from leading security researchers. The last Blue Hat conference was held in April.
Of interest on day one is a talk by Dan Kaminsky, director of penetration testing at IO Active, who will provide additional details on the DNS flaw he disclosed earlier this year. Other talks will touch on crimeware, profiling using the Internet, cascading style sheet (CSS) injections, visualizing software security, and how to use code characteristics to find security bugs.
Day two kicks off with a keynote from Scott Charney, corporate vice president of Trustworthy Computing. Other sessions that day include talks about threat modeling, "fuzzing," concurrency attacks on Web applications, analyzing threats before writing code, and how Microsoft mitigations currently work. Microsoft's Trustworthy Computing group will be heavily represented, with department members heading up several of those talks and panel discussions.
The complete Blue Hat schedule is posted here, and Microsoft has a related blog here.
With the release of Mac OS X 10.5.5 on Monday, the Cupertino, Calif., computer company provided patches for almost three dozen software flaws. Some of the fixes are specific to Apple features, such as image processing and Finder. Other fixes are updates to various open-source projects including Bind, ClamAV, OpenSSH, and Ruby.
Version 10.5.5 can be obtained from the Apple Software Downloads page.
ATS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue in CVE-2008-2305 in which viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this vulnerability.
BIND
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update upgrades users to BIND version 9.4.2-P2, which addresses performance issues associated with BIND version 9.4.2-P1.
ClamAV
This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerabilities detailed within CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, and CVE-2008-3215 by updating Mac OS users to ClamAV version 0.93.3.
Directory Services
This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed in CVE-2008-2329, in which a person with access to the log-in screen may be able to list user names. Apple says an information disclosure issue exists in Log-in Window when it is configured to authenticate users with Active Directory. "By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed."
Directory Services II
This patch affects users of Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4. The update addresses the insecure file operation vulnerability within CVE-2008-2330, in which a local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.
On Tuesday, Apple released iPod Touch version 2.1 to address several security issues. Among them are the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Other issues include vulnerabilities in Webkit, CoreGraphics, and the Application Sandbox.
Earlier on Tuesday, Apple released updates to its QuickTime media player.
Apple notes that this update is only available through iTunes as part of the iPod Touch updating process and will not appear in your computer's Software Update application, nor can it be found on the Apple Downloads site.
Application Sandbox
This patch affects users of iPod Touch v2.0 through v2.0.2. The update addresses the information disclosure vulnerability detailed within CVE-2008-3631. Apple says "the Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox and lead to the disclosure of sensitive information." Apple credits Nicolas Seriot of Sen:te and Bryce Cogswell for reporting the vulnerability. This issue does not affect iPod Touch versions prior to v2.0.
CoreGraphics
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the FreeType v2.3.5 vulnerabilities within CVE-2008-1806, CVE-2008-1807, CVE-2008-1808. Apple says the most serious of these vulnerabilities may lead to arbitrary code execution when accessing maliciously crafted font data.
mDNSResponder
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the cache poisoning vulnerability within CVE-2008-1447. Apple explains that mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information.
Networking
This patch affects users of CVE-2008-3612. The update addresses the memory corruption issue vulnerability details within CVE-2008-3626. Apple says the TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection.
WebKit
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses a vulnerability detailed within CVE-2008-3632. Apple says that a use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution.
Apple on Tuesday released Bonjour for Windows 1.0.5., patching the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Bonjour for Windows can be found within iTunes. Earlier on Tuesday, Apple released DNS patches for iPod Touch. Bonjour for Windows 1.0.5 may be obtained downloading iTunes 8.0 or from Apple Software Downloads.
mDNSResponder 1
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses null pointer reference issue in CVE-2008-2326. Apple says the problem within Bonjour Namespace Provider lies in resolving a maliciously crafted ".local" domain name containing a long DNS label. Doing so may cause an unexpected application termination. This issue does not affect systems running Mac OS X.
mDNSResponder 2
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses the vulnerability detailed within CVE-2008-3635. Apple explains that "Bonjour for Windows provides Zero Configuration Networking, Multicast DNS, and Network Service Discovery for Windows users. It's also possible to use the Bonjour API to issue conventional unicast DNS queries. A weakness in the DNS protocol may allow a remote attacker to spoof DNS responses. As a result, if there are applications that use Bonjour for Windows for unicast DNS, those applications may receive forged information. However, there are no known applications that use the Bonjour APIs for unicast DNS hostname resolution." This issue does not affect systems running Mac OS X.
LAS VEGAS--Speaking before a packed audience, researcher Dan Kaminsky explained the urgency in having everyone patch their systems: virtually everything we do on the Internet involves a Domain Name System request and therefore is vulnerable.
Expectations were running high before Wednesday morning as Kaminsky, director of penetration testing for IOActive, had revealed little about his DNS vulnerability up till then. That didn't stop others from trying to figure it out. But that actually helped Kaminsky in the end; it meant during his speech, he was able to skip the what and go directly to the why.
Security researchers always thought it was hard to poison DNS records, but Kaminsky said to think of the process as a race, with a good guy and bad guy each trying to get a secret number transaction ID. "You can get there first," he said, "but you can't cross finish line unless you have the secret number."
The question is why would someone bother? Well, Kaminsky talked about how deeply embedded DNS is in our lives. Kaminsky said there are three ages in computer hacking. The first was attacking servers (for example FTP and Telnet). The second was attacking the browsers (for example Javascript and ActiveX). We're now about to enter the third age, where attacking Everything Else is possible.
We know that if we type a name.com into a browser, the DNS resolves it to its numerical address. But what we don't realize is that same process occurs when we send e-mail or when we log onto a Web site. These also require DNS lookup.
Kaminsky then detailed how various security methods on the Web can be defeated if one owns the DNS. For example, if a site wants to establish a Trust Authority Certificate with the Certificate Authorities, they use e-mail to confirm the identity of the requester. He also said that it's possible to poison Google Analytics and even Google AdSense, which also rely on DNS lookup.
Prior to the patch, the bad guy had a 1 in 65,000 chance of getting it because the transaction ID is based, in part, on the port number used. With the patch, the chances decrease to 1 in 2,147,483,648. Kaminsky said it's not perfect, but it's a good enough start.
LAS VEGAS--Black Hat 2008 is bigger, and some might say better. Occupying most of the third and fourth floors of the convention hall at Caesars Palace, the conference started on Saturday with two- and four-day training sessions that continue through Tuesday.
The "public" part of Black Hat runs Wednesday and Thursday and features speakers in 15 separate tracks. One of the tracks will consist of Turbo talks of 20 minutes each. After those, there will an opportunity for the audience to talk with some of the speakers in a another room.
Wednesday starts with a bang with Billy Rios and Nitesh Dhanjani reprising their Black Hat DC talk "Bad Sushi." Then high expectations are running high as Dan Kaminsky reveals more about his DNS vulnerability. Petko Petkov will be talking on Client-side security and Joe Stewart talking on the protocols and encryption of the Storm worm. Brian Chess and Jacob West will host the second annual Iron Chef Black Hat. Tom Stracener and Robert Hansen will present on vulnerabilities with Google Gadgets and Bruce Potter will talk about malware detection using network flow analysis. Then Jim Christy returns with the annual Meet the Feds panel with Federal agents from various agencies.
Events continue into the evening with the annual Hacker Court, a mock trial on some topical issue. At the same time there will be a presentation on recommendations for the 44th Presidency around cybersecurity.
Thursday starts with Shawn Moyer and Nathan Hamiel presenting Satan is on my Friends List, a talk about social networking evil. Then Billy Hoffman on Circumventing Automated JavaScript Analysis Tools. Lukas Grunwald on Federal Trojans. Karsten Nohl on MiFare hacking. Jeremiah Grossman and Arian Evans on making money on the Web, the Black Hat way. And Rob Carter and others will talk on a hybrid file format that combines GIF images with Java Archive Sets. Calling these files GIFARs, the speakers say this intersection of Javascript with images could pose a difficult problem in the near future. Christopher Tarnovsky will talk on exploiting Secure Smartcards and Microcontrollers.
Preceding the talks on both Wednesday and Thursday will be a keynote. On Wednesday, Ian Angell, Professor of Information Systems, London School of Economics, will talk on "Complexity in Computer Security--a Risky Business". On Thursday, Rod Beckström, director of the National Cyber Security Center (NCSC) will talk on "Natural Security."
So far the only controversy concerns Apple. Last week one researcher announced he would not present his talk on the Apple FileVault, then it was announced that a second talk on security practices at Apple was also withdrawn by the panel moderator.
For the first time, Black Hat 2008 will borrow the "Wall of Sheep," a display of unprotected wireless networks sniffed at the conference, from it's sister conference, Defcon, which begins on Friday at the Riveria, just up the street.
If you haven't heard about the current DNS vulnerability, here is a Reader's Digest-like summary. Security guru Dan Kaminsky found a vulnerability that could give the bad guys a relatively easy way to redirect Internet traffic. For example: You might think you are logging on to Bank of America's Web site. But instead, some hacker may have just exploited a domain name system vulnerability and is now in control of your identity.
Kaminsky deserves credit for finding this flaw and alerting the Internet community so it could fix the problem. This effort is well under way, but according to an article in yesterday's New York Times, Kaminsky believes that 41 percent of all DNS servers are still vulnerable, meaning that no one has patched these systems with new software that closes this gaping security hole.
The danger here is that most of the world will shrug its collective shoulders, dismissing this as a technology problem. The truth is that this is the Internet equivalent of a bridge collapse on Interstate 35W in Minneapolis. This disaster demonstrated that a critical piece of infrastructure was badly in need of repair. Unfortunately, the same is true of DNS, a critical but rickety technology.
Clearly the folks who control most of the Internet infrastructure get this. Comcast and Verizon have already patched their DNS servers, while AT&T is in the process of doing so. Great, but what about all of the companies with a large Internet presence? This is where the Internet may be most vulnerable, folks. According to ESG Research, 48 percent of large organizations (i.e. 1,000 employees or more) experienced at least one DNS outage in the past 12 months. What's more, 42 percent of these companies consider patching and upgrading DNS a time-consuming operational process. Given these statistics, my guess is that a lot of enterprises believe that the DNS problem doesn't really impact them, that it is really an Internet infrastructure problem. This is a misguided and dangerous perspective.
DNS anchors all Internet communications, thus it should be considered critical infrastructure. It's time that enterprise organizations realized this and started treating it accordingly. Hopefully Kaminsky's discovery will act as a change agent to fix the problem. Otherwise, we could all be in trouble.
Updated 2:50 p.m. PDT with comments from security researcher Rich Mogull.
Three weeks after the disclosure of a serious flaw within the Domain Name System (DNS), Apple has yet to patch its MAC OS X operating system, but the company may be able to look to a third party in defense.
In a posting to an Internet newsgroup on Monday, Paul Vixie of the Internet Systems Consortium (ISC) acknowledged that the Berkeley Internet Name Domain (BIND) DNS Server's recent -P1 releases may be unstable for some users. The BIND DNS Server is used on the vast majority of name serving machines on the Internet and provides an openly redistributable reference implementation of the major components of the Domain Name System.
Vixie, one of the researchers briefed in advance of the DNS flaw disclosure by Dan Kaminsky, said that once ISC learned of the problem, it began work immediately on a patch.
However, "during the development cycle we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000/queries per second. Given the limited time frame and associated risks we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns."
Vixie underscored that having the DNS patch was more important than worrying about slow server problems. He said that ISC will be releasing versions of 9.3.5-P2, 9.4.2-P2, and 9.5.0-P2 at the end of this week.
Separately, security researcher Rich Mogull of Securosis.com echoed that having a DNS patch was better than not having one.
In a blog last week co-authored with Glenn Fleishman, Mogull commented on Apple's lack of a patch. He wrote: "Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
In an e-mail to CNET News, Mogull said "Apple may be stuck between a rock and a hard place on this one, but they've chosen the worst possible option--remaining silent."
He went on to say that we don't know how the BIND instability affects the Mac OS X Server.
"If it were unstable, my recommendation would be to make a preliminary patch available that those using it as a recursive DNS server can apply. With an active exploit, no patch at all is not a viable option and places customers at high risk. Let the customers make their own risk decision."
Mogull suggests that those savvy with compiling code could still install their own version of 9.5.0-P1 to a Mac OS X Server or "reconfigure those servers to forward DNS requests to alternative platforms, such as BIND on Linux or Unix, or Microsoft servers, until Apple issues a patch."
Current attacks in the wild only affect DNS caching on Web servers, said Mogull in his blog, so desktop MAC OS X users need not be concerned just yet.
Apple had no comment to a request from CNET News regarding the status of a Mac OS X DNS patch.
In his first public comments since his Domain Name System (DNS) cache poisoning flaw was made public, Dan Kaminsky said in a conference call on Thursday he doesn't want to parse who said what when. He just wants everyone to understand that they must patch their systems now.
Speaking during the second pre-Black Hat security conference Webinar, Kaminsky, who's director of penetration testing for IOActive, provided the most information to date about the DNS flaw he found earlier this year but only disclosed in public on July 8. DNS is what translates the common name of a Web site into its numerical IP address, and is therefore a fundamental component to the Internet. His announcement coincided with a massive, multivendor patch release. But he withheld details, hoping that most people would get their systems patched before the bad guys got a hold of it.
Kaminsky said the word is getting out about the patches, but there are still many systems that are vulnerable. From the period of July 8 through July 13, 86 percent of the people testing their system on his Web site were vulnerable. Today it's 52 percent. "Not perfect; not even good enough," he said. But "I'll take 52 any day of week and twice on Sunday."
He started off by saying that he was trying to find a way to do content distribution using DNS when realized the problem. "How much trouble are we in? A lot."
Of the public discussion from individuals within the security community, Kaminsky said Halvar Flake's speculation was the closest. For those who said they knew of flaws in DNS before today, Kaminsky said "you didn't know this one."
Dan Kaminsky
(Credit: Declan McCullagh/CNET News)Kaminsky described the flaw he's been working on as containing three flaws; two have been known, but one was not. Security researchers always thought it was hard to poison DNS records. He said to think of the process as a race, with a good guy and bad guy each trying to get a secret number transaction ID. "You can get there first," he said, "but you can't cross finish line unless you have the secret number." The good guy will always have it, but the bad guy has a 1 in 65,000 chance of getting it because the transaction ID is based in part on the port number used.
One bug with DNS is that the bad guy can start the race anytime he wants. If he doesn't know the transaction number, he can always guess. Another fundamental flaw is that there will be multiple bad guys trying to guess the transaction number. The flaw Kaminsky found that builds on the first two is that not only can multiple bad guys participate in a single race, but there can also be multiple races. The example he gave was www.blackhat.com. A bad guy shouldn't just try to guess the transaction ID for that address, but also for 1.blackhat.com, 2.blackhat.com, etc.
Everyone thought, he said, if "one sets a long time to live (TTL), say, for one year, that would work." But Kaminsky found that going to look up 1.blackhat.com, 2.blackhat.com, etc, he can find the name server and then guess the transaction ID. Kaminsky said the process of getting a response is about 10 seconds.
"Patch is the way to go; it shuts down the attack vector," said Jerry Dixon, former director of National Cyber Security Division of DHS. This was echoed by Rich Mogul of Securosis, and by Joao Damas, a senior program manager at the Internet Systems Consortium.
Kaminsky said the current patch has made exploits thousands of times harder--one in several hundred million, "not infinity." The bug is core to the design; it's fundamental to the design."
What have we learned? "We learned what needs to be done to fix the Net in the future. I await the security community's judgment on what we've done."
As for the long-term "Where do we go from here?" Kaminsky said there's going to be an awesome debate about that.
On August 6, Kaminsky will present "End of Cache as we know it" at Black Hat in Las Vegas.
On Wednesday, an exploit code allowing someone to attack the domain name system (DNS) became available. No one has yet used the code, but the advice is simple: Patch. Now. While most of the burden is on the Domain Name System servers and the various systems that support them, the nature of the flaw is such that desktop clients also need to patch their software as well.
First, to determine whether your DNS system is vulnerable, use either of these tests:
If the test returns a message similar to "Your name server, at 2xx.2xx.1xx.1x, appears vulnerable to DNS Cache Poisoning," then you may need to patch your desktop system.
Windows users
If you automatically apply Microsoft Updates to your Windows computer, you should have received Microsoft Security Bulletin MS08-037; if you don't automatically apply updates, you should click the link and apply this patch ASAP.
ZoneAlarm users
If you use ZoneAlarm, however, make sure you are running the latest release, 7.0.48, before installing MS08-037. There is a known incompatibility with the Microsoft patch and older versions of ZoneAlarm.
Mac or Linux users
If you are running Mac OS or Linux, see this US CERT page for the latest patch details. As of Thursday, Apple has not issued a patch for its Mac OS X operating system.
Still, in the end, protection from any DNS exploit also depends on your upstream ISP providers. As of Monday, researcher Neal Krawetz was reporting that servers at several high-profile ISPs remained vulnerable.
