code execution Archives

Home » code execution

Microsoft looks back at MS08-067

Dave Farquhar security September 29, 2015September 27, 2015certification test, code execution, Information Assurance, vulnerability, windows 2000, Windows XP

The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.

Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.

Dave Farquhar

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.

dfarq.homeip.net

Cross site scripting explained

Dave Farquhar security June 4, 2015April 3, 2021code execution, demonstration

In many security job interviews, the interviewer will ask about cross-site scripting, also known as XSS. Most descriptions of it are overly complex, however. The best description of it that I’ve ever heard is just five words long: Code execution in the browser. That’s cross site scripting explained as succinctly as possible.

That succinctly sums up the problem: You don’t want someone to be able to inject their code into your site.

Dave Farquhar

dfarq.homeip.net

What is Winshock?

Dave Farquhar security, Windows December 3, 2014December 2, 2014antivirus, code execution, excel, IBM, ips, Patch Tuesday, SSL, symantec, TLS, vulnerability, windows 7, windows 8, windows 9x, windows nt, Windows Server, Windows XP

So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.

Dave Farquhar

dfarq.homeip.net

Bash is worse than heartbleed! Oh noes!

Dave Farquhar security September 25, 2014September 24, 2014Blade, BSD, code execution, datacenter, debian, mac os x, os x, proprietary unix, SSH, unix, vulnerability

A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.

This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this. Read more

Dave Farquhar

dfarq.homeip.net

More Home Depot details emerge

Dave Farquhar security September 22, 2014September 20, 2014antivirus, breach, Brian Krebs, code execution, Data breach, home depot, malware, Payment systems, Retailing, vista, vulnerability, Windows Server, Windows Server 2003, Windows Vista, Windows XP

Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.

The breach involves about 56 million cards, making it a bigger breach than Target. Read more

Dave Farquhar

dfarq.homeip.net

Why you need to guard your Backup Exec servers

Dave Farquhar security March 4, 2014February 28, 2014Backup Exec, code execution, passwords, symantec

If you have a Windows domain, there’s a fairly good chance you have Backup Exec servers, because you probably want to take backups. Because you need them. (As a security guy, I no longer care how you get backups; just that you’re getting them somehow.) Backup Exec is a popular solution for that. But there’s a problem.

A security problem, that is. The quality of Backup Exec as a product hasn’t been my problem since 2005. The problem I have with it now is that Backup Exec stores its passwords in a database. The passwords are encrypted, but it’s possible to decrypt the backup copy, if you’re determined enough.

Dave Farquhar

dfarq.homeip.net

Time to update Flash again. This is a big one.

Dave Farquhar security February 6, 2014November 3, 2025Adobe Flash, Ars Technica, code execution, psi

There’s an exploit in Flash, on all platforms, being actively exploited in the wild. Adobe rushed out an update. It allows remote code execution, so this one is as bad as it gets.

Installing EMET is a potential mitigation against Flash exploits, so if you’re running Windows, protecting Flash with EMET is an extremely good idea. Uninstalling Flash is an even better idea, but I don’t think HTML5 is quite ready to replace this scourge of computing security just yet.

I noticed that Secunia PSI automatically updated Flash on all of my machines, which was nice.

See, security doesn’t have to be painful.

Dave Farquhar

dfarq.homeip.net

Upgrading a D-Link DIR-615 to DD-WRT

Dave Farquhar DD-WRT, Hardware, security, Servers and Networking December 2, 2013January 31, 2022AES, CGI, code execution, d-link, dd wrt, DDWRT, firefox, Micro Center, Universal Plug and Play

Last year I bought my mother in law a D-Link router, an oddball DIR-615 revision E1 that was only sold at a few stores. It was supposed to be a Fry’s exclusive, but I bought hers at Micro Center. It worked for a while, then gave her trouble, so this year I was working with it again, and when I was setting it up, I noticed it had some security vulnerabilities–remote code execution, UPnP vulnerabilities, and who knows what else. So that got me some practice upgrading a D-Link DIR-615 to DD-WRT.

DD-WRT’s track record and attitude towards security research could be better, but I’d rather trust my mother in law to DD-WRT’s B+ security than D-Link’s F.

Dave Farquhar

dfarq.homeip.net

Microsoft’s bug bounty is a step in the right direction

Dave Farquhar security, Windows June 27, 2013March 25, 2025code execution, oracle, PR, Steve Ballmer, windows 8, Windows XP

Last week, Microsoft announced it’s offering a bug bounty program. Find a working exploit in Windows 8.1/blue/whatever it’s called this week, and Microsoft will hand over $100,000. Find a mitigation for that exploit, and Microsoft will pony up for that to, up to $50,000.

I think I know what they’re up to. Read more

Dave Farquhar

dfarq.homeip.net