Tuesday, February 24, 2009

Adobe Vulnerability APSB09-01

In Adobe's bulletin released last Friday there are 3 solutions to reduce your chances of getting exploited. The first is to disable JavaScript in Adobe Reader by going (in Adobe) Edit > Preferences > JavaScript and unchecking the "Enable Acrobat JavaScript" option. That is fine for the everyday user but not quite a good fix for an enterprise of any size. To accomplish this I found a script located on the internet and modified it to disable Acrobat's JavaScript.

I built the batch file to do a few things including:
a. Add a HKLM key at HKLM\Software\Adobe\Acrobat Reader\8.0\JSPrefs
b. Add a DWORD value under that key called "bEnableJS" with a value of 0
These two steps disable Acrobat JavaScript for all users except those people who have clicked the box manually and created other keys under HKCU.

Next I attempt to change the HKCU values (if generated) to 0 thus disabling the Acrobat JavaScript for all users.

Below is the script:

-------------------------Start Script ---------------------------------
setlocalset regpath=%SystemRoot%\system32\reg.exe
set keypath=Software\Adobe\Acrobat Reader\9.0\JSPrefs
set valuename=bEnableJS
:: update current user
set hive=HKCU
set key=%hive%\%keypath%
:: Add a Master Disable for all users by using HKLM
%regpath% add "HKLM\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /f >nul
%regpath% add "HKLM\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul:: Remove Javascript for all individual who have explicitly enabled it.
%regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul:: update all other users on the computer, using a temporary hive
set hive=HKLM\TempHive
set key=%hive%\%keypath%:: set current directory to "Documents and Settings"
cd /d %USERPROFILE%\..
:: enumerate all folders
for /f "tokens=*" %%i in ('dir /b /ad') do ( if exist ".\%%i\NTUSER.DAT" call :AddRegValue "%%i" ".\%%i\NTUSER.DAT")endlocalgoto :EOF:AddRegValue
set upd=Yif /I %1 equ "All Users" set upd=N
if /I %1 equ "LocalService" set upd=N
if /I %1 equ "NetworkService" set upd=Nif %upd% equ Y (
%regpath% load %hive% %2 >nul 2>&1
%regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul 2>&1 %regpath% unload %hive% >nul 2>&1
)
-----------------------End Script--------------------------
Note: Change all instances of "8.0" to "9.0" in the script for it to work with Acrobat Reader 9.0



Feel free to modify and use the script but like everything else, test it before you put it into production. I take no responsibility for what you do with it and any results that it might cause.

Thanks to the guys at http://www.ureader.com/ for the original script that I modified to get this running.

Windows Server 2003 Cannot Execute Network File

On Windows 2003 Servers by default you cannot double click on an exe that is located on a file share or you will get the following error:

"Windows cannot access the specified device, path, or file. You may not have the appropiate permissions to access this item."

To get around this issue you can copy the file to your local drive, right click on the file and select properties. On the bottom of the General screen you will see a warning that the file is from another computer (This file came from another computer and might be blocked to help protect this computer) click "Unblock" and you can now execute the file.

or Uninstall the "Internet Explorer Enhanced Security Configuration".

Windows Server 2003 VM Running Exchange with Random Bluescreening

I have a Microsoft Exchange 2007 server (x64) that was originally on a physical piece of hardware. However we have P2V'd it into a guest on a VMware ESX host and it seems to be running normally except for one little detail: It bluescreens every 15 or 20 days with the following information:

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 1/31/2008
Time: 8:34:36 AM
User: N/A
Computer: SMTP2
Description:Error code 00000000000000d1, parameter1 0000000000000019, parameter2 0000000000000002, parameter3 0000000000000001, parameter4 fffffadfd99f4e5b.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.Data:0000: 53 79 73 74 65 6d 20 45 System E0008: 72 72 6f 72 20 20 45 72 rror Er0010: 72 6f 72 20 63 6f 64 65 ror code0018: 20 30 30 30 30 30 30 30 00000000020: 30 30 30 30 30 30 30 64 0000000d0028: 31 20 20 50 61 72 61 6d 1 Param0030: 65 74 65 72 73 20 30 30 eters 000038: 30 30 30 30 30 30 30 30 000000000040: 30 30 30 30 31 39 2c 20 000019, 0048: 30 30 30 30 30 30 30 30 000000000050: 30 30 30 30 30 30 30 32 000000020058: 2c 20 30 30 30 30 30 30 , 0000000060: 30 30 30 30 30 30 30 30 000000000068: 30 31 2c 20 66 66 66 66 01, ffff0070: 66 61 64 66 64 39 39 66 fadfd99f0078: 34 65 35 62 4e5b

It seems fairly random and there is not a whole lot to go on as far as troubleshooting... I found a MS patch (kb950772) that is supposed to fix "A computer that is running an x64-based version of Windows Server 2003... randomly restarts and then generates a Stop Error" After applying the patch the box seems stable and has yet to throw a stop error.

Patch Details at: http://support.microsoft.com/kb/950772

Monday, February 23, 2009

Allowing PPTP Through Cisco ASA 5510

Pretty simple fix for a Cisco ASA5510 that does not allow PPTP traffic.

>Config t
>class-map inspection_default
>Policy-map global_policy
>class inspection_default
>inspect pptp
>service-policy global_policy global
>write

Cannot Connect to Cisco ASA 5510 with ASDM

So, we have a couple Cisco ASA 5510 security appliances that we are working on. Here is the catch, when you attempt to connect to them using the ASDM tool downloaded from the device (or the CD from Cisco, or a download from Cisco's website) you get a connection error "ASDM cannot read the configuration from the ASA". After ensuring that the networking was indeed correct and I could reach the device I discovered (after several hours) that the ASDM is java based and that the version of java that I was using (Java 6 Update 11) was simply too new for the ASDM. To fix this I had to downgrade my java to Java 5 Update 17 and bingo, the ASDM could now talk to the ASA.

Next I was able to upgrade the via the ASDM the ASA's Software and ASDM software. Once updated to the newest versions (8.01 and 6.1551 respectivly) I was able to re-download the ASDM client from the device and use the newest java version.

IT Security Top 10 Tips for 2009

I got to help write the Top 10 Security Tips for 2009 for our employees and this is what we came up with. I think it is a good security overview for the normal everyday user.

#10 Wifi: As you travel around you will frequently see “Free Public Wifi” in your list of available wireless networks. This is almost always a VIRUS on someone’s computer trying to get you to connect so it can infect you also. Think of this as the “free public used gum” stuck under your desk. DO NOT ‘connect’ to it for any reason. Never connect to any Wi-Fi you do not fully trust; unless of course you like hackers using your identity or credit cards…

#9 Fake News Emails: Never click on any links in an email from CNN or MSNBC, or any other "news alerts" that you have never subscribed to. No matter how realistic it looks. Usually they start with a very absurd or weird story such as "Britney Spears killed in a car accident or Bigfoot found in new jersey, etc.." Even if you have subscribed to news alerts it is best to be cautious when following links.

#8 Fake “tracking number” Emails: If you get a "UPS tracking " attachment never ever open these attachments, they are virus's. They also appear to come from FedEx, USPS, etc… A valid tracking email will never have an attachment.

#7 Fake “Greeting Cards”: Never open a email postcard (Hallmark e-card is the most popular) unless it’s your birthday and it’s from someone you expect it from. This is the main delivery mechanism of most of our virus’s today. Also, an e-card will never have an attachment with a .exe extension.

#6 Lock your Desktop when not in use and have a screensaver password. Also lock your mobile devices (phone) with a password. If you don’t lock the doors then it does not make much sense to bar the windows. Don’t make it easy for hackers or others who would want to cause damage.

#5 Fake Instant Messages: Many people here use IM to communicate. It is a great tool but you need to be suspicious of hyperlinks; even if the link appears to be from your friends or coworkers. When a computer gets infected by a virus it is not uncommon for it to steal the address book and email/IM all of that persons contacts with the same virus. Best rule of thumb: Don’t follow hyperlinks

#4 Don’t put every CD you get mailed or USB key you find lying in the parking lot into your PC, they can “auto-install” a virus onto your PC or do many other nasty things. You didn’t just win a free prize, this is like the “free used gum”; besides it is a very well known technique for hackers and pen-testers alike. Again, don’t make it easy for the bad guys.

#3 Make sure you have Antivirus Installed and make sure that it has recent definitions, if you AV software is not updating, it is almost as good as not having it at all. In today’s day and age antivirus is a must…. well maybe not if you don’t have an internet connection…

#2 Keep your software up to date. Do your Microsoft Updates and software updates for all the products that you use. This includes software like Adobe, VMware and whatever else you use. As the famous ex-hacker Kevin Mitnick suggests “Update your OS religiously and be vigilant in applying all security patches released by the software manufacturer.”And the #1 thing Everyone should do in 2009 is:

#1 Backup everything you use. Make sure you have it somewhere else, on an external hard drive, a file share, somewhere. Don’t assume that anyone else (even IT) is backing that data up. If you have a question if a file share is being backed up please contact the IT Department, otherwise assume it is not. One Worm or Trojan or drive crash can wipe out 100% of your data forever, don’t let it happen to you.

A Great Listen (or should I say "A Great Lesson"?)

As I am a bit under the weather and not at work today I have been trying to do something constructive with my time. I found an excellent message by Dr. Ron Rhodes recorded at the Dallas Theological Seminary Chapel Service last week. It is an excellent message on "How to Make a Point Without Impaling Someone Upon It." The message is located at: http://www.dts.edu/media/play/?MediaItemID=c0c46e57-1e9b-49e4-9bc5-d75977a35f91

I hope that it is as much a blessing to you as it is to me. Now, the difficult part, actually living it...