<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Security Policy</title>
	<atom:link href="http://praetorianprefect.com/archives/category/security-policy/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Press F1 for Help, pwned.</title>
		<link>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 17:39:54 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[Stay Safe Online]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[help system]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[winhlp32]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3444</guid>
		<description><![CDATA[

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &#38; SP3, and Windows 2003 SP2 with Internet Explorer 7 [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696-150x150.png" alt="Vista_Help_thumb_7AEAB696" title="Vista_Help_thumb_7AEAB696" width="125" height="125" class="alignleft size-thumbnail wp-image-3449" /></a></p>

<p>Microsoft published security advisory <a href="http://www.microsoft.com/technet/security/advisory/981169.mspx">981169</a> yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &amp; SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.</p>

<p>Credit to Maurycy Prodeus for publishing the <a href="http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt">initial details</a> of the vulnerability.</p>

<h3>Details</h3>

<p>Using the MsgBox VBScript function in an html file, an attacker can create a dialog box prompting the user to hit F1, something that is likely not difficult to do with a message such as &#8220;Internet Explorer encountered an error, press F1 to continue&#8221;. The <a href="http://msdn.microsoft.com/en-us/library/sfw6660x(VS.85).aspx">MsgBox</a> function is important as its fourth argument specifies a helpfile parameter, basically which hlp or chm file to launch when the user asks for help via F1.</p>

<p>I created a simple help file with the word &#8220;Test&#8221; using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double click this file in Windows XP SP3, I get my test helpfile and the command prompt launches as well:</p>

<div id="attachment_3447" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51-300x248.jpg" alt="Cmd.exe launched with my Help file." title="ScreenHunter_02 Mar. 02 11.51" width="300" height="248" class="size-medium wp-image-3447" /></a><p class="wp-caption-text">Cmd.exe launched with my Help file.</p></div>

<p>So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user hits F1. Here is where I come back to a recurring issue of SMB traffic and allowing it outbound on firewalls. In order for the MsgBox parameter to launch the .hlp file, the attacker must point to a local file (which the user would have had to already download) or host a file on an internet accessible SMB share. If you look at the proof of concept code circulating, currently you will see the MsgBox help parameter is &#8220;&#92;&#92;x.x.x.x\attackfile.hlp&#8221;, a UNC path pointing to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via the SMB client, users should be blocking this outbound traffic as well.</p>

<h3>Vista, Windows 7, &amp; Server 2008</h3>

<p>The vulnerability does not work on Vista, Windows 7 and Windows 2008 due to Microsoft no longer including winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (<a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=258aa5ec-e3d9-4228-8844-008e02b32a2c&amp;displaylang=en">Windows 7 Version I installed from here</a>). I found that these updates did not launch the cmd.exe as the Windows XP version did (I also tried Prodeus&#8217;s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.</p>

<h3>Workarounds</h3>

<p>The first warning is to avoid hitting F1 when prompted by websites. Additionally, permissions on winhlp32.exe can be modified so that it doesn&#8217;t execute. In an Active Directory environment, a Group Policy software restriction setting can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share on the public internet. This helps with many known vulnerabilities disclosed in the past as well.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Fugitive Found Working at Homeland Security</title>
		<link>http://praetorianprefect.com/archives/2009/12/fugitive-found-working-at-homeland-security/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/fugitive-found-working-at-homeland-security/#comments</comments>
		<pubDate>Thu, 10 Dec 2009 04:49:49 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2156</guid>
<description><![CDATA[Tahaya Buchanan, a 39 year old, continued working for the Atlanta office of U.S. Citizenship and Immigration Services (USCIS), part of the U.S. Department of Homeland Security, while a fugitive wanted in Essex County, New Jersey for insurance fraud. It was not until yesterday that the CIS office in Atlanta became aware of the criminal charges, despite her having been arrested on July 9th and spending the subsequent week in a Georgia prison, a warrant in the National Crime Information Center system (nationwide law enforcement notification) issued on January 8th, 2008, and her pleading guilty to one charge of insurance fraud on Monday.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/logo_hm.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/logo_hm.jpg" alt="logo_hm" title="logo_hm" width="112" height="104" class="alignleft size-full wp-image-2159" /></a></p>

<p>Tahaya Buchanan, a 39 year old, continued working for the Atlanta office of U.S. Citizenship and Immigration Services (USCIS), part of the U.S. Department of Homeland Security, while a fugitive wanted in Essex County, New Jersey for insurance fraud. It was not until yesterday that the CIS office in Atlanta became aware of the criminal charges, despite her having been arrested on July 9th and spending the subsequent week in a Georgia prison, a warrant in the National Crime Information Center system (nationwide law enforcement notification) issued on January 8th, 2008, and her pleading guilty to one charge of insurance fraud on Monday.</p>

<h3>Timeline of Events</h3>

<ul>
<li>March 2005: Tahaya Buchanan of Newark, NJ falsely reports her car, a Range Rover, stolen and files an insurance claim.</li>
<li>April 2005: The Range Rover is found by police in a garage in Irvington, NJ owned by Buchanan&#8217;s aunt. The police discovered the car after responding to a fire at the garage. Her insurance company denies her claim and a criminal probe is opened.</li>
<li>Between April and November 2007: At some point during the investigation, it appears Buchanan transferred from a Homeland Security office in New Jersey to the Georgia office.</li>
<li>November 2007: Buchanan is indicted on a charge of second degree insurance fraud.</li>
<li>January 2008: On January 8th, 2008, a warrant is entered into the National Crime Information Center system, entering a nationwide notification to law enforcement agencies that Buchanan is a fugitive, based on the issuance in December of an arrest warrant by a New Jersey judge.</li>
<li>July 2009: Buchanan is arrested on July 9th of this year in DeKalb County, Georgia after a traffic officer noticed a December 2007 warrant for her arrest. She spends the following week in prison in Georgia.</li>
<li>December 2009: On December 7th, Buchanan pleads guilty to one count of insurance fraud for which she faces up to three months of probation.</li>
<li>December 2009: On December 8th the USCIS finds out Buchanan was a fugitive when asked for comment by news sources.</li>
</ul>

<div id="attachment_2161" class="wp-caption alignnone" style="width: 235px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/buchanan-tahaya.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/buchanan-tahaya-225x300.jpg" alt="Tahaya Buchanan, Essex County Prosecutors Office" title="buchanan-tahaya" width="225" height="300" class="size-medium wp-image-2161" /></a><p class="wp-caption-text">Tahaya Buchanan, Essex County Prosecutors Office</p></div>

<h3>Dueling Quotes</h3>

<p>Of interest are the subsequent quotations from both USCIS and the Essex County Prosecutor, each engaging in a bit of finger pointing as to what the real lead of the story is:</p>

<p><i>&#8220;It&#8217;s amazing they couldn&#8217;t find her. Good Lord,&#8221;</i> &#8211; Kevin Kerns, Office Chief of Staff at USCIS</p>

<p><i>&#8220;We found it surprising, alarming that an employee of the Department of Homeland Security is a fraudster, and we do not understand how she could have remained employed there with an open criminal warrant for her arrest remaining on the interstate system without being discovered,&#8221;</i> &#8211; Michael Morris, Essex County Assistant Prosecutor.</p>

<p>Easily the most bizarre response is from USCIS spokesperson Ana Santiago, who states that she does not have the information available as to whether the office regularly checks its employee lists against national criminal warrants, but does note that the &#8220;<i>USCIS has zero tolerance for any type of employee misconduct or criminal activity</i>&#8221;.</p>

<p>Providing an answer for Ms. Santiago, the USCIS (obviously) does not regularly check their employee lists against nationwide issued warrants. Additionally Buchanan is still employed by USCIS.</p>

<h3>Finally</h3>

<p>USCIS is hardly alone; in corporate America many firms fail to retain an investigation firm to conduct competent background checks on newly hired employees, let alone conduct checks for subsequent criminal behavior after the date of hire. Still, this is a strange story, on one hand demonstrating that the unusual behavior of Tahaya Buchanan went completely unnoticed by supervisory staff at USCIS, on the other showing the competency of local law enforcement in identifying and arresting an out of state fugitive. Still, the Department of Homeland Security agencies have a different level of responsibility and impact than a regular business, and this incident will likely result in changes, potentially including regular background checks of existing employees, background checks on employees doing job or regional transfers, or verifications against well known law enforcement registries (sex offender registries, the National Crime Information Center, et al.) at some regular time interval.</p>

<p>For the corporate information security officer, this is a good excuse to meet with Human Resources, dust off the new hire policy to see if changes are needed, and make sure the investigative agency retained to do background checks is performing adequately and as expected. Want a good way to verify? On your next two new hires, use both your existing investigations firm and an additional firm, and compare the reports to see if the quality level of your existing provider is matching up to that of its similar rate competitors. It is a low cost exercise for a process that can cause high level headaches if it fails and an inappropriate employment choice is made.</p>

<h3>References:</h3>

<ul>
<li><a href="http://www.nj.com/news/ledger/jersey/index.ssf?/base/news-15/126032730518280.xml&amp;coll=1">Fugitive is discovered at Homeland Security</a></li>
<li><a href="http://www.uscis.gov">U.S. Citizenship and Immigration Services</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/fugitive-found-working-at-homeland-security/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Panhandling and Policy</title>
		<link>http://praetorianprefect.com/archives/2009/11/panhandling-and-policy/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/panhandling-and-policy/#comments</comments>
		<pubDate>Fri, 13 Nov 2009 05:30:12 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[enforcement]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1626</guid>
<description><![CDATA[I have been watching an aggressive panhandler, sometimes with a second person, approach and threaten people (mostly old ladies, young girls, and tourists) at the corner of Church and Chambers Streets in New York City for the past month or so. While a nuisance, and problematic for the people he threatens, this is not terribly unusual in large cities, although it does seem to have become more prevalent based on what are likely a number of factors (including notably a down economy and a change in police enforcement). The problem in this case, though, is that an NYPD police officer directs traffic at this intersection every day, watches, and ignores what’s happening. What I’m observing unfold plays itself out similarly in every information security department in every company on a daily basis.]]></description>
			<content:encoded><![CDATA[<p><a rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/aggressive_pan_thumb.jpg"><img rel="lightbox" src="http://praetorianprefect.com/wp-content/uploads/2009/11/aggressive_pan_thumb-150x150.jpg" alt="aggressive_pan_thumb" title="aggressive_pan_thumb" width="150" height="150" class="alignleft size-thumbnail wp-image-1629" /></a>I have been watching an aggressive panhandler, sometimes with a second person, approach and threaten people (mostly old ladies, young girls, and tourists) at the corner of Church and Chambers Streets in New York City for the past month or so. While a nuisance, and problematic for the people he threatens, this is not terribly unusual in large cities, although it does seem to have become more prevalent based on what are likely a number of factors (including notably a down economy and a change in police enforcement). The problem in this case, though, is that an NYPD police officer directs traffic at this intersection every day, watches, and ignores what’s happening. What I’m observing unfold plays itself out similarly in every information security department in every company on a daily basis.</p>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 42px;margin-right: 21px;"><a title="There's the police officer, within 10 feet there is the panhandler making threats, 10/28/2009 at 4:25pm, corner of Church and Chambers Streets" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/aggressive_panhandler.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/aggressive_panhandler-300x180.jpg" border="1" alt="There's the police officer, within 10 feet there is the panhandler making threats, 10/28/2009 at 4:25pm, corner of Church and Chambers Streets" width="300" height="180" /> </a>
<p class="wp-caption-text"><a title="" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/aggressive_panhandler.jpg">There&#8217;s the police officer, within 10 feet there is the panhandler <br />making threats, 10/28/2009 at 4:25pm, corner of Church <br />and Chambers Streets</a></p></div>

<p>Actually it is worse than just one officer ignoring a crime, it is that it is different officers on a daily basis watching people be yelled at and threatened. The approach did not start that way of course, the panhandling started simply as this person asking for change for the subway and being mindful of the police officer standing there. But as the month wore on, and he saw that clearly the police had no intention of addressing what he was doing, he became more aggressive.</p>

<h3>A little History…</h3>

<p>Around 1994 New York City’s police forces adopted an Order-Maintenance Policing strategy, popularly known as Broken Windows theory. Under this approach laws that deal with social disorder are enforced using a low tolerance approach. In other words, infractions that are generally considered low level such as graffiti, panhandling, jumping subway turnstiles, public urination, and so forth are used as grounds for arrest.</p>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 42px;margin-right: 21px;"><a title="NY Crime Rate Drop" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/nycrime1_20071129.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/nycrime1_20071129-300x218.gif" border="1" alt="NY Crime Rate Drop" width="300" height="218" /> </a>
<p class="wp-caption-text"><a title="NY Crime Rate Drop" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/11/nycrime1_20071129.gif">NY Crime Rate Drop</a></p></div>

<p>The theory had one of its most well known implementations in New York under William Bratton, then head of the NYC Transit Police. The policy was adopted more widely under Mayor Rudy Giuliani and police commissioner Howard Safir, and by many objective measurements the crime rates dropped for both nuisance and violent crimes. Most would also agree that if multiple officers with the duty to enforce the laws of the city directly observe something happen but take no punitive action, then the law, while on the books, is not an enforced law. When the law is obviously not enforced, people are led to the conclusion that it can be broken without consequence, and thus because of uneven or non-existent enforcement the law becomes a paper tiger, largely not worth the paper it is written on.</p>

<h3>Whatever you think of it…</h3>

<p>Not everyone subscribes to this theory, which as a zero-tolerance style policy does likely overreach. In general though, most will concede that even if panhandling itself should not be a crime, aggressive panhandling does become problematic under its most extreme variations, including: approaching individuals as a group, using veiled threats or insults, following individuals, blocking or touching a person, or approaching a person using an ATM. If you can concede that, and it is against the law, then law officers not addressing the situation are tacitly accepting the behavior.</p>

<p>I keep using officers in plural because one police officer ignoring something could be taken as an outlier, someone who just is not doing his or her job but not characteristic of what other officers would do. In this case I have waited a month to observe multiple officers, to see what the reaction would be.</p>

<h3>What does this have to do with Information Security?</h3>

<h4>Security Policies</h4>

<p>People who write information security policies are loath to have their effort be completed in vain. Most texts and experienced security professionals will tell you that anything that is overly technically specific, patently unenforceable, or subject to major variation in interpretation should be taken out of a security policy.  The best practice generally put forth is to carefully divide the security requirements of the organization into the direction and context (policy level) and put the specifics for achieving those policies into standards, procedures, and guidelines which can be updated often and are more fungible.</p>

<p>Security folks write what are sometimes complex exception mechanisms and risk acceptance methods to deal with the rare occasion that a security policy must be overridden. Good security policies are usually the result of much iteration and regular update, and are reviewed in consultation with business, technical, and legal leadership within the organization.</p>

<p>Finally, a good security policy contains a corrective action clause. That is, the policy details the consequences of non-compliance. This is the part of the policy that usually includes a clause that reads “actions up to and including termination”.</p>

<p>In this context, security policies are like the law. They describe “the what” on what’s prohibited but exclude “the how”, the enforcement itself.</p>

<h4>Policy Enforcement</h4>

<p>Most security professionals can also quote what should be on the policy books of your Human Resources department: there can be no difference between individuals in the way policies are enforced, or the organization incurs the risk of a downstream lawsuit that is more difficult to defend. In the imperfect reality of the enterprise, corporate policies are enforced differently across different people all the time, but the goal and stated practice generally remain the same. Policy is to be enforced uniformly in all cases.</p>

<p>For this reason, a security policy that does not have a reasonable enforcement mechanism (technology products and people processes to detect violations) will generally be difficult to enforce. Further, a policy where detection mechanisms do exist but corrective actions never follow communicates clearly to corporate citizens that the policy is unimportant.</p>

<p>Unenforced policies are difficult to resurrect into enforceable ones, and further weaken the overall set of security policies. As soon as readers come across a policy instance that they know to be either unenforceable or clearly not enforced, because a violation is observed by security personnel but nothing comes of it, they come to question the entire set of security policies in place. It is similar to what happens when reading a newspaper article: if you come across one glaring inaccuracy that you know to be untrue based on your personal experience, it draws all of the facts of the article into question.</p>

<h3>So what have we learned?</h3>

<p>If you know you can’t enforce it, or know your company will not enforce it, fight like hell to keep it out of your security policies. And if you want to threaten people into giving you money, south of Canal Street is the place to do it.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/panhandling-and-policy/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
