Revisiting an Info Leak
Today an interesting tweet
[https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg
Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome
analysis on twitter lately!) came to our attention, concerning the MS15-080
This patch (included in MS15-080) may have been intended to stop one of the Windows
kernel bugs exploited by Hacking Team. But, after our analysis, it appears that
Update Tuesday, August 2015
This month's update includes 14 Microsoft security bulletins (52 CVEs), with
three being rated as critical. One of these vulnerabilities has already affected
MS Office (MS15-081) and has been detected as being exploited in the wild. As
per the norm, Adobe has also released a high priority Air/Flash security patch
(APSB15-19) to address 34 CVEs on multiple affected platforms (IE, Edge,
Windows, Macintosh, Android and iOS).
Microsoft seems to have implemented a new strategy for Windows 10, as the
Reducing Windows Attack Surface with User Rights Assignment
As we know, attackers leverage legitimate credentials to move through systems,
escalate privileges or get access to data.
Managing privileged accounts such as administrator accounts, shared accounts and
service accounts is a difficult problem to solve.
Even if service account passwords are managed securely, they still remain at
risk of being compromised through exploitation of services using them, lack of
support for encrypted configuration files on some systems, pass-the-hash
attacks, or the
A Closer Look at February 2015's Patch Tuesday
This month's Patch Tuesday covers nine security bulletins from Microsoft,
including what seems like a not-very-unusual mix of remote code execution (RCE)
vulnerabilities and security feature bypasses. However, two of these bulletins –
MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and
MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] –
require a closer look, both because of the severity of the vulnerabilities that
they address and the changes Mi
12 Days of HaXmas: Does it Blend Like a Duck?
This post is the fifth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements and events in the Metasploit Framework over
the course of 2014.
Writing portable software is not hard. It's just like walking through a
minefield! Getting to the other side, that's the tricky part.
Sure, if you target C, Unix-like systems and GCC or LLVM, you may not run into
too many hassles these days. There are still a few annoying differences between
BSDs and Linux, but POSIX a
Mitigating Service Account Credential Theft
I am excited to announce a new whitepaper, Mitigating Service Account Credential Theft
on Windows. This paper was a collaboration between myself, Joe Bialek of
Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is
Over the last 15 years, the Microsoft Windows ecosystem has expanded with the
meteoric rise of the internet, business technology, and computing in gene
Federal Friday - 4.11.14 - Another Quiet Week...
Can you believe how quiet it was this week? Nothing going on, every day slowly
dragging on, the tick, tick, tick of the clock getting louder and louder by the
second. Reminds me of the late-night drip from your faucet but more annoying
because you're stuck at work. Oh wait, totally forgot this was a cybersecurity
blog and mistook it for my crochet blog. You, much like us here at R7, were
probably pretty busy this week. In that case let me officially say, happy
freaking Friday, Federal friends!
It's the end of XP as we know it, April Patch Tuesday 2014, and, oh yeah... heartbleed.
So this is it, the last hurrah for the once beloved XP, the last kick at the can
for patching up the old boat. Sure, by today's standards it's a leaky,
indefensible liability, but… hey, do you even remember Windows 98? Or (*gasp*)
ME? At least we can all finally put IE 6 to rest, once and for all, the final
excuse for corporate life-support has been pulled… except for legacy apps built
so poorly that they depend on IE 6 and are “too costly” to replace.
As everyone should know by now, ther
Federal Friday - 3.21.14 - A Day of Reckoning
Friday at last...
Hello federal friends! I'm pleased to announce that the sun is setting here in
Boston at 6:58pm tonight and there is Major League Baseball being played this
weekend. Spring officially happened yesterday which should make those of you in
DC put Monday's snow-day out of sight and out of mind.
Did my ominous title catch your attention? Don't worry, this is not the end of
times, or even the end of days [http://www.imdb.com/title/tt0146675/] for that
matter (thank goodness) and mo
Patch Tuesday, Sept 2013
September's Patch Tuesday is live! The 14 bulletins predicted were cut to 13,
with the .NET patch landing on the cutting room floor. A patch getting pulled
after the advance notice is up usually indicates that late testing revealed an
undesired interaction with another product or component.
Of the 13 bulletins remaining they are split 7/6 between the MS Office family
and Windows OS patches, if we are counting the Internet Explorer patch as part
of the OS patching, anti-trust lawsuits notwiths
Abusing Windows Remote Management (WinRM) with Metasploit
Late one night at Derbycon [https://www.derbycon.com/], Mubix
[https://twitter.com/mubix] and I were discussing various techniques of mass
ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we
have any Metasploit modules for this yet?" After I got back, I began digging.
WinRM is a remote management service for Windows that is installed but not
enabled by default in Windows XP and higher versions, but you can install it on
older operating systems as well. Win
Microsoft Releases Windows Server Update Services (WSUS) Update
Microsoft has released an update for Windows Server Update Services (WSUS) 3.0
Service Pack 2 (SP2):
By hardening the Windows Server Update Services (WSUS), Microsoft is attempting
to assure their customers that they can trust the update process. From a
security perspective, Flame isn't a mass threat to most organizations; however,
this is a way to ensure the integrity of the update process. It is apparent that
Microsoft was working on many of these upda
Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering
As of a few days ago [https://github.com/rapid7/metasploit-framework/pull/98],
the Metasploit Framework has full read-only access to offline registry hives.
Within Rex you will now find a Rex::Registry namespace that will allow you to
load and parse offline NT registry hives (includes Windows 2000 and up),
implemented in pure Ruby. This is a great addition to the framework because it
allows you to be sneakier and more stealthy while gathering information on a
remote computer. You no longer need
January Patch Tuesday Roundup
So I know we all were hoping to see a fix for some of this Windows Graphic
Rendering Engine nastiness...but no go. For now, you'll need to resort
to the good ol' FixIt [http://support.microsoft.com/kb/2490606] option or if you
wanna get your hands dirty, you can modify the ACL on shimgvw.dll directly.
Either way, if you're running IE, you'll have to patiently wait for the official
So this monthly release was lean-n-mean, Microsoft released (2) bulletins,