Thursday, January 15, 2015

Go home Marriott, Hilton, AHLA you're drunk

You've probably already heard about Marriott being fined by the FCC for intentionally jamming wifi signals at one of its properties.  Marriott claimed they weren't motivated by profit, but by the desire to protect consumers from rogue access points.  By jamming any access point that wasn't theirs, they ensured that you only connected to their slow Internet that they reportedly charged vendors between $250 and $1000 to connect to.  Nope, profit wasn't the motive - security was.

After the fine, the hotel trade association got together with Marriott and has petitioned the FCC to clarify rules around jamming wifi signals. 

The hotel association apparently thinks that the people who run the FCC are brain dead slugs. Otherwise, there's no way they would try to pull garbage as noted in this NY Times piece.
"Marriott and the hotel association say that if the commission rules against them, some hotels might prohibit guests from checking in with Wi-Fi devices or restrict such equipment from some parts of their properties, a move that would only alienate their customers."
Yeah, that's stupid. But not the dumbest quote I could find regarding the situation.  The American Hotel & Lodging Association weighed in on this as well.
“Hotels are responsible for ensuring that vital personal data and information is protected, and need some flexibility in using tools that help protect that data without fear of legal penalty,” said Katherine Lugar, chief executive of the American Hotel & Lodging Association.
This has to be some of the dumbest rationale I've ever heard.  The argument in short is that they should be allowed to jam Wifi signals so they don't run the risk of alienating customers?  Earlier this week, Rendition Infosec let Marriott know that we actively avoid the use of hotel wifi and we'd feel very alienated if Marriott (or any other chain) were blocking our wifi hotspots.  Apparently Marriott listened to us and other consumers since they reversed their ridiculous position on blocking wifi hotspots yesterday.

But in case you think we're just picking on Marriott here, Hilton also supports this. Even though Marriott has reversed their decision, the request for clarification is still pending with the FCC.  We'll see how this plays out, but if you want to read some interesting comments like "the impact of deauthentication will not be as draconian as some commenters suggest" check out this filing.

Wednesday, January 14, 2015

Running outdated software can cost healthcare companies big

For the first time, HHS has fined a company for running out of date software.  The actual enforcement letter is available here. This is a new evolution.  Previously, you practically had to sell PHI on the open market to get a monetary fine. Okay, that's a little extreme - some fines have been levied for simply mishandling PHI in a reckless manner.  However, this is the first time I'm aware of that simply running outdated and known insecure software resulted in a fine.

I run into way too many organizations, particularly in health care, that are tied to custom software that requires Internet Explorer 8 (or worse, earlier), Java 1.6, or Windows XP (eek).  More often than not, in-house developed and custom software doesn't support DEP (data execution prevention) or ASLR (address space layout randomization).  And don't even think about EMET...  

When performing security assessments with Rendition Infosec, I get to hear all kinds of excuses about how much it will cost to upgrade legacy systems.  Organizations often simply sign off on the risk instead.  I've actually had IT managers explain to me that while they know their security is bad, nobody ever gets fined for not upgrading their systems.  Well, now that day has come and I for one am thrilled.  I hope that this is the first of many such fines from HHS.

The enforcement letter spells out the actions that must be taken to comply with the HHS settlement.  These actions can be broadly broken down into the following:
  1. Updated Policies and Procedures
  2. Training (for anyone who touches e-PHI)
  3. Annual Risk Assessments
  4. Annual Reports Attesting the State of Security

The last one sounds easy enough, but one of the requirements is specified as:
"An attestation signed by an owner or officer of ACMHS attesting that all information system resources are currently supported and updated with available patches."
This sounds innocent enough, but can your organization really make such an attestation?  There are no exceptions to this provision in the enforcement letter, no easy out.  Think of all the outdated switches and routers likely in portions of any large business.  Not to mention embedded systems, etc.  They are running fine, but are they supported?  Is everything really running all of the latest patches?  That seems doubtful and is unlike any organization I've ever seen.  While I applaud HHS for this enforcement, I think they may have set up an unattainable standard.  It will be interesting to see how this and other enforcements from HHS play out.

Saturday, January 10, 2015

A unique look at blog spam

A lighter topic for your Saturday morning reading pleasure.

I regularly get spam comments on blog posts, but this one (now removed) has to be the best I've had in years.  Apparently this blog spammer made a mistake or doesn't understand how to post this stuff.  Or maybe they are using a new program to post the spam.  If so, it malfunctioned.  In my younger days, I could totally see turning this into a drinking game.  For me, the funniest thing about it is that the templates don't even use proper English.
{{I have|I've} been {surfing|browsing} online more than {three|3|2|4}hours today, yet I never found any interesting article likeyours. {It's|It is} pretty worth enough for me. {In my opinion|Personally|In my view},if all {webmasters|site owners|website owners|web owners} and bloggers made good content as you did,the {internet|net|web} will be {much more|a lot more} useful than ever before.|I {couldn't|could not} {resist|refrain from} commenting.
{Very well|Perfectly|Well|Exceptionally well} written!|{I will|I'll} {right away|immediately} {take hold of|grab|clutch|grasp|seize|snatch} your{rss|rss feed} as I {can not|can't} {in finding|find|to find} your {email|e-mail} subscription {link|hyperlink} or {newsletter|e-newsletter} service.Do {you have|you've} any? {Please|Kindly} {allow|permit|let} me {realize|recognize|understand|recognise|know} {so that|in order that} I {mayjust|may|could} subscribe. Thanks.|{It is|It's} {appropriate|perfect|the best} time to makesome plans for the future and {it is|it's} time to be happy.{I have|I've} read this post and if I could I {want to|wish to|desire to}suggest you {few|some} interesting things or {advice|suggestions|tips}.{Perhaps|Maybe} you {could|can} write next articles referring to this article.I {want to|wish to|desire to} read {more|even more} things about it!|{It is|It's} {appropriate|perfect|the best} time to make {a few|some}plans for {the future|the longer term|the long run} and {itis|it's} time to be happy. {I have|I've} {read|learn} this {post|submit|publish|put up} andif I {may just|may|could} I {want to|wish to|desire to} {suggest|recommend|counsel} you {few|some} {interesting|fascinating|attention-grabbing} {things|issues} or{advice|suggestions|tips}. {Perhaps|Maybe} you {could|can} write {next|subsequent} articles {relating to|referring to|regarding} this article.I {want to|wish to|desire to} {read|learn} {more|even more} {things|issues} {approximately|about} it!|{I have|I've} been {surfing|browsing} {online|on-line} {morethan|greater than} {three|3} hours {these days|nowadays|today|lately|as oflate}, {yet|but} I {never|by no means} {found|discovered} any {interesting|fascinating|attention-grabbing} article like yours.
{It's|It is} {lovely|pretty|beautiful} {worth|value|price}{enough|sufficient} for me. {In my opinion|Personally|In myview}, if all {webmasters|site owners|website owners|web owners} andbloggers made {just right|good|excellent} {content|content material} as {you did|you probablydid}, the {internet|net|web} {will be|shall be|might be|willprobably be|can be|will likely be} {much more|a lot more}{useful|helpful} than ever before.|Ahaa, its {nice|pleasant|good|fastidious} {discussion|conversation|dialogue} {regarding|concerning|about|on the topic of} this {article|post|piece of writing|paragraph} {here|atthis place} at this {blog|weblog|webpage|website|web site},I have read all that, so {now|at this time} me also commenting {here|at this place}.|I am sure this {article|post|piece of writing|paragraph} has touched all the internet {users|people|viewers|visitors},its really really {nice|pleasant|good|fastidious} {article|post|piece ofwriting|paragraph} on building up new {blog|weblog|webpage|website|web site}.|Wow, this {article|post|piece of writing|paragraph} is {nice|pleasant|good|fastidious},my {sister|younger sister} is analyzing {such|these|these kinds of} things,{so|thus|therefore} I am going to {tell|inform|let know|convey} her.|{Saved as a favorite|bookmarked!!}, {I really like|I like|Ilove} {your blog|your site|your web site|your website}!|Way cool! Some {very|extremely} valid points! 
I appreciateyou {writing this|penning this} {article|post|write-up} {and the|and alsothe|plus the} rest of the {site is|website is} {alsovery|extremely|very|also really|really} good.|Hi, {I do believe|I do think} {this is an excellent|this is a great} {blog|website|web site|site}.I stumbledupon it ;) {I will|I am going to|I'm going to|I may} {come back|return|revisit} {once again|yetagain} {since I|since i have} {bookmarked|book marked|book-marked|saved as a favorite} it.Money and freedom {is the best|is the greatest} way to change, may you be richand continue to {help|guide} {other people|others}.|Woah! I'm really {loving|enjoying|digging} the template/theme of this {site|website|blog}.It's simple, yet effective. A lot of times it's {very hard|verydifficult|challenging|tough|difficult|hard} to get that "perfect balance" between {superb usability|user friendliness|usability} and {visual appearance|visual appeal|appearance}.I must say {that you've|you have|you've} done a {awesome|amazing|very good|superb|fantastic|excellent|great} jobwith this. {In addition|Additionally|Also}, the blogloads {very|extremely|super} {fast|quick} for me on {Safari|Internet explorer|Chrome|Opera|Firefox}.
{Superb|Exceptional|Outstanding|Excellent} Blog!|These are {really|actually|in fact|truly|genuinely} {great|enormous|impressive|wonderful|fantastic} ideas in {regarding|concerning|about|on the topic of} blogging.You have touched some {nice|pleasant|good|fastidious} {points|factors|things}here. Any way keep up wrinting.|{I love|I really like|I enjoy|I like|Everyone loves} what you guys {are|are usually|tend to be}up too. {This sort of|This type of|Such|This kind of}clever work and {exposure|coverage|reporting}! Keep up the {superb|terrific|very good|great|good|awesome|fantastic|excellent|amazing|wonderful} works guys I've {incorporated||added|included} you guys to {|my|our||my personal|my own} blogroll.|{Howdy|Hi there|Hey there|Hi|Hello|Hey}! Someone in my {Myspace|Facebook} group shared this {site|website} with us so Icame to {give it a look|look it over|take a look|checkit out}. I'm definitely {enjoying|loving} the information. I'm {book-marking|bookmarking}and will be tweeting this to my followers! {Terrific|Wonderful|Great|Fantastic|Outstanding|Exceptional|Superb|Excellent} blog and {wonderful|terrific|brilliant|amazing|great|excellent|fantastic|outstanding|superb} {style and design|design andstyle|design}.|{I love|I really like|I enjoy|I like|Everyone loves} what you guys {are|are usually|tend to be}up too. 
{This sort of|This type of|Such|This kind of}clever work and {exposure|coverage|reporting}!Keep up the {superb|terrific|very good|great|good|awesome|fantastic|excellent|amazing|wonderful} works guys I've {incorporated|added|included} youguys to {|my|our|my personal|my own} blogroll.|{Howdy|Hi there|Hey there|Hi|Hello|Hey} would you mind {stating|sharing}which blog platform you're {working with|using}?I'm {looking|planning|going} to start my own blog {in the near future|soon} but I'm havinga {tough|difficult|hard} time {making a decision|selecting|choosing|deciding} between BlogEngine/Wordpress/B2evolution and Drupal.The reason I ask is because your {design and style|design|layout}seems different then most blogs and I'm looking for something {completelyunique|unique}. P.S {My apologies|Apologies|Sorry} for {getting|being} off-topicbut I had to ask!|{Howdy|Hi there|Hi|Hey there|Hello|Hey} would you mindletting me know which {webhost|hosting company|web host} you're{utilizing|working with|using}? I've loadedyour blog in 3 {completely different|different} {internet browsers|web browsers|browsers} and I must say this blog loads a lot {quicker|faster} then most.Can you {suggest|recommend} a good {internet hosting|web hosting|hosting} provider at a {honest|reasonable|fair} price?{Thanks a lot|Kudos|Cheers|Thank you|Many thanks|Thanks},I appreciate it!|{I love|I really like|I like|Everyone loves} it {when people|when individuals|when folks|whenever people} {come together|get together}and share {opinions|thoughts|views|ideas}. Great {blog|website|site}, {keep itup|continue the good work|stick with it}!|Thank you for the {auspicious|good} writeup. It in fact was a amusement account it.Look advanced to {far|more} added agreeable from you!{By the way|However}, how {can|could} we communicate?|{Howdy|Hi there|Hey there|Hello|Hey} just wanted to giveyou a quick heads up. 
The {text|words} in your {content|post|article} seem to berunning off the screen in {Ie|Internet explorer|Chrome|Firefox|Safari|Opera}.
I'm not sure if this is a {format|formatting} issue or something to dowith {web browser|internet browser|browser} compatibility but I {thought|figured} I'd post to let youknow. The {style and design|design and style|layout|design}look great though! Hope you get the {problem|issue} {solved|resolved|fixed}soon. {Kudos|Cheers|Many thanks|Thanks}|This is a topic {that is|that's|which is} {close to|near to} my heart...{Cheers|Many thanks|Best wishes|Take care|Thank you}!{Where|Exactly where} are your contact details though?|It's very {easy|simple|trouble-free|straightforward|effortless} tofind out any {topic|matter} on {net|web} as compared to {books|textbooks}, as I found this{article|post|piece of writing|paragraph} at this {website|website|site|web page}.|Does your {site|website|blog} have a contact page? I'm having {a tough time|problems|trouble}locating it but, I'd like to {send|shoot} you an {e-mail|email}.I've got some {creative ideas|recommendations|suggestions|ideas} for your blog you might be interested in hearing.Either way, great {site|website|blog} and I look forward to seeing it {develop|improve|expand|grow} over time.|{Hola|Hey there|Hi|Hello|Greetings}! I've been {following|reading} your {site|web site|website|weblog|blog} for {a long time|awhile|some time} now and finally got the {bravery|courage} to go ahead and give youa shout out from {New Caney|Kingwood|Huffman|Porter|Houston|Dallas|Austin|Lubbock|Humble|Atascocita} {Tx|Texas}!
Just wanted to {tell you|mention|say} keep upthe {fantastic|excellent|great|good} {job|work}!|Greetings from {Idaho|Carolina|Ohio|Colorado|Florida|Los angeles|California}!I'm {bored to tears|bored to death|bored} at work so I decided to {checkout|browse} your {site|website|blog} on my iphone during lunch break.I {enjoy|really like|love} the {knowledge|info|information} you {present|provide} here and can't waitto take a look when I get home. I'm {shocked|amazed|surprised} at how {quick|fast} yourblog loaded on my {mobile|cell phone|phone} .. I'mnot even using WIFI, just 3G .. {Anyhow|Anyways}, {awesome|amazing|very good|superb|good|wonderful|fantastic|excellent|great} {site|blog}!|Its {like you|such as you} {read|learn} my {mind|thoughts}!You {seem|appear} {to understand|to know|to grasp} {so much|a lot} {approximately|about}this, {like you|such as you} wrote the {book|e-book|guide|ebook|e book}in it or something. {I think|I feel|I believe} {that you|that you simply|that you just} {could|can} do with {some|a few} {%|p.c.|percent} to {force|pressure|drive|power} the message {house|home} {a bit|a little bit}, {however|but} {other than|instead of} that,{this is|that is} {great|wonderful|fantastic|magnificent|excellent} blog.{A great|An excellent|A fantastic} read. 
{I'll|I will}{definitely|certainly} be back.|I visited {multiple|many|several|various} {websites|sites|web sites|web pages|blogs} {but|except|however} the audio {quality|feature} for audio songs {current|present|existing} at this {website|web site|site|web page}is {really|actually|in fact|truly|genuinely} {marvelous|wonderful|excellent|fabulous|superb}.|{Howdy|Hi there|Hi|Hello}, i read your blog {occasionally|from time to time} and i own a similar oneand i was just {wondering|curious} if you get a lot of spam {comments|responses|feedback|remarks}?If so how do you {prevent|reduce|stop|protect against} it, any plugin oranything you can {advise|suggest|recommend}?I get so much lately it's driving me {mad|insane|crazy} so any {assistance|help|support} is very much appreciated.|Greetings! {Very helpful|Very useful} advice {within this|in this particular} {article|post}!
{It is the|It's the} little changes {that make|which will make|that produce|thatwill make} {the biggest|the largest|the greatest|the most important|themost significant} changes. {Thanks a lot|Thanks|Many thanks} for sharing!|{I really|I truly|I seriously|I absolutely} love {yourblog|your site|your website}.. {Very nice|Excellent|Pleasant|Great} colors.
Wow - just wow.  This thing is a nearly complete thesaurus.  I'm going to work some of these into future presentations.

This one in particular caught my eye:
{Howdy|Hi there|Hi|Hello}, i read your blog {occasionally|from time to time} and i own a similar oneand i was just {wondering|curious} if you get a lot of spam {comments|responses|feedback|remarks}?
I can't imagine why someone would post this as a spam comment.  What possible use can this serve? Seriously, I don't know.  Well, anyway, enjoy a fun Saturday morning read.

Wednesday, January 7, 2015

2014 - the infosec year in review - part 10 (the end)

This is part 10 of a 10 part blog series, discussing the things I found to be game changers in Infosec in 2014.  I have so much left that I could write about, but I have other things to get to so I'll cut this series off here.

Item:  ShellShock

What is (or was) it?  A vulnerability in the bash shell that the media struggled to understand and report on.

Why it's significant? Bash has an amazing number of features, too many in fact.  Does your shell need to be a full on programming language supporting functions?  Maybe so, maybe not.  Does your shell need to have a built in TCP server and client?  I'm going to say definitely not on this one.  But the fact is that bash is all this and more. 

The ShellShock vulnerability comes about because when a function is declared and assigned to an environment variable, bash executes anything after the end of the function definition as code.  This is not desired functionality and leads to arbitrary code execution.  There are an amazing number of libraries that call system() or use shell environment variables under the hood.  Many Apache libraries place things such as the User-Agent string in an environment variable.  If the User-Agent string is in fact a bash function definition and the server is vulnerable, we can in fact execute arbitrary code.
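As an added example (not code from the original post or from Rendition Infosec), here is the defender's side of the mechanism just described: a small Python detector that flags Apache combined-format log entries whose User-Agent or Referer begins with a bash function definition, run over constructed sample lines, plus the widely circulated one-line local bash check. The log format, the addresses and the probe strings are assumptions made for the demo.

```python
import os
import re
import subprocess

# Apache "combined" log format (assumed): client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# bash treats an exported value that begins with "() {" as a function definition; the
# text after the closing brace is what vulnerable versions went on to execute.
# Probes vary the whitespace, so allow optional spaces between the parens and the brace.
FUNCTION_DEF_RE = re.compile(r'\(\s*\)\s*\{')


def is_shellshock_probe(value: str) -> bool:
    """True if a header value starts with a bash function definition."""
    return FUNCTION_DEF_RE.match(value.lstrip()) is not None


def parse_line(line: str):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return (client, request, offending header value) for every entry whose
    User-Agent or Referer (both exported as HTTP_* variables to CGI handlers)
    carries a function definition."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for field in ("agent", "referer"):
            if is_shellshock_probe(entry[field]):
                hits.append((entry["client"], entry["request"], entry[field]))
                break
    return hits


def local_bash_is_vulnerable():
    """Run the widely published one-line check against the local bash.
    Returns True if the exported function's trailing command ran, False if not,
    and None when bash is not available."""
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    try:
        result = subprocess.run(["bash", "-c", "echo this is a test"],
                                env=env, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in result.stdout


# Constructed sample log lines (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"',
    '198.51.100.4 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [25/Sep/2014:10:02:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:; }; echo probe" "curl/7.38.0"',
]

if __name__ == "__main__":
    for client, request, header in scan_access_log(SAMPLE_LOG):
        print(f"{client} {request!r} -> {header!r}")
    print("local bash vulnerable:", local_bash_is_vulnerable())
```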

Could it have been prevented? Yes, this is really a case where feature creep was our undoing.  I love bash for its tab completion. As a pentester, I love that bash has a network server so I don't have to rely on netcat.  But wow, we have to be sensible about features, especially in something as prolific as the default shell on most *nix installations.

At Rendition Infosec, we've found that a lot of our customers don't understand the severity of the ShellShock bug.  I personally think that people in infosec have been overwhelmed this year by Heartbleed and a ton of other "must patch this now" bugs.  I've had some customers tell me that ShellShock is no worse than Heartbleed.  I personally disagree.  Heartbleed was an information disclosure vulnerability with a low chance of disclosing the most sensitive information (server private key).  But ShellShock is a remote code execution vulnerability that works reliably against vulnerable targets. Put bluntly, it's a game changer.

There are also far more devices vulnerable to ShellShock.  We have many embedded devices that run bash (I admit that most run ash as their default shell).  Many of these embedded devices are no longer receiving updates.  I still find MS08-067 in penetration tests today, years later (though I admit that it's becoming increasingly rare).  For these devices that aren't easily upgraded (requiring new firmware, etc.) the outlook is much more bleak.

Closing the door

When I started the Infosec year in review, I figured it would be a 5 part series.  As I started looking for things to write about, I found more and more. In the end, it was hard to decide what subjects deserved time in this year of awesome breaches.  Thanks for reading up to this point and I look forward to a busier 2015 (and definitely one with more blogging).

Tuesday, January 6, 2015

2014 - the infosec year in review - part 9

This is part 9 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014.

Item: CVE-2014-1776

What is (or was) it?  A new vulnerability in mshtml.dll that left Internet Explorer versions 6 through 11 vulnerable to remote exploits.

Why it's significant? Microsoft said they weren't going to patch XP anymore, right?  Yeah, I remember that too.  But then they changed their tune when this vulnerability was discovered and said "okay, we were just kidding - we'll patch one more time."

This vulnerability was interesting for another reason too.  The flaw itself was exploitable through the use of VML.  If you don't know what VML is, don't feel bad - you're in the majority.  It's an antiquated standard that virtually nobody has used for the last decade.

Could it have been prevented? Yes, but all software has bugs.  This particular bug was exploitable using an obscure standard that nobody uses, yet is enabled by default on all versions of Windows.  If you are writing software today, you owe it to your user base to only install the features that are actually needed - not everything and the whole kitchen sink.  Any CISSP can tell you to disable unneeded services - the problem here is that this was a feature of software that lots of people use (Internet Explorer) and was not easily disabled.

Stay tuned for more installments in the Infosec year in review.

Monday, January 5, 2015

2014 - the infosec year in review - part 8

This is part 8 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014.

Item: Infosec Taylor Swift (@SwiftOnSecurity)

What is (or was) it?  An epic Twitter Parody account making fun of all things infosec from the point of view of a pop star.

Why it's significant? First off, because I like to laugh.  But seriously, using humor to communicate the usually dry topics of computer security is awesome.  I especially appreciate the attempts to create infosec themed parodies of Taylor Swift (and other popular) songs.

@SwiftOnSecurity covers Carly Rae Jepsen

@SwiftOnSecurity also educates on important technology topics.  Topics such as where you can find the 32 bit copies of programs on x64 versions of Windows, albeit in her witty tone.

@SwiftOnSecurity explains what SysWOW64 is

Another recent gem was this rant complaining about Microsoft's "fixing" "Program Files" for new x64 systems by adding parentheses.  I actually think Microsoft missed an opportunity to do away with another folder name with spaces in it and instead chose to take the lazy way out.

@SwiftOnSecurity rants on Program Files

Finally, @SwiftOnSecurity does a great job of covering real infosec news... sort of.  A great example is this little gem about the recent South Korean nuclear plant hack that reminds us all of the dangers of using USB.

@SwiftOnSecurity covers the South Korean nuclear plant hack

Could it have been prevented? No way. Many in the infosec field take themselves way too seriously. An account like this needed to be created to take us down a notch or two.  @SwiftOnSecurity takes an entirely sarcastic and sassy approach to security - something that makes me smile on a nearly daily basis.

Stay tuned for more installments in the Infosec year in review.

Friday, January 2, 2015

2014 - the infosec year in review - part 7

This is part 7 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014.

Item: Apple's iCloud password brute force "feature"

What is (or was) it?  A horrible time to be a celebrity with nude photos, bad passwords, and bad security questions.

Why it's significant? Many of my readers will likely argue that this is not up to the same significance as some other things I haven't covered yet, but I disagree.  Any time regular users (e.g. people outside of infosec) consider the security of what they have stored in the cloud and their own password usage, that's a win for infosec.

This story is significant because it brought attention to password security and the questions used to protect those accounts.  Apple agrees that attackers shouldn't be able to brute force attack your password on its services and they've put (some) protections in place to prevent this sort of thing.  But attackers figured out how to bypass these protections using the "Find my iPhone" service.  This is a great example of defense in depth.  Businesses often talk about how they've secured 95% of their machines.  That's great, but what about the remaining 5%?  Here, Apple had secured most methods of logging into iCloud accounts against brute force guessing.  But they had neglected to do so on one web form, and that's all it took.
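As an added example (not Apple's code or the post's own), the defense-in-depth point above in Python: a hypothetical service where one login form forgets the shared per-account lockout, an audit step that finds it, and a count of how many wrong guesses that form will evaluate before and after the fix. The endpoint names, the credential store and the lockout thresholds are made-up assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # wrong guesses an account may accumulate before it locks
LOCKOUT_SECONDS = 900   # how long the lock lasts
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly

def make_credential(password: str):
    """Constructed sample credential: (salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def password_matches(credential, password: str) -> bool:
    salt, digest = credential
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)

class AccountGate:
    """One failed-attempt ledger per account, shared by every login entry point."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def record(self, account: str, success: bool) -> None:
        if success:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS

class AuthService:
    """Hypothetical service with two login entry points; the endpoint names are made up."""
    def __init__(self, credentials, gate: AccountGate):
        self.credentials = credentials
        self.gate = gate
        # endpoint name -> (handler, does it consult the shared gate?)
        self.endpoints = {
            "web_login": (self._gated_login, True),
            "device_locator_login": (self._ungated_login, False),  # the forgotten form
        }

    def _gated_login(self, account: str, password: str) -> str:
        if self.gate.is_locked(account):
            return "locked"
        ok = password_matches(self.credentials[account], password)
        self.gate.record(account, ok)
        return "ok" if ok else "denied"

    def _ungated_login(self, account: str, password: str) -> str:
        # Verifies the password but never consults the gate: guesses are unlimited.
        ok = password_matches(self.credentials[account], password)
        return "ok" if ok else "denied"

    def login(self, endpoint: str, account: str, password: str) -> str:
        return self.endpoints[endpoint][0](account, password)

    def audit_endpoints(self):
        # Review step: names of every entry point that bypasses the shared gate.
        return sorted(name for name, (_, gated) in self.endpoints.items() if not gated)

    def harden(self):
        # Route every bypassing entry point through the gate; returns what was fixed.
        fixed = self.audit_endpoints()
        for name in fixed:
            self.endpoints[name] = (self._gated_login, True)
        return fixed

def guesses_evaluated(service: AuthService, endpoint: str, account: str, candidates) -> int:
    """How many wrong guesses the endpoint actually checks before answering 'locked'."""
    evaluated = 0
    for guess in candidates:
        if service.login(endpoint, account, guess) == "locked":
            break
        evaluated += 1
    return evaluated

def demo():
    # Returns (guesses checked by the ungated form, audit findings, guesses checked once hardened).
    account = "user@example.com"
    service = AuthService({account: make_credential("correct horse battery")}, AccountGate())
    wrong = [f"guess-{i}" for i in range(20)]  # constructed wrong guesses
    before = guesses_evaluated(service, "device_locator_login", account, wrong)
    findings = service.audit_endpoints()
    service.harden()
    after = guesses_evaluated(service, "device_locator_login", account, wrong)
    return before, findings, after

if __name__ == "__main__":
    print(demo())  # (20, ['device_locator_login'], 5)
```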

To be fair, the impacted celebrities should have used better passwords to prevent the brute forcing of their accounts. We all should use better passwords.  But we should also expect that big business like Apple will protect us from brute force attacks.  We've demonstrated repeatedly over time that the user cannot be responsible for their own security.

The worst part was that Apple knew of the vulnerability and did nothing before the event.  It's easy to say that people should use better security questions, but that falls flat since Apple added security after the iCloud hack was made public.

Note: As of today, there are still problems with iCloud secondary authentication as evidenced by this tool.  One day iCloud will get it together, but that day is not today.  We have to carefully consider what we store in the cloud, both for personal and professional use.  Once we decide (after weighing all the risks) what is to be stored in the cloud, we should determine what security measures around that data make sense.

Could it have been prevented? Absolutely, 100% yes.  As discussed previously, Apple knew about the vulnerability ahead of time.  This leaves them in a precarious position, though it appears the only company to have been sued so far was Google (related to DMCA takedown requests).

Unfortunately for iCloud, its security problems didn't end there.  Later, users in China were hit with a man in the middle attack.  A truly bad situation for Apple, but according to some press reporting, it was likely sanctioned by the Chinese government given the level of infrastructure involvement.

Stay tuned for more installments in the Infosec year in review.

Thursday, January 1, 2015

2014 - the infosec year in review - part 6

This is part 6 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014. I'll wrap the series up this week so it doesn't drag too far into 2015.

Item: November 2014 Patch Tuesday

What is (or was) it?  A horrible time to be a systems admin and a great time to be an attacker.

Why it's significant? Microsoft released several critical patches in November 2014.  MS14-068 is the one most people have heard the most about - that's the one that allows an attacker to write their own Kerberos golden ticket - Willy Wonka style.  Using any domain account, you could take domain admin.  It is the ultimate in privilege escalation and there's already proof of concept code available. Almost makes penetration testing boring :).

Note: technically, the patch for MS14-068 was not released on Patch Tuesday; it was released the week after in an out-of-band update.  But it was originally scheduled to be released then, so it still counts.

The second bug that was news worthy was the "God Mode" bug for VBScript (MS14-064).  This got lots of coverage as a "unicorn vulnerability," presumably because the press was reaching for a way to sensationalize complicated topics.  I was particularly excited about this bug since it offers attackers an easy method to bypass ASLR.

The third bug, MS14-067, got almost no press.  But any other month it would have been the "must patch" bug of the month.  That's how bad November was for systems admins.  This bug offered attackers remote code execution through core XML services.  I noted something with this bug that I suspect most system admins missed.  Microsoft usually creates multiple code changes to help obscure their patches.  This doesn't work very well; most competent reverse engineers see right through it.  It doesn't prevent reversing the patch, but it is supposed to make it just a little harder.  But Microsoft had a hard month prepping for the patch releases and in this patch only made changes to two functions.  Notice the extra conditional on the left?  Yeah... that's the condition you want to violate in the unpatched code :)

MS14-067 Graphical Patch Diff (BinDiff)

A final note is that Microsoft notified defenders to be ready for a critical Exchange server patch in November as well, but that patch was pulled for QA reasons.  I don't think it was QA at all - MS realized how bad November sucked for system admins and had a heart.

Could it have been prevented? Not applicable here - but if you haven't applied these patches, get on it quick.  MS14-068 is being exploited in the wild.  My recommendations don't matter though - we'll see it on penetration tests for some time to come.

Stay tuned for more installments in the Infosec year in review.