Nabble - Sunnet Beskerming Alert

Advisory #273 - Microsoft (Multiple), Multiple News

2009-12-12T07:27:51Z

Sûnnet Beskerming Alert List Advisory #273

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Shrinking InfoSec Budgets or not, it can Still go Wrong
2.2 Security Irony from Microsoft and Symantec
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office
Internet Explorer

-- Technical Description --
MS09-069 - Windows. Denial of service. Replaces MS06-025. Important
MS09-070 - Windows. Remote code execution. Important
MS09-071 - Windows. Code execution. Critical
MS09-072 - Internet Explorer. Remote code execution. Replaces MS09-054. Critical
MS09-073 - Office. Remote code execution. Replaces MS09-010, MS09-024. Important
MS09-074 - Office. Remote code execution. Replaces MS08-018. Critical

-- Description --
Microsoft have released six patches for the December Security Bulletin Update. Two of the patches are rated Critical, with the remainder as Important. All of the patches deal with code execution vulnerabilities in some form and four replace earlier security bulletins. The most critical patch is the Internet Explorer cumulative update (MS09-072), however it is imperative that all patches are applied at the earliest opportunity. Only one patched vulnerability was known about publicly prior to patch release.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-dec.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-069.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-070.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-073.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-074.mspx

-- External Tracking Data --
Upgrade to get tracking details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Shrinking InfoSec Budgets or not, it can Still go Wrong

Information Security is a difficult thing to get right, especially when new attack methods and vulnerabilities are continually being discovered and exploited, and defensive practices and methodologies change and evolve over time. It is also difficult to justify an often costly process (though it doesn't always have to be) that has no readily apparent return. Mix in a healthy dose of snake oil and the result is something that daunts many people and traps the over-confident.

Melbourne's The Age newspaper recently reported that companies are beginning to cut back their Information Security expenditure, even in the face of continuing threats and growing levels of breaches and other attacks against systems. With a continuing financial crisis, it shouldn't be much of a surprise to see budgets shrinking, but the risk is that it opens up systems and data stores to easier risk of compromise. That compromise may not happen before budgets are improved, but it is still a risky step. With the various business failures and high profile breach reporting that has taken place in the last couple of years, the assessment may even be that a breach isn't necessarily a major problem.

It is telling, though, that the study that brought forward these figures was commissioned by an Information Security vendor, McAfee.

At the other end of the scale, a report via Gov InfoSecurity highlights the failure of a $433 million USD project undertaken by the Los Alamos National Laboratory to secure classified computer networks over several years.

The project achieved some results, but the systems and networks are still apparently plagued with significant weaknesses that do not adequately protect the data on the systems. For an institution where classified research is carried out, and one that is also partly responsible for research on nuclear weapons, this reporting can only be an embarrassment.

2.2 Security Irony from Microsoft and Symantec

Security is a very difficult thing to get right, whether it is a company that has committed itself to overcoming historical security flaws and implementing a secure development process, such as Microsoft, or a company that exists to deliver Information Security services and products to governments, businesses, and consumers, such as Symantec.

One of Microsoft's most recent vulnerabilities that has been disclosed is a flaw in their XSS protection built into Internet Explorer 8. This component, which is designed to re-encode websites while rendering them, in order to nullify any embedded XSS, apparently contains a vulnerability that can actually end up being used to introduce an XSS attack to a site that otherwise would not be vulnerable (by virtue of the fact that it modifies the rendering of the page as it loads). The exact details of the vulnerability have not been disclosed, but the timing and apparent source (Google) of the news is interesting, given Microsoft's recent discovery of a vulnerability in a Google product. Given that Microsoft were apparently notified of the vulnerability some time ago, it does seem a little bit of tit-for-tat rather than responsible vulnerability handling from both parties.

In Symantec's case, a site dedicated to supporting PC Doctor for Japanese and South Korean clients was found to have a SQL Injection vulnerability, that allowed the disclosure of sensitive client data and product registration details. It isn't the first time that the Romanian hacker Unu has found vulnerabilities with Symantec's online offerings, with a similar flaw found earlier this year. While Symantec played down the severity of that particular vulnerability, it seems that this time they have admitted that this flaw is severe.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #272 - Microsoft (Multiple), OS X (Multiple), Multiple News

2009-11-13T00:52:32Z

Sûnnet Beskerming Alert List Advisory #271

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and
answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory -
same day coverage of security discoveries and full details on all
external tracking data that we have discovered, to help keep you
informed and form a well-rounded opinion and assessment of the risk to
you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Geocities Finally Deleted From Internet
2.2 Media Caught Out By Fake Press Release
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office

-- Technical Description --
MS09-063 - Windows. Remote code execution. Critical
MS09-064 - Windows. Remote code execution. Critical
MS09-065 - Windows. Random code execution. Replaces MS09-025. Critical
MS09-066 - Windows. Denial of service. Replaces MS09-021, MS09-035.
Important
MS09-067 - Excel. Random code execution. Replaces MS09-021. Important
MS09-068 - Word. Random code execution. Replaces MS09-027. Important

-- Description --
Following the thirteen patches released in October, Microsoft have
released six patches for their November security patch release. Three
have been identified as Critical, and three as Important. Four of the
patches, including all of the Critical patches, are for Windows or
Windows Server components, with the remaining Important patches for
Office products (Excel and Word). From Microsoft's analysis of the
risks, it appears that the vulnerabilities (one in particular) fixed
by MS09-065 are the greatest overall threat addressed with this
month's release.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-063.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-065.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-066.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-068.mspx

-- External Tracking Data --
Upgrade to get tracking details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.6.2
OS X 10.5.8

-- Technical Description --
AFP Client - Accessing a malicious AFP server may lead to an
unexpected system termination or arbitrary code execution with system
privileges
Adaptive Firewall - A brute force or dictionary attack to guess an
SSH login password may not be detected by Adaptive Firewall
Apache - Multiple vulnerabilities in Apache 2.2.11
Apache Portable Runtime - Applications using Apache Portable Runtime
(apr) may be exploited for code execution
ATS - Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Certificate Assistant - A user may be misled into accepting a
certificate for a different domain
CoreGraphics - Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
CoreMedia - Viewing a maliciously crafted H.264 movie may lead to an
unexpected application termination or arbitrary code execution
CUPS - Acessing a maliciously crafted website or URL may lead to a
cross-site scripting or HTTP response splitting attack
Dictionary - A user on the local network may be able to cause
arbitrary code execution
DirectoryService - A remote attacker may cause an unexpected
application termination or arbitrary code execution
Disk Images - Downloading a maliciously crafted disk image may lead
to an unexpected application termination or arbitrary code execution
Dovecot - A local user may cause an unexpected application
termination or arbitrary code execution with system privilege
Event Monitor - A remote attacker may cause log injection
fetchmail - fetchmail is updated to 6.3.11
file - Running the file command on a maliciously crafted Common
Document Format (CDF) file may lead to an unexpected application
termination or arbitrary code execution
FTP Server - An attacker with access to FTP and the ability to create
directories on a system may be able to cause unexpected application
termination or arbitrary code execution
Help Viewer - Using Help Viewer on an untrusted network may result in
arbitrary code execution
ImageIO - Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
International Components for Unicode - Applications that use the
UCCompareTextDefault API may be vulnerable to an unexpected
application termination or arbitrary code execution
IOKit - A non-privileged user may be able to modify the keyboard
firmware
IPSec - Multiple vulnerabilities in the racoon daemon may lead to a
denial of service
Kernel - A local user may cause information disclosure, an unexpected
system shutdown, or arbitrary code execution
Launch Services - Attempting to open unsafe downloaded content may
not lead to a warning
libsecurity - Support for X.509 certificates with MD2 hashes may
expose users to spoofing and information disclosure as attacks improve
libxml - Parsing maliciously crafted XML content may lead to an
unexpected application termination
Login Window - A user may log in to any account without supplying a
password
OpenLDAP - Multiple vulnerabilities in OpenLDAP
OpenSSH - Data in an OpenSSH session may be disclosed
PHP - Multiple vulnerabilities in PHP 5.2.10
QuickDraw Manager - Opening a maliciously crafted PICT image may lead
to an unexpected application termination or arbitrary code execution
QuickLook - Downloading a maliciously crafted Microsoft Office file
may lead to an unexpected application termination or arbitrary code
execution
QuickTime - Multiple vulnerabilities may lead to an unexpected
application termination or arbitrary code execution
FreeRADIUS - A remote attacker may terminate the operation of the
RADIUS service
Screen Sharing - Accessing a malicious VNC server may lead to an
unexpected application termination or arbitrary code execution
Spotlight - A local user may manipulate files with the privileges of
another user
Subversion - Accessing a Subversion repository may lead to an
unexpected application termination or arbitrary code execution

-- Description --
Apple have released a major security Update, Security Update
2009-006 / OS X 10.6.2, which addresses a large range of issues
affecting numerous components of OS X. For Snow Leopard users, the
update is also the second update for their operating system taking
their systems to 10.6.2.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Upgrade to get tracking details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Geocities Finally Deleted From Internet

After fifteen years of service, the venerable Geocities has finally
closed. Geocities' closure had been announced six months ago, so last
week's closure was the culmination of that process.

In the fifteen years since it first appeared, the Internet has
progressed rapidly to bigger and better things, but there is still a
special place for many people for the site that allowed them, a
regular user, to be able to have a definable place on the Internet
that was theirs. Blogs, MySpace pages, Facebook, LinkedIn, and a host
of other social networking sites have effectively replaced Geocities
and similar sites (Angelfire, Tripod, others) for allowing people to
create their own definable space on the Internet. ISPs still provide
personal webspace, much as they did around the time that Geocities
became popular, but it never really entered the popular imagination in
the way that Geocities did.

While many of the pages that Geocities ended up with were an assault
on the eyes, it did lead many to learn at least rudimentary HTML,
JavaScript and CSS skills in order to make what they had created more
appealing and more user friendly.

As the Geocities data has now been deleted from Yahoo's servers, all
that remains of Geocities is what various archiving sites were able to
extract prior to the closure.

Who knows what the next major community site to close completely will
be. Many once popular and heavily-trafficed sites have faded to a mere
shadow of what they once were, but it may be some time before another
significant chunk of Internet history is deleted as Geocities has been.

2.2 Media Caught Out By Fake Press Release

News organisations seem to like complaining about the apparent lack of
respect that the wider community is paying them, mainly about people
wanting to keep reading their news for free. When challenged about
their slipping standards of reporting and failure to provide actual
news, many of these news organisations point back to falling revenues,
wringing their hands about how hard it is to be them in an electronic
world where information is available almost instantly to anyone,
anywhere in the world.

They really haven't helped their case with a recent egregious failure
to fact check, or even sanity check a fake press release and fake
media conference that signalled a massive change in direction for a
significant organisation representing US business interests.

The US Chamber of Commerce is a body that claims to represent more
than 300,000 US businesses, of all sizes and types, and provides a
common voice for these businesses in environments where they normally
wouldn't be heard. A number of public defections by large companies
like Apple and Nike over the management and Climate Change stance of
the Chamber set the environment for The Yes Men to fake a press
release and media conference where the Chamber of Commerce would be
announcing an about turn on its Climate Change stance.

It didn't take much more for the media to bite. Not everyone was
completely sucked in, but Reuters did take the bait, and as a result,
so did a number of major media sites and newspapers, including the
Washington Post and The New York Times. Retractions may have soon
followed, but the fact was that they had already reported the fake
press release and media conference as real news.

When media conglomerate owners and boards are publicly calling for
consumers to pay to access their content online, being publicly caught
out blindly reporting on a hoax isn't going to help the argument that
they are still relevant and an important source of accurate news. It
isn't the first time that major media organisations have been caught
out taking hoaxed material on blind faith as being accurate, but as
alternative media sources proliferate, it is becoming harder for them
to avoid scrutiny when this happens.

The rush to avoid being seen as the purveyor of yesterday's news
shouldn't mean that common sense and accuracy are disregarded in order
to do so.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #271 - Microsoft (Multiple), Multiple News

2009-10-15T02:50:47Z

Sûnnet Beskerming Alert List Advisory #271

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and
answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory -
same day coverage of security discoveries and full details on all
external tracking data that we have discovered, to help keep you
informed and form a well-rounded opinion and assessment of the risk to
you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Strange Bug Plagues Apple OS
2.2 FTC Moves to Ensure Compensated Reviews Are Clearly Identified
2.3 Charging for Online Content Won't Make it Any More Accurate
2.4 Major Phishing Attack Reports Surface in October
2.5 Anonymous Targets Australian Government Over Censorship Plan
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office
Internet Explorer
IIS
.NET

-- Technical Description --
MS09-050 - Windows. Remote code execution. Critical
MS09-051 - Windows. Remote code execution. Critical
MS09-052 - Windows Media Player. Remote code execution. Replaces
MS08-076. Critical
MS09-053 - FTP Service. Remote code execution. Important
MS09-054 - Internet Explorer. Remote code execution. Replaces
MS09-034. Critical
MS09-055 - ActiveX Killbits. Remote code execution. Replaces
MS09-032. Critical
MS09-056 - Windows. Spoofing. Replaces MS04-007. Important
MS09-057 - Indexing Service. Remote code execution. Replaces
MS06-053. Important
MS09-058 - Windows. Privilege Escalation. Replaces MS07-022 and
MS08-064. Important
MS09-059 - LSASS. Denial of service. Important
MS09-060 - Active Template Library. Remote code Execution. Replaces
MS08-015. Critical
MS09-061 - .NET CLR. Remote code execution. Replaces MS07-040. Critical
MS09-062 - GDI+. Remote code execution. Replaces MS08-052. Critical

-- Description --
A massive thirteen patches have been released by Microsoft with the
October Security Bulletin release, with eight Critical updates and
five Important patches being released. Patches have been issued for
previously disclosed and attacked vulnerabilities including an SMB
vulnerability and an IIS FTP vulnerability. Amongst the patches are a
cumulative Internet Explorer update, Killbit updates, and another GDI+
patch.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-056.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-057.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-059.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx

-- External Tracking Data --
Upgrade to get tracking details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Strange Bug Plagues Apple OS

News is spreading rapidly about a serious flaw affecting Apple's
latest Operating System, Snow Leopard (OS X 10.6), first being made
public in early September on Apple's Discussion boards. The timing for
this widespread coverage is unfortunate, given the massive patch
release from Microsoft with their October Security Bulletins this week.

The difficult-to-reproduce bug apparently can only be triggered on
systems that have been upgraded from Leopard (OS X 10.5) and which had
the Guest account active prior to the upgrade being carried out. It
appears that the bug, though it is very much real, is difficult to
reproduce reliably. What is common to affected users is a user having
logged into the Guest account, logging out, and then returning to
another account, at which point it is discovered that the home
directory of the non-Guest account has been wiped clean, as the Guest
account is meant to be.

It has been suggested that the error may be tied to how the system
cleans up following use of the Guest account, which is designed to
wipe itself clean following each use. The suggestion is that this
wiping process is not triggered properly and so activates next time
the user logs into a non-Guest account and it results in the wiping
taking place not only in the Guest account but also others.

Initial reporting suggested that for the bug to be triggered the user
would have been forced to reboot due to a system freeze in the Guest
account, though reports from other affected users provided examples
where merely attempting to log into the Guest account was sufficient
to wipe the home directories.

From the different reports on the bug it seems likely that there is
an issue with the logout / account wipe actions that are scheduled to
take place following the Guest account logout. It may be something
such as a race condition, where the command to clean the Guest home
directory is racing against a command with higher privileges and
occasionally gets to slip in under the higher privilege set and
executes against more than just the Guest account. This would explain
why it has been difficult to reproduce reliably. It may be a buffer
overflow, where the command to erase is overflowing into the memory
space of a higher privileged application. If memory randomisation
(ASLR or the like) is being used by the buggy processes, it could also
explain why reproduction of the flaw is so difficult - being able to
reliably overwrite the higher privileged memory space is much harder
than without randomisation.

So far the bug has slipped through the initial OS release as well as
the first update (10.6.1). Apple have acknowledged the presence of the
bug and are working on addressing it, though with rumours of 10.6.2
being available soon, it isn't certain whether a fix will make it into
this update.

Backing up regularly is very beneficial, however backing up to an
Apple Time Capsule might be as risky as using the Guest account on
Snow Leopard. Time Capsules have had troubles recently with possible
overheating situations leading to hard drive and power supply failures
that are resulting in sudden death of the devices. Concerned users
should ensure they back up regularly and avoid use of the Guest
account where possible.

2.2 FTC Moves to Ensure Compensated Reviews Are Clearly Identified

A recent decision by the FTC is going to require online content
providers to explicitly disclose any payment or goods or services that
they have received in return for providing a review on a product, and
ensure advertisers can not present dramatic results and then claim
that results aren't typical.

The new rules aren't going to be enforceable until the start of
December, but it's really only going to be relevant for sites where it
isn't already plainly obvious that a commercial or in-kind
relationship exists. Those sites already risk their reputation by
trying to sneak a review-with-benefits in amongst their regular
content. Sometimes it works, but when it fails, the loss of
credibility and trust amongst their readership can be critical.

This type of guerilla marketing tries to catch the potential market
off-guard in an environment where they aren't expecting to be marketed
to and while it can be effective, if it is exposed it tends to lead to
dissatisfaction and disgust by the consumer and can see boycotts of
the marketed products and the content provider who delivered the
marketing. It can fall foul of existing deceptive marketing laws, so
the steps being taken by the FTC are about making it clearer how the
rules apply to the online environment.

We don't receive sponsorship or payment for articles that discuss
specific technologies or products and choose not to run advertising
alongside our articles in order to maintain a clear separation of
interest. Our goal is to provide you, the reader, with the best
service and content possible without risking muddying our message with
potential conflicts of interest.

2.3 Charging for Online Content Won't Make it Any More Accurate

Attempts to get consumers of news to pay for what they are reading
continue to stumble ahead. We have already covered previous
announcements from News Corporation that they will be making their
online content fee based, and the challenges and struggles that they
and other content providers face in getting their consumers to pay for
what they provide.

News Corporation is continuing to move forward with their efforts to
lock away their content, with both News Corporation and Associated
Press making announcements at a recent Beijing conference that they
are getting fed up with the "content kleptomaniacs" who are "co-
opting" the content that they provide.

The irony of delivering such a message in a Chinese forum appears to
have been lost on those delivering the message, but it is getting to
the point that, unless they hurry up and get on with locking away
their content so that the market can determine for itself whether
these content providers actually provide enough benefit to make it a
viable business model, they are going to risk making themselves even
more irrelevant to the wider public.

Other content providers seem to be expanding the reach of their fee-
based services, with claims that The Economist will be moving more of
their historical content behind their fee-based services, and
shortening the period that content is available free of charge. While
there is no obvious statement at The Economist regarding this
impending move (to happen tomorrow), the soon-to-be fee-based content
is still available freely.

The move to fee-based services might see an overall reduction in the
variety and number of available services, even including those that
have moved to a fee-based offering. That doesn't help continued claims
of poor fact-checking, outright false claims and inability to
determine trustworthiness of sources, especially previously unseen
single-source reporting. Recently ZDNet were caught out when they
claimed that Yahoo had turned over usernames to Iran following recent
protests, a stance they have since redacted. Reputation might take a
long time to build up, but it doesn't take very long to destroy,
especially in an environment where the rush to be first is more
important than being right.

There are some organisations that are dedicated to being both when it
comes to reporting and which will continue to provide news freely to
readers.

2.4 Major Phishing Attack Reports Surface in October

Several years ago the average computer user would not have been
expected to know that phishing, identity theft, or any number of
Information Security issues existed, nor how important they actually
were to staying safe online and in everyday life. With the almost
constant public reporting in the intervening years, it is rare that
you would come across someone who hasn't heard of identity theft or
phishing, or at least knows someone who has been affected by it
personally (though it might be described as "a hacker did something").

Even with this increase in awareness and reporting, it is evident that
people keep getting caught out, with multiple reports of phishing
attacks surfacing since the start of October. Everything from vast
numbers of Hotmail accounts compromised, to the potential that many
other providers may have been affected, and to reports that the FBI
Director was almost a victim of a phishing attempt.

There still aren't many clues as to just how significant these
phishing collections actually are, given that the data intercepted
recently was only for the first couple of letters of the alphabet
(Hotmail sample) and unknown distribution for the other cases, but it
does suggest a massive number of potentially vulnerable accounts.

It is a remote possibility that these data sets have been leaked from
within the mail providers, or it could just be a collation of
historically leaked / scraped email accounts over many years. Given
that at least some of the accounts are still active and operating
under the same password (as checked by other agencies) it doesn't give
much weight to that particular theory.

Analysis of the account details has shown that a standard dictionary
attack against at least online mail services is still going to net a
high number of compromised accounts. 60% of the exposed accounts were
protected with nothing more than a string of numbers, or a string of
purely lowercase alphabetic characters. Almost 70% of passwords were
between 6 and 9 characters long (almost 90% between 6 and 12
characters) which also reduces the number of likely combinations
required to try and gain access to an account. Surprisingly, of the
sample studied, 90% of passwords were unique, with the most popular
password (123456) only being used 64 times (around 1%). Other trends
within the password distributions suggest that the accounts are the
result of phishing attacks against spanish-speaking users.

While there is bad news for the users who had their accounts exposed,
there is some good news regarding policing those who carry out these
attacks. A two-year operation of the Egyptian and US authorities has
seen 100 people arrested over a series of phishing scams that targeted
US financial institutions and netted $1.5 million USD for the
scammers. The net return per scammer may not seem like much,
especially weighed against the resources that the authorities likely
applied to the investigation and capturing them, but it sends a
message that the authorities are willing to take real action against
something people who scam others online.

2.5 Anonymous Targets Australian Government Over Censorship Plan

An entry on the ISC blog suggests that Australian government websites
will be targeted later on today (September 9) in a targeted attack by
"Anonymous", a loose group of other-wise unconnected individuals
acting towards a common goal, commonly associated with having
originated from the 4chan messageboard.

The website set up as a call to action 09-09-2009.org doesn't
explicitly mention the steps that will be taken as part of their plan
to get their demands met, namely the resignation of current Federal
Communications Minister, Stephen Conroy, and the abolition of the
blacklist that forms the basis for the Federal Government's censorship
plan.

Despite the lack of explicit activity mentioned, if past actions
linked to "Anonymous" groups are any indication, then it is highly
likely that a distributed Denial of Service (dDoS) will be carried out
against government sites. The statement that the group also seeks to
leak and distribute the backlist as well as make freely available
methods to bypass the censorship, raises the possibility that rather
than carrying out a straight denial of service, the attacks may lead
to the takeover of certain specific sites where information about
avoiding the blacklist and planned censorship will then be published.

While there is a general sense of disgust at the planned government
censorship plan, it also seems that the plans for Internet filtering
aren't going to be anything more than that, just plans. The wider
Australian public may not know about the plans in depth, nor really
care about the means to bypass the filtering. Those that do, probably
already know how to achieve it and this action under the "Anonymous"
banner quite likely may not lead to any significant change, either in
government stance, or in wider awareness of the information that
"Anonymous" is distributing. Australian's are famous for their laid-
back attitudes, and this is probably going to be a situation where the
laid-back attitudes will see a smaller than expected result, if any at
all from the currently-unknown actions that "Anonymous" will carry out.

If they are successful, then it would be a remarkable first for many
reasons. Forcing a sitting Minister to resign through nothing more
than Internet bluster would be astounding, as would be an "Anonymous"
challenge being successful beyond a short term or a very localised area.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #270 - Microsoft (Multiple), Multiple News

2009-09-09T03:10:53Z

Sûnnet Beskerming Alert List Advisory #270

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,please contactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Just Three People Accused Over Heartland Breach, and Others
2.2 Established Media Taking Different Approaches to Online Content
2.3 Anonymous Targets Australian Government Over Censorship Plan
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows

-- Technical Description --
MS09-045 - JScript Scripting Engine. Remote code execution. Replaces
MS06-023. Critical
MS09-046 - DHTML Editing ActiveX. Remote code execution. Critical
MS09-047 - Windows Media Format. Remote code execution. Replaces
MS08-076. Critical
MS09-048 - TCP/IP. Remote code execution. Critical
MS09-049 - Wireless LAN. Remote code execution. Critical

-- Description --
Microsoft have released five patches as part of the September
Security patch release, all of which are rated as Critical and deal
with core Windows components and can lead to arbitrary code execution
on vulnerable systems. There were no known exploits against the
vulnerabilities and the vulnerability data was not known about ahead
of patch release.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-045.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-046.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-047.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-049.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-1920 (MS09-045)
CVE-ID: CVE-2009-2519 (MS09-046)
CVE-ID: CVE-2009-2499 (MS09-047)
CVE-ID: CVE-2009-2498 (MS09-047)
CVE-ID: CVE-2009-4609 (MS09-048)
CVE-ID: CVE-2009-1925 (MS09-048)
CVE-ID: CVE-2009-1926 (MS09-048)
CVE-ID: CVE-2008-1132 (MS09-049)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Just Three People Accused Over Heartland Breach, and Others

It can be amazing sometimes how inter-related many Information
Security events can be, especially when they are important enough to
make the news individually. Major credit card data thefts in the last
couple of years from Heartland, 7-Eleven, TJ Maxx, and others all made
news in their own right, but now one individual is being charged in
relation to all of the cases, with up to 130 million different card
details having been compromised across all of the various companies
and businesses that the accused broke into.

Using SQL-injections in at least some of the cases, the accused and
two unnamed co-accused were able to extract the information and make
plans to sell the data for other fraudulent use. The use of a well-
known and understood technique, not to mention one that can be
defended against, speaks volumes about the inherent state of data
security within the organisations that were breached. Those
responsible for managing data in other businesses should look at these
cases as a warning about what can happen when things go wrong, and
take steps to mitigate that risk.

Companies that are moving to using external services for managing and
storing their payment and privacy related data need to be certain of
the level of services being provided and not merely assume that it
will be fine. In some cases, moving data to external services can make
it difficult or impossible to maintain at the same standard of
protection that it would have been at if kept internally.

Facing up to 20 years jail time for fraud and another five years for
conspiracy, it would make for a serious punishment, which not many
would argue is over the top. A concern is that the accused was at one
stage an informant for the US Secret Service, providing technical
expertise for tracking other hackers and was previously involved with
the carder group Shadowcrew. It wouldn't be the first time that
authorities have misjudged the capabilities and motivation of the
people they are working with and ultimately up against.

Court dates for the suite of charges won't be until 2010, and by then
we all may get to find out the identities of the still-unnamed major
retailers that were also attacked and compromised as part of the spate
of attacks. Whoever they are, they are seemingly in violation of
breach reporting rules and it, too, will be worth watching to see the
reasoning given for not notifying customers in a reasonable or even
regulated timeframe. There isn't anything that can be gained from this
information being kept secret, so it needs to be something incredible
for this information to have been suppressed for so long.

It is going to be some time until a major sequence of attacks such as
these can be tied back to an individual or a small group of attackers
but there are massive botnets where the authors remain unknown that
would likely challenge for scope of overall breach, but not for media
notoriety prior to arrest.

2.2 Established Media Taking Different Approaches to Online Content

Traditional media groups continue to struggle with falling advertising
rates, declining circulation figures and what many might see as a
reduced relevancy in the face of news-coverage-as-it-happens on the
Internet.

Australia's Fairfax Media group has reported a loss of $300 million
AUD for the most recent financial year, and although advertising
income has stabilised, there is no recovery yet. When compared to
profit for the previous year's results, it can be surprising that,
with only 10% less revenue, there is such a great loss (EBITDA shows
the significance of this 10%). A lot of it can be put down to a
reduction in the ethereal value associated to goodwill and the
"carrying value of its mastheads".

It could be seen as a chance to write off some overvaluation or
unprofitable business operations in a challenging economic
environment, perhaps planning for further decline in advertising and
reach. Rather than making waves about how much harder it is competing
against other news sources online, it appears that the Fairfax Group
is making an effort to be positioned to make the most of what is
possible online. With its online division showing the smallest decline
(0.8%), it shows that established media groups will have a place
online and still have a role for distributing and publishing news.

Another take on the difficulties facing media is provided by James
Murdoch, while delivering the McTaggart lecture, who attacked publicly
funded news sources such as the BBC for making it harder for private
news organisations to ask people to pay for their news. With News
Corporation coming off a $3.4 billion USD loss for the most recent
financial year, the decision by the company to charge across its suite
of online services has already been covered here before.

The claims being made by James Murdoch may carry some value, but
having those sources available also represents a diversification of
news coverage and bias, something that is more difficult to achieve if
news becomes completely corporatised, and which continues to inform
people, irrespective of their economic circumstances.

This attack against the BBC could soon be echoed against state and
publicly funded broadcasters globally, all of which present their own
biases when delivering news content.

In an environment where there is only commercial news sources, or even
one where there is only publicly funded sources, dissenting viewpoints
can be lost and it is important that as many sources as possible are
kept around to provide the broadest coverage, and ultimately a
neutrally-weighted average point of view on news.

2.3 Anonymous Targets Australian Government Over Censorship Plan

An entry on the ISC blog suggests that Australian government websites
will be targeted later on today (September 9) in a targeted attack by
"Anonymous", a loose group of other-wise unconnected individuals
acting towards a common goal, commonly associated with having
originated from the 4chan messageboard.

The website set up as a call to action 09-09-2009.org doesn't
explicitly mention the steps that will be taken as part of their plan
to get their demands met, namely the resignation of current Federal
Communications Minister, Stephen Conroy, and the abolition of the
blacklist that forms the basis for the Federal Government's censorship
plan.

Despite the lack of explicit activity mentioned, if past actions
linked to "Anonymous" groups are any indication, then it is highly
likely that a distributed Denial of Service (dDoS) will be carried out
against government sites. The statement that the group also seeks to
leak and distribute the backlist as well as make freely available
methods to bypass the censorship, raises the possibility that rather
than carrying out a straight denial of service, the attacks may lead
to the takeover of certain specific sites where information about
avoiding the blacklist and planned censorship will then be published.

While there is a general sense of disgust at the planned government
censorship plan, it also seems that the plans for Internet filtering
aren't going to be anything more than that, just plans. The wider
Australian public may not know about the plans in depth, nor really
care about the means to bypass the filtering. Those that do, probably
already know how to achieve it and this action under the "Anonymous"
banner quite likely may not lead to any significant change, either in
government stance, or in wider awareness of the information that
"Anonymous" is distributing. Australian's are famous for their laid-
back attitudes, and this is probably going to be a situation where the
laid-back attitudes will see a smaller than expected result, if any at
all from the currently-unknown actions that "Anonymous" will carry out.

If they are successful, then it would be a remarkable first for many
reasons. Forcing a sitting Minister to resign through nothing more
than Internet bluster would be astounding, as would be an "Anonymous"
challenge being successful beyond a short term or a very localised area.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #269 - Microsoft (Multiple), OS X (Multiple), Safari (Multiple), Multiple News

2009-08-13T03:24:20Z

Sûnnet Beskerming Alert List Advisory #269

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7 days
1.3 Safari (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Hiding Content in PDF files
2.2 Microsoft's Out-of-Cycle Patches Could be Tip of Iceberg
2.3 How Will the New York Times Get Readers to Pay?
2.4 News Corporation to Charge for Online Content
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Publisher, ISA Server, ActiveX, Virtual PC / Virtual Server

-- Technical Description --
MS09-036 - ASP.NET. Denial of Service. Important
MS09-037 - ATL. Arbitrary code execution. Replaces MS08-048,
MS07-047. Critical
MS09-038 - WMF. Arbitrary code execution. Critical
MS09-039 - WINS. Arbitrary code execution. Replaces MS09-008 Critical
MS09-040 - MSMQ. Arbitrary code execution. Important
MS09-041 - Workstation Service. Denial of Service / Privilege
Escalation. Important
MS09-042 - Telnet. Arbitrary code execution. Important
MS09-043 - Office Web Components. Arbitrary code execution. Replaces
MS08-017. Critical
MS09-044 - Remote Desktop. Arbitrary code execution. Critical

-- Description --
Microsoft released nine patches with the August Security patch
release, as well as two out-of-cycle patches after July's release (not
covered here). Five Critical patches, and four Important patches were
released, addressing remote code execution, denial of service, and
elevation of privilege vulnerabilities across Windows, Office, Visual
Studio, .NET, and ISA Server. One of the patches, MS09-044 is also
available for OS X clients that use the Remote Desktop Connection
Client for Mac. Several of the patched vulnerabilities, including
those patched with the out-of-cycle patches, have public vulnerability
data readily available or are under active exploitation. MS09-029 and
MS09-035 have also been re-released this month.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-036.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-038.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-040.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-041.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-044.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-1536 (MS09-036)
CVE-ID: CVE-2008-0015 (MS09-037)
CVE-ID: CVE-2008-0020 (MS09-037)
CVE-ID: CVE-2009-0901 (MS09-037)
CVE-ID: CVE-2009-2493 (MS09-037)
CVE-ID: CVE-2009-2494 (MS09-037)
CVE-ID: CVE-2009-1545 (MS09-038)
CVE-ID: CVE-2008-1546 (MS09-038)
CVE-ID: CVE-2009-1923 (MS09-039)
CVE-ID: CVE-2009-1924 (MS09-039)
CVE-ID: CVE-2008-1922 (MS09-040)
CVE-ID: CVE-2009-1544 (MS09-041)
CVE-ID: CVE-2009-1930 (MS09-042)
CVE-ID: CVE-2009-0562 (MS09-043)
CVE-ID: CVE-2009-1136 (MS09-043)
CVE-ID: CVE-2009-1534 (MS09-043)
CVE-ID: CVE-2009-2496 (MS09-043)
CVE-ID: CVE-2009-1133 (MS09-044)
CVE-ID: CVE-2009-1929 (MS09-044)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.11
OS X 10.5.x

-- Technical Description --
BIND - Denial of service due to poor handling of dynamic DNS update
messages. This is not enabled by default on OS X but is included with
the default system
bzip2 - Denial of service due to memory flaw in bzip2
CFNetwork - Impersonation possible due to poor control of displayed
messages
ColorSync - Arbitrary code execution due to interpreting malicious
ColorSync profile
CoreTypes - Improved notification to users that a content type may
not be safe
Dock - Multitouch gestures on a locked system could allow control of
applications and Expose
Image RAW - Arbitrary code execution when handling malicious Canon
RAW images
ImageIO - Arbitrary code execution when handling malicious EXIF data
and OpenEXR and PNG images
Kernel - Privilege elevation through fcntl vulnerability
launchd - Denial of service due to connection exhaustion with some
inetd-based services
Login Window - Arbitrary code execution due to poor handling of
specific text strings
MobileMe - User Impersonation due to poor handling of user credentials
Networking - Arbitrary code execution due to poor handling of
AppleTalk network traffic
Networking - Denial of Service due to poor handling of simultaneous
file descriptor handling
XQuery - Arbitrary code execution due to poor handling of XML content

-- Description --
Apple have released Security Updates 2009-003 and 2009-004 for the
10.5 and 10.4.11 OS X versions. Incorporated in the 2009-003 Security
Update is the latest point release, bringing OS X 10.5 to 10.5.8. A
number of

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://support.apple.com/kb/HT1222
APPLE-SA-2009-08-05-1 Security Update 2009-003 / Mac OS X v10.5.8
APPLE-SA-2009-08-12-1 Security Update 2009-004

-- Updates Available --
Apple Software Update application via the Apple Menu
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2009-0696 (BIND)
CVE-ID: CVE-2008-1372 (bzip2)
CVE-ID: CVE-2009-1723 (CFNetwork)
CVE-ID: CVE-2009-1726 (ColorSync)
CVE-ID: CVE-2009-1727 (CoreTypes)
CVE-ID: CVE-2009-0151 (Dock)
CVE-ID: CVE-2009-1728 (Image RAW)
CVE-ID: CVE-2009-1722 (ImageIO)
CVE-ID: CVE-2009-1721 (ImageIO)
CVE-ID: CVE-2009-1720 (ImageIO)
CVE-ID: CVE-2009-2188 (ImageIO)
CVE-ID: CVE-2009-0040 (ImageIO)
CVE-ID: CVE-2009-1235 (Kernel)
CVE-ID: CVE-2009-2190 (launchd)
CVE-ID: CVE-2009-2191 (Login Window)
CVE-ID: CVE-2009-2192 (MobileMe)
CVE-ID: CVE-2009-2193 (Networking)
CVE-ID: CVE-2009-2194 (Networking)
CVE-ID: CVE-2008-0674 (XQuery)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.3 Safari (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Safari 4.0.2 and earlier

-- Technical Description --
CoreGraphics - Arbitrary code execution from visiting a webpage.
Windows only
ImageIO - Arbitrary code execution when handling malicious EXIF
data. Windows only
Safari - Possible phishing situation. All platforms
WebKit - Multiple, including arbitrary code execution from visiting a
webpage. All platforms

-- Description --
Apple have released version 4.0.3 of their Safari browser, for both
OS X and Windows platforms, addressing a number of serious
vulnerabilities, the worst of which could lead to arbitrary code
execution on vulnerable systems. This arbitrary execution could be
through something as simple as visiting a website.

-- Recommended Action --
Updating to Safari 4.0.3 will protect against opportunistic
compromise of your Internet browser and is recommended due to the
impact of the vulnerabilities patched.

-- Source --
http://support.apple.com/kb/HT1222
APPLE-SA-2009-08-11-1 Safari 4.0.3

-- Updates Available --
Apple Software Update application via the Apple Menu
http://www.apple.com/safari/download/

-- External Tracking Data --
CVE-ID: CVE-2009-2468 (CoreGraphics)
CVE-ID: CVE-2009-2188 (ImgeIO)
CVE-ID: CVE-2009-2196 (Safari)
CVE-ID: CVE-2009-2195 (WebKit)
CVE-ID: CVE-2009-2200 (WebKit)
CVE-ID: CVE-2009-2199 (WebKit)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Hiding Content in PDF files

Didier Stevens' work with demystifying the inner workings of the PDF
file format has attracted attention over recent months and his most
recent discovery holds promise for adding PDF files to the list of
formats that can be used to hide surreptitious content from prying
eyes, with the added benefit that it is effectively hidden from the
PDF reader that is parsing the encompassing document.

To encourage further research and work into this particular aspect of
PDF wrangling, he has released a tool that can be used to create a
secretly embedded PDF while also providing a detailed step through of
the process involved.

It really boils down to the handling of case-sensitive names in the
file itself. Because the correct means to reference an embedded file
is via /EmbeddedFiles, the corruption to /Embeddedfiles means that a
specification-compliant PDF reader should just ignore that and
continue on with parsing the rest of the file.

Of course, if a non-standard PDF reader is used, then the hidden
content may not be so hidden anymore. Recovering the hidden content
can be as simple as changing a single hex value.

As Didier points out, there are plenty of methods available to make
the hidden content even harder to find and encounter.

As a speaker at the upcoming Brucon security conference in Brussels,
it is guaranteed that there is going to be plenty more interesting
material relating to PDF manipulation and discovery to be presented
there.

2.2 Microsoft's Out-of-Cycle Patches Could be Tip of Iceberg

Microsoft released two out-of-cycle security updates, MS09-034 and
MS09-035, earlier this week to address a set of vulnerabilities
affecting Internet Explorer and Visual Studio (MS09-034 and MS09-035
respectively).

Interestingly, the non-standard patch release isn't a result of
attacks already taking place, rather it is to enhance the protections
already provided by MS09-032, which did address the known attacks
against the ATL (Active Template Library) weaknesses patched across
all three patches.

So why release the patches if there is nothing going on to target the
particular vulnerabilities, why not wait until the next scheduled
monthly release? According to the Security Research & Defense blog,
the patch release is because "additional information regarding these
vulnerabilities has been growing over the past few weeks.". With Black
Hat and DefCon taking place before the next scheduled patch release,
it is probable that discussion of the vulnerabilities would take place
and new attacks emerge post-conferences.

While both the Visual Studio and Internet Explorer updates are
related, based on the ATL weaknesses, the Internet Explorer update
also incorporates other fixes, which it would not be prudent waiting
until the next scheduled update for. Why is it important to apply the
patches as soon as possible? One particular aspect of the addressed
vulnerabilities would allow an attacker to bypass the killbit check
and effectively run disabled ActiveX controls in Internet Explorer.
This would open the floodgates for many historical vulnerabilities and
attacks to become valid again. The Internet Explorer update is
designed to block the known attack routes and time will tell if
Microsoft has been successful in arresting all the methods available
to target the vulnerabilities.

The extended problem that is now faced is the unknown number of
ActiveX controls that have been compiled and built using the
vulnerable version of ATL (which the Visual Studio update replaces).
Microsoft have announced their willingness to incorporate killbits for
vulnerable controls in future security updates, so all developers need
to do is contact Microsoft.

With the vulnerable libraries being available for 12 years, the scope
of the potential problems facing end users is immense, hence the
urgency to apply the Internet Explorer patch as a matter of priority.

2.3 How Will the New York Times Get Readers to Pay?

At a time when traditional media markets are suffering for
advertising, there have been a number of ideas floated for how to
attract and maintain customers, from micro-transactions, where readers
pay a tiny fee per article that they read, to monthly access fees and
locking articles away from the casual reader.

There has been quite a lot of talk from different organisations about
what they are planning to do and what they might do, but when a major
media organisation steps forward and states that content that has
previously been advertising-supported only for revenue will soon be
going behind a so-called pay-wall, it suggests that this sort of
future is closer than many have feared.

Recent reporting links the New York Times media group to a decision to
be made in August about how exactly to take the previously openly
accessible content of the New York Times and associated outlets to a
user-pays basis online.

The Wall Street Journal is well known as probably the most successful
news outlet to serve their content to paying customers online, but it
is largely focussed on financial news, and could still be argued to be
a niche provider. If the New York Times goes ahead with the plan to
make users pay, it would be the first significant non-niche newspaper
group to do so.

With information freely available from a range of sources online, with
global newspapers and media sources only a few keystrokes away, does
the New York Times Group have what it takes to be able to keep on
attracting customers once it takes its content away from free public
view? The New York Times used to provide a similar service,
TimesSelect, however the premium service was closed two years ago,
only bringing around $10 million USD in revenue annually. That might
be fine for a smaller organisation, but it isn't enough to keep
something like the New York Times going.

It might not have much choice if it wants to keep alive and a powerful
media outlet, with more than half its market value wiped out in the
last 12 months alone. Trying to become a lean and efficient
organisation has also resulted in the reduction of staffing numbers to
almost a third of where they were five years ago. With other
organisations, such as the Associated Press also making moves to have
users pay for access to content it might just be a matter of waiting
long enough to have enough providers locking away their content before
it becomes cost effective. On the other hand, news bodies that
continue to release information without this encumbrance are likely to
see a surge in popularity and the companies locking away their content
could easily see a loss in readership, mindshare, and revenues.

Monetizing website viewers, especially on sites which deliver unique
and valuable content is a prickly question that every site owner and
operator has to deal with at some time. When the New York Times makes
its decision about how to increase monetization of readers it will be
worth watching to see how it affects not only news organisations but
also the nature of content production and publication on the Internet
in general.

2.4 News Corporation to Charge for Online Content

Following on from our recent article covering the dilemma facing the
New York Times and how it is struggling to find an appropriate means
to drive sufficient revenue from its online assets to make it cost
worthy to continue offering them and to be able to be profitable.

News Corporation has announced that it will soon be making all of its
online sites fee-based for access to news and other content. As with
the New York Times, News Corporation has been suffering from falling
revenues, with $3.4 billion USD lost in the twelve months ending June.
For a company that grew from being a newspaper owner into becoming a
major media conglomerate that also has exposure in Cable news,
Satellite television, as well as newspapers all over the globe.

While one of News Corporation's online assets already works
successfully through a fee-based portal, the Wall Street Journal is
still something of a niche newspaper compared to the broader appeal
other titles within the News Corporation stable.

How News Corporation assets are going to make their offerings
sufficiently differentiated and value-added over free or advertising-
supported news sources is not known, but it will have to be something
spectacular. Many of the assets held by News Corporation are generally
regarded as tabloid-quality, not only for their printing format, but
also for the standard of reporting and content provided. Is the market
willing to pay for this content large enough to be worthwhile? With
such a massive hole in earnings, it looks like News Corporation
doesn't have much choice.

News Corporation's move will open the door for other organisations to
follow, not least of which being the New York Times, but it all hinges
on the move being profitable for News Corporation. When state-
sponsored news agencies such as the BBC, and the Australian
Broadcasting Corporation, continue to exist and deliver original and
quality researched reporting for no cost to the end user (thanks to
licence payers or tax-payers), it is going to make it difficult to
claim that what is available commercially is better to the extent that
it is worth paying directly for it rather than viewing it through
advertising support.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #268 - Microsoft (Multiple), Multiple News

2009-07-17T09:09:33Z

Sûnnet Beskerming Alert List Advisory #268

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Dealing With People Who Avoid Restrictions
2.2 Learning Information Handling Lessons From Celebrity Tragedy
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Excel, Wordpad, Internet Explorer, ISA Server

-- Technical Description --
MS09-028 - DirectX. Arbitrary code execution. Replaces MS08-033 and
MS09-011. Critical
MS09-029 - Embedded OpenType. Arbitrary code execution. Replaces
MS06-002. Critical
MS09-030 - Publisher. Arbitrary code execution. Important
MS09-031 - ISA Server 2006. Privilege Escalation. Important
MS09-032 - ActiveX killbits. Arbitrary code execution. Critical
MS09-033 - Virtual PC / Virtual Server. Privilege escalation.
Important.

-- Description --
Six new patches were released with Microsoft’s July patch release.
Three have been rated Critical and the remaining three as Important.
The only vulnerabilities patched with this month’s release have been
arbitrary code execution or privilege escalation vulnerabilities. It
should be noted that two of the Critical patches (DirectX and ActiveX,
MS09-028 and MS09-032) have had attacks targeting at least some of the
patched vulnerabilities ahead of patch release.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-028.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-029.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-031.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-033.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-1537 (MS09-028)
CVE-ID: CVE-2009-1538 (MS09-028)
CVE-ID: CVE-2008-1539 (MS09-028)
CVE-ID: CVE-2009-0231 (MS09-029)
CVE-ID: CVE-2009-0232 (MS09-029)
CVE-ID: CVE-2009-0566 (MS09-030)
CVE-ID: CVE-2009-1135 (MS09-031)
CVE-ID: CVE-2008-0015 (MS09-032)
CVE-ID: CVE-2009-1542 (MS09-033)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Dealing With People Who Avoid Restrictions
Whenever restrictions are imposed on people, stopping them from
carrying out certain activities, or trying to restrict their access to
information, there will always be a portion of the population that
goes out of their way to avoid and defeat these mechanisms in order to
access what is being blocked.

Sometimes this is done out of necessity, and in these cases the
restrictive blocks really are a hindrance to carrying out their work
or other activities that they have a need to do so.

Other times it is being done out of ignorance of the new, accepted
procedures. People are happy with their old ways and will work a
little bit harder at placing themselves in a position where they can
still do what they used to.

The most risky cases are where it is done out of malicious intent,
done only to prove that they can defeat the system or out of fear that
the newer restrictions aren't as useful as they could be and the users
fear approaching the network administrators and state their case
effectively.

Corporate network administrators face problems like this on a daily
basis, encountering users who fall into each group who are running
head first into the restrictions on approved applications, approved
websites, blocked websites, and approved email usage. The wrong thing
to do is to tighten the restrictions further, as it will drive some of
the casual by-passers into the camp of the willful by-passers and will
do nothing to dissuade the already willful by-passers. The number of
casual by-passers and those who need to bypass the blocks who give up
as a result are going to be outnumbered by those who now intentionally
bypass restrictions.

Some workplaces choose to punish those working around the
restrictions, irrespective of the actual reason for doing so, and this
can lead to resentment and distrust between the frustrated users and
the network gatekeepers.

There are cases in other domains that mirror what goes on with network
restrictions. With the increased concern about the spread of H1N1
influenza, some countries are using body heat scanners at points of
entry to scan for passengers who might be running a fever as an early
indication of possible influenza infection. On the surface it sounds
like a reasonable step to take and can help rapidly sort incoming
individuals into categories where it might be worth taking a closer
look at their condition to confirm the presence or lack of H1N1
infection.

As this is a potential barrier to entry to a country, it is a
restriction that is causing people to seek a way around it. Vietnam
recently reported that some incoming passengers were using fever
reducers that resulted in them passing the body heat scan despite
actually being infected with H1N1.

Just like a disaffected user introducing non-approved network hardware
or potentially malicious storage devices or software into a corporate
system, an ill person avoiding the body temperature scanner is
introducing a potential health risk to the wider population (or a
security risk to the wider user-base).

How do you handle such cases?

Banning use of relief medication by an affected individual isn't going
to work, though this is the path that many network administrators take
when dealing with users who have bypassed network restrictions. It
just forces people to take steps that are more extreme than really
necessary.

You can't always rely upon people to tell you the truth when
questioned, especially when the truth might jeopardise the holiday
that they have already commenced and have almost reached. The fear of
losing out on such an investment of time and money due to something
that feels like a cold won't be well received, especially when they
are so close to their destination.

Sometimes, that is what has to be done, each case investigated
individually and appropriate remedial action taken. Most cases
investigated should amount to nothing (though with an excellent first
filter this will rise), allowing resources to be dedicated to the
cases which are actually significant.

Applying this approach to network security can help ease perceived
restrictions for the majority of users while still managing and
actioning those cases of significant breach of policy. By
demonstrating a well-run and well-managed set of restrictions, it will
make users more comfortable to exist within the boundaries set and
will make them more comfortable about approaching administrators for
the times when the restrictions need to be bypassed.

Not everyone is going to be able to have such a system, but every step
towards such a system is going to be of benefit to the end users and
administrators alike. Such systems, both network and body temperature
scanners, need to be monitored and continually improved upon to
demonstrate that they aren't just for show and are actually effective
(at least partially) at what they claim to be doing.

2.2 Learning Information Handling Lessons From Celebrity Tragedy
In the space of a week and a half the world has lost some major
celebrities, with Billy Mays, Farrah Fawcett, Ed McMahon, and Michael
Jackson all passing away. Although each passing is tragic, it is the
sudden death of Michael Jackson that has had the most effect on the
online world, though there are reports that the deaths of the others
have also led to online scam attempts.

Jackson's unexpected death demonstrates the power that "non-reputable
sources" can have in being able to break and follow important news
that is normally ignored until a more "reputable" source picks it up.
The Internet may make it possible for anyone to have a voice, but it
also means that carrying authority and reputation with that voice
still takes time and effort. Michael Jackson's passing was first
identified and reported on by TMZ, however the "reputable" news
agencies and sources were much slower to pick up the story and run
with it. One of the primary reasons why is that they had a much
stronger reputation and weight of authority to risk running with a
potentially inaccurate story, especially one that could be damaging if
it was inaccurate. When everyone on the Internet is able to go and
visit the originating source site, then the decision to delay the
coverage of his death can result in lower overall readership of their
particular coverage of the story.

Savvy online users and the skeptical will still try to get independent
validation of the breaking story, something that came with time even
though many of the early 'reputable' stories were derived almost
exclusively from TMZ material. This sudden rush of Internet users
seeking out independent validation in a very narrow timeframe led to
some interesting side effects for Google and major news sites.
Google's side effect was that the massive wave of traffic was
initially identified as an attack and so accurate information was
withheld for a short period while Google's defences were activated to
deal with the significant but legitimate traffic flow.

Twitter was another service which found itself struggling to cope with
the increased traffic that came as a result of Jackson's death.
Various elements and features of the service were temporarily disabled
to allow it to carry the messages being created by its users.
Reportedly this was in the vicinity of 66,000 messages per hour, but
that figure seems extremely low. If the service is going to struggle
on 1,100 messages per minute, then it needs to be re-engineered to be
able to carry more capacity if it is going to have wider appeal and
usefulness.

Sites that were reliant upon third party advertising hosting found
that serving the external ads was causing bottlenecks when serving up
news reports, so much so that it made the overall sites seem
unresponsive, despite the site itself still being responsive and fully
functional.

Not only were mainstream "reputable" media sites and sources scooped
by a non-traditional source and means, but there are questions about
the appropriateness of media organisations self-censoring material
that would normally be published.

When that material is suppressed because it pertains to a reporter
that they employ it leads to accusations of double standards from
external observers.

Not only was news of the reporter's kidnapping suppressed from
traditional media sources, but an active and successful campaign was
led to keep the information suppressed from Wikipedia, where the
reporter already had a page describing their life and employment.
Critics of Wikipedia have seized on this as a clear example of how
Wikipedia is not the neutral, freely-editable source of information it
claims to be. Political and commercial interests can trump the efforts
of contributors to improve and enhance the usefulness and accuracy of
the site.

Even though each of the situations described above took place
recently, it isn't quite yet the case where people can claim that "The
Emperor has no clothes", but it is beginning to look that way. How
each situation came about and was resolved should provide lessons to
the companies and organisations involved to help them provide better
results the next time something similar takes place or else they will
find themselves with no clothes.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Get More From This Month's Security Patch Coverage

2009-06-11T19:55:55Z

As a special offer this month, we're offering our Premium Patch
coverage for FREE for Microsoft's June Security Patch release. Always
well-priced, you could have our coverage from as little as $0.45 per
seat for corporate customers, but this month everyone gets it for free.

Arm yourself with a briefing pack that contains a high level slide
deck suitable for presenting to management and non-technical users
that briefly covers the high points of each patch this month, as well
as a more in-depth technical brief of each patch. Both documents are
provided in a single zipped archive, and are presented as PDFs, though
the high level brief is available in a number of formats upon request
(Keynote, PowerPoint, Flash, HTML, others).

Want to make the most of this special offer, just email us here at
Sûnnet Beskerming (info@...) with the subject - "I want my
free Briefing Pack"

Don't forget that you can always get more information at our site -
http://www.beskerming.com/services/176/Patch_Briefing

If you're having trouble picking out the package that's right for you,
get in touch with us and we'll tailor a solution that meets your needs.

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #267 - Microsoft (Multiple), Safari, Multiple News

2009-06-11T19:43:09Z

Sûnnet Beskerming Alert List Advisory #267

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and
answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory -
same day coverage of security discoveries and full details on all
external tracking data that we have discovered, to help keep you
informed and form a well-rounded opinion and assessment of the risk to
you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
1.2 Safari (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Dealing With Disasters - Not Being Afraid of a Sick Pig
2.2 Pace Moves to Suppress Reverse Engineering Discussion
2.3 Challenging Security Researchers and Coming off Second-Best
2.4 Claims of T-Mobile Hack Raise More Questions Than Answers
2.5 T-Mobile Responds to Hack Claims - Nothing to See, Please Move On
2.6 Critique of Apple's Security Stance Nothing New - But Still
Worthwhile
2.7 Microsoft Money Joins Encarta on the Scrapheap
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office
Internet Explorer
IIS
Word

-- Technical Description --
MS09-018 - Windows. Remote code execution and Denial of Service.
Replaces MS08-060 and MS08-035. Critical
MS09-019 - Internet Explorer cumulative Update. Multiple remote code
execution vulnerabilities. Replaces MS08-014. Critical
MS09-020 - IIS. Privilege Escalation. Important
MS09-021 - Office. Multiple random code execution. Replaces MS-009,
MS08-057, MS08-074. Critical
MS09-022 - Windows. Remote code execution and others. Replaces
MS07-021. Critical
MS09-023 - Windows Search. Information Disclosure. Moderate
MS09-024 - Works converters. Code execution. Replaces MS08-072.
Critical
MS09-025 - Windows Kernel. Multiple Privilege Escalation. Replaces
MS09-006. Important
MS09-026 - Windows. Remote code execution. Replaces MS07-058. Important
MS09-027 - Word. Multiple random code execution vulnerabilities.
Replaces MS08-072. Critical

-- Description --
Microsoft has released ten patches for June, along with the remaining
updates for MS09-017 (effectively making it eleven patches). The
patches include several critical updates for Windows, a cumulative
update for Internet Explorer, and a patch for a recently disclosed
IIS privilege escalation vulnerability. Six patches were rated as
Critical, three as Important, and the final patch as Moderate.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-021.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-022.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-023.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-024.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-025.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-027.mspx

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 Safari - Remote Hacker Automatic Control

-- Products Affected --
Safari 3.x
Safari 4.0 Beta

-- Technical Description --
CFNetwork - Multiple vulnerabilities leading to code execution or
information disclosure.
CoreGraphics - Multiple vulnerabilities leading to code execution.
ImageIO - PNG handling flaw leading to arbitrary cod execution and
denial of service.
International Components for Unicode - XSS due to poor filtering of
Unicode
libxml - Multiple vulnerabilities leading to code execution
Safari - Possible information disclosure due to poor handling of
privacy related material and possible code execution.
WebKit - Multiple vulnerabilities, leading to remote code execution
in the worst case.

-- Description --
Apple have released version 4 of their web browser, Safari,
addressing numerous serious vulnerabilities across both OS X and
Windows platforms. Due to the critical nature of the vulnerabilities
patched, it is considered extremely important that the update is
applied at the earliest possible opportunity.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Dealing With Disasters - Not Being Afraid of a Sick Pig

A holistic approach to Information Security takes into consideration
more than just electronic assets and elements. Social engineers, for
example, rely upon exploiting people to gain access to what they are
after. Another non-electronic element is Disaster Recovery and all of
the associated crisis management that comes with it.

Winter is less than a week away for countries in the Southern
Hemisphere, and along with the cold weather comes cold and flu season.
Every year companies are placed under strain as whole sections of
their workforce fall ill or are forced to take time off work to care
for family members who are ill. This can lead to real losses of
efficiency and productivity, but it is next to impossible to actually
predict who is more likely to become ill, and what areas of business
are going to suffer the most.

This year swine flu has seen more people than ever concerned about the
slightest sniffle and cough and, so far, it hasn't affected large
numbers worldwide to differentiate it significantly from normal
influenza. Widespread publicity and government action to help mitigate
the spread of affected individuals has many hoping that it is nothing
more than a scare, and will not be the next Spanish Influenza (which
was also a swine flu originating from the Americas). The low
percentages of people infected, compared to the overall population,
seems to support this argument. With the ability for an infectious
person to travel around the globe before symptoms present, the slow
spread of swine flu is further reinforcement for those hoping that it
is not going to be a significant problem.

That has been the case up to now. With the flu season getting into
full swing in the Southern Hemisphere, the doubling of swine flu cases
overnight in Australia might be enough to give people some pause. Even
though the total number of infected people is less than 150 (at the
time of writing), the scare amongst some people is that this could be
the first real sign of an exponential growth in the numbers of
infected people. Others are less concerned.

Whether the rate of growth is exponential or linear doesn't really
matter, a range of actions are going on in the community that are
going to force businesses to begin looking at maintaining operations
on reduced staffing levels. Various schools have been closed (and some
are now reopening), there are people and families all over the country
entering into a 'stay-at-home' isolation, and there is the chance that
passengers on a cruise ship in Australian waters will be all placed
into isolation.

If you or your workplace don't have a Disaster Recovery plan in place,
then now would be a good time to look at making one. The biggest
problem that this flu season presents, even if swine flu is no worse
than a normal flu, is in dragging away a significant percentage of
employees for a week to two weeks at a time, even if they are
completely healthy.

Can your business continue to operate with 10%, 20%, 30% of employees
away from work? Are there any localised points of vulnerability where
the loss of one or two key individuals will bring productivity to a
halt? Can your business survive on limited or no turnover if all
productivity is ceased? Can your healthy employees at home still carry
out work remotely? If so, how secure is the interconnect with the
workplace? Are you going to risk the security of your data and
business to continue operations because you can't otherwise afford the
productivity loss?

The answers to questions such as these should form the core of your
Disaster Recovery plan. Once the plan is established, you should
review it regularly to ensure the recovery actions and assessed risks
are still relevant. The start of flu season is as good a time as any
to do so.

A doubling of confirmed swine flu cases in 24 hours is significant,
even with small overall numbers of infected individuals. The world
will now be watching Australia to see what could be to come for the
major population centres in the Northern hemisphere when winter next
rolls around.

If it was possible to accurately predict and plan for events taking
place, then there would be no need for Disaster Recovery planning, but
by being prepared for disastrous events and having a plan to recover
from them it means that you and your business will survive with more
resilience once normal operations are resumed (and they will be
resumed more quickly). Get some benefit from the increased public
awareness of swine flu and take the opportunity to get your Disaster
Recovery plans sorted out before you actually need to implement them.

2.2 Pace Moves to Suppress Reverse Engineering Discussion

As a follow on to our post about McAfee pulling content before it
could be read by many, is a case where a company has taken steps to
unpublish third party information that has already been published.

The Reverse Engineering Mac OS X site was running a series of entries
on reverse engineering / decompiling Pace protected OS X binaries,
only now the entries have been pulled pending threat of litigation
from Pace.

All that had been published to that point had been exploratory posts
probing possible entry points to bypass the Pace binary obfuscation
and protection and recover the binaries to a point where they could be
explored more readily from a better understood point of view. Efforts
from Pace (specifically the InterLok application) to prevent the
attaching of debuggers only drew the reverse engineers in further -
taunting them with a disassembly they couldn't easily accomplish.

This time around, the RSS feed of the Reverse Engineering Mac OS X
site didn't provide the full posted content, so it seemed that the
content posted up to that point had been lost for good - it was
unlikely that it would have been replicated across other sites to any
significant extent.

Since the content had been online for a couple of weeks, webcrawlers
had been able to index the posts and their full content is still
residing in various search engine caches across the Internet.

As the site's operator, fG! points out "One thing is certain, you
can't acomplish security by obscurity ! You can't simply stop
knowledge because these days information flows at a bigger rate than
ever. Disclosure is the only way to improve products!", with the
following caution for those trying to reproduce the cached but missing
entries "About Pace? I'm in contact with their lawyer and I have been
asked to remove all information about this. If you have mirrored the
three Pace posts and code (I'm pretty sure I'm not the only one who
mirrors important info right away) please do not make it publicly
available. Pace will wave you with DMCA and it's not worth the
trouble. Keep it for yourself, please".

Is there enough interest in reverse engineering OS X to generate a
Streisand Effect, or will Pace be successful in seeing this
information banished from the wider Internet?

2.3 Challenging Security Researchers and Coming off Second-Best

Challenging the security community to do something that you are basing
a core part of your business on is always a risky move. It is
something that you really need to get right the first time, or else it
is going to be quite an embarrassing experience and is likely to cost
reputation if news of the defeat is widespread.

A new webmail provider, which has based a core component of their
service offering around offering "The most secure email accounts on
the planet" might have to reconsider both their claims and their
approach after a $10,000 USD challenge to break into a specified email
account was defeated through a series of web based

With a big push of PR highlighting this challenge, it isn't going to
go down well that the breach took place so quickly. Even if there were
restrictive rules in place as to how the attack might be carried out,
this isn't going to stop anyone who is attacking for real from using
whatever means are at their disposal to access their victim's accounts.

From the description of the attacks carried out, the weakness is in
how the user credentials and authentication is managed once the user
has logged into the system (based on the described requirement for the
attacker to launch it from a valid account), and relies upon the user
having scripting permitted for the attack to work (from an IDG
writeup, it seems that NoScript is enough to prevent the attack from
being functional). This and other Cross Site Scripting flaws allow for
credentials to be stolen, and for a victim's account to be taken over
completely.

One of the researchers involved with the successful compromise of the
targeted account has indicated that detailed information about the
attack methodology will be released early next week.

Depending on the nature of the attack, this could pose problems for
other service providers that rely upon physically separate channels
for two-factor authentication, particularly in the case where messages
sent to cell phones are used as the second authentication factor (as
it is with this email provider and a number of banks which use it as a
selling point of the security of their services).

2.4 Claims of T-Mobile Hack Raise More Questions Than Answers

Claims have been made by an unknown party that they have compromised
the US cellular network carrier T-Mobile and have managed to extract
all of the corporate data, including databases, confidential
documents, scripts and programs from company servers and full
financial data up to the present time.

Issuing the public announcement over a weekend means that it is going
to take some time for T-Mobile to investigate the claims and make a
formal statement, but already there are elements which suggest scam,
and some which suggest that the material is legitimate.

Leaning towards scam is the claimed ignorance by T-Mobile's
competitors when they were approached with the data the hackers claim
to have. This might just be that the hackers relied upon emails to
reach the competitors, and with the email address pwnmobile@... they
were likely to end up in the spam bin before anyone would be able to
see the material on offer. There are better ways to reach people than
through unsolicited email, but there are increased risks with taking
this approach.

Previous cases where there have been attempts to sell company secrets,
especially for major public companies, have ended with major law
enforcement attention and the approached company often aiding law
enforcement in stopping the attempt. With greater corporate and public
awareness of data loss and theft, it is more likely in the modern
environment that competitors will call law enforcement and gain
positive PR than to risk prosecution and damages by purchasing their
competitor's secrets.

Leaning towards legitimacy are anonymous online comments from people
claiming to have worked for T-Mobile in the past verifying that at
least some of the details posted correlate with the systems and
servers that they knew existed within the company. The other aspect
which suggests legitimacy is the level of detail in the material
posted, which amounts to a tabulated network description.

So far, based on the table of possible servers, applications, IPs and
locations, there is nothing that can be done to further verify the
accuracy of the claims by this unknown group. Not enough information
is available to say either way, and it is now up to T-Mobile or the
group to release further information that will clarify the situation.
The arguments for an actual compromise are much weaker than the
arguments for it not being real and it is considered much more likely
that it is a hoax.

It doesn't matter which one is actually true at the moment. The very
public offer for sale of the material is going to cause more harm than
good for the group behind it. For the seventh largest
telecommunications provider in the world (Morgan Stanley, 2008), with
32 million customers in the US alone, T-Mobile is a very large target
to be taking on, and the use of an anonymising email service may not
be as secure as the group thinks it is, with Safe-mail keeping their
client data protected up to the point it is necessary to comply with
legal requirements, something that is probably going to happen soon.

It is staggering to think how much data is represented by what the
hackers have claimed and how long it must have taken to exfiltrate
that information from the corporate networks, if the hackers do have
it, all without the awareness of T-Mobile's Information Security staff.

Other claims have been made that the group responsible is the same one
that claimed to have penetrated Checkpoint, extracting the full source
code for VPN1.

At the end of the day it could just be another bit of drama played out
on the Full-Disclosure mailing list, but it could also be the first
public sign of one of the most significant network breaches in recent
history.

2.5 T-Mobile Responds to Hack Claims - Nothing to See, Please Move On

Following on from our recent article on a claimed successful attack
against the telecommunications giant, T-Mobile, it appears that the
situation still remains a little murky, with reports claiming that the
company has both confirmed and denied that a breach took place.

Ignoring for a moment the most recent statements by T-Mobile, the
original claim of a hack seemed to offer tabulated internal network
data as proof of successful compromise of the company. This is the
sort of information that would be easy to extract in a single file,
and is something that would be expected to exist in any non-trivial
network to aid administrators with keeping the network and associated
systems operating smoothly. While having possession of the file
reduces the need for an attacker to manually map out the network, it
isn't something that many would consider overly damaging, especially
if network and system security was robust.

Perhaps if a company had thrown all their intrusion and detection
system eggs into the basket of Network Intrusion over Host Intrusion
Detection Systems (NIDS vs HIDS), then possession of this list would
allow an attacker to immediately commence extremely targeted attacks
against single systems, hoping to avoid triggering the NIDS (which
should be triggering on the external access in the first place), but
it should be triggering a properly managed HIDS. The flip side is that
having an attacker in possession of a well-enumerated network map
makes it simpler for them to target systems which might have an
unpatched vulnerability, or which have a degraded HIDS, when their
network mapping activity should have triggered on a properly managed
NIDS.

A blended approach, with both systems in place and properly managed
isn't going to be overly threatened by an attacker having possession
of a network map. All it means is that the timeline between initial
contact with the network / company systems and compromise / extraction
of sensitive data is compressed, reducing the available opportunity to
detect, trap and stop the hack and data extraction.

T-Mobile's statements seem to support this point of view,
acknowledging that the information published did exist in a file
(again there are conflicting reports about the validity of this
statement), which has now been identified, and that an investigation
is now ongoing to determine the extent and severity of any breach that
took place.

The downside for external observers is that T-Mobile are not obliged
to make public the results of their internal investigation, and if it
is confirmed that personal data was affected for customers, then it
could take some time for that information to come out. If affected
customers are notified individually, it may never be known just how
significant any breach might have been.

Truth, as it is in many cases like this, will lie somewhere between
the extremes being put forward (no or minimal hack and full network
access and compromise), but it is more likely to lie towards a minor
network penetration and data extraction - after all, the information
that was published had to come from somewhere.

It is entirely possible that the information was the result of
improperly disposed of hardware or a lost storage device.

At the least, it put some excitement back into the old Full-Disclosure
mailing list.

A big welcome, by the way, to those reading this article from within T-
Mobile's network. Yes, we know you're there. If you, or any of our
readers would like to get in touch with us, we're always happy to
discuss analysis and material beyond what is published.

2.6 Critique of Apple's Security Stance Nothing New - But Still
Worthwhile

Apple is a company that is notoriously secretive about their internal
security processes and, although they have become more open about
acknowledging the source of bugs reported to them when they fix them,
they remain steadfastly tight-lipped at almost all other times when it
comes to discussing security matters.

That isn't to say that the company doesn't keep on top of what is
going in the world outside of Apple, nor engage with researchers and
Information Security companies. Despite this, many still hold the
impression that Apple is stand-offish and uncaring / oblivious to the
bugs in their products. For some, this point of view has tainted all
dealings with the company and has seen some researchers go to publicly
disclose vulnerability information before notifying Apple, whereas
other vendors in the same situation would have been notified ahead of
a co-ordinated or a delayed public release of vulnerability data.

Articles such as this one do little to help commonly held views,
especially when it is picked up and reported as Apple struggling with
security, even if it isn't the complete message of the original article.

Rich Mogull puts forward a reasoned, well-thought out series of
arguments in the original article, but it is nothing new. Nothing that
hasn't already been put forward to Apple, both publicly and privately
many times before. This doesn't mean that making these arguments is
worthless.

It's not.

As Adobe has recently shown (and Microsoft some years before that), it
is possible for a large software company to change how it approaches
Information Security management, patch issuing, and dealing with
security-concerned consumers and Information Security researchers.

Even if Apple do not change their stance based on the most recent
hirings and articles published by concerned Information Security and
Apple system users, continuing to highlight and publicise the
importance of taking these recommended steps keeps the ideas out in
the open and being turned over, ready for a time when they might be
more warmly received within Apple.

2.7 Microsoft Money Joins Encarta on the Scrapheap

Following their decision earlier this year to cut Encarta from their
product line, Microsoft have announced that they will be ceasing
production and sale of Microsoft Money (now Microsoft Money Plus) from
June 30 this year. Affected products are all of the Microsoft Money
family (Essentials, Plus Deluxe, Plus Premium, Plus Home & Business).

Citing increasing competition from banks, brokerage firms, and
websites as viable options for traditional Money customers, Microsoft
stopped providing annual updates last year, and will stop all online
services by January 31, 2011. Reading deeper into the linked FAQ it
clearly states that Microsoft Money products can not be activated or
reactivated after January 31, 2011. This means that after that date if
the system running Microsoft Money is replaced, or the software is
otherwise transferred to a new system, it will not and can not be
activated.

End users purchasing the software between now and the end of the month
need to be aware that the effective life of their software could be
eighteen months, and that they need to have alternate plans for
handling their financial data after that date. If the system running
Microsoft Money continues to operate happily beyond that point, the
loss of online functionality can be largely replaced by manual updates
of tax and stock quote data, but this does limit the effectiveness of
the product.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #266 - Microsoft PowerPoint, Apple (Multiple), Multiple News

2009-05-13T03:16:36Z

Sûnnet Beskerming Alert List Advisory #266

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and
answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory -
same day coverage of security discoveries and full details on all
external tracking data that we have discovered, to help keep you
informed and form a well-rounded opinion and assessment of the risk to
you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft PowerPoint
- Remote Hacker Automatic Control
- Time Since Discovery - Same day
1.2 Apple (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - Same day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 What is the Future for File Sharing?
2.2 GeoCities is Dead. Long Live GeoCities
2.3 AutoRun To Be Disabled, But Not Completely
2.4 Borland Acquired, 3D Realms Rumoured Closed, May 6 is a Sad Day
for Software
2.5 Devil Is In The Details For May 2009 Microsoft Security Update
2.6 Apple Patches Safari 3 & 4, Releases 10.5.7 Update
=====================================

1. SECURITY

1.1 Microsoft PowerPoint - Remote Hacker Automatic Control

-- Products Affected --
PowerPoint 2000, 2002 (XP), 2003, 2004 (OS X), 2007, 2008 (OS X)
Works 8.5, 9.0

-- Technical Description --
MS09-017 - PowerPoint. Multiple Random Code Execution. Replaces
MS08-051, MS08-052. Critical

-- Description --
Microsoft's patch release for May has seen only a single patch
released, a Critical update for PowerPoint. The patch addresses
multiple remote code execution vulnerabilities with several versions
of PowerPoint. What has raised eyebrows across the Information
Security industry is the decision to release the patch for only some
of the affected software versions, leaving OS X and Works users in the
cold, while patches are still being prepared for their platforms.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-may.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 Apple (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Safari 3.x
Safari 4.0 Beta
OS X 10.5.x
OS X 10.4.11 (Security Update 2009-002 only)

-- Technical Description --
Apache - Multiple Cross Site Scripting and response injection flaws -
Updates to Apache 2.2.11
ATS - Malicious CFF font may lead to arbitrary code execution
BIND - Spoofing attack through DNSSEC - Updates to 9.3.6-P1 / 9.4.3-P1
CFNetwork - Information disclosure and arbitrary code execution
CoreGraphics - Multiple arbitrary code execution risks from malicious
PDF file handling, including a JBIG2 arbitrary code execution
vulnerability
Cscope - Arbitrary code execution
CUPS - Information Disclosure and remote printer control
Disk Images - Multiple arbitrary code execution vulnerabilities
enscript - Multiple arbitrary code execution vulnerabilities -
Updates to enscript 1.6.4
Flash Player plug-in - Multiple arbitrary code execution
vulnerabilities - Updates to Flash Player plugin 10.0.22.87 / 9.0.159.0
Help Viewer - Multiple arbitrary code execution vulnerabilities
iChat - Information disclosure (SSL Chats downgrade to plaintext)
International Components for Unicode - Cross Site Scripting
IPSec - Multiple denial of service vulnerabilities
Kerberos - Multiple denial of service and arbitrary code execution
vulnerabilities
Kernel - Privilege elevation
Launch Services - Repeated denial of service
libxml - Arbitrary code execution
Net-SNMP - Denial of service vulnerability - Updates to 5.4.2.1
Network Time - Spoofing and arbitrary code execution
Networking - System shut down due to network traffic.
OpenSSL - Information disclosure
PHP - Multiple arbitrary code execution vulnerabilities - Updates to
5.2.8
QuickDraw Manager - Arbitrary code execution when opening malicious
PICT files
ruby - Multiple vulnerabilities - Updates to 1.8.6-p287
Safari - Multiple arbitrary code execution vulnerabilities (10.5 only)
Spotlight - Office file handling could lead to arbitrary code execution
system_cmds - Re-prioritising login command shell
telnet - Denial of service / arbitrary code execution
WebKit - Arbitrary code execution due to handling of SVGList objects
X11 - Multiple FreeType, libpng and xterm vulnerabilities leading to
arbitrary code execution - Updates FreeType to 2.3.8 (and then patches
it), libpng to 1.2.35

-- Description --
MReleased at the same time as Microsoft's May Security Patch are a
series of patches from Apple. Safari has received a bulk update, for
both the 3.x stable line and the Public Beta for 4. Both updates
address the same set of underlying vulnerabilities in libxml, Safari,
and WebKit, all of which could lead to arbitrary code execution. Also
released, and probably of more interest for most users, is Security
Update 2009-002, which is also the 7th point release for OS X 10.5. OS
X 10.5.7 contains a large number of patches and updates, and is
massive. The .6 to .7 updater weighs in at 442 MB, while the
ComboUpdate (from any previous point release of 10.5) is 729 MB.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 What is the Future for File Sharing?

From the time that computers began being available for the home
hobbyist, there has been file sharing and copyright infringement. What
has changed over time is the methods used to share the files. With the
rapid growth in the use of the Internet, and the introduction of newer
technologies that make the sharing and discovery of files far easier
than before, file sharing has come within the reach of the everyday
user in a way that could never have been imagined before.

Paralleling this has been high profile court cases against site
operators has helped keep some of the most popular methods over the
years in check. The most recent high profile file sharing court case,
against the operators of The Pirate Bay, already appears to have had
some effect on the availability and use of BitTorrent trackers.

Despite ongoing argument about the validity of the court case and the
sentences handed down, including some spectacular claims of bias and
inappropriate conflicts of interest, the current outcome is reported
to have seen a number of public and not-so-public BitTorrent trackers
voluntarily close. Many of these closures have been of trackers based
in Sweden and are likely a direct result of the Pirate Bay's court
case. When the largest tracker site on the Internet is successfully
prosecuted (pending appeal), it sends a message to similar sites
hosted in the same country that they might be next on the target list.
With a successful prosecution precedent set, many smaller operators
are looking to cut their risk exposure and close down.

Since BitTorrent is a non-centralised means of distributing content,
the only centralised component being a place to record and point users
towards content locations, it probably isn't going to take very long
for new trackers to appear and take up some of the slack that the
Pirate Bay has now created (despite being still available, just not
hosted in Sweden). New sites are more likely to be private trackers
with enforced ratios than the high profile sites like The Pirate Bay.
Smaller private trackers have always been around and are the means by
which a lot of the most desirable torrents trickle down to the public
sites. Because they tend to carry content that is extremely sensitive
and close to the original source, are comprised of users who are very
aware of what their ratios are and how they are proceeding, and are
what investigators should be focusing on, their existence and
accessibility is usually a closely guarded secret.

This might make it harder for the casual file sharer to access
content, but there will always be a way for that information to be
had, eventually trickling down.

In the long run there may be some new sources coming online to help
access files, but overall there isn't really going to be much of a
change. Many of the sites that are closing will probably reappear
under a different name, hosted in another country, just that little
bit further out of reach of investigators. With the borderless nature
of the Internet, this isn't really going to affect end users all that
much. Avid file sharers might hope for the day when copyright laws are
amended to reflect the modern reality of digital content and extremely
simple bit-perfect duplication of that content, but that isn't likely
to happen until generations that grew up with the internet and on-tap
file sharing take political and business power.

Avid file sharers would rather investigators and the various content
associations focus on the sources of the leaked information, which
more often than not seems to be from within those very organisations
(or at least member companies) rather than slamming the end users who
consume it.

Attacking the technology used to distribute content, or sites that
point to what is available isn't going to help in the long run and
will only ensure the survival of file sharing, just maybe in a
slightly different format. What technology is going to emerge to
replace BitTorrent as the most popular file sharing method of the next
decade isn't known, but it is guaranteed that it will trace a similar
arc of emergence into popularity and decline into obscurity through
prosecution that other file sharing technologies have followed before.

2.2 GeoCities is Dead. Long Live GeoCities

For many people who came to the Internet in the mid to late 1990s, the
personal webpage craze was only just beginning and there were a
handful of stalwart providers that gave budding Internet users all the
room they needed to have garish colour schemes, poorly designed
animated gifs and all the flashing under construction signs they could
find.

Tripod, Angelfire, and GeoCities were an effective triumvirate of free
and nearly free web space providers, encouraging the formation and
collection of communities long before the emergence of LiveJournal,
MySpace, Blogspot, Facebook, and any number of other online
communities that now litter the web.

Part of that history is going to disappear forever before the end of
the year, with Yahoo! set to close down GeoCities completely before
the end of 2009. With the yet-to-be-dated closure coming up, Yahoo!
have now stopped accepting new user accounts on the online community
and will be notifying existing users of the various steps that they
can take if they want to save their site when GeoCities finally closes.

One of the options that will be put forward is Yahoo!'s fee-based Web
Hosting service, something which may not be acceptable to users who
are accustomed to free consumer level services. Angelfire and Tripod
continue to offer free services, and for users who wish to keep their
sites alive on a part of Internet history, they provide an alternative
that originates from the same timeframe as GeoCities did.

2.3 AutoRun To Be Disabled, But Not Completely

AutoRun is an innovation that over the years has been a blessing and a
curse for computer users. The Windows feature that allows software to
start automatically when removable media is attached to / inserted
into a Windows machine has made life easy for many computer users who
would be lost without having software to guide them through an
installation process or other use of material on the storage medium.
The downside is that, since other software can be run through this
capability, it was only a short period of time before it began being
abused for malware installation. While AutoRun has been around for a
number of years, it is still being used as part of installers and
malware spreading mechanisms even today. Conficker, the worm that has
attracted the most attention over the last six months uses AutoRun
capabilities to aid in its spread, using it as an alternative
infection mechanism to targeting the MS08-067 vulnerability over a
network.

Microsoft has recently moved to turn off Autorun for good, at least
for media that isn't optical (of-course malware can be inserted on CD-
R media as easily as it can CD-RW). This change is being sold as a
means to address changes in the Threat Landscape, but with AutoRun
malware having been around for a number of years, it is the recent
spike in popularity of malware using it as an infection route that has
led Microsoft to make this decision. It would have been nice for end
users if this had been done some years ago, before it became too much
of a security problem (Microsoft provides graphs showing a significant
uptick over the last 18 months), but at least something is being done
slowly now.

The downside for most users is that this feature will be making it
into Windows 7, and not for the current versions, though there are
readily available registry fixes that can disable AutoRun for existing
Windows versions. Microsoft has indicated that they are planning to
release fixes for Vista and XP to bring this improvement to those
systems as well.

Many system administrators have tried to keep AutoRun disabled over
the years, but found that patches from Microsoft would strangely re-
enable it from time to time. Until Microsoft releases the changes for
Vista and XP, there are plenty of sample Registry fixes that can
easily be found online which can be applied to temporarily disable
AutoRun for these systems.

As good as the change seems on the surface, the detailed explanation
of what is being done is less promising than it is being made out for.
The primary change, of modifying AutoPlay to ignore AutoRun
information on non-optical media will prevent the confusion-based
social attack that Conficker is currently using, where the AutoRun
information presents identical to a subsequent core Windows option,
the only difference being it presented as "Install or run program",
and not as "General options", which is the core Windows function
category.

The second part of the change, primarily for optical media is that the
"Install or run program" option is renamed to "Install or run program
from your media". With some thumb drives capable of reporting as
optical media, and Microsoft's decision to treat such media as optical
media, adding three little words isn't going to stop the infection
mechanism that is in use. Why is Microsoft allowing some USB mass
storage devices to be treated as optical media is because this
determination is made at the hardware level and is something that
should be next to impossible to spoof through the data on the drive.
Assumptions like this have been shown to be false in the past and it
is a question of how much time it will be before a means to work
around this limitation can be found, either through introducing a mini-
partition on the thumb drive that identifies as optical media, or
through some other technique.

Keeping this feature around for optical media isn't going to stop
malware like the Sony/BMG rootkits that were installed silently from
some audio CDs. What it will do is severely limit the usefulness of
USB devices like photoframes, thumb drives, cameras, CF cards, and
some external hard drives for the average user. Time will be the true
test as to whether the computer skills of the average computer user
have improved to the point that disabling AutoRun isn't going to
hinder their normal use of a system.

2.4 Borland Acquired, 3D Realms Rumoured Closed, May 6 is a Sad Day
for Software

It has long been joked that Forever would be how long it would take
for Duke Nukem Forever to be released. Famous as what is probably the
longest running unreleased in-development software title in existence
(first announced in 1997), Duke Nukem Forever may have suffered a
terminal blow with the reported closure of 3D Realms, the developer of
the title-in-waiting and successor to the ever-popular Duke Nukem 3D.

Before fans of the Duke cry in despair, it pays to look at just what
is contained in the available news about the supposed closure. All
available reports at the time of writing this article cite a single
article as the source for this information (linked to above). Links to
a claimed announcement on the 3D Realms forums can not be reached and
so leave the news as a single source, uncorroborated report.

This doesn't mean that it is untrue, though without the forums to
provide at least some sort of corroboration, it is a speculative claim
based on private reporting. It is strange that, for news of such
magnitude, no formal press release has been issued by either 3D Realms
or Take Two, and here, and certainly nothing on the front pages for
the companies at this time. Press releases are present that are dated
after the apparent leaking of the news, so it is possible that the
whole thing is a hoax.

On the other hand, the news may be under a moratorium until a certain
time and date and the leak is going to be verified in the near future.
3D Realms, apparently, is still hiring, something that a closed
company wouldn't be expected to do.

The soap opera that has been the development of Duke Nukem Forever
seems to have taken another plot twist, but at this stage, there is
nothing that can definitively be verified. There are many possible
responses to all of this. The forums at 3D Realms could have been
compromised and false information could have been leaked that way. On
the other hand, with a slow economy, it isn't out of the realm of
reality that a sudden closure of the company has taken place.

It may be that Shacknews have got one of the biggest scoops of gaming
history, but until open reporting emerges that doesn't cite the
Shacknews article as its only source (even the forums at 3D Realms
should be regarded as a tertiary source, at best), the reaction of
gamers around the world are going to have to hang in the balance. Even
the Wikipedia entries for 3D Realms and Duke Nukem Forever have been
updated to report the closure as fact, based solely on the Shacknews
article.

For some, the news that Borland has been acquired by Micro Focus might
be of more immediate importance, coming at the same time as the
apparent closure of 3D Realms.

If the 3D Realms news is true, then it makes the 6th of May a sad day
for the history of modern computing. Borland, a stalwart provider of
development tools (Turbo Pascal and Turbo C will be either fond or
hated memories for many developers) and consumer software (Quattro
Pro, dBase) from the early 1980s and 1990s is now no longer an
independent entity, though the name may live on in some way. 3D
Realms, the evolution of the original Apogee gaming company from the
early 1990s, likewise is bound to be remembered fondly for the
milestone titles that it did release, Duke Nukem 3D and Max Payne
chief amongst them.

It would seem that 3D Realms could be all out of gum.

2.5 Devil Is In The Details For May 2009 Microsoft Security Update

In the last 24 hours Microsoft released the May 2009 Security Update,
a single update for every version of PowerPoint from Office 2000
(PowerPoint 2000), through to Office 2007 (PowerPoint 2007).

Fourteen individual vulnerabilities, as identified by distinct CVE
numbers, are being addressed, all of which could lead to remote code
execution on at least some of the versions of PowerPoint. PowerPoint
2000, 2002 (XP), and 2003 are the versions affected by most of the
vulnerabilities.

Somewhat surprisingly, several of the vulnerabilities have been
identified as affecting Office 2004 and 2008, the OS X versions of
Office, as well as Microsoft Works 8.5 and 9.0. The surprising part
isn't that the vulnerabilities affect those software versions, rather
that MS09-017 will not patch those software versions. In reasoning
given on both the Microsoft Security Response Center, and Security
Research & Defense blogs, the argument is that Microsoft saw the best
opportunity to patch the complete line of Windows PowerPoint versions
at the same time, while patches for the remaining affected software
are in the pipeline for eventual release. Rather than hold up the
release of the Windows PowerPoint update to ensure every affected
software version is patched at the same time, the decision was made to
ensure platform integrity of patching and to take the patch to the
majority of users.

This hasn't gone down well with some people in the Information
Security industry. The argument that attackers reverse engineer
patches to find the patched vulnerabilities and means to attack them
is a fair one, but when there have been vulnerabilities available for
some of the patched issues, in particular one that affects PowerPoint
2000, 2002 (XP), 2003, and 2004 (OS X), prior to the patch release, it
just makes the need to release and apply patches even more critical.

This isn't the worst thing that can happen from differential patching.
Since the same particular vulnerability is present across platforms,
and is a remote code execution vulnerability, reverse engineers on
Windows will be able to determine an attack vector against the Works
versions of PowerPoint and the OS X versions, and have a clear run
against those targets until Microsoft is able to release patches for
those versions. Microsoft's argument that the patch release will
provide coverage for the clear majority of users is fair enough, but
just how large is the attack surface presented by the installed base
of Works and OS X Office? Works is pushed as the solution for a home
user, and OS X installations of Office would be in use in environments
where interaction and file transfer between Windows and OS X is
expected.

According to the SRD team, the sample exploits that they tested
against for the Windows PowerPoint versions could not reliably exploit
the OS X versions, but they still could. There is no guarantee that a
more reliable exploit will not soon emerge.

One of the changes introduced by this update, which could catch a
number of legacy systems (and thus those that most need protection),
is the removal of support for PowerPoint 4 files. Quite rightly the
SRD team point out that Office has not been able to create this sort
of file since at least Office XP, and support for it has already been
removed in Office 2007 and since SP2 for Office 2003. Rather than
modifying Office to prevent handling of this file format, it is a
Registry entry that disables support, something which even Microsoft
provides a workaround for. A lot of the vulnerabilities addressed were
related to this file format, but it still is an interesting approach
to address the vulnerability - through Registry patching. It has a lot
of parallels to the ActiveX patches that have been released in the
past - many of them have been Registry entries disabling components,
rather than addressing the component binaries directly.

2.6 Apple Patches Safari 3 & 4, Releases 10.5.7 Update

Released at the same time as Microsoft's May Security Patch are a
series of patches from Apple. Safari has received a bulk update, for
both the 3.x stable line and the Public Beta for 4. Both updates
address the same set of underlying vulnerabilities in libxml, Safari,
and WebKit, all of which could lead to arbitrary code execution.

Also released, and probably of more interest for most users, is
Security Update 2009-002, which is also the 7th point release for OS X
10.5. OS X 10.5.7 contains a large number of patches and updates, and
is massive. The .6 to .7 updater weighs in at 442 MB, while the
ComboUpdate (from any previous point release of 10.5) is 729 MB.

Contained within this major update is security patches for a whole
range of embedded services and features, including those in the
separate Safari patches.

As with each prior system point release, Apple have introduced a
number of improvements to the system. This includes improved video
playback on NVIDIA-equipped systems, improved Apple Dashboard widgets,
expanded support for RAW images across more cameras, reliability and
stability enhancements to a range of applications (iCal, Mail) and
system utilities (Printing, Parental Controls) as well as general
system enhancement.

Safari users who have not installed the version 4 Beta will find that
Safari is updated to 3.2.3 as part of the 10.5.7 update, so should not
expect to see a separate standalone update for Safari once the
underlying OS update has been applied. Since the announcement of the
updates for the Safari 4 Beta, it would seem that Apple have pulled
the update for some unknown reason. The update doesn't show from a
search on the Apple Support website, and users have reported that it
doesn't show in the Software Update window until after the 10.5.7
update has been applied. The 10.5.7 update will provide coverage for
the libxml and WebKit issues, and users who are concerned that their
actual Safari application remains at risk and will not apply this
patch can downgrade back to 3.2.3, which is provided through the
10.5.7 release.

These updates can be found through the Software Update option under
the Apple menu, or can manually be found at the Apple website, with
the 10.5.7 point update available direct from here. Further technical
details are available from Apple.

User reaction to the updates can be found all over the Internet, but
from the forums at MacRumors, it would appear that most users aren't
having trouble with the updates.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #265 - Microsoft (Multiple), Multiple News

2009-04-19T07:34:08Z

Sûnnet Beskerming Alert List Advisory #265

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 OS X Coming Under Increased Researcher Scrutiny
2.2 Around the Frayed Edge of PCI DSS
2.3 Does Microsoft Gain From Exposing Collaborative Cloud Effort?
2.4 Information Distribution Being Shaken Up In More Than One Way
2.5 A PowerPoint 0-day and a Second Worm Targeting MS08-067
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Excel, Wordpad, Internet Explorer, ISA Server

-- Technical Description --
MS09-009 - Excel. Random code execution. Replaces MS08-074. Critical
MS09-010 - Wordpad. Random code execution. Replaces MS04-027. Critical
MS09-011 - DirectX. Random code execution. Replaces MS08-033. Critical
MS09-012 - Windows. Multiple vulnerabilities, including code
execution. Replaces MS07-022, MS08-002, MS08-064. Important
MS09-013 - HTTP Services. Multiple vulnerabilities, including code
execution. Critical
MS09-014 - Internet Explorer. Multiple vulnerabilities, including
code execution. Replaces MS08-073, MS08-078, MS09-002. Critical
MS09-015 - Windows. API Update. Replaces MS07-035. Moderate
MS09-016 - ISA Server. Multiple vulnerabilities including Denial of
Service. Important

-- Description --
Microsoft's patch release for April saw eight patches released, five
Critical, two Moderate, and one Important. Most of the patches
address code execution vulnerabilities, most of which have already had
public exploit code readily available for them. Of note, one of the
patches that doesn't address a code execution vulnerability, MS09-015,
provides an updated system API to help mitigate the risk posed to
systems by malware that tries to install fake system libraries. This
API makes the system look for libraries in the system directory by
default and also changes the order in which they are searched for
(which closes a very old method of getting malicious code to load).

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-015.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-0100 (MS09-009)
CVE-ID: CVE-2009-0238 (MS09-009)
CVE-ID: CVE-2008-4841 (MS09-010)
CVE-ID: CVE-2009-0087 (MS09-010)
CVE-ID: CVE-2009-0088 (MS09-010)
CVE-ID: CVE-2009-0235 (MS09-010)
CVE-ID: CVE-2009-0084 (MS09-011)
CVE-ID: CVE-2008-1436 (MS09-012)
CVE-ID: CVE-2009-0078 (MS09-012)
CVE-ID: CVE-2009-0079 (MS09-012)
CVE-ID: CVE-2009-0080 (MS09-012)
CVE-ID: CVE-2009-0086 (MS09-013)
CVE-ID: CVE-2009-0089 (MS09-013)
CVE-ID: CVE-2009-0550 (MS09-013)
CVE-ID: CVE-2008-2540 (MS09-014)
CVE-ID: CVE-2009-0550 (MS09-014)
CVE-ID: CVE-2009-0551 (MS09-014)
CVE-ID: CVE-2009-0552 (MS09-014)
CVE-ID: CVE-2009-0553 (MS09-014)
CVE-ID: CVE-2009-0554 (MS09-014)
CVE-ID: CVE-2008-2540 (MS09-015)
CVE-ID: CVE-2009-0077 (MS09-016)
CVE-ID: CVE-2009-0237 (MS09-016)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 OS X Coming Under Increased Researcher Scrutiny

While it is still a less-targeted platform, Apple's OS X operating
system has seen some interesting Information Research published in
recent months.

In February, Vincenzo Iozzo presented at Black Hat 09 a method for
injection of code directly into the memory of another application,
while it is running. This takes place completely in memory (which
separates it from previous vulnerabilities of this style) and
disappearing when the application is terminated. It could be argued
that this presents an epipyhtic rather than a parasitic attack route,
given that there is no reliance on the host system to store any part
of it (other than active memory), it attaches into an existing
application, and disappears cleanly at the end.

This method still has to rely upon somehow getting the code launched
in the first place, but it means that once launched it is going to be
hidden from sight and not show up as a running process. Getting the
user to launch an arbitrary application is more of a social weakness
than a technical one, as the mountains of malware and infected Windows
systems can attest.

More recently, Dino Dai Zovi demonstrated a heap overflow
vulnerability (of which he claims there are several just waiting ready
to find) which allowed him to take images with the iSight camera.
Meanwhile, at the Pwn2Own contest at CanSecWest, last year's winner,
Charlie Miller, walked away with the MacBook inside of ten seconds, on
his first attempt. Using a Safari vulnerability, he was able to gain
access at least to the privileges that Safari was running under and
demonstrate code execution. Miller had been able to develop and test
the exploit ahead of time and was confident that he would be able to
take out the target system, even going so far as to claim ahead of the
competition that Safari would be the first browser compromised.

Critics would argue that by allowing the use of web browsers on the
first day of the competition, it effectively moved the competition
from an attack against the underlying systems to an attack against web
browser security. With the constant barrage of critical patches for
web browsers across all platforms, it shouldn't come as any surprise
that the competition systems were compromised so quickly. With
researchers having had months to prepare and develop their pet
exploits, it comes down to a race as to who gets to try their exploit
first, rather than a valid example of how long it takes a
representative system to fall to attack. Critics would also point out
that the more desirable laptop (at least for many the more desirable)
would also be the first and most targeted.

Critical arguments aside, it is getting harder to argue that OS X is a
lesser targeted platform, especially with the recent work put into
updating one of the most popular hacking toolkits, MetaSploit, with OS
X specific capabilities and vulnerabilities. It should not come as any
surprise that those most responsible for the increase in capability
are Charlie Miller and Dino Dai Zovi.

In the face of increasing attention and public exploit demonstration
and release, is it time for Apple to move to a pre-ordained patch
release schedule? Some would argue that it is long past the time when
this should have happened, while others are content with the
relatively random release cycle currently in use. At the least, Apple
could do well by considering how Microsoft has engaged all aspects of
the Information Security community and how they handle Information
Security vulnerability data and patches.

2.2 Around the Frayed Edge of PCI DSS

Following the breach of credit card processor, Heartland, there has
been heated debate on both sides of the argument, as to the value of
PCI and similar mechanisms for ensuring data safety (the new buzz word
of the month being Data Loss Prevention) and system and network
integrity. It doesn't really matter whether there is anything better
available in the marketplace or not, PCI DSS has been seized upon as
the 'best practice' which could lead to ostracisation
(excommunication, maybe) if a business chooses not to follow it and
still tries to carry out credit and debit card transaction handling.

It only takes a single hole to undo a well-constructed set of
defences, but if so many companies are touting their compliance and
adherence to the PCI DSS, and no fully accredited company has had a
breach, what really happened with the Heartland and RBS Worldpay
cases? Is it really security theatre as some would argue, or is it
merely the latest sticking point for people who don't want to go
through the process of auditing and assessment to get accredited? Are
companies claiming that they are compliant, but aren't, in order to
retain or attract customers who are aware of the existence of PCI?

Some of the most ardent advocates of PCI claim that, even if it were
security theatre, then it has at least raised awareness of Information
Security in general and still represents a great leap forward in that
respect and helps force some basic best practices. The problem with
this argument is that doing a really bad job at Information Security
can be more dangerous than no effort at all.

Did Sarbannes-Oxley prevent the financial meltdown? Did the presence
of HIPAA and SB1386 stop the growth of information breaches (it has to
be admitted that SB1386 really set the standard for information
disclosure reporting and helped formalise the current requirements
that exist)? No, and no.

What would go a long way to helping assuage concerned observers would
be complete transparency with reporting of breaches and the subsequent
investigations. So you've had a breach and had to report it. The time
for trying to save face has already passed, now it is important, if
not essential, for complete and open honesty in order that others may
learn from what happened to you (even if it is your mistake that led
to the incident). Unfortunately, this will only happen in an ideal
world - there is just too much at stake to expect people to be
completely honest and open about what has happened or is happening.
Besides, Denial is one of the stages of grief and a major security
incident does attract a grief-like response.

This is an area where the direct involvement of an Information
Security professional is really what is needed, but it also seems to
be the least likely to actually happen within the organisations that
need it the most. Good security practices and awareness, even without
the software and hardware elements to back them up are better than all
the software, hardware, and industry best practices that are only
backed by a laissez faire attitude.

Just a little something to think about the next time you sit down to
consider your Information Security needs and compliance to industry
standards.

2.3 Does Microsoft Gain From Exposing Collaborative Cloud Effort?

A group of competitors come together in secret to create a common
approach to handling how different 'clouds' might interact and allow
data to move between, setting out a community-based approach.

Only, now it isn't so secret.

Microsoft were recently invited to be part of this currently secretive
group, comprised of unknown members, but believed to include at least
IBM, Amazon, and Google, but decided not to be involved, choosing to
publicly disclose the existence of the document that is being created
in private at the moment.

Microsoft's argument that openness and real community assistance in
developing the 'Cloud Manifesto' is what is really important is true,
though it does come as a surprise coming from Microsoft, a company
that has traditionally fought against the methods and concepts used in
Open Source.

It seems that the intention has always been to open up the discussion
on the effort once a common approach had been agreed upon, so the
question then becomes at what point is it harmful to keep the
development and structuring of the manifesto private? Does it really
benefit the wider community to have input from the very beginning of
the process, or is it best to wait until the major service providers
have worked out a means to interact. The risk of the latter is that
proprietary systems may be implemented that are mutually beneficent to
the major players who have created the agreement, forcing everyone
else to licence and pay for them, or result in the selection of a sub-
optimal solution. The flipside is that allowing everyone to have input
from the very beginning risks having the project bogged down in
minutiae at every turn and could then be forked to a more private
equivalent that is almost the same as what is in place at the moment.

Sometimes projects need a strong leadership cabal who are capable of
making decisions in private before putting them out for community
input and decision. Even major Open Source projects and movements have
figureheads and key decision makers who manage to retain veto powers.

Cloud computing may be just the buzz word du jour, but with the
resources being thrown at it and it being touted as the solution for
everything, there is a lot riding on getting different vendor
creations talking to each other and sharing data effectively. Rather
than having cute fluffy clouds that build and share with each other we
risk having massive towering cumulus and cumulonimbus clouds that
smash into each other, releasing massive amounts of lightning and
thunder, but not achieving much by way of sharing resources. One
buzzword is being supported by another, with Microsoft pushing SOAP,
XML, and REST as part of their approach to opening the data in the
cloud.

When Microsoft holds up Silverlight as an example of openness and
standardisation it leaves a strange taste in the mouths of open source
advocates, something which is further enhanced by the claim that the
manifesto organisers were unwilling to accept Microsoft's
'enhancements to the document'.

Microsoft's move to publicly announce in this light looks like a
vindictive dummy spit, while the reluctance of the other companies
looks like they have an awareness of recent decades of history, where
Microsoft 'enhancements' often cripple or kill non-Microsoft
technologies. Past history can be forgiven, but it isn't going to be
forgotten so quickly. Microsoft may just have to accept that, for the
next couple of years at least, they will encounter this sort of
stonewalling when interacting with the long term companies in the
sector. If their actions indicate that they will no longer use their
'enhancements' to neuter, then it may be accepted. The whole push to
subjugate OpenDocument through the use of Open Office XML (OOXML)
isn't going to leave many feeling willing to readily accept Microsoft
and their enhancements.

Statements such as "Cloud computing...[will] be driven in beneficial
ways by a lot of innovation that we're dreaming up today" by Microsoft
are a two edged sword. The benefits may be great, but it carries all
the hallmarks of being a proprietary Microsoft-only approach that has
been demonstrated all too many times before.

We'll all just have to wait until the Cloud manifesto is released
(said to be March 30) to see just what the hype is all about and what
sort of ideas and processes have been implemented. Those who think the
cloud is just another hype-filled waste of time might secretly be
cheering for the manifesto to be a failure, or for Microsoft to really
deliver on their 'enhancements' as they have in the past and kill it
before it gets too big.

Who is really behind it all? Links to groups and sites have sprung up
all over the place, but with the dating on many being after Microsoft
spilled the beans, it is hard to say where it originated, though here
and here are two of the most likely sources behind the manifesto.
Despite the open linkage after Microsoft's announcement, it does seem
that Microsoft does have a minor point. From the available
information, it does look like there are some biases present (a Google
Code project - probably one of the sore points for Microsoft), but it
is far more open than what has come before.

Come the 30th, we will be able to see just what the bickering and hype
is all about. What is almost certain is that the people and groups
behind the manifesto have completely screwed up the handling of the
public release of information and are scrambling to recover after
Microsoft's announcement.

Let's hope the standard for intercommunication and sharing of data put
forward in the manifesto is better than what has been displayed so far.

2.4 Information Distribution Being Shaken Up In More Than One Way

More and more pressure is being placed on traditional publishers as
the economic crisis continues to bite. Recently there have been major
newspaper publishers filing for bankruptcy protection, with the
publisher of the Los Angeles Times and the Chicago Tribune, and the
publisher of the Chicago Sun-Times filing within four months of each
other. Within that timeframe, the Rocky Mountain News has completely
closed down, and the Seattle Post-Intelligencer has given up print
editions.

It isn't just newspapers that are feeling the pressure. Microsoft has
made the decision to shut down their Encarta encyclopedia website and
software lines. In explaining why they have made the decision to close
down this service, it appears that it is due to the changing way that
people seek and obtain information.

Ready access to a seemingly-limitless tap of free or low cost
information is going to make charging for access to the same (or even
slightly out-dated) information more difficult. Be it encyclopedia or
print media, both faced the same problems from the way people obtain
and consume information. Economic struggles in the wider marketplace
are just a catalyst, the real struggle has been with maintaining
relevancy and a paying client-base in the face of increasingly free
and comparative quality services.

The big risk is that it could see a decline in investigative
journalism as fewer organisations are capable of providing the
resources for journalists to spend weeks and months developing a
story. There is also a fear that the quality of journalism is going to
decline as the number of potential news sources rapidly increases
online.

Counter to this argument is the claim that much of what has passed for
journalism in recent years has been poorly written and researched,
with much content lifted from the online sources that are now moving
in to take over the role that the print media once had held in those
areas.

No one will really miss this aspect of journalism.

It doesn't help that circular reporting continues to take place (where
one single source is the spawn for numerous articles that busily cite
each other as proof of something happening), but at least with an
online-primary means of reporting and distribution, this cycle will
take place much quicker, though involve more articles of dubious
quality re-reporting the same factoid.

In the face of this news, it might be surprising, then, to find online
information providers also cutting back on their capabilities and
reach. Rather than having people find the same information from other
sources, it seems that falling advertising revenues are making it
difficult to retain all the writers on staff.

The first to go in any downturn are the freelancers and contractors.
Many who were in this position 12 months ago have found their services
suddenly no longer needed (including some of our own staff who were
writing freelance material in recent years).

Content providers are struggling to find the balance between
delivering quality content in the right quantity, with fewer people.
The fewer articles that are published and the fewer number of site
visitors, the lower the advertising revenue and the harder it is to
retain writers. And so the vicious cycle continues.

Long term Internet users like to argue that much of the advertising is
overbearing and annoying, especially on sites where simple, short
content is spread across several pages in order to maximise potential
ad revenue and the number of ad impressions per article. There are
numerous methods by which site visitors can block the advertisements
that site operators try to get them to view. Some methods block the
requests completely, saving the advertisers the cost of an impression
that isn't seen. Other methods download the advertisement, but then
discard the data once on the local system. This gives the site
operator the impression revenue, but forces the advertiser to pay for
marketing that is never seen.

With advertising continuing to push in on the content of many sites,
falling ad revenues, and increasing methods to fake impressions or
click-through rates, it should come as little surprise that this is
causing content providers who have built their business plans around
advertising fees a lot of trouble and concern.

It hasn't quite been an Internet 2.0 bubble, at least not yet, but the
online environment and many global information collation and
distribution networks are going through some fairly major changes at
the moment. Changes that will set out how we seek and interact with
information into the future. Some of the changes are going to be a
step back from what we have now, but it is the unknown technological
improvements that will come along that will really change the world.

2.5 A PowerPoint 0-day and a Second Worm Targeting MS08-067

Microsoft has in recent days identified a new PowerPoint vulnerability
that has been attacked in the wild prior to detection, and have also
announced the discovery of another malware family attacking the same
MS08-067 vulnerability that Conficker initially did.

For the PowerPoint vulnerability, use of the Microsoft Office Isolated
Conversion Environment (MOICE) will help mitigate against attack, by
converting existing binary office file formats into the XML format
supported by recent versions of Office. Microsoft's write up (linked
to above) demonstrates two examples of how the infected PowerPoint
files might appear when first opened, as well as a description of some
of the actions taken once an infected file is opened. Rather than
using the MOICE, an alternative is to avoid PowerPoint files from
untrusted sources or unexpected files from trusted sources.

The new worm family attacking MS08-067's vulnerability appear to have
evolved from an older code base that previously was attacking MS06-040
and earlier vulnerabilities. What is different about this particular
strain detected by Microsoft, is that the worm appears to have
integrated some of the features in use by Conficker.

Apart from targeting the MS08-067 vulnerability, it also spreads via
autorun, appearing very similar to how a Conficker infected device
appears when connected to a system. Similar to Conficker, the worm
downloads its worm payload via HTTP after initial infection, and uses
a driver to patch the network layer to remove system outbound
connection limits in Windows XP SP2.

Although the described added features are fairly generic, the
particular grouping of them in worms attacking the same vulnerability
is an interesting coincidence that could be worth some increased
investigation. By being able to attach itself to the system to be
loaded even in Safe Boot mode, it is going to make it harder than the
average piece of malware to get rid of.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #264 - Microsoft (Multiple), Multiple News

2009-03-13T04:43:35Z

Sûnnet Beskerming Alert List Advisory #264

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 A Data Breach In The Tea Leaves, Or Tilting At Windmills?
2.2 Backup Policies Can Really Save Businesses
2.3 External RSS Management Migrations
2.4 Patching Cycles and the Adobe Vulnerability
2.5 JBIG2Decode Adobe PDF Vulnerability now Completely Hands Free
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows

-- Technical Description --
MS09-006 - Windows. Remote code execution (GDI). Replaces MS08-061.
Critical
MS09-007 - Windows. Data Theft (SSL, TLS). Replaces MS07-031. Important
MS09-008 - Windows. Multiple vulnerabilities including Data Theft.
Replaces MS08-037, MS08-034, MS08-066. Important

-- Description --
Microsoft's patch release for March has seen three updates issued,
with only the first listed as Critical and the other two as
Important. Unfortunately, it is for a problematic Windows component
that has had several prior updates released for it (WMF, EMF support
in GDI). All three patches replace prior patches, but only the first
is regarded as being a risk for arbitrary code execution. There has
not yet been a patch issued for the Excel vulnerability currently
being targeted in careful attacks, and only MS09-008 had vulnerability
data publicly available prior to patch release. MS08-52 (GDI+ related
code execution) was also updated this month.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-006.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-008.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-0081 (MS09-006)
CVE-ID: CVE-2009-0082 (MS09-006)
CVE-ID: CVE-2009-0083 (MS09-006)
CVE-ID: CVE-2009-0085 (MS09-007)
CVE-ID: CVE-2009-0093 (MS09-008)
CVE-ID: CVE-2009-0094 (MS09-008)
CVE-ID: CVE-2009-0233 (MS09-008)
CVE-ID: CVE-2009-0234 (MS09-008)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 A Data Breach In The Tea Leaves, Or Tilting At Windmills?

Intelligence analysts and operatives are expert at the collection and
analysis of seemingly irrelevant snippets of data as they build and
form a picture of what is going on.

This sort of skill is beginning to find a home amongst some
Information Security researchers and it has led an increasing number
of researchers to claim that there is a major data loss incident (or
set of incidents) that has yet to be made public. Increased frequency
of reports of small to medium numbers of credit and debit cards being
reissued at seemingly-unrelated institutions are just some of the
clues that have led people to consider that a major breach disclosure
is set to take place in the near future.

A risk of this sort of approach, and it is one that the Intelligence
community faces, is that it is possible to read too much into the
information that has been collected and analysts end up jumping at
shadows. While signs are growing stronger that there is a major breach
disclosure coming up in the near future (weeks or months), it may just
be that the breach is an independent occurrence as far as the data
collected to-date is concerned. The uptick in breach reports may just
be a sign of improved coverage of breaches, especially following the
major Heartland Payment Systems breach, or it could just represent
organic growth and merely mark the new baseline for data loss reporting.

Anyone who has spent time observing how news is reported, how
information spreads from source to source and how it varies in
relevancy and reliability with time and source, would suggest that
this reporting may just be echoes of the Heartland data breach being
mixed with increasing reporting of a potential breach.

It's too early to say at this stage which side of the argument is
right, but whatever happens, more and more consumers are going to find
themselves the victims of a data breach and eventual financial fraud.

Just as knowing how to write a cheque used to be an essential skill
for financial existence, the ability to manage and track finances with
a forensic accountant's level of skill seems like what it is going to
take in order to minimise the risk of financial fraud to the everyday
individual.

2.2 Backup Policies Can Really Save Businesses

At the end of January, social bookmarking site, Ma.gnolia suffered a
significant data corruption and loss incident, resulting in what
initially appeared to be a complete loss of user supplied data.

In the fortnight since the initial loss of data, there have been
several improvements that have been made to retrieve at least some of
the user supplied content, primarily from web caches, however this has
been limited to only public bookmarks that users supplied.

When a site or service is dependent upon the whim of the masses to
remain viable, such as with almost every social-anything site, the
sudden and long term loss of data can be a fatal blow, much as it can
also be for any business.

Since people tend not to limit themselves to a single site to do
things on, there are opportunities for users to recover bookmarks that
they may have linked from ma.gnolia to other services.

From the information being posted online by Larry Halff, it seems
that there is ongoing trouble in trying to recover the data that has
been lost and there is still no end in sight for when the service may
be brought back online, or any of the stored data recovered.

No information has been made public about whether there were any
adequate data backup policies in place, but it is a lesson that data
backup is more than just a chore - it can really save a business. Even
if there were adequate backups, the data corruption may have extended
back through enough of the backups to limit the usefulness of actually
recovering the site.

2.3 External RSS Management Migrations

From the time that Google acquired FeedBurner in 2007, there has been
a slow but ongoing push to move services across to Google-hosted
equivalents. As of this weekend, specifically February 28, it is
expected that FeedBurner accounts will have been completely moved
across to Google Accounts and that users of FeedBurner who have not
yet established a Google account and moved their feeds across will
find that they will no longer be able to access their FeedBurner
accounts.

While Google have stated that they intend to keep the
feeds.feedburner.com/feedname link available for existing feeds ("for
as long as this service exists"), it is recommended that feeds are
updated where possible to reflect the new home for feeds -
feedproxy.google.com/feedname. Users who have not created a Google
Account or otherwise ensured that their feeds have been moved to their
Google account (automatic for most users), then they will probably
find their feeds returning 404 or 301 errors whenever the feeds are
attempted to be accessed - starting from this weekend.

Some feed operators will find that the loss of Site Stats (visitors)
and FeedBurner Networks will have a detrimental effect on the level of
service they get from the now fully Google-absorbed feed delivery
system. Google has retired the FeedBurner Network feature due to poor
usage rates, however FeedBurner Network operators have had a
significant period of time to migrate their networks to other systems.
Competition from standalone feed aggregators and feed readers, as well
as flexible online management tools (including the powerful Yahoo!
Pipes product) are possible reasons why FeedBurner Networks never
really took off like it was hoped, though there were some high quality
Networks that were created and actively used.

Sûnnet Beskerming will soon be updating the RSS feed address for the
primary company feeds to reflect their new home at
feedproxy.google.com, though we will continue to ensure that the old
FeedBurner address is supported for several more days. Most reader
applications and integration tools will automatically update to the
new address, especially with the replication across to the old
feedburner.com addresses, however it is more efficient to point to the
actual hosting location and not a redirected or mirrored site. It will
also mean that if and when Google shut down the FeedBurner domain that
Sûnnet Beskerming feeds will continue to be available without
disruption.

New feed locations are as follows:

* Blended Feed (main feed) - http://feedproxy.google.com/beskermingcombined
* Commentary Only Feed - http://feedproxy.google.com/beskermingcommentary

2.4 Patching Cycles and the Adobe Vulnerability

Just how quickly a vendor should move to release patches for security
vulnerabilities has been a point of contention for as long as there
have been patches for software. Over time different vendors have
settled into their own routines and patching cycles, providing end
users and administrators with either a time-based releasing cycle or
an opportunistic release cycle.

Time based cycles, such as Microsoft's monthly patch release, or
Oracle's quarterly patch releases, may provide users and
administrators with the knowledge that there are defined times when
patches will be made available, but it does mean that vulnerabilities
may be exposed for significant periods of time before patching (though
there is no guarantee that a patch for any vulnerability will be made
available in the period following discovery or disclosure). Microsoft
made their move to releasing patches on the second Tuesday of every
month, with a pre-release notification released the previous Thursday,
following pressure from administrators and end users that a seemingly
random release cycle was making their jobs more difficult than they
needed to be and that a regular release cycle would allow them to plan
patch testing and rollout reliably.

For Microsoft, the monthly release cycle seems to have hit a sweet
spot for patch releases, helping to reduce the number of out-of-cycle
patches that need releasing, while for a database vendor like Oracle,
the quarterly release cycle seems to work well, although there are
critics of this lengthy approach.

Ad-hoc patch release cycles, such as adhered to by Apple, most Linux
distributions, and a number of other software vendors means that
patches can be released on an as-needed basis, but it does mean that
administrators and users are left in the dark about the length of time
before the next patch release. Even though the ad-hoc approach seems
like it would provide the most rapid response to any publicised
vulnerability, which is the case for many Linux distributions, it can
still have inherent delays between vulnerability disclosure and
patching - something that has been seen recently with a highly public
disclosure of an Adobe Acrobat and Reader exploit.

Public claims were made in mid February by Shadowserver of a
previously undiscovered PDF-related vulnerability that was circulating
in the wild, being used for targeted attacks. This was soon followed
by the public release of exploit sample code which demonstrated a JBIG
issue. Initially it was believed that JavaScript was required to
exploit the issue and early mitigation advice was that disabling
JavaScript support would be sufficient to protect against
exploitation. When exploit sample code was freely available it was
found that it was possible to exploit without the use of JavaScript

Shadowserver are considered the first to publicly alert to the
presence of the vulnerability under exploitation, but there are
counterclaims that some security companies were aware of this as early
as December 2008. With the different times of discovery being claimed,
and the Adobe advisory not appearing until after Shadowserver issued
their information, it raises the question as to whether Adobe were on
top of the vulnerability at an earlier date than their Advisory, or
whether they were pressured into releasing the information following
the Shadowserver release.

With no patch scheduled until March 11, there are community released
patches, but it only provides limited protection for Windows XP users,
leaving the other affected platforms unprotected.

At the same time that information about the new vulnerability was
being made public, there were cases of exploits against Internet users
by way of poisoned ads hosted at Ziff-Davis that used an attack
against older versions of Adobe Acrobat Reader (8.12 and earlier) to
deliver their payload.

2.5 JBIG2Decode Adobe PDF Vulnerability now Completely Hands Free

Adobe's expected patch for the JBIG2Decode exploitable vulnerability
is expected in just a few days time. However, as the wider security
community gets to spend more time playing around with the
vulnerability, more interesting ways to trigger the vulnerability are
found.

After his recent documentation of three methods to trigger the
vulnerability without actually double clicking and opening an affected
file, Didier Stevens has gone one better and has documented a new
exploitation method that activates the exploit with no user
interaction, and which results in the exploit code running with Local
System privileges.

In order for a system to be vulnerable to this particular approach, it
needs to have Acrobat Reader 9.0 installed, and the Windows Indexing
Services started. As part of the installation process for Reader 9.0,
it installs an assistant (IFilter) to allow Windows Explorer to
interpret and index PDFs. This is called by Windows Explorer when it
encounters a PDF and it subsequently calls the Acrobat Reader core
interpreter, which is vulnerable to the JBIG2Decode vulnerability.

In Specific technical terms, cidaemon.exe encounters a PDF and calls
AcroRDIF.dll, which loads AcroRD32.dll, which is vulnerable to the
exploit. This all takes place with Local System privileges.

A positive aspect to the discovery is that the Indexing Service is not
activated by default on Windows XP SP2, though it will be activated if
the user answers yes to the offer to make future searches faster after
they first carry out a local search in an administrator level account.
The counter to this is that other software can also call the Acrobat
IFilter, including Windows Desktop Search (also vulnerable, but to a
lesser privileged Local Service account), SharePoint and SQL Server
(which has interesting implications for DBAs and developers who elect
to store binary data in their databases).

Didier describes a blended attack where a system that has had the
Indexing Service enabled, and also has a means to upload files can be
remotely compromised to give a local system shell with absolutely no
interaction from a local or logged in user.

There is some lingering doubt as to when the affected dlls are loaded
by Windows Explorer, but it is guaranteed that once the user has tried
to carry out a "word or phrase in the file" type search, the dlls are
loaded and present until the next time Windows Explorer is restarted.
Even with the options of just killing and restarting the process, or
just logging the active user off and back on, it isn't obvious at this
stage just how likely it is that the affected dlls have been properly
unloaded from memory. A full system shut down and restart is about the
only guaranteed way to make sure.

It has also been found by commenters to Didier's blog that even
uninstalling Acrobat Reader leaves behind the vulnerable dlls that
hook into Windows Explorer, something that can be simply verified by
looking for them in the Process Explorer after attempting "a word or
phrase in the file" type search after uninstalling Reader.

Depending on how alternative desktop search solutions (such as Google
Desktop Search [doesn't use IFilters unless third party add on has
been included], Yahoo! Desktop Search, and a number of commercial
solutions) implement search within a file options, they could also be
vulnerable to this particular exploitation method. Similarly, indexing
of attachments within PST files could present an exploitable problem
when the right conditions are encountered.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #263 - Microsoft (Multiple), Apple (Multiple), Multiple News

2009-02-16T19:17:00Z

Sûnnet Beskerming Alert List Advisory #263

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7 days
1.2 Apple (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - > 7 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 SSL Certificates Not as Safe as Once Thought
2.2 Arrested for Being Critical of Government Policy
2.3 2009 To Be The Year Of...
2.4 1234567890 on Black Friday
2.5 Google Demonstrates Risk of Filtering Systems
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Visio
SQL Server
Internet Explorer

-- Technical Description --
MS09-001 - SMB. Remote Code Execution. Replaces MS08-063. Critical
MS09-002 - Internet Explorer. Multiple Remote Code Execution.
Replaces MS08-073 and MS08-078. Critical
MS09-003 - Exchange. Multiple Code Execution and Denial of Service.
Replaces MS08-039. Critical
MS09-004 - SQL Server. Code Execution. Replaces MS08-040 and
MS08-052. Important
MS09-005 - Visio. Code Execution. Replaces MS08-019. Important.

-- Description --
Microsoft's security patch releases for the first two months of 2009
have only seen five patches released, three of them Critical. While
the remaining two patches have only been rated by Microsoft as
Important, they do relate to code execution vulnerabilities and there
is still significant risk associated with not applying the patches for
those vulnerabilities. Microsoft, and most of the antivirus /
antimalware industry, have been focussed on the problems associated
with Conficker / Downadup, the worm which has been spreading across
the globe, using a range of different means to infect vulnerable
systems. It is considered extremely important that these patches are
applied as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-005.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-4114 (MS09-001)
CVE-ID: CVE-2008-4834 (MS09-001)
CVE-ID: CVE-2008-4835 (MS09-001)
CVE-ID: CVE-2009-0075 (MS09-002)
CVE-ID: CVE-2009-0076 (MS09-002)
CVE-ID: CVE-2009-0098 (MS09-003)
CVE-ID: CVE-2009-0099 (MS09-003)
CVE-ID: CVE-2008-5416 (MS09-004)
CVE-ID: CVE-2009-0095 (MS09-005)
CVE-ID: CVE-2009-0096 (MS09-005)
CVE-ID: CVE-2009-0097 (MS09-005)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 Apple (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
AFP Server - Denial of Service
Apple Pixlet Video - Denial of Service and Arbitrary Code Execution
CarbonCore - Denial of Service and Arbitrary Code Execution
CFNetwork - Cookie handling
Certificate Assistant - File manipulation
ClamAV - Multiple arbitrary code execution
CoreText - Denial of Service and arbitrary code execution
CUPS - Denial of service
DS Tools - Information Disclosure
fetchmail - Multiple Denial of Service
Folder Manager - Permissions Issue
FSEvents - Information Disclosure
Java - Multiple privilege elevation
Network Time - Configuration Change
perl - Denial of Service and arbitrary code execution
Printing - Privilege elevation
python - Multiple arbitrary code execution
Remote Apple Events - Multiple Denial of Service and Information
Disclosure
Safari RSS - Arbitrary code execution
servermgrd - Information disclosure
SMB - Denial of Service and arbitrary code execution
SquirrelMail - Multiple Cross Site Scripting issues
X11 - Multiple arbitrary code execution
XTerm - Information disclosure

-- Description --
Apple has released a number of updates in the last several days,
providing Security Update 2009-001, an update for Safari for Windows
and a Java update. Due to the broad range of services and software
being updated with the Updates, and the severity of the
vulnerabilities being patched, it is considered extremely important
that the Updates are applied as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2009-0142 (AFP Server)
CVE-ID: CVE-2009-0009 (Apple Pixlet Video)
CVE-ID: CVE-2009-0020 (CarbonCore)
CVE-ID: CVE-2009-0011 (Certificate Assistant)
CVE-ID: CVE-2008-5050 (ClamAV)
CVE-ID: CVE-2008-5314 (ClamAV)
CVE-ID: CVE-2009-0012 (CoreText)
CVE-ID: CVE-2008-5183 (CUPS)
CVE-ID: CVE-2009-0013 (DS Tools)
CVE-ID: CVE-2007-4565 (fetchmail)
CVE-ID: CVE-2008-2711 (fetchmail)
CVE-ID: CVE-2009-0014 (Folder Manager)
CVE-ID: CVE-2009-0015 (FSEvents)
CVE-ID: CVE-2008-2086 (Java)
CVE-ID: CVE-2008-5340 (Java)
CVE-ID: CVE-2008-5342 (Java)
CVE-ID: CVE-2008-5343 (Java)
CVE-ID: CVE-2008-1927 (perl)
CVE-ID: CVE-2009-0017 (Printing)
CVE-ID: CVE-2008-1679 (python)
CVE-ID: CVE-2008-1721 (python)
CVE-ID: CVE-2008-1887 (python)
CVE-ID: CVE-2008-2315 (python)
CVE-ID: CVE-2008-2316 (python)
CVE-ID: CVE-2008-3142 (python)
CVE-ID: CVE-2008-3144 (python)
CVE-ID: CVE-2008-4864 (python)
CVE-ID: CVE-2007-4965 (python)
CVE-ID: CVE-2008-5031 (python)
CVE-ID: CVE-2009-0018 (Remote Apple Events)
CVE-ID: CVE-2009-0019 (Remote Apple Events)
CVE-ID: CVE-2009-0137 (Safari RSS)
CVE-ID: CVE-2009-0138 (servermgrd)
CVE-ID: CVE-2009-0139 (SMB)
CVE-ID: CVE-2009-0140 (SMB)
CVE-ID: CVE-2008-2379 (SquirrelMail)
CVE-ID: CVE-2008-3663 (SquirrelMail)
CVE-ID: CVE-2008-1377 (X11)
CVE-ID: CVE-2008-1379 (X11)
CVE-ID: CVE-2008-2360 (X11)
CVE-ID: CVE-2008-2361 (X11)
CVE-ID: CVE-2008-2362 (X11)
CVE-ID: CVE-2006-1861 (X11)
CVE-ID: CVE-2006-3467 (X11)
CVE-ID: CVE-2007-1351 (X11)
CVE-ID: CVE-2008-1806 (X11)
CVE-ID: CVE-2008-1807 (X11)
CVE-ID: CVE-2008-1808 (X11)
CVE-ID: CVE-2007-1351 (X11)
CVE-ID: CVE-2007-1352 (X11)
CVE-ID: CVE-2007-1667 (X11)
CVE-ID: CVE-2009-0141 (XTerm)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 SSL Certificates Not as Safe as Once Thought

Over time, security practices that were once thought to be safe
change. Many years ago it was believed that viruses could not
propagate through email, images, or web pages attack your system or
network. Those beliefs have all been shown to be inaccurate as attack
methods evolve and researchers discover new weaknesses and new ways to
exploit and expose those weaknesses.

One of the more recent mantras, which has become a key part of
ensuring Internet users stay safe online, is to always look for the
lock icon or https at the start of the URL when passing sensitive
personal or financial information across the Internet to an otherwise
trusted remote site (banking, online shopping, etc). The presence of a
SSL certificate that matched the site name (for more advanced users)
meant that no one on the network was listening in to the transaction.
As phishers and other malware authors became more skilled, the sites
being used to capture personal data began obtaining certificates of
their own that matched their not-quite-right URLs and others shifted
their focus to the victim's own system, intercepting and siphoning off
the data before it was encrypted in the browser and sent across the
network.

Recently there have been a couple of cases to cause alarm amongst
security watchers, raising the possibility that SSL certificates are
not as secure and as much of a panacea against attack as many thought.

It was discovered late last year that it is possible through some
Certificate Authorities (CAs, the companies that are trusted to issue
the SSL certificates that your browsers trust) to obtain authorised
certificates for any domain, even when you don't represent it. This
means that someone setting out to create a fake yourbank.com domain
can obtain a valid SSL certificate for that domain and point it to
their fake-yourbank.com site and not have any alerts raised in any web
browser.

At the recent CCC conference it was shown that it is possible, given
the right set of circumstances, to create a fake Intermediate CA due
to weaknesses in the methods used by some Root CAs in issuing their
certificates. By creating a fake Intermediate CA, it is then possible
to issue valid SSL certificates for any domain at all, and they will
all be accepted as valid by visitors' browsers. This is a more
concerning development, since it means that once the Intermediate CA
has been created, there does not need to be a request made to a valid
CA to obtain a certificate for each malicious domain.

For all users it means another thing to be careful of when going
online and that even a valid-looking SSL certificate may no longer
actually be valid.

2.2 Arrested for Being Critical of Government Policy

The AFP has reported on an interesting case in South Korea, where a
blogger was arrested for critical commentary he had posted about the
economic decisions of the South Korean government.

Although it isn't unheard of for people to be arrested for what they
post online, especially where that information is highly critical of
the government (or governments) in power, it does appear odd that the
South Korean government took this step against a popular online
commentator who had several key economic downturn predictions come
true in recent months, based on his critical commentary. With the
successful prediction of the failure of Lehman Brothers, local
currency devaluation, and local stock market crashes, the
commentator's credibility was enhanced and so when he claimed that the
government had taken active measures to support the South Korean won,
it was a step too far for the government.

While South Korea does maintain laws that could see a five year prison
term or even a 50 million won fine for the posting / distribution of
false reports and stories online, it now places the burden of proof on
the government to demonstrate that the claims were false, though
official charges have yet to be laid.

The anonymity of the internet allowed a jobless self-educated man to
become an influential financial commentator, it was being overly
critical with the government's economic decisions (at least as far as
the government sees it) which led to his arrest and pending charges.

With the government on one side and the opposition, freedom of speech
groups, and civil liberties groups on the other, this case has grabbed
attention far more than many of the previous South Korean arrests for
online commentary ever had.

2.3 2009 To Be The Year Of...

If 2009 is going to be the year of anything, it may as well be the
year of data loss, which conveniently has also been every year for the
last few years.

Around the time of the inauguration of President Obama, came news of
what could be the largest single breach of credit card information to
date. The potential scope of the breach is staggering. With around 100
million transactions a month passing through systems belonging to
Heartland, and malware in place to capture that data for an unknown
period of time, there could be an immense number of cards and details
that have been breached as a result.

Names, numbers and expiration dates were the information claimed to
have been compromised, but it is easy enough to clone fake cards from
this data, and with a range of other data that should be readily
available to professional data thieves, sufficient information to
reconstitute the missing cardholder data (which, it is claimed, has
not been compromised).

The choice of the inauguration day for disclosure of the breach is
seen by some as a method to play down the importance of what took
place, or even to avoid the negative press and significant attention
that have followed major breaches in recent years, such as that which
followed the TJ Maxx data breach. Why the information was not made
public when Heartland were initially made aware of the problem in 2008
is not known, but it is bound to come to light in the inevitable law
suits that will follow.

More than 250,000 businesses across the United States were supplying
transaction information to Heartland processing systems. What this
means for consumers is that it isn't really a matter of where they
went shopping, with so many retailers potentially having had
transaction data intercepted the risk of a customer having their data
intercepted is much higher than if a single retailer or retail chain
was compromised (such as happened with TJ Maxx).

Another reason why this case is gaining some attention is the claim
that Heartland were assessed as PCI compliant. Whether that compliance
was still valid at the time of the ongoing data interception hasn't
been made clear, but it has already split the Information Security
community into two camps. Many PCI supporters are rushing to defend
the system against claims that it doesn't really achieve much by way
of actual security.

PCI DSS falls into the same sort of general traps as ISO 17799:2005
and ISO 27001. It is great to be able to wave a certification in the
air as part of marketing claims, but when it comes down to actual
implementation and effective security, doing what is necessary to meet
certification isn't going to do much to stop what is, undoubtedly in
the case of a financial payments processor, a motivated attacker. It
may even provide the attacker with a clearer picture as to what
assumptions the company has made in achieving certification and what
they may or may not be observing with their ongoing security posture.

If you're a supporter of PCI, or even if you're not, it is prudent to
at least be cognizant that PCI isn't a be all for Information
Security. It can be extremely useful, when properly applied and
understood, but it should never be used as a crutch to claim effective
security procedures are in place.

If some of the other cases (breaches of USAJobs.gov and Monster.com)
to receive coverage this month can be looked at as bellwethers of the
year ahead, then 2009 is going to be another year where the
Information Security industry will continue to be playing catchup and
there are going to be many more high profile cases of massive data
loss and compromise.

2.4 1234567890 on Black Friday

Strange things tend to happen when notable timestamps are reached. It
may not seem like it would be much of a problem, but the whole Y2K
concern was a result of the fear that systems and software that were
coded to handle two digit years and not four digit years would have
major problems with the roll over from 1999 to 2000, seeing 00 as
representing 1900, and not 2000. More succinctly, it was a problem of
how to handle systems that were not designed to handle anything other
than the century in which they were created.

Another unique timestamp will be encountered in a little over a week's
time, with POSIX time reaching 1234567890 at 23:31:30 UTC on February
13th, 2009. Other than making for an interesting number it should give
programmers and QA staff something to think about. Are there any test
cases or unexpected code entry points that might have been left behind
and which can be triggered by the above timestamp (which would make
for an easy to remember test case)?

Having 1234567890 go past might be a useful hint that timekeeping
problems will eventually be an issue for most software. Just as many
of the developers of software affected by Y2K hadn't considered their
software still being in use at the change of century, there is still a
lot of software in use that is either having problems due to time and
date related errors, or will soon be.

If you are having trouble telling when the 1234567890 time is going to
be, the following is a helpful site, where you can see just how long
it is until that time, or if it has already been.

2.5 Google Demonstrates Risk of Filtering Systems

Over the weekend it has been hard to avoid the news that Google
inadvertently marked the whole Internet as dangerous and "may harm
your computer", at least that was what search results were returning.
What had happened, according to Google, was that the filtering list
being used to identify which sites are malicious had accidentally
included a wildcard operator. The inclusion of the '/' entry meant
that, with the system Google has implemented, all URLs on the web were
inadvertently identified as malicious.

There was initial confusion about where the error had been introduced,
with initial reporting suggesting that it had originated with
stopbadware.org, which is the non-profit that Google works with to
build their list of potentially malicious sites. While both Google and
StopBadware have issued statements, there is still some ambiguity as
to where the error was introduced. The consensus is that it was
introduced at Google, and the sharing of information with StopBadware
was just the normal data exchange.

Many people have for the first time seen the problems that can happen
when over-reliance on filtering systems breaks down. It doesn't matter
whether the systems are proactive or reactive in their performance,
similar problems plague both types. This recent case shows what can
happen when a simple human error occurs, but there is criticism of the
technologies that operate these systems.

Even after the systems were repaired (total exposure was about an hour
in the worst cases), there were still false positives that littered
the system. If sites like BitDefender.com are listed as malicious,
even temporarily, then how can the full system be trusted to be
accurate on an unknown site?

Probably the best way to approach it is to treat the Internet and
malicious site identification systems like Antivirus applications.
Most of the time, they will work as advertised, helping identify the
most common malicious sites, but there will always be a lag between
when malicious data challenges users, and when detection picks it up.
There will also always be a defined and present risk of false
positives, otherwise innocent sites and data misidentified as
malicious. Use of these systems is recommended, with the caveat that
nothing can trump common sense and careful Internet use. At the end of
the day, even a trusted, trustworthy site can be compromised in a
heartbeat, so users should always apply caution on the Internet.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #262 - Microsoft (Multiple), Multiple News

2008-12-12T05:03:10Z

Sûnnet Beskerming Alert List Advisory #262

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 A Compromised Network Leads to Military Exercise Failure
2.2 Live OneCare is Dead, Long Live Live OneCare (and Morro)
2.3 How to Survive the Economic Downturn (Discounts for All!)
2.4 Time To Check For The Reds Under Your Bed
2.5 An Interesting Internet Explorer 0-day
2.6 Another Interesting Microsoft 0-day Exploit
2.7 PHP Project Updates, Then Rapidly Updates Again due to bug
2.8 National Internet Censorship Plans Attract Criticism
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office
SharePoint

-- Technical Description --
MS08-070 - ActiveX (VisualBasic). Multiple Code Execution. Critical
MS08-071 - Windows. Multiple Code Execution. Replaces MS08-021.
Critical
MS08-072 - Word. Multiple Code Execution. Replaces MS08-026,
MS08-042, MS08-052, MS08-057. Critical
MS08-073 - Internet Explorer. Multiple Code Execution. Replaces
MS08-058. Critical
MS08-074 - Excel. Multiple Code Execution. Critical
MS08-075 - Windows Explorer. Multiple Code Execution. Critical
MS08-076 - Windows Media Player. Multiple Code Execution. Important
MS08-077 - SharePoint. Authentication Bypass. Replaces MS07-059.
Important

-- Description --
With the final Security Patch Release for 2008, Microsoft have issued
eight patches, which have addressed a large number of individual
vulnerabilities across Windows, Office, and SharePoint components.
Also of significance is the high number of previous patches replaced
as part of this update. Two unpatched 0-day exploits have also been
seen following this month’s release, with one likely to spread
rapidly. It is imperative that users and administrators apply the
patches as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-070.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-077.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-3704 (MS08-070)
CVE-ID: CVE-2008-4252 (MS08-070)
CVE-ID: CVE-2008-4256 (MS08-070)
CVE-ID: CVE-2008-4253 (MS08-070)
CVE-ID: CVE-2008-4254 (MS08-070)
CVE-ID: CVE-2008-4255 (MS08-070)
CVE-ID: CVE-2008-3465 (MS08-071)
CVE-ID: CVE-2008-2249 (MS08-071)
CVE-ID: CVE-2008-4024 (MS08-072)
CVE-ID: CVE-2008-4025 (MS08-072)
CVE-ID: CVE-2008-4026 (MS08-072)
CVE-ID: CVE-2008-4027 (MS08-072)
CVE-ID: CVE-2008-4028 (MS08-072)
CVE-ID: CVE-2008-4030 (MS08-072)
CVE-ID: CVE-2008-4031 (MS08-072)
CVE-ID: CVE-2008-4837 (MS08-072)
CVE-ID: CVE-2008-4258 (MS08-073)
CVE-ID: CVE-2008-4259 (MS08-073)
CVE-ID: CVE-2008-4260 (MS08-073)
CVE-ID: CVE-2008-4261 (MS08-073)
CVE-ID: CVE-2008-4265 (MS08-074)
CVE-ID: CVE-2008-4264 (MS08-074)
CVE-ID: CVE-2008-4266 (MS08-074)
CVE-ID: CVE-2008-4269 (MS08-075)
CVE-ID: CVE-2008-4268 (MS08-075)
CVE-ID: CVE-2008-3010 (MS08-076)
CVE-ID: CVE-2008-3009 (MS08-076)
CVE-ID: CVE-2008-4032 (MS08-077)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 A Compromised Network Leads to Military Exercise Failure

An interesting claim has been made about the extent to which a
compromised computer network was able to lead to failure of a military
exercise for a Chinese Armour Brigade.

The claim is that a virus had compromised an unpatched system and was
able to interrupt supply orders being passed across the network which
were meant to send extra ammunition to the engaged armour. Since the
orders were interrupted, the ammunition was never sent forward and the
main attack force eventually ran out of ammunition, troops were lost
(simulated), and the battle was lost.

Not only does the case provide an interesting insight into the
reliance upon computer networks for normal operation and function, but
it also highlights the importance of having reliable and functional
non-computerised systems to carry out critical functions. It is
surprising that the Chinese military did not have those fallback
systems in place, however it may have been an important part of the
exercise - to test the reliability of the computerised systems for
normal operations.

Despite the hype and chest beating that a lot of militaries put
forward about Network Centric Warfare, it is something that many then
find extremely difficult to implement. It only takes a single
oversight in order for the whole system to come crashing down. As
quoted in the Dark Visitor article, the commander of the armoured
brigade involved, Li Jintai, succinctly described the problem as:

"If there is insufficient importance attached to information security,
a lack of network defense consciousness and methodology, it can leave
a crack that your adversary can take advantage of and lead to grave
consequences.".

Advice that is pertinent for everyone, not just the Chinese military.

2.2 Live OneCare is Dead, Long Live Live OneCare (and Morro)

Microsoft is set to cancel the fee based Live OneCare for consumers
from mid-2009, replacing it with a free product, currently named
Morro. In a seemingly user-aware move, Microsoft have acknowledged
that the clear majority of users in both developed and developing
markets that do not maintain current security protection on their
systems.

Morro is being designed to address this problem, meant to provide
capability to address this protection gap. With Microsoft identifying
low-bandwidth and older systems as target installations, it will be
interesting to observe how they end up managing to deliver this
capability when many competing offerings are renown for being able to
bring high spec systems to an effective grinding halt.

From the published details, Morro will be a stripped down version of
the existing OneCare suite (which may remain as a fee-based full
service offering under another name), missing some of the printer
sharing / multi-PC / disk defragmentation features that OneCare
currently has.

A side benefit of the new suite will be that future Microsoft Security
Reporting will have a much larger number of sources from which to
gather data, and which hopefully will address some of the weaknesses
of their previous reports.

2.3 How to Survive the Economic Downturn (Discounts for All!)

Much has been written about the ongoing financial crisis that is
gripping the world, from Wall Street and Main Street, to High Street
and your street. Your company might be finding it more difficult to
attract external funding, you might be finding it difficult to attract
new customers or to retain those you already have. You might even be
finding it difficult to get your existing customers to pay their
accounts.

In all probability there have been job losses (maybe even yours) in
your company, and almost certainly there have been losses in your
industry.

So, how do you make sure that your company's Information Security
needs (and your own) continue to be met when budgets are being frozen
or cut and personnel are being stretched to do more with far less?

If you are running an internal security team, you can always use extra
resources from experts in the field - us! Join some of the biggest
global companies and government agencies and begin benefitting from
our special approach to Information Security.

If you are no longer running your own internal team (or if you are the
security team) then we are here to help you maintain the security
posture that you have been tasked to achieve. Sûnnet Beskerming is the
ultimate force multiplier. Make use of our advanced capabilities do
deliver results that will amaze and astound and make it look like you
have an army of experts at your command.

You do. Us.

We here at Sûnnet Beskerming recognise the difficulty that many now
find themselves in and so are offering 25% off all of our products and
services for as long as it takes for the economic downturn to be
turned around (even if it takes years). To claim this extremely
valuable offering, merely enter the coupon code 'DOWNTURNBUSTER' when
ordering any of our Premium Services.

Since it is also the start of the festive shopping season, we would
like to spread some festive cheer to all our valued clients and soon-
to-be clients, with 33% off all of our products and services. To claim
this even more valuable offering, merely enter the coupon code
'FESTIVE08' when ordering any of our Premium Services.

If the deep discounts on our already competitively-priced services
aren't enough for you, please contact us to see what we can do for you
inside your budgetary constraints. If you just have no available
budget, then our various free services are there to be an important
keystone for protecting and informing you.

Sûnnet Beskerming is there to help you and your company survive this
economic crisis with confidence that your Information Security needs
are being met.

The coupon codes, for easy reference:

FESTIVE08 - 33% off all services and products, valid until 31
December, 2008.

DOWNTURNBUSTER - 25% off all services and products, valid until such
time that there is consensus that the economic downturn has ended.

2.4 Time To Check For The Reds Under Your Bed

Reporting on a recent set of compromises to US military systems in
Afghanistan has identified different attackers, depending on who you
listen to.

On the one hand we have the attacks being tenuously linked to
attackers based in Russia, and on the other we have the attacks being
tenuously linked to attackers based in China. Aside from the poor
light it casts the military in (not being able to determine roughly
who is behind a network attack) it suggests that the bad old days of
the cold war haven't really gone away very far. If anything, the
location for confrontation has shifted into the information systems
and away from the proxy wars and world oceans.

Whether that is still the case is a topic for another time. It
certainly wouldn't hurt some military planners and leaders to have a
well-defined set of enemies again, nation states instead of the
stateless bodies that are the current enemy-du-jour. With this in mind
it doesn't take too much to see this as being something that is a lot
less than is being claimed by the military. Certainly, the network
compromises are embarrassing and potentially risky for national
security, but there may be too much being read into why the attacks
have taken place.

It is highly likely that whoever is carrying out these attacks is
using resources in Russia and China to achieve their goals, hence it
looking like the attacker might be coming from two places at once. It
is also highly likely that the attacks have been opportunistic and not
purely a result of targeted attacks. Targeted attacks are more likely
to show up as 0-day infections, such as the various Office
vulnerabilities that have been used over the years to compromise
government networks.

Sure, it might be possible that a targeted attack against military
systems was carried out using and AUTORUN infector that is not leading
edge and which had no guarantee of ever making it onto the military
systems (social engineering notwithstanding), but it is more likely
that a targeted attack isn't going to be as obvious. If you are a
conspiracy nut, then perhaps it is being used as misdirection, while
the real targeted attack is taking place through other channels...

There are plenty of people in Information Security who dismiss the
concept of each device on a network having its own protection against
other devices but it is a key part to a full defense in depth approach
to security. In cases like this, effective defences between systems on
the same network segments would have limited the ability of the
malware to spread and take hold within the military networks.

2.5 An Interesting Internet Explorer 0-day

News of what is the closest thing to a widespread 0-day attack against
Internet Explorer for some time has been spreading across the
Internet, complete with fully described exploits code, available from
a number of sources, such as the dependable milw0rm.

Microsoft's own notice on the vulnerability identifies that the
vulnerable platforms are Internet Explorer version 7 on Windows XP,
2003, Vista, and 2008. Microsoft have identified that setting the
Internet zone security setting to High blocks the current
implementations of the attack, and running Internet Explorer with Data
Execution Prevention (DEP) will limit attack options.

The biggest problem with the High setting on the Internet zone
security settings is that it effectively disables ActiveX and Active
Scripting for all sites that haven't previously been identified as
Trusted. For many users this particular step may lead to significant
usability difficulties when visiting their regular Internet sites,
and, as described below, the use of the attack in blended attacks
means that even a trusted site can become affected by this particular
vulnerability in a very short period of time.

Already several different versions are available, varying in how they
go about filling the arrays before launching the attack (and exactly
how the attack is launched). From the ISC writeup, it seems that many
of the sites currently using this vulnerability to target Windows XP,
Vista, and 2008 users, are using the version (or a derivative) that
the ISC initially received. The milw0rm version is slightly different
in makeup and is expected to become the dominant version once other
malware distributors pick up this distribution method.

The ISC write up also highlights the appearance in blended attacks,
making use of SQL injection as the delivery vector to implant an
infected link on a site which then silently loads the Internet
Explorer 0-day.

Until such time as detection has been included in the major
antimalware detection engines, and Microsoft has been able to release
an appropriate patch to address the issue, it is recommended that
users consider the use of alternate browsers for their Internet use
(the preferred solution), or to apply the non-patch mitigation steps
recommended by Microsoft (and listed above).

2.6 Another Interesting Microsoft 0-day Exploit

Earlier this week Microsoft published a Security Advisory dealing with
a remote code execution vulnerability in WordPad that is being
actively exploited, though only in a limited capacity at the time of
publishing.

How a basic text editor could be vulnerable to a remote code execution
flaw is an interesting case. It appears that the problem is with the
text converter used to convert Word 97 files to a format appropriate
for display in WordPad. This puts it in the same sort of league as
antivirus scanning engine vulnerabilities that can be targeted by the
very malware that it is trying to detect.

While detailed technical details have yet to be released describing
how the vulnerability specifically works, it is believed that there
are one or more weak conversion / filtering routines in the text
converter that can be targeted with specific Word 97 formatting and
from there allow the execution of code in the context of the current
user.

Users who are running Windows 2000, XP (Service Pack 2 and earlier),
and 2003 are vulnerable to this particular issue and the discovery
that there are active attacks targeting this flaw means that there is
greater importance in applying special handling to .wri filetypes,
filetypes that many had previously considered safe when associated
with WordPad.

2.7 PHP Project Updates, Then Rapidly Updates Again due to bug

PHP version 5.2.7 was only released earlier this week, but it
introduced a serious bug. Effectively magic_quotes was forced off,
irrespective of the local php.ini settings. While the feature is
deprecated and being removed with PHP 6.0, it is still available
within the PHP 5 branch.

Relying on magic_quotes became a crutch for many PHP developers when
it came to managing user input and any other input that was passed to
any particular script. It was the lazy developer's approach to
security and is undoubtedly present in many, many scripts in use
across the Internet (and many intranets). The forced disablement of
magic_quotes would have made many of these scripts extremely
vulnerable to exploitation.

Initial guidance for administrators and users who had updated and
applied 5.2.7 was to revert to 5.2.6 until the issue could be
addressed. Fortunately, this did not take long, and 5.2.8 is now
available. All of the security improvements that were originally with
5.2.7 have been included and now there is the fix for the magic_quotes
issue, as well. Administrators also had the option of recompiling
5.2.7 and disabling ext/filter, which is where the vulnerable code was.

2.8 National Internet Censorship Plans Attract Criticism

Plans to introduce a national ISP-level Internet censorship and
filtering system in Australia have attracted vocal criticism, with an
almost unanimous slamming of the proposed plan by users and industry
experts alike. With the Federal Communications Minister introducing a
consultation blog to attract public comments on the proposed filtering
(and other national level communications issues) it is likely that the
comments will be swamped with open criticism.

Despite the level of criticism and public demonstration planned to
highlight the problem, it seems that the Federal government is
resolutely proceeding with the plan.

While the tested systems have all fallen short of effectively
filtering the content they were meant to, and with serious network
speed problems encountered whenever the filters were activated, there
is still a broader test that is scheduled to take place on a closed
network. Use of a closed network raises concerns that the results are
going to be stage managed to a greater extent than they would be in a
live test - where users will be able to experience first hand exactly
how the systems are supposed to work (or not).

In the UK, a voluntary filtering system that is in use by almost all
ISPs has demonstrated the risks associated with arbitrarily blocking
sites. The Internet Watch Foundation (IWF) listed Wikipedia as a
blocked site due to the appearance of an image from an album cover
from the 1970s that they deemed to be child pornography. With the
effect that all traffic from affected ISP customers to Wikipedia now
appeared to source from the IWF, Wikipedia took steps to limit the
risk of vandalism and so limited the ability of visitors from those IP
addresses to modify Wikipedia. A matching announcement on Wikipedia
describing what had taken place did more to raise awareness and
complaints than the actual blocking did.

As with most attempts to block online content, there were multiple
means available to access the blocked content, which was readily
available on other sites (like Amazon), as well as different methods
for accessing the blocked content on Wikipedia itself. The actual
blocking appeared to many as a simple network error, but it wasn't
long before the real reason for the strange errors to become apparent.

The minor inconvenience of not being able to easily view the Scorpions
album cover has led to awareness that there is active filtering taking
place in an environment where many users had previously not considered
any filtering to be taking place. There are bound to be questions
asked in the future about just how much other content is being
surreptitiously filtered out for UK Internet users.

As some observers have pointed out, the censorship is very
inconsistently applied. If the Scorpions album was identified as
potentially being child pornography, then Nirvana's Nevermind, Blind
Faith's Blind Faith, Led Zeppelin's Houses of the Holy, and many other
albums should also be actively blocked or otherwise restricted.

This gives the impression that, even years after the first series of
internet filters appeared, that what makes it onto and off the filter
lists is being driven by a minority of outraged special interests that
aren't necessarily able to recognise that some of what they find
annoying is seen as acceptable by the silent majority.

While the IWF has since reversed their decision to block the image,
which in a case of the Streissand effect saw the image promoted far
more following the blocking than it was beforehand, they have not
acknowledged that their censorship approach may be fundamentally
flawed (something that a growing number of users believe), only that
it didn't work in this public instance.

The Great Firewall of China might have entered the vernacular of
Information Security specialists, but the idea of a Great Firewall of
Australia or the UK is not sitting comfortably with many, including
many of the strongest supporters of the censorship plans.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #261 - Microsoft (Multiple), Multiple News

2008-11-17T03:35:45Z

Sûnnet Beskerming Alert List Advisory #261

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error,pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 6 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 When Joke Emails Turn Real
2.2 Microsoft Issues Security Report for Jan-Jun 2008
2.3 Old Malware Tricks Still Work
2.4 Google Provides Details on how it Determines Unsafe Sites
2.5 20th Anniversary for Poorly Written Network Worms
2.6 This [FILTERED] is [FILTERED][FILTERED]
2.7 Critical Out-of-Cycle Patch from Microsoft (MS08-067)
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office

-- Technical Description --
MS08-068 - Windows NTLM. Remote code execution. Important
MS08-069 - XML Core Services. Remote code execution. Critical

-- Description --
Last week Microsoft released two patches as part of the November
Security Patch Release. Although both patches were for remote code
execution possibilities, one was ranked Important, with the other
ranked as Critical. Due to the Critical out of sequence patch
released in late October (MS08-067), this month's first patch is
MS08-069. Both patches released this month replace prior monthly
patches from Microsoft. Exploit code and vulnerability data has been
readily available for both patches and it is imperative that users and
administrators apply the patches as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-4037 (MS08-068)
CVE-ID: CVE-2007-0099 (MS08-069)
CVE-ID: CVE-2008-4029 (MS08-069)
CVE-ID: CVE-2008-4033 (MS08-069)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 When Joke Emails Turn Real

In the cyclical world of chain emails one of the earliest staples was
an email claiming that Microsoft were able to track emails being sent
and Bill Gates will pay you for each and every person who you
forwarded the particular message to.

In May of this year, Microsoft launched their Live Search Cashback
program, designed to reward Internet users who used Microsoft Live to
find and purchase goods online, but it didn't really garner much
attention from anybody.

The idea sounds almost exactly like the chain email of yesteryear -
use a Microsoft product and they'll send you money (or at least get
you a discount when you spend your money). Where the chain email was
readily identifiable and somewhat of a nuisance, the Live Search
Cashback program doesn't seem to have the mindshare that Microsoft
would have hoped. Recent maneuvers from the software giant suggest
that it is either pre-positioning for an aggressive online Christmas
shopping season assault (Black Friday is only a fortnight away), or
struggling to find people who are willing to use the service, even
when paid. With the lack of widespread awareness of the service, both
opinions could be considered valid.

By increasing the number of conditions applied to any rebate, it
severely limits the usefulness of the service to the majority of the
Internet using world. The 25% rebate for eBay purchases is limited to
$200, paid through PayPal, and only available in the United States
(there are some jurisdictions internationally where the eBay / PayPal
enforcement is not looked upon kindly).

Why Microsoft see it as being necessary to pay people to use their
search engine is not known. While the other major competitors (Google
and Yahoo!) don't seem to have directly competing paid-to-use
services, there are a number of fly-by-night companies that keep
appearing (and mostly rapidly disappearing) who offer to pay users to
search online in an effort to improve the SEO results for their clients.

Perhaps the best commentary on the whole idea is a single word:

Why?

Surely there are better ways to attract online customers. If
Microsoft's own financial reporting is anything to go by, then their
Online Services division (which includes Live) is an ever-growing
black hole, losing $480 million USD in the first quarter of 2008-2009,
for a division that lost $1.23 billion USD in the entire previous
financial year (07-08), double what it lost in 06-07 ($617 million USD).

2.2 Microsoft Issues Security Report for Jan-Jun 2008

Microsoft's Malware Protection Centre has released Volume 5 of their
Security Intelligence Report (SIR), covering January to June 2008.
While it may not have the independence of reporting from OWASP, ISC,
US-CERT, or a number of other bodies, coming from the largest
operating system and software vendor it is a very interesting point of
view on the state of computer security, as observed by Microsoft.

While the report doesn't cover threats and malware targeting non-
Windows operating systems, it provides a very detailed look at the
ecosystem of malware and threats that infects Microsoft systems across
the globe, including detailed breakdown of per-country infection rates
and types. This per-country reporting throws up some interesting
statistics about the prevalence of different malware types in
different countries. For countries like Brazil and South Korea, the
relative distribution of malware types speaks volumes about how these
countries have seen their local IT infrastructure and composition
evolve.

Some of the positive highlights from the report are the improvement
(decrease) in the number of vulnerabilities reported, while at the
same time seeing an increase in the overall number of serious
vulnerabilities being reported. Perhaps Volume 6 of the report will
show some different results, with October's large number of security
patches, Kaminsky's DNS flaw, the unreleased TCP/IP vulnerability, and
the Critical out of cycle patch for the RPC Service potentially
skewing the next set of results.

One statistic to keep an eye on in future reports is the relative
global distribution and percentage of systems requiring cleaning every
time the Microsoft security tools are run. As identified in Volume 5,
there appears to be a clustering of systems requiring disinfection
following tool use in countries that are otherwise considered to be
"developing". Given the borderless nature of the Internet, it suggests
alternative infection mechanisms for systems in those countries (such
as sneakernet).

It is also an interesting observation that countries traditionally
seen as copyright infringement hotspots are not reporting as such a
high risk as others. Perhaps systems using infringing copies of
Microsoft software in those countries have been configured not to
report back to Microsoft or just aren't running Microsoft's security
tools in the first place.

Given the depth of excellent data provided in the SIR, it is important
to at least be aware of a possible self-selection bias in the
reporting of problems detected and removed. It appears that most of
the raw data used to compile the report came from Microsoft security
tools that had been installed and operated on end user systems, as
well as from selected online service providers. This means that
systems and sites that use alternate security suites that detected and
removed problems before the Microsoft tools will not have their data
appearing in the report. Likewise, systems where the "Call Home"
feature is disabled or blocked will not see their results appear,
either.

It does look like Microsoft made an attempt to source data from
outside of their own networks and tools, using the datalossdb.org (and
attrition.org) site to build statistics about the relative percentages
of security breach incidents - data that Microsoft's own tools would
not have been able to gather. It should be cautioned that, although it
is probably the best online archive of data loss incidents, the
information presented through datalossdb.org / attrition.org only
identifies openly reported data loss cases. It isn't able to capture
incidents that don't receive media coverage, or which aren't reported
directly to the site.

Despite lacking information on non-Microsoft operating systems and the
Internet as a whole, the SIR justifiably takes its place alongside
those from OWASP and ISC as being one of the key security reports that
should be read and appreciated by the modern Information Security
employee.

2.3 Old Malware Tricks Still Work

When Didier Stevens stumbled across a zero-byte padded piece of
malware a year ago he was somewhat surprised to see that many
antivirus systems tested against it failed to identify the underlying
malware despite the targeted application (Internet Explorer) being
quite happy to strip the 0x00 content and run the malware.

Didier has revisited his earlier work and happily found that
successful detection for the original malware samples has increased
markedly in the past twelve months (29/36 for unobfuscated samples).
When he lengthened the 0x00 padding within the malware samples,
however, the detection rates dropped off significantly. By only
doubling the length of padding, the rate of detection dropped from 6
to 3 out of 36 command line scanners. It is still disturbing that by
adding 255 bytes worth of 0x00 is enough to see the detection rate
drop from 29 to 6 scanners, especially given that the obfuscation
technique has been well known for a number of years.

Even more interesting is the change in detection when the 0x00 bytes
are added to the malware sample. For the engines that do detect the
modified file, there is often a change in description of the malware
between the unobfuscated sample and the obscured one. In almost all
cases it is a move to a generic descriptor (0x00 padded) from a
specific definition (original sample), so it doesn't appear that
scanning engine developers are claiming a new and unique variant for
each 0x00 padded file (which is a good thing).

While the generic detection of the modified files points to at least
partially-functioning heuristics in some engines, the lack of
detection from the clear majority of command line scanners being used
at VirusTotal shows that there is still some way to go for antimalware
companies as they drag their products away from purely signature-based
detection to a more flexible model.

As Didier points out in his post, it could be that the command line
versions of the scanning engines are lacking in some of the features
that the GUI versions will have that could detect his malware samples.
It would be better if those features were actually in the command line
versions as it would provide a greater level of protection in a
managed network environment, where it is more likely that network
level scanning is being managed by a command line tool.

2.4 Google Provides Details on how it Determines Unsafe Sites

A recent post at the Google Online Security Blog provides some
background on how Google generates the "This site may harm your
computer" warnings that appear from time to time in Google searches.
It all boils down to automated scanners detecting the presence of
malicious content. The article identifies that at least some of the
scanners have been created by Google staff, though it is possible that
commercial and freely available tools are also in use to generate the
results.

Although the results are defined as "accurate" there is no information
about what level of false positives or false negatives manage to slip
through the net. There are enough problems with similar available
toolsets to suggest that Google's own approach is not the panacea that
it might appear to the uninitiated.

If you think that your site has been misidentified as having malicious
content from the Google scanners, then they have provided a straight
forward link to go to and check on exactly what it was that triggered
the initial labelling. The basic site is http://www.google.com/safebrowsing/diagnostic
, and it can be made site specific by adding ?site=site_name at the
end of the link. For example, the result for Sûnnet Beskerming is
this. Google's Webmaster Tools will also provide added information
about what was scanned and found, though not the complete list of URLs
that have been identified as problematic.

Once whatever problem that was discovered has been rectified, there
are procedures available to request a review for your site from Google
(Overview page in the Webmaster Tools part of the site). Since the
review process is effectively the same as the original automated scan
(i.e. it is another automated scan), the complete process to remove
the unsafe indication should only take a few hours, a day at most.

On the other hand, if you have found that your site has completely
disappeared from the Google results, it may be due to it being a
"spammy website", in which case a Request for reconsideration is the
appropriate action to take.

2.5 20th Anniversary for Poorly Written Network Worms

20 years of poorly written havoc-causing network worms will come to
pass on November 2, as it marks the 20th anniversary of the Morris
Worm, considered the first major network attack on the Internet.
Despite only reaching an estimated 6,000 systems, it still represents
10% of the available systems on the Internet at that time. There is
some argument over the exact number of systems compromised and the
overall percentage of Internet hosts affected, but the widespread
impact of the worm is the most significant outcome.

Not only was it one of the earliest examples of an automated denial of
service attack (which came about because the detection routine to tell
if another copy of the worm was present had a bug in it), but it also
led to the creation of the CERT Coordination Center (CERT/CC), which
preceded US-CERT by several years and is meant to be one of the key
management centres for Internet related attacks and problems.

Robert Morris, the worm's creator, was convicted under the Computer
Fraud and Abuse Act and was eventually sentenced to probation (3
years), community service (400 hours) and a fine ($10,000). For
Morris, he has now entered the academic staff as an Associate
Professor at the institution he used to launch the attack, MIT,
despite being at Cornell when the worm was originally released.

Whether or not the worm was designed for malicious use, or, as Morris
has claimed, to map the Internet, the fact remains that it ended up
acting as a malicious worm. The use of vulnerabilities in sendmail,
finger, rsh, weak passwords, and the attempt to hide the source of the
attack (using a system at MIT rather than at Cornell where Morris was)
would nowadays suggest motives that weren't completely pure. A problem
with this line of thought is that it is extremely difficult to
identify an outcome from the worm which could be considered beneficial
for a malicious attacker.

The mid 80s were an interesting time for Information Security. The
first viruses and trojan horses appeared in 1986, so there was a lot
of advancement in malicious activity taking place in a very short
period of time and next year marks the 20th anniversary of ransomware
- the particularly nasty type of malware that encrypts a victim's
content and then demanding payment for a decryption key that will
decrypt the content back to its original state.

2.6 This [FILTERED] is [FILTERED][FILTERED]

In the lead up to last year's national election in Australia there
were a range of promises made by the incumbent government, under the
name NetAlert, which was reported to be for a range of projects
including Internet blocking software at the user end, tracking down
online predators, and filtering of traffic on the network.

It seems that the new government has now taken the proposals one step
further, moving to enforce the legislation that they pushed through at
the start of this year. At the time of the NetAlert announcements, the
opposition (now the government) were seen to be tacitly approving of
the initial presentation and the Labor party had previously been
ridiculed over their approaches to, and ideas of, online censorship.

Although the Federal Government has promised to listen to "the best
advice", it seems that they are only listening to the advice that
validates and otherwise affirms their approach to online censorship.

There have been accusations that the sudden rapid movement that has
taken place is a result of appeasement of minor parties, particularly
Family First, whose senator is key to the government being able to
pass their bills through parliament smoothly and who had slammed the
prior government's $89 million filtering program as being inadequate.

There is also reporting that the government is pressuring the
silencing of dissenting voices. With increasing reporting on this
proposal, the chorus of dissenting voices grows louder by the day.

Somewhat unsurprisingly, the technology being tested has demonstrated
significant slowdowns for available network speed. The more that they
try to filter, the greater the slowdown for end user, which could be
up to 86% with one unnamed system.

There can be no other way to put it other than to suggest that these
efforts are being pushed through out of an ignorance of the structure
and nature of the Internet, even when accurate information is readily
available.

It could be that those making the decisions can't differentiate
between the arguments that the opposing sides are making (after all,
both sides are talking about something the decision maker doesn't
really understand) and so back the one that they feel is right (or
best for their political ends).

2.7 Critical Out-of-Cycle Patch from Microsoft (MS08-067)

From first alert on Tuesday, to patch release on Thursday, Microsoft
has rushed an out-of-cycle patch out to Windows users, acting on a
privately reported problem affecting the core Windows kernel.

In some detail, the vulnerability is a problem with the way that
Windows handles Remote Procedure Calls (RPC) and can result in a
remote unauthenticated user (i.e. anyone on the Internet) being able
to take complete control over your system.

Microsoft acknowledges that the issue is being actively targeted by
malicious code, though code samples have yet to appear publicly. It
has been reported that Gimmiv.A is a worm which is using this
particular vulnerability to attack vulnerable systems, though
Microsoft's initial guidance was that it was only being used in
targeted attacks.

Already different groups have claimed to have reverse engineered the
patch and there are fears that this vulnerability could lead to
something like the Blaster worm from 2003, where a patch was available
but attacks took down a significant number of systems anyway.

In some of the open analysis that has taken place, there is enough
information to point to the NetPathCanonicalize call as being the
weakness currently being exploited. The available information also
shows a fairly straight forward buffer overflow.

Users who have enabled the builtin Windows firewall (default on
systems after XP SP2) will be protected by default against this issue,
though it is still urgent to apply the patch. However, if print or
file sharing is enabled the system is vulnerable again. This means
that many systems that would otherwise be secure are not going to be.

Windows Vista and 2008 systems are vulnerable if the file / print
sharing has been enabled for networks of type 'Public'.

According to the Security Vulnerability Research & Defense team at
Microsoft, ASLR and DEP should provide some added protection to
Windows Vista and Windows 2008, though it is still considered possible
that arbitrary code execution could take place. The UAC feature of
Vista and 2008 will also limit anonymous attacks, however if "Password
Protected Sharing" is disabled, anonymous attacks will be successful.
If TCP ports 139 and 445 are blocked at the network perimeter it will
mitigate against external attacks, however internal networked systems
will remain vulnerable and some services might no longer work as
expected, including:

Applications that use SMB (CIFS)
Applications that use mailslots or named pipes (RPC over SMB)
Server (File and Print Sharing)
Group Policy
Net Logon
Distributed File System (DFS)
Terminal Server Licensing
Print Spooler
Computer Browser
Remote Procedure Call Locator
Fax Service
Indexing Service
Performance Logs and Alerts
Systems Management Server
License Logging Service
Despite Microsoft providing non-patch mitigation options, the
criticality of this particular vulnerability, and the fact that it is
being targeted in the wild means that users and administrators should
apply the patch as soon as possible.

For Windows 2000, XP, and 2003, the vulnerability has been rated as
Critical, with Windows Vista and 2008 attracting Important ratings.
Microsoft have even acknowledged that the pre-beta versions of Windows
7 are also affected by this particular vulnerability. The ISC have
rated their threat indicator to Yellow, as have Symantec.

You can get MS08-067 direct from Microsoft, here.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #260 - Microsoft (Multiple), OS X (Multiple), Multiple News

2008-10-17T04:26:28Z

Sûnnet Beskerming Alert List Advisory #260

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - More than 7 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 If You Can't Take The Heat, Get Out of The Kitchen
2.2 If you build it, will they come?
2.3 Survey Results Unsurprisingly in Favour of Company That Paid for
Them
2.4 Governments Listen to You - Just Not The Way You Think
2.5 Fact Checking Helps
2.6 Don't Forget Your Oracle Patches
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office

-- Technical Description --
MS08-056 - Office. XSS. Moderate.
MS08-057 - Excel. Remote Code Execution. Replaces MS08-043. Critical
MS08-058 - Internet Explorer. Remote Code Execution. Replaces
MS08-045. Critical
MS08-059 - Host Integration Server. Remote Code Execution. Critical
MS08-060 - Windows Active Directory. Remote Code Execution. Replaces
MS08-035. Critical
MS08-061 - Windows Kernel. Privilege Elevation. Replaces MS08-025.
Important
MS08-062 - Internet Printing (IIS). Remote Code Execution. Important
MS08-063 - Windows File Sharing. Remote Code Execution. Replaces
MS06-063. Important
MS08-064 - Windows. Privilege Elevation. Replaces MS07-066, MS07-022.
Important
MS08-065 - Windows 2000 Message Queuing. Remote Code Execution.
Important
MS08-066 - Windows Ancillary Function Driver. Privilege Elevation.
Important

-- Description --
October's Security Patch Release from Microsoft has seen 11 patches
provided. Four of the patches were identified as Critical, six as
Important, and one as Moderate. An advisory release was also
provided, but not listed with a MS08- number, which provided killbit
settings for a number of third party ActiveX controls and set the
killbit for Microsoft controls mentioned in MS02-044, MS08-017,
MS08-041, MS08-052. Several of the patched vulnerabilities were under
active attack prior to patch release and sample exploit code has since
been released for several other vulnerabilities. It is imperative
that these patches are applied at the earliest opportunity.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-064.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-065.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-4020 (MS08-056)
CVE-ID: CVE-2008-4019 (MS08-057)
CVE-ID: CVE-2008-3471 (MS08-057)
CVE-ID: CVE-2008-3477 (MS08-057)
CVE-ID: CVE-2008-2947 (MS08-058)
CVE-ID: CVE-2008-3472 (MS08-058)
CVE-ID: CVE-2008-3473 (MS08-058)
CVE-ID: CVE-2008-3474 (MS08-058)
CVE-ID: CVE-2008-3475 (MS08-058)
CVE-ID: CVE-2008-3476 (MS08-058)
CVE-ID: CVE-2008-3466 (MS08-059)
CVE-ID: CVE-2008-4023 (MS08-060)
CVE-ID: CVE-2008-2250 (MS08-061)
CVE-ID: CVE-2008-2251 (MS08-061)
CVE-ID: CVE-2008-2252 (MS08-061)
CVE-ID: CVE-2008-1446 (MS08-062)
CVE-ID: CVE-2008-4038 (MS08-063)
CVE-ID: CVE-2008-4036 (MS08-064)
CVE-ID: CVE-2008-3479 (MS08-065)
CVE-ID: CVE-2008-3464 (MS08-066)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
Apache - Multiple vulnerabilities
Certificates - Updated Root certificates
ClamAV - Multiple vulnerabilities, the worst of which being remote
code execution
ColorSync - Arbitrary code execution when handling malicious images
CUPS - Arbitrary code execution with 'lp' privileges
Finder - Denial of Service
launchd - Failure of applications to enter sandbox mode
libxslt - XML processing may lead to arbitrary code execution
MySQL Server - Multiple vulnerabilities, the worst of which being
remote code execution
Networking - Privilege elevation
PHP - Multiple vulnerabilities, the worst of which being remote code
execution
Postfix - Mail may be sent to local users arbitrarily by remote
attackers
PSNormalizer - Arbitrary code execution when handling malicious
PostScript files
QuickLook - Handling malicious Excel files may lead to arbitrary code
execution
rlogin - Unexpected root access possible with rlogin and host.equiv
Script Editor - Privilege elevation
Single Sign-On - Feature enhancement
Tomcat - Multiple vulnerabilities, update to 6.0.18
vim - Update to 7.2.0.22 to address multiple vulnerabilities
Weblog - Access control failure

-- Description --
Last week, Apple released APPLE-SA-2008-10-09 Security Update
2008-007 for OS X 10.4.x and 10.5.x systems. Numerous system
components received critical security patches, including for
vulnerabilities that could lead to remote system compromise.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
Security Update 2008-007 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2007-6420 (Apache)
CVE-ID: CVE-2008-1678 (Apache)
CVE-ID: CVE-2008-2364 (Apache)
CVE-ID: CVE-2008-1389 (ClamAV)
CVE-ID: CVE-2008-3912 (ClamAV)
CVE-ID: CVE-2008-3913 (ClamAV)
CVE-ID: CVE-2008-3914 (ClamAV)
CVE-ID: CVE-2008-3642 (ColorSync)
CVE-ID: CVE-2008-3641 (CUPS)
CVE-ID: CVE-2008-3643 (Finder)
CVE-ID: CVE-2008-1767 (libxslt)
CVE-ID: CVE-2007-2691 (MySQL Server)
CVE-ID: CVE-2007-5969 (MySQL Server)
CVE-ID: CVE-2008-0226 (MySQL Server)
CVE-ID: CVE-2008-0227 (MySQL Server)
CVE-ID: CVE-2008-3645 (Networking)
CVE-ID: CVE-2007-4850 (PHP)
CVE-ID: CVE-2008-0674 (PHP)
CVE-ID: CVE-2008-2371 (PHP)
CVE-ID: CVE-2008-3646 (Postfix)
CVE-ID: CVE-2008-3647 (PSNormalizer)
CVE-ID: CVE-2008-4211 (Quicklook)
CVE-ID: CVE-2008-4212 (rlogin)
CVE-ID: CVE-2008-4214 (Script Editor)
CVE-ID: CVE-2007-6286 (Tomcat)
CVE-ID: CVE-2008-0002 (Tomcat)
CVE-ID: CVE-2008-1232 (Tomcat)
CVE-ID: CVE-2008-1947 (Tomcat)
CVE-ID: CVE-2008-2370 (Tomcat)
CVE-ID: CVE-2008-2938 (Tomcat)
CVE-ID: CVE-2007-5333 (Tomcat)
CVE-ID: CVE-2007-5342 (Tomcat)
CVE-ID: CVE-2007-5461 (Tomcat)
CVE-ID: CVE-2008-2712 (vim)
CVE-ID: CVE-2008-4101 (vim)
CVE-ID: CVE-2008-2712 (vim)
CVE-ID: CVE-2008-3432 (vim)
CVE-ID: CVE-2008-3294 (vim)
CVE-ID: CVE-2008-4215 (Weblog)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 If You Can't Take The Heat, Get Out of The Kitchen

When United Airlines' stock recently tanked on an out of date news
report, questions were asked about the appropriateness of relying upon
automated news reporting for making critical financial decisions, or
really any decision.

Sun Sentinel, and parent The Tribune, might have been quick to blame
Google for the incident, but the core problem was that there was no
dated byline on the article to provide context for either human
readers or Google's automated crawlers. With the only date on the page
displaying the article being the current day's date, what conclusions
could a reader draw from the article other than the wrong ones? Unless
a reader is in the habit of conducting string matches in every article
they read against historical news, then they aren't going to pick this
up easily. The fact that it doesn't appear as breaking news might
provide some context, but where would you assume the error lay if you
came across the article without other context?

Google's subsequent actions of highlighting the article in their email
alerts relating to United Airlines, and listing it in their Google
News archives, merely meant that more people were now aware that the
Sun Sentinel was carrying an article on a United Airlines bankruptcy.

It was when humans stepped in and rewrote the article for other news
services, particularly those that investors were relying on, that the
situation compounded and was the critical error that eventually led to
the loss of market value for United Airlines. Without access to other
context, there wasn't much else that the readers could have done other
than to trust a service that, up to that point, may have been
extremely reliable.

Each time the story was picked up and re-reported, from the Sun
Sentinel, to Google, to the stock research firm (where the human re-
report tied the story to the current date), to Bloomberg, legitimacy
was added and this contributed to the final downfall.

With almost daily bailouts and failures in the lending markets could
jumpy investors (gamblers?) be blamed for going all in on another
bankruptcy report? Yes.

The investors who allowed their decisions to be swayed by an
inaccurate report need to shoulder responsibility for their actions,
but the stock research firm and Bloomberg need to be asked the hard
questions over how they let this happen and why their monitoring
systems (if any) didn't flag this as possibly inaccurate. Who knows
just how many stop loss orders were activated as a result of the
initial slide in price? If all of the sales based on misinformation
took place before the stop loss orders kicked in, but resulted in
depressing the stock price below this floor, it no longer matters
where the information came from, the market was going to be flooded
with United Airlines stock that not many people were going to want to
hang on to.

If nothing else, this is a classic example of a Swiss Cheese failure
(Reason's model). It wasn't a single cause of failure, but a number of
procedural and design errors that chained together, with poor or non-
existent active and latent defences, to almost wipe United Airlines
off the stock market.

When a small (debatable) error on one website can lead to a major
company almost being destroyed in a matter of minutes it suggests that
something is seriously wrong with how much trust is placed into
unverified information and how much value is then applied to that
information.

In the rush to be first to the news, you shouldn't leave behind your
critical thinking skills. Garbage In will result in Garbage Out, every
time.

2.2 If you build it, will they come?

Despite many people exhorting that all it takes to get online traffic
is to build it, and people will come, sometimes it doesn't turn out
that way, as the University of Illinois is currently finding out.

Earlier this year, the University of Illinois set out to establish an
online campus that would allow students to obtain degrees online,
however the response has been underwhelming, to say the least.

Online degree programs have always been regarded with dubiousness,
however the idea of delivering degrees online is only one step removed
from degrees by correspondence that many universities offer for
students who work or otherwise can't attend classes full-time. Having
ready access to a network connection means that coursework can include
media and improved learning aids that can not really be delivered
through the mail.

Expecting 5,000 students by the five year mark, fewer than 150
students have taken up the opportunity with the University of Illinois
since the system went online.

One of the biggest problems with the University of Illinois' online
campus seems to be that the whole concept relied upon University
departments creating new coursework and material in order to create
online degree programs. It has rapidly become apparent that there
aren't too many departments with the time or interest to create new
coursework for the system.

This is an excellent demonstration of what can happen when you don't
adequately plan for how a concept is to be implemented before actually
trying to implement it. Social networks rely upon their users for most
of their content and relevance, but it seems that online degree
programs (at least the legitimate ones) aren't as simple to establish.
Perhaps a better approach would be to have arranged with the various
high demand courses to be created ahead of time and then placed
online. Achieving accreditation, as suggested in the article, could
help somewhat.

2.3 Survey Results Unsurprisingly in Favour of Company That Paid for
Them

Any time that the results of a new survey are announced, especially a
survey that seems to paint a company in a positive light, questions
must be asked as to who is responsible for the funding and setup of
the particular survey or analysis. Generally, it is the company being
reported on favourably that is funding the survey, even if the survey
is being run by a nominally independent organisation.

This pattern of behaviour seems to be most obvious in Information
Technology, where the survey and associated analysis seem to be the
method-du-jour for companies to gain favourable press and to make it
look like an independent source is painting them in a positive light.
If a business purchasing decision can be based off such a report, then
it is all the better for the original company.

The Harrison Group recently ran a survey, paid for by Microsoft, that
found that companies running incorrectly licenced versions of Windows
were more likely to run into problems such as system failures and loss
of customer data. With Microsoft paying for the survey, was any
different result really to be expected?

With unlicenced systems almost certainly using digital perfect copies
of licenced software, why should there be any difference with how
stable the systems are? One of the suggestions put forward in the
article is that whoever is responsible for the copied software has
slipstreamed something malicious in with it. It would be more likely
that a company that is unwilling to spend funds on licenced software
would be unwilling to spend funds on properly maintaining their
systems - and so be more likely to encounter problems extending from
not maintaining their systems than they would from just having
unlicenced software.

In order to see a result like that, though, we are going to have to
wait until a system administration service provider runs their own set
of surveys.

2.4 Governments Listen to You - Just Not The Way You Think

It should have come as no real surprise that Skype's China-based
partner had been intercepting, logging, and even blocking text
messages traversing the Skype network through China. A Canadian
research group discovered the activity after breaching the insecure
Chinese servers (which in itself was a dubious activity, but since the
data was available from a web server that was outward facing, it can
be argued that it was permissable).

Based on a previously disclosed set of text filters, the modified
filters allowed for a broader set of communications to be intercepted
and logged, apparently without Skype's knowledge. As the original
filter was described, it was meant to drop text messages that had been
deemed inappropriate and not transmit them anywhere. The modified
system seems to have resulted in the messages being transmitted to
centralised servers for further storing.

It is interesting that the tracking servers appeared to have been
compromised by others before the research group came along. This opens
up some interesting possibilities to pressure people of interest,
based on intercepting already intercepted messages. It would be
possible to alert people to the fact they are being routinely logged,
even for traffic that does not match any filterable words, as well as
lean on people by blackmailing them into doing what you ask them to -
after all, you have copies of their text conversations.

2.5 Fact Checking Helps

In the last few weeks there have been a handful of standout cases
where poor reporting on an issue, including fake reports, led to
significant negative outcomes for the companies involved. A couple of
weeks ago it was a poorly dated news article about a United Airlines
bankruptcy from several years ago that led to massive stock market
losses for United Airlines, and most recently it has been a fake
report about Steve Jobs having a heart attack that led to an immediate
drop of 2% on Apple's stock, which recovered but still closed down 3%
for the day.

Apple's famed reputation for secrecy makes it more likely that rumour
and speculation will gain traction amongst Apple-watchers, but if
investors allow themselves to be led based on nothing more than
baseless rumour, it might go someway to explaining some of the
volatility in recent stock and commodity markets. Any time an incident
such as this takes place there are immediately whispers about stock
market manipulation having taken place.

It is often said that people are smart and reasonable as individuals,
but place them in a group and they become dumb, panicky herd-driven
creatures. With the stock market being made up of a massive herd of
investors, panicky and flighty responses can take place based on
speculative and poorly referenced rumours, leading to major changes in
the value (at least in the short term) of a stock.

On a smaller scale, malware authors and distributors have been
spamming our inboxes for some time with fake news stories in an
attempt to gain hits on their sites for drive-by downloads or clicks
on malware-loaded content. Pink sheet stock pump and dump scams are
also very similar, but on a smaller scale. In each case, falsified or
exaggerated "news" is being pushed to users in an attempt to
compromise a system or manipulate a stock.

What stands out from the recent cases is the seeming unwillingness for
reporting organisations to admit responsibility for spreading the
false or outdated news. If they hadn't picked up on the story, then
nothing would have happened, yet when it comes time to apportion
blame, it seems like they can't point the finger fast enough at
someone else. In both of the recent cases it wasn't until the
misrepresented story appeared on "legitimate" and "trustworthy" sites
that the problems really began for the companies involved.

Rather than stand up and admit that they contributed to this latest
event, CNN have handed over as much detail as possible on the alleged
source of the Steve Jobs rumour to the SEC.

You can argue as much as you like about whether it is "New Media"
versus "Old Media", but ultimately it is a case of poorly verifying
content that has been published. The same problems still take place in
print and broadcast media and it doesn't take too much searching to
turn up errata columns where these errors are hopefully addressed.

2.6 Don't Forget Your Oracle Patches

In a week when Microsoft released eleven patches, and an advisory, and
Apple released a Security Update (actually released last week), some
people might have been forgiven for missing Oracle's quarterly patch
release, which coincided with Microsoft's releases this month.

41 vulnerabilities were patched in the release for a broad range of
Oracle products, including Siebel, BEA, PeopleSoft and JD Edwards
applications.

The next quarterly mass update from Oracle is due on January 13, 2009,
which matches with Microsoft's scheduled patch release for January 2009.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #259 - Microsoft (Multiple), Multiple News

2008-09-12T23:59:21Z

Sûnnet Beskerming Alert List Advisory #259

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 What Isn't Best Western Telling Us?
2.2 Hacking Security Researchers
2.3 An Exploit That Targets Developers
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Windows Media Encoder
SQL Server
Windows Media Player
Office
Visual Studio

-- Technical Description --
MS08-052 - Windows. Remote Code Execution. Replaces MS07-015,
MS08-044, MS08-051, MS07-050, MS08-040, MS04-028. Critical
MS08-053 - Windows Media Encoder. Remote Code Execution. Critical
MS08-054 - Windows Media Player. Remote Code Execution. Critical
MS08-055 - Office. Remote Code Execution. Replaces MS07-025,
MS08-016. Critical

-- Description --
With September’s Security Patch Release, Microsoft have provided the
four patches that were identified in the advanced notice. All four of
the patches are rated by Microsoft as Critical and there were no known
public exploits prior to patch release. Since the patches have been
released there has been a lot of information published about the
vulnerabilities addressed and exploits should follow in a short period
of time.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-054.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-5348 (MS08-052)
CVE-ID: CVE-2008-3012 (MS08-052)
CVE-ID: CVE-2008-3013 (MS08-052)
CVE-ID: CVE-2008-3014 (MS08-052)
CVE-ID: CVE-2008-3015 (MS08-052)
CVE-ID: CVE-2008-3008 (MS08-053)
CVE-ID: CVE-2008-2253 (MS08-054)
CVE-ID: CVE-2008-3007 (MS08-055)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 What Isn't Best Western Telling Us?

Reports of a recent data breach at Best Western were vigorously
refuted by the company, but is there something else going on in the
background that is not being acknowledged by the company?

From the initial reports, more than 8 million Best Western customers
may have had their details captured following unauthorised system
access. Best Western's assertions that only one hotel and 13 records
being affected didn't attract many supporters, and their assertion
that their adherence to PCI DSS requirements ensured customer safety
was even less well received.

At the moment all that is happening is that the Glasgow Sunday Herald
(and their source at Prevx) and Best Western have made contrasting
claims on the incident and neither has provided much more by way of
evidence of their claims. Claims that it is the World's biggest cyber
heist, when it isn't by a long way, would put the burden of proof on
the Sunday Herald.

The difference between 13 records and 8 million is significant, but is
does raise the question as to how Best Western knew that it was only
those few records that had been accessed. 13 just isn't the sort of
number that people tend to make up when they are making vague claims
about quantities. As reported by Best Western, it was antivirus
software that managed to identify the trojan horse that had been
installed to try and capture credentials at a single European Best
Western hotel.

There are questions being asked about Best Western's claims that
recorded credit card details are destroyed after a period of time and
whether this claimed breach indicates a failure to adhere to Level One
PCI DSS requirements (assuming they are top level PCI DSS),
particularly the requirements for a Data Security Assessment and
Quarterly Network Scan. Perhaps the rapid discovery of the breach and
limited account access claimed by Best Western was achieved through
adherence to this requirement, but there are not many who place much
faith in this idea, or in the PCI DSS auditing requirements.

There is also the possibility that any breach was targeted at Identity
Theft first, financial theft second, so the PCI DSS requirements
aren't going to do much to stop that from happening.

How can Best Western ease a lot of concerned observers fears? If they
re-issued their press release (or even a new one) identifying when and
how the compromised system was identified and taken offline, and then
acknowledged that the PCI DSS is only one means to protect sensitive
data and forms part of a layered defence strategy then it would go a
long way to achieving this goal.

It isn't often that the benefit of the doubt is given to a company
involved in a data breach, but in this case it is leaning slightly
towards Best Western. At the end of the day, Best Western has been
tarnished by their response to this issue and if they can not
adequately address the concerns identified above, then there is little
else to do but assume that he worst outcome reported by the Sunday
Herald is what happened. Of course, if the evidence of the attack is
released by other means, then that, too, would validate the claims of
one side.

2.2 Hacking Security Researchers

When Alan Shimel (StillSecure) and Petko Petkov (GNUCitizen) had their
online mail accounts hacked in the latest bout of Full-Disclosure
posturing, including contents of select emails published to the list
and, in Alan's case, objectionable content sent to various mailing
lists that he was involved with, reactions ranged from ignoring the
event through to blaming Alan and Petko for using webmail accounts for
more than they really should have.

The irony of security experts having their own security shortcomings
exposed so publicly was not lost on the group claiming responsibility
for the attacks, or on a number of observers. The incidents prove the
adage that it is a matter of "when" not "if" you will be hacked. More
importantly, they show that it only takes a single lapse in procedure
for a critical weakness to be opened up in a security position. If
there are multiple lapses that can then be chained together, then it
only exacerbates the problems being faced. When a security expert is
relying on their reputation to attract clients, being smeared like
this doesn't help their case. How somebody recovers and responds to
such an incident is key to their future reputation, and maybe even
their future earning potential.

Alan and Petko's responses to the breach of their security can be
easily be found online and it is interesting to see the general
posture being taken by both (and also some of the external parties
affected when emails were published or malicious content was sent to
them). The significant differences in approach may be due to
American / European cultural differences, but blaming the service
providers for a mistake on your behalf is probably not the best way to
go about rebuilding after a compromise.

An interesting sidepoint to Alan Shimel's experience is that he had
his personal domain redirected at GoDaddy after the hackers were able
to use his legitimate email account to direct GoDaddy to unlock the
domain and make the requisite changes. Without a backup channel means
of validating such directions (such as via phone) what else is a
registrar to do - the email came from the correct account. With the
level of control over the various accounts that Alan held, including
full details of his credit cards, it wouldn't have taken much more for
the hackers to completely transfer control of his sites and
potentially severely restrict Alan's access to his own finances.

While Alan was able to use his personal contacts to gain rapid access
to in-person support at major service providers, this isn't
necessarily something that many people will have easy access to, and
even then it will take a measure of trust on the service provider's
behalf to believe the caller is who they say they are and not the
hackers making a last ditch social engineering attempt to regain
control of the site(s).

Taking the Turkish approach to solving this problem is not necessary,
but it might be a fun fantasy for a while.

2.3 An Exploit That Targets Developers

Towards the middle of August, a vulnerability affecting Microsoft's
Visual Studio was identified in the wild, though it isn't known just
how widespread the attacks are at this stage.

While the mechanism of the vulnerability, an ActiveX control buffer
overflow leading to remote code execution, isn't exactly new, it is
the target (and the fact it is being actively targeted) that makes it
somewhat interesting.

In the past there have been proof of concept and limited release
vulnerabilities targeting developers, reverse engineers, forensic
analysts, and a range of other service providers. What hasn't really
happened with any of the previous examples is a move to exploitation
in the wild.

Developers who are not able to separate their development environment
from the Internet, and who use their development systems to surf the
Internet, will be at greatest risk from this particular exploit. With
the increasing levels of high quality online development libraries and
code samples, it is becoming rarer that developers maintain a clear
separation between the two and so the vulnerable userbase is actually
quite a high proportion of the total number of Visual Studio
installations.

If you have Visual Studio 6 installed and you want to be protected
against the vulnerability in the Msmask32.ocx ActiveX Control, either
install version 6.0.84.18 (reported to be fixed in this version), or
set the killbit for the following CLSID in the Registry :
{C932BA85-4374-101B-A56C-00AA003668DC}.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #258 - Microsoft (Multiple), Multiple News

2008-08-13T03:59:39Z

Sûnnet Beskerming Alert List Advisory #258

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 1 day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 $1 Million gets you International Hacking Capabilities
2.2 Online Attacks for Political Reasons
2.3 You can Only Blame Technology so Often
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Exchange Server
SQL Server

-- Technical Description --
MS08-041 - ActiveX Control associated with Microsoft Access. Remote
code execution. Critical
MS08-042 - Word. Remote Code Execution. Important
MS08-043 - Excel. Remote Code Execution. Critical
MS08-044 - Office. Remote Code Execution. Critical
MS08-045 - Internet Explorer. Remote Code Execution. Critical
MS08-046 - Windows Color Management System. Remote Code Execution.
Critical
MS08-047 - IPSec policy. Information Disclosure. Important
MS08-048 - Outlook Express, Windows Mail. Security Update. Important
MS08-049 - Event System. Remote Code Execution. Important
MS08-050 - Windows Messenger. Information Disclosure. Important
MS08-051 - Microsoft Office Filters. Remote Code Execution. Critical

-- Description --
Eleven patches were released by Microsoft with the August Security
Patch Release. Of those patches, six were rated as Critical, and the
remaining five were rated Important. This marked a change from the
advance notification, where it was identified that seven of the
patches were to be Critical, and only five as Important. Microsoft
also provided updated patches for MS08-022, MS08-033, MS08-047, and
MS08-040 and two advisories, 955179 and 954960.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
Register to gain access

-- External Tracking Data --
Register to gain access

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Olympic Ticket Scam Traps Many

In the age of the P-p-p-p-powerbook and the ubiquitous 419 scammer, it
comes as no surprise that many people have fallen for a Beijing
Olympics ticketing scam that seems to have hit people all across the
world. Due to the rarity of tickets for the games, and the particular
setup of the scam site (and others), there has been a lot of money
lost by many people as they struggled to get their hands on tickets
that didn't exist. It is ticket scalping for the 21st century, made
even more lucrative by the need not to actually provide any tickets to
the victims.

When MSNBC carried a Forbes Traveler article, initially published late
February, it carried links to at least one fake ticketing site, sites
that have since disappeared from the actual page, pulled sometime
between the end of July and now, it led to implied legitimacy for the
site and helped it gain a search engine position and helped lead many
down the path of losing large amounts of money.

By silently fixing the article, MSNBC have contributed to the
confusion as to how people were led into believing the site was
legitimate. If you or your site find yourself in the position of
having to amend something that you have already published online, you
need to make sure that visitors can tell that you have amended the
original page and at least identify what has changed. MSNBC's silent
fix, without any acknowledgement that the original links might not
have been appropriate, is the worst possible way to deal with things,
it is even worse than leaving the information as it was - at least
then people could identify where the implied legitimacy had originated
from.

Just to make it clear, this is NOT THE REAL BEIJING GAMES TICKET SITE,
this one is. Does it mean that the Chinese Olympic organisers have
failed to secure all probable online domains before selling tickets?
It is impossible to completely close off the multitude of possible
domains that might be set up to try and sell tickets, so the
organisers aren't really at fault for that. Could they have made more
effort to secure likely domains? Probably. Then again, hindsight is
always perfect.

Key to the whole incident is how trust is allocated and determined
when interacting with new sites on the Internet. It actually
highlights one of the biggest problems with establishing viable online
trust. If a site, such as MSNBC, that you would normally otherwise
trust, provides a link to a malicious site and claims it is
legitimate, how would you be able to differentiate if the link is
malicious if you had never been there before? Under almost any trust
model that exists, the site would have gained trustworthy status
earlier this year, when MSNBC first linked to it. Where the trust
breakdown took place was when people failed to receive their tickets
and it was realised that the site was claiming ticket availability for
events that had long been completely sold out. Some of the more
advanced trust models that are in development (such as the one
developed by Sûnnet Beskerming) would have given the site a dubious
weighting, but would have struggled to offset the implied trust
delivered by other sites against the Official Beijing site, which
should have been the only one to offer tickets for sale.

All you need to trick people into giving you their money, it seems, is
to have a flashy website and promise delivery in the future for some
desirable item. If you want to find out more about the risks and what
sites are scamming people, one of the best resources for those who are
trying to hunt down the people behind the various scams is over at
beijingticketscam.com.

2.2 Internet Flaw Highlights More Than Just Technical Problems

When Dan Kaminsky released a cryptic announcement that one of the core
technologies (DNS, the Domain Name System) tying the Internet together
was vulnerable to a critical weakness it gained the attention of many
people, especially given that many of the software vendors who create
the vulnerable software had come together to address the problem and
the fact that Kaminsky was going to delay the release of information
until early August, at the Las Vegas Black Hat conference.

Despite the secrecy about the details of the vulnerability, if you
don't want anyone else to work it out for you, then don't tell anyone
you've found something. The lack of openness about the issue led many
to start speculating and eventually Halvar Flake hit upon the correct
answer. When Kaminsky himself challenged others to look into the
security of DNS and look at what might have been missed, the outcome
was almost guaranteed. Indeed, since the vulnerability was correctly
speculated on, exploit code has been publicly released through a
number of websites and mailing lists.

Since the correct guessing of the vulnerability, the general response
has been one of panic. Those who have read and understood the
technical details have largely been left scratching their heads -
there's not really anything new there. All it demonstrates is a corner
case of a previously known issue. Certainly the issue is one that
should have been fixed properly the first time, but for whatever
reason it wasn't.

What is more interesting is to see the vitriol that has now emerged as
people realise the information is out there. Some of the most serious
claims have been levelled against the team at Matasano Chargen for
having been the ones to actually spill the beans, as Halvar Flake had
only speculated about the details. The pulled post at Matasano Chargen
did more to get people to sit up and take notice than it would have if
it was left in place and the fact that they had declared that they
were part of the trusted few who had the details confirmed by Dan
Kaminsky only further validated for many people what had been posted.

Part of the problem is once data has been published on the Internet it
is awfully hard to completely retract it, even if it has only been
there for a couple of hours in total. As the retracted post at
Matasano Chargen promised technical details on the vulnerability it
was quickly snapped up by the lucky few who were able to see it and
then reproduced on numerous other sites.

Information Security has egg on its face over this issue. It shows how
immature the industry can be and how poor many people's skills are at
managing release and coordination of information. To his credit Dan
Kaminsky did find something that hadn't been fixed. Whether that is an
old problem or not is irrelevant for the time being, as it affected a
significant portion of the Internet's DNS servers and required a
coordinated effort by vendors to do something about it.

The whole incident has left a sour taste in many mouths.

Is Black Hat or DefCon the place to release all about a vulnerability?
After the debacle surrounding David Maynor and Jon Ellch's Black Hat
OS X wireless vulnerability demonstration in 2006, perhaps people who
are looking to release sensitive vulnerability information with some
flair should reconsider the pre-release media blitz. It runs the very
high risk of turning what might be a valid issue into a circus and
leaving all involved worse off for the experience.

Richard Bejtlich suggests that the incident might have been better
handled if initial and full disclosure was handled by an impartial
third party and the conference used for post-disclosure discussion and
the details of how the vulnerability was found. The problem is then
finding what can be regarded as an impartial third party.

The open discussion that was created following the initial
announcement turned up a more serious problem, which will continue to
have problems for users long after most systems are updated to address
the vulnerability. NAT, a very common technology that allows for
multiple systems to sit behind a single network connection wasn't
considered in the vulnerability equation but it was soon realised that
the method implemented to protect against the vulnerability would
break down when network traffic encountered most NAT devices, with the
result of zero protection against the vulnerability.

The whole idea of responsible disclosure, most famously set out by
Rain Forest Puppy, has broken down in this case. Those who were not
briefed in with details on the vulnerability feel that security by
obscurity was the gameplan and watching how the incident played out in
the media and how those who knew were (mis)managing the information
reinforced this idea for them. As far as those who did know the
details, they saw the withholding of information as a necessary step
to prevent widespread attack before updated systems could be put in
place. The problem was that this left everyone else having to
guesstimate the severity of the vulnerability, or having to trust the
claims being made by people who weren't releasing enough information
to back up their claims.

The problem with the approach taken was that it was set up such that
the carrot being dangled was too tempting for everyone to leave alone
until Black Hat. When the vulnerability was finally released, it
didn't seem to make a lot of sense, surely the vulnerability wasn't as
simple as that. With the way that a number of people in the know were
talking it sounded like the world was about to end.

So, what is the vulnerability?

Historically, it was possible to guess fairly quickly the IDs in use
by DNS queries and responses and so insert fake responses to poison a
DNS cache and point requests for legitimate sites to those under a
hacker's control. Improved random number generators (to increase the
entropy of the IDs) and randomising the source ports helped make this
particular attack far more difficult to carry out (but not completely
impossible).

Within the structure of a DNS response it is possible for amplifying
data to be returned about a domain so that subsequent requests to that
domain or subdomains can be made more efficiently, either by
identifying the correct authoritative server to query or by supplying
the data direct to the requesting system so that it doesn't need to
poll the server.

It is this particular feature which is the key to the whole discovery
made by Dan Kaminsky. While it should not be possible (poor
implementation of the specification aside) for this amplifying data to
change the details of other domain entries, it is possible for the
amplifying data to change the details for parent domains. This means
that a poisoned response for poisoned.example.com can change the
details for example.com.

Without the source port randomisation, it has been discovered that it
is possible to overcome the message ID randomisation and inject a fake
response that poisons the entry for the top domain in around 10
seconds on a fast modern system. To achieve this, numerous requests
are made for fake subdomains until the right combination of ID and
timing have been found to inject the response. The solution of adding
increased randomisation to the source ports used in making the
requests adds another layer of complexity for the hacker to overcome,
one which is enough for this point in time.

It is a band-aid type solution? Only time will show, but it might
prove good enough for the next few years at least. Perhaps a better
solution would be that every domain should include a wildcard
subdomain entry that identifies the legitimate main server as the
authoritative one for all subdomains for that particular domain.
Sending this wildcard information in the DNS response would result in
increased network traffic but it would also completely neutralise a
spoofing attack (unless the attacker is lucky enough to have the right
combination of ID, timing, and source port to beat the legitimate
response to the end user). It might break some business models that
rely upon selling / marketing subdomains and mean more authoritative
DNS servers need to be set up, but that is what might be necessary to
completely neutralise the vulnerability.

At the end of the day it still only seems to be domain-specific
poisoning, that is you can't forcefully poison results for a domain
that you aren't already making requests for (i.e. poisoning the result
for google.com when making requests for yahoo.com), but with the
various IFRAME and JavaScript tricks that exist out there it isn't too
hard to make this seem transparent - such that the user doesn't know
that they have been making requests for the site, but by this stage it
is too late for their system and they are compromised. With readily
available exploit code this is going to become a real problem for many
people in a short period of time.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #257 - Microsoft (Multiple), Multiple News

2008-07-18T00:48:30Z

Sûnnet Beskerming Alert List Advisory #257

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contactinfo@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - >1 week
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 $1 Million gets you International Hacking Capabilities
2.2 Online Attacks for Political Reasons
2.3 You can Only Blame Technology so Often
=====================================

1. SECURITY

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Exchange Server
SQL Server

-- Technical Description --
MS08-037 - DNS Server / Client. Spoofing / Cache poisoning. Important
MS08-038 - Windows Explorer. Multiple remote code execution. Important
MS08-039 - Exchange Server - Outlook Web Access. Privilege
Elevation. Replaces MS07-026. Important
MS08-040 - SQL Server. Privilege Elevation. Important

-- Description --
Microsoft provided four Important patches with the July Security
Patch Release. Only one of the patches had any vulnerability or
exploit data available
Microsoft has provided seven patches with the June Security Patch
Release. Of the patches, three are rated as Critical, three as
Important, and the remaining patch as Moderate. Exploit data for some
of the Internet Explorer (MS08-031) and Speech API (MS08-032)
vulnerabilities has been publicly available, but limited in
distribution.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1447 (MS08-037)
CVE-ID: CVE-2008-1454 (MS08-037)
CVE-ID: CVE-2008-1435 (MS08-038)
CVE-ID: CVE-2008-0951 (MS08-038)
CVE-ID: CVE-2008-2247 (MS08-039)
CVE-ID: CVE-2008-2248 (MS08-039)
CVE-ID: CVE-2008-0085 (MS08-040)
CVE-ID: CVE-2008-0086 (MS08-040)
CVE-ID: CVE-2008-0106 (MS08-040)
CVE-ID: CVE-2008-0107 (MS08-040)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 $1 Million gets you International Hacking Capabilities

A recent briefing by the US Department of Homeland Security has thrown
up some interesting figures about the level of online attack
capability that a number of designated terrorist organisations are
believed to possess. What is somewhat surprising is the level of
capability being claimed for a relatively low level of investment.

That a number of these organisations are developing an ability and
commensurate plans to target online services and data stores is not a
surprise. After all, online attacks represent almost the perfect form
of attack - significant short to medium term effect for almost no
personal risk, easy to set up and administer and have effects far
beyond the immediate region.

Figures were quoted in the report for Hezbollah, which is estimated to
be devoting almost $1 million of the estimated $60 million annually
that it receives to electronic warfare. From that amount it has
apparently developed the capability to tap and monitor / hijack fiber
optic networks, though it could be assumed that much of whatever
capability they have has come direct from their state sponsors (Syria
and Iran).

While people are coming to rely upon the Internet as an essential
service, it wasn't all that long ago that there was no real level of
interconnection as such and so the wider community probably won't be
too greatly affected by an attack on an individual level. Communities
as a whole may suffer due to outages with essential services and
service providers that may be relying upon the Internet for operations.

How the terrorist organisations compare to the existing spam networks,
Russian and Chinese controlled botnets, and system and software
updates going awry remains to be seen. Perhaps now that Information
Security threats have been linked with terrorist groups, the
Information Security may start to see some of the funds set aside to
combat terrorism.

2.2 Online Attacks for Political Reasons

It seems that the only time that state-sponsored online attacks are
covered in the media is when someone wants to create a short term
scare campaign that is focussed on driving business to a company, or
on increasing funding or perceived relevancy for a government agency
or group of agencies. Perhaps the best known case in the last few
years was in Estonia, though there remains contention about who
exactly was behind the attacks. Even though the official story is that
an ethnic Russian in Estonia was responsible, there are those who
still believe that the attacks were coordinated and managed from Russia.

State sponsored attacks are always guaranteed to attract interest, but
the idea of semi-state and stateless organisations developing online
attack capabilities for political goals is also starting to attract
attention. With many of the groups that have openly admitted to
developing such capability already engaged in open attacks in other
environments and many also attracting designation as 'terrorist'
groups, an online attack that is claimed by or attributed to one of
these groups is considered far more likely than a state-sponsored
attack. While the technology and methods used may be no different from
those used in spam, phishing, and other online criminal activity, it
is the political intent behind their use which places them in a
separate class.

Supporting this argument is a number of claims by different terror
groups that they have access to an electronic attack capability
surfacing in recent weeks and months. These claims are actively
promoted by the groups, who argue that it allows them to level the
playing field against their opponents and, more importantly for them,
it provides a means to disrupt their opponents without significant
risk to themselves.

Even though online attacks offer far less personal risk to the
instigators, there are still some global regions where this is not the
case. Earlier this year Israel killed a Palestinian believed to have
been in charge of the online attack element for a Palestinian militant
organisation, but this is probably the only global region where an
electronic attacker may be at significant personal risk.

India is the latest country to join the ranks of those accusing China
of attacking their internal networks and systems. This accusation is
more significant than most, given the geographic proximity of the two
countries and their historical military and political tension
(including two current disputed regions and a number of historical
armed conflicts).

It will be interesting to see how the two most populous and rapidly
developing countries in the world handle this sort of activity and how
each responds to claimed attack and counter attack, given that the
attacks may be attributed to state-sponsored, semi-state, and
stateless bodies in varying proportions. Though the scale of the
attacks is relatively small, given the overall size of both countries,
the economic and technological boost that has been delivered with the
outsourcing industry means that some of the juciest targets in India
are actually datasets belonging to foreign companies.

There is no sign that these sorts of attacks will increase in scope
anytime soon, but it is something to consider with data security
concerns - especially in an outsourced environment. You might wake up
one day to find that your data is being held ransom or under attack by
an external party that is actually targeting your supplier and not you
directly. That is cold comfort for the people whose data lies within
that dataset and it will be you ultimately held responsible for its
safety.

2.3 You can Only Blame Technology so Often

Is the latest defence against embarrassing or criminal emails, text
messages, and Internet activity that a hacker did it? Detroit's Mayor
is currently the subject of a lawsuit alleging that he and a former
aide conspired to lie under oath in a previous investigation.

That in itself isn't too much out of the ordinary, but the Mayor's
lawyers are arguing that allegedly incriminating text messages that
are supposed to have been sent between the parties were actually the
work of hackers.

It is assumed that the text messages will provide sufficient evidence
of guilt but it does make for an interesting defence tactic to prevent
the release of the messages. What it leaves most people with is the
impression that the text messages will implicate the Mayor and his
aide and that it is a wildly speculative attempt from his defence
lawyers to avoid them having to be shown in court.

It has been pointed out that while it is technically feasible to have
had hackers create the messages, it is fairly straight forward to
correlate messaging activity with other events on the Mayor's
schedule. A further reason why the defence lawyers seem to be pushing
hard to suppress release of the records is the belief that the
messages are the key component to the prosecution's case, and without
them the case will fail.

Making matters worse, when it can be shown that there is a reasonable
assumption that the person involved has actually been the victim of a
malware author / hacker, such as the Julie Amero case, it can be
difficult to convince people that it actually is the case.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #256 - Microsoft (Multiple), QuickTime, Multiple News

2008-06-13T00:34:19Z

Sûnnet Beskerming Alert List Advisory #256

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
1.2 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Website Defacement Group Arrested After Going too far
2.2 An Interesting Firefox Flaw
2.3 BT Home Hub Still full of Holes
2.4 What makes for a Dangerous Domain?
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office
Windows
Internet Explorer

-- Technical Description --
MS08-030 - Bluetooth. Remote code execution. Critical
MS08-031 - Internet Explorer cumulative update. multiple remote code
execution. Replaces MS08-024. Critical
MS08-032 - Speech API. Remote code execution. Replaces MS08-023.
Moderate
MS08-033 - DirectX. Code execution. Replaces MS07-064. Critical
MS08-034 - WINS. Privilege escalation. Replaces MS04-045. Important
MS08-035 - LDAP - Active Directory. Denial of Service. Replaces
MS08-003. Important
MS08-036 - Microsoft Message Queuing. Denial of Service. Replaces
MS06-052. Important

-- Description --
Microsoft has provided seven patches with the June Security Patch
Release. Of the patches, three are rated as Critical, three as
Important, and the remaining patch as Moderate. Exploit data for some
of the Internet Explorer (MS08-031) and Speech API (MS08-032)
vulnerabilities has been publicly available, but limited in
distribution.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-035.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-036.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1453 (MS08-030)
CVE-ID: CVE-2008-1442 (MS08-031)
CVE-ID: CVE-2008-1544 (MS08-031)
CVE-ID: CVE-2007-0675 (MS08-032)
CVE-ID: CVE-2008-0011 (MS08-033)
CVE-ID: CVE-2008-1444 (MS08-033)
CVE-ID: CVE-2008-1451 (MS08-034)
CVE-ID: CVE-2008-1445 (MS08-035)
CVE-ID: CVE-2008-1440 (MS08-036)
CVE-ID: CVE-2008-1441 (MS08-036)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 QuickTime - Remote Hacker Automatic Control

-- Products Affected --
QuickTime versions prior to 7.5

-- Technical Description --
QuickTime 7.5 has been released, incorporating several critical
security patches, including patches for remote code execution risks
associated with PICT file handling, AAC-encoded file handling, Indeo
video content, and QuickTime media content. The exploits are a range
of heap overflows, stack overflows and URL handling issues and affect
both the OS X and Windows versions of QuickTime.

-- Description --
Earlier this week, Apple released version 7.5 of the QuickTime media
codec and associated player software. With the update, Apple provided
a range of critical security fixes which addressed a number of remote
code execution opportunities that were identified with QuickTime.

-- Recommended Action --
Update to QuickTime 7.5 when possible.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/quicktime/download/

-- External Tracking Data --
CVE-ID: CVE-2008-1581
CVE-ID: CVE-2008-1582
CVE-ID: CVE-2008-1583
CVE-ID: CVE-2008-1584
CVE-ID: CVE-2008-1585

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Website Defacement Group Arrested After Going too far

Most website defacement groups are regarded as more of a nuisance than
a major threat. While they cost site operators and maintainers
valuable time and resources to recover damaged sections of their sites
and patch the entry points, generally the only damage done is to place
a page on the site to proclaim the technical prowess of the group,
before they run off and self-report to the World's largest online
defacement archive, atZone-H.

Sometimes the groups go too far for comfort for authorities.
Defacements of sites belonging to government agencies or bodies have
their own special place in the Zone-H archive, but most of the time
these defacements are treated exactly the same as for non-government
sites - as a nuisance.

For one Spanish group, hacking a Spanish political site was the one
step too far for comfort, eventually resulting in their arrest.
Spanish sites weren't the only sites that they defaced, with numerous
US sites, including NASA sites, on their list of defacements recorded
at Zone-H.

2.2 An Interesting Firefox Flaw

Ronald van den Heetkamp has published information about an interesting
heap corruption in Firefox.

Put simply, it has been discovered that merely running document.open,
document.write and document.close in close succession can sometimes
lead to code not being executed prior to the document being closed
(the obviously named document.close method) and some inconsistent
behaviour from Firefox. The interesting aspect of what Ronald has
discovered is that if he uses an empty applet then it leads to a
fairly predictable denial of service after a couple of minutes after
attempting to load the initial code element. Based on the information
provided, it is predictable from the point of view that it can be
assumed the browser will be unresponsive within a few minutes of
loading the code, even if the underlying mechanism of just how the
code is causing the failure is not understood.

Although Ronald has not developed his example to the point of
executing code, the sample gives an easy starting point for further
investigation and develeopment. It is true that every heap corruption
isn't going to end in arbitrary code execution, but on initial view it
does seem possible with this particular vulnerability. At the moment
it is an interesting and simple denial of service vulnerability.

2.3 BT Home Hub Still full of Holes

British Hacker group GNUCITIZEN, and in particular Adrian 'pagvac'
Pastor, have been focussing on the BT (British Telecom) Home Hub, an
ADSL modem capable of acting as a wireless access point and
interfacing with DECT compliant telephone handsets (the standard used
in most cordless handsets) as well as supporting VoIP. In their past
research, GNUCITIZEN identified several methods to compromise various
features of the BT Home Hub, including the complete take over of the
device by a remote attacker, provided that the local user could be
convinced to visit a malicious website.

Some of the modifications made by BT to address the concerns raised by
GNUCITIZEN included changing the default password of the Home Hub to
the serial number of the device. On initial observation, this gives
each device a unique root password that should be non-guessable by a
remote attacker, neutralising the techniques otherwise used to
compromise the system.

Recent work, however, has shown that this serial number is
recoverable, and thus the control of the device. To achieve this feat,
a local network request is made using Multi Directory Access Protocol
(MDAP) which then results in the device responding with its ID number,
which can then be pre-prended with 'CP' to give the serial number and
the default password for the device.

Limiting the impact of the discovery is the requirement for the
attacker to be on the same LAN as the router, either through a wired
or wireless connection. Given that the wireless connection is only
secured with WEP, it isn't going to take long for a casual wardriver
to break into a targeted device. Alternatively, techniques described
by other researchers, to allow probing of local LAN resources remotely
could be blended to give the remote attacker all the information they
need without actually having to be present on the LAN.

While this is a real concern, Adrian points out that there are still
critical UPnP port forwarding vulnerabilities that leave the Home Hub
just as vulnerable. Given the numerous capabilities of the device and
what it is designed to be used for, anything that could allow a remote
attacker to capture all Internet and telephony traffic passing through
the device is going to have serious consequences.

If BT, the company that purchased noted security company CounterPane
(including Bruce Schneier) can have critical security errors in their
consumer level devices, it doesn't bode well for the many other ISPs
that provide slightly modified devices to their own customers, even if
they are nothing like the Home Hub in appearance or capability. As
with any other network or computing device, the safest approach to
take is to always assume that it is or can be compromised and be aware
of what information is being sent through or stored on it.

2.4 What makes for a Dangerous Domain?

McAfee recently published a study that identifies what could be
described as the world's most dangerous top level domain (.hk).
According to McAfee's report, 19% of .hk domains are alleged to be
serving malware or otherwise considered potentially risky for site
visitors. Two other top level domains, .cn and .info were identified
as having more than 11% of their sites identified as being risky, with
the .com domain only having about 5% of the total sites on that domain
being considered risky.

While raw percentages give a quick initial first impression, in terms
of the raw overall numbers of sites that are considered dangerous,
there are more on the .com domain than on .hk. The other question not
quite answered by the research is how likely a generic Internet user
is going to stumble across one of these malicious sites and how
obvious it is going to be that they have done so when they have.

Suggestions as to how to improve the data collection and reporting
would be to report the numbers by IP block. This would give a better
indication as to where on the Internet malicious (and potentially
malicious) sites are located and also which network providers are more
accommodating to these sites. It would also make the life of other
admins much simpler in terms of limiting network traffic to dangerous
sites.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #255 - Microsoft (Multiple), Multiple News

2008-05-14T14:19:12Z

Sûnnet Beskerming Alert List Advisory #255

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 PHP Updates to 5.2.6
2.2 Mass Site Hack Proves no Site is Truly Safe
2.3 DefCon Competition has Antivirus Vendors Complaining
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office

-- Technical Description --
MS08-026 - Office. Multiple Remote code execution. Replaces
MS08-009. Critical
MS08-027 - Publisher. Remote code execution. Replaces MS07-037 and
MS08-012. Critical
MS08-028 - Jet Database Engine. Remote code execution. Critical
MS08-029 - Microsoft malware protection engine. Multiple Denial of
Service. Important

-- Description --
Microsoft has provided four patches with the May Security Update
release, with the first three identified as Critical, and the
remaining one as Important. MS06-069 was also re-released to account
for Windows XP SP3 as a vulnerable product. The Jet Database Engine
vulnerabilities (MS08-028) have been actively exploited for some
time, while the other vulnerabilities have not had any public release
of attack code.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-027.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-029.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1091 (MS08-026)
CVE-ID: CVE-2008-1434 (MS08-026)
CVE-ID: CVE-2008-0119 (MS08-027)
CVE-ID: CVE-2008-6026 (MS08-028)
CVE-ID: CVE-2008-1437 (MS08-029)
CVE-ID: CVE-2008-1438 (MS08-029)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 PHP Updates to 5.2.6

The PHP Group released version 5.2.6 of the popular scripting
language earlier this month. While there were more than 100 bugs
fixed with this update, there were several critical security
vulnerabilities patched that make updating essential for any
administrators or users currently using the 5.x branch of PHP (if
you're still stuck using 4.x or earlier you should really consider
updating your installation).

Several memory leaks, buffer overflows, safe mode bypasses, and multi-
byte character handling are amongst the issues addressed by this
update, which is the first one to be released in six months by the
PHP Group. Although there are probably many more security
vulnerabilities yet to be found or patched (just see Stefan Esser's
work, which has been somewhat quiet since the end of last year), the
significant number of bugs patched is a continuing good sign from a
project that has come under fire in the past for having a mixed
approach to the security of their main product.

2.2 Mass Site Hack Proves no Site is Truly Safe

There has been a lot of coverage of a widespread (estimated at more
than half a million sites) set of web server attacks that have been
taking place for a number of weeks using an unfortunately-common SQL
injection opportunity to take control of back end databases, and
sites themselves. So much concern and confusion has surrounded what
is going on that Microsoft's Security Response Center have released a
statement to clarify the nature of the attacks as reported to them.
Although there has been a new IIS vulnerability disclosed in recent
weeks, the attacks are only making use of poor site and database
maintenance practices - using SQL injection to exploit sites.

For site visitors who visit an affected site, JavaScript is used to
try and download / run malware that then targets a number of commonly
used technologies in order to gain full control over the system.

It goes to show that input validation is a critical component of the
security picture for a site and it is a problem that is still not
being properly addressed by many sites, including a lot that should
know better.

If anything else is needed to concern site operators, it is research
from David Litchfield that demonstrates an almost-generic attack
method against Oracle databases.

In one simple set of attacks, previously trustworthy sites can now no
longer be considered trustworthy and it is another blow to services
that tout their ability to mark a site as being 'Hacker Safe' or
otherwise safe for visiting (like SiteAdvisor).

2.3 DefCon Competition has Antivirus Vendors Complaining

DefCon is known for a range of 'out there' type activities and
presentations and it looks like this year is going to be no
different. A contest that is being organised on the sidelines of this
year's convention is already raising eyebrows and complaints from
around the Information Security industry.

In a nutshell, the aim of the contest is to successfully modify
malware samples so that they pass through a number of antivirus
scanners without detection, while still retaining the malware
capability. It could be seen as a polymorphism competition - how much
can you change the code and still retain the same function.

What the contest is seeking to achieve is nothing more than what is
happening continuously on the Internet, where malware developers are
continually fine-tuning their software to best avoid detection. It
should also show up the antivirus tools that are making use of poor
signature detection mechanisms and those that are using weak
heuristics to detect previously unknown malware. The big problem for
the antivirus developers is that it is possible to effectively drive
a truck through the holes in their systems and it isn't going to take
much for competitors to bypass most tools. It will be interesting to
see how the competition organisers set about increasing the
difficulty of each round.

Antivirus developers are complaining about the competition, though
most of the complaints sound like the developers are having a hard
time keeping their technology within spitting distance of the malware
authors. Even with the complaining, it probably won't take long for
the competition samples to appear in definition files and in the
count of malware types being detected. It is strange, though, how
competitions like CTF, or the recent 0-day competition at CanSecWest,
do not attract much complaint, but as soon as antivirus or
antimalware tools are targeted it is too much for people.

It is the latest in a number of interesting competitions where the
practical attack value of what is being done is greater than in other
competitions. This contest ranks up with miniscule-XSS competitions
and archives of XSS / SQL injection vulnerable sites.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #254 - Microsoft (Multiple), OS X (Multiple), Multiple News

2008-03-21T06:47:28Z

Sûnnet Beskerming Alert List Advisory #254

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7+days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Don't Click Here
2.2 When SSL Isn't Going to save you
2.3 A Simple Demonstration of CSRF risk
2.4 Somebody has to do the Dirty work
2.5 Advertising Poisons Major British Media Site
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office

-- Technical Description --
MS08-014 - Excel. Multiple Remote code execution. Replaces
MS07-044, MS07-036, MS08-013. Critical
MS08-015 - Outlook. Remote code execution. Replaces MS07-003. Critical
MS08-016 - Office. Multiple Remote code execution. Replaces
MS07-015, MS07-025, MS08-013. Critical
MS08-017 - Office Web components. Multiple Remote code execution.
Critical

-- Description --
Microsoft have provided four patches as part of the March Security
Patch Update release, with all marked as Critical. All four patches
are for Microsoft Office and related components, with at least one of
the patched vulnerabilities having been targeted by targeted attacks
prior to patching.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-015.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-017.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-0081 (MS08-014)
CVE-ID: CVE-2008-0112 (MS08-014)
CVE-ID: CVE-2008-0114 (MS08-014)
CVE-ID: CVE-2008-0115 (MS08-014)
CVE-ID: CVE-2008-0116 (MS08-014)
CVE-ID: CVE-2008-0117 (MS08-014)
CVE-ID: CVE-2008-0110 (MS08-015)
CVE-ID: CVE-2008-0113 (MS08-016)
CVE-ID: CVE-2008-0118 (MS08-016)
CVE-ID: CVE-2006-4695 (MS08-017)
CVE-ID: CVE-2007-1201 (MS08-017)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 OS X (Multiple) - Remote hacker automatic control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
AFP Client - Arbitrary code execution due to poor handling of
malicious afp:// URLs
AFP Server - Cross-realm authentication can be bypassed
Apache - Numerous vulnerabilities affecting supplied Apache versions
AppKit - Arbitrary code execution risks from a range of
vulnerabilities.
Application Firewall - German translation of Preference Pane fixed.
CFNetwork - Spoofing of secure (https) content is possible
ClamAV - Numerous arbitrary code execution vulnerabilities
CoreFoundation - Arbitrary code execution through integer overflow
when handling time zone data.
CoreServices - AppleWorks may be convinced to open files ending
in .ief if Safari's "Open Safe files" preference is enabled.
CUPS - Multiple arbitrary code execution vulnerabilities.
curl - Possible arbitrary code execution when interacting with a
malicious URL.
Emacs - Multiple arbitrary code execution vulnerabilities possible
via the built-in Lisp interpreter.
file - Arbitrary code execution when using 'file' on a malicious file.
Foundation - Multiple arbitrary code execution vulnerabilities
Help Viewer - Malicious help: URLs may lead to arbitrary Applescript
execution
Image Raw - Viewing a malicious image may lead to arbitrary code
execution
Kerberos - Multiple arbitrary code execution and denial of service
vulnerabilities
libc - Denial of Service possible for applications using the strnstr
API.
mDNSResponder - Arbitrary code execution via privilege escalation
notifyd - System call spoofing
OpenSSH - Arbitrary code execution when used with X11.
pax archive utility - Arbitrary code execution risk when pax is run
as a command line utility
PHP - Multiple arbitrary code execution vulnerabilities
Podcast Producer - Information disclosure (passwords) to other local
users
Preview - Encrypted PDF saves may not adequately protect the file
Printing - Multiple Information disclosure opportunities
System Configuration - Arbitrary code execution
UDF - Denial of service (system shut down) when interacting with
malicious disk images
Wiki Server - Arbitrary system access possible for users with edit
access to the wiki
X11 - Numerous arbitrary code execution vulnerabilities

-- Description --
Apple Computer have released Security Update 2008-002, addressing a
number of serious security problems.

-- Recommended Action --
It is recommended that users apply the update, via the Software
Update option in the Apple Menu, or via the Apple Download link,
below. If installing via the Software Update option, it will only
download the applicable Update (Intel / PPC / 10.5 / 10.4).

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2008-0044 (AFP Client)
CVE-ID: CVE-2008-0045 (AFP Server)
CVE-ID: CVE-2005-3352 (Apache)
CVE-ID: CVE-2006-3747 (Apache)
CVE-ID: CVE-2007-3847 (Apache)
CVE-ID: CVE-2007-5000 (Apache)
CVE-ID: CVE-2007-6388 (Apache)
CVE-ID: CVE-2007-5000 (Apache)
CVE-ID: CVE-2007-6203 (Apache)
CVE-ID: CVE-2007-6388 (Apache)
CVE-ID: CVE-2007-6421 (Apache)
CVE-ID: CVE-2008-0005 (Apache)
CVE-ID: CVE-2008-0048 (AppKit)
CVE-ID: CVE-2008-0049 (AppKit)
CVE-ID: CVE-2008-0057 (AppKit)
CVE-ID: CVE-2008-0997 (AppKit)
CVE-ID: CVE-2008-0046 (Application Firewall)
CVE-ID: CVE-2008-0050 (CFNetwork)
CVE-ID: CVE-2007-3725 (ClamAV)
CVE-ID: CVE-2007-4510 (ClamAV)
CVE-ID: CVE-2007-4560 (ClamAV)
CVE-ID: CVE-2007-5759 (ClamAV)
CVE-ID: CVE-2007-6335 (ClamAV)
CVE-ID: CVE-2007-6336 (ClamAV)
CVE-ID: CVE-2007-6337 (ClamAV)
CVE-ID: CVE-2008-0318 (ClamAV)
CVE-ID: CVE-2008-0728 (ClamAV)
CVE-ID: CVE-2006-6481 (ClamAV)
CVE-ID: CVE-2007-1745 (ClamAV)
CVE-ID: CVE-2007-1997 (ClamAV)
CVE-ID: CVE-2007-3725 (ClamAV)
CVE-ID: CVE-2007-4510 (ClamAV)
CVE-ID: CVE-2007-4560 (ClamAV)
CVE-ID: CVE-2007-0897 (ClamAV)
CVE-ID: CVE-2007-0898 (ClamAV)
CVE-ID: CVE-2008-0318 (ClamAV)
CVE-ID: CVE-2008-0728 (ClamAV)
CVE-ID: CVE-2008-0051 (CoreFoundation)
CVE-ID: CVE-2008-0052 (CoreServices)
CVE-ID: CVE-2008-0596 (CUPS)
CVE-ID: CVE-2008-0047 (CUPS)
CVE-ID: CVE-2008-0053 (CUPS)
CVE-ID: CVE-2008-0882 (CUPS)
CVE-ID: CVE-2005-4077 (curl)
CVE-ID: CVE-2007-6109 (Emacs)
CVE-ID: CVE-2007-5795 (Emacs)
CVE-ID: CVE-2007-2799 (file)
CVE-ID: CVE-2008-0054 (Foundation)
CVE-ID: CVE-2008-0055 (Foundation)
CVE-ID: CVE-2008-0056 (Foundation)
CVE-ID: CVE-2008-0058 (Foundation)
CVE-ID: CVE-2008-0059 (Foundation)
CVE-ID: CVE-2008-0060 (Help Viewer)
CVE-ID: CVE-2008-0987 (Image Row)
CVE-ID: CVE-2007-5901 (Kerberos)
CVE-ID: CVE-2007-5971 (Kerberos)
CVE-ID: CVE-2008-0062 (Kerberos)
CVE-ID: CVE-2008-0063 (Kerberos)
CVE-ID: CVE-2008-0988 (libc)
CVE-ID: CVE-2008-0989 (mDNSResponder)
CVE-ID: CVE-2008-0990 (notifyd)
CVE-ID: CVE-2007-4752 (OpenSSH)
CVE-ID: CVE-2008-0992 (pax archive utility)
CVE-ID: CVE-2007-1659 (PHP)
CVE-ID: CVE-2007-1660 (PHP)
CVE-ID: CVE-2007-1661 (PHP)
CVE-ID: CVE-2007-1662 (PHP)
CVE-ID: CVE-2007-4766 (PHP)
CVE-ID: CVE-2007-4767 (PHP)
CVE-ID: CVE-2007-4768 (PHP)
CVE-ID: CVE-2007-4887 (PHP)
CVE-ID: CVE-2007-3378 (PHP)
CVE-ID: CVE-2007-3799 (PHP)
CVE-ID: CVE-2008-0993 (Podcast Producer)
CVE-ID: CVE-2008-0994 (Preview)
CVE-ID: CVE-2008-0995 (Printing)
CVE-ID: CVE-2008-0996 (Printing)
CVE-ID: CVE-2008-0998 (System Configuration)
CVE-ID: CVE-2008-0999 (UDF)
CVE-ID: CVE-2008-1000 (Wiki Server)
CVE-ID: CVE-2007-4568 (X11)
CVE-ID: CVE-2007-4990 (X11)
CVE-ID: CVE-2006-3334 (X11)
CVE-ID: CVE-2006-5793 (X11)
CVE-ID: CVE-2007-2445 (X11)
CVE-ID: CVE-2007-5266 (X11)
CVE-ID: CVE-2007-5267 (X11)
CVE-ID: CVE-2007-5268 (X11)
CVE-ID: CVE-2007-5269 (X11)
CVE-ID: CVE-2007-5958 (X11)
CVE-ID: CVE-2008-0006 (X11)
CVE-ID: CVE-2007-6427 (X11)
CVE-ID: CVE-2007-6428 (X11)
CVE-ID: CVE-2007-6429 (X11)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Don't Click Here

A number of media outlets are now covering news of a program run by
the FBI that led to the arrest of people for clicking on fake links
that the FBI had set up. The rationale for this being appropriate was
that the fake links suggested that they led to child pornography.

As at least one noted web security expert has pointed out that it
sounds like a good idea in theory, but it fails to take into account
the ease by which users can either be tricked into visiting links or
by which their systems can automatically be sent to links without the
user's knowledge or permission. Even some browsers include link
prefetching, which silently loads data from the links present on a
page so that when a user follows one, the browser has already
received most of the data for the page.

Even worse, it acts as a discouragement for people to report on
anything that they have seen.

For the affected individuals, they had their homes raided and
""computer-related" equipment, utility bills, telephone bills, any
"addressed correspondence" sent through the U.S. mail, video gear,
camera equipment, checkbooks, bank statements, and credit card
statements" seized. That's a lot for clicking a link on the web
(which has to be proven that they actually clicked, first).

2.2 When SSL Isn't Going to save you

After many years of trying from InfoSec and general IT people, users
are starting to get a better grasp on the importance of looking for
the little lock icon in their browser and https at the start of the
URL when they go to enter sensitive personal or financial information
online. The more involved step of checking the validity of the SSL
certificate hasn't caught on as much but most browsers will alert the
user when the certificate appears to have expired or does not match
what the browser is expecting.

This improvement in user awareness and online activity is a wonderful
thing, however all it means is that the user is applying greater
security awareness to an established connection between their system
and a website. Malware authors and attackers that are trying to
recover sensitive details from a user have a much simpler means of
doing so, by compromising either end of the connection, though there
is still a small place for MITM attacks against the connection
itself. Remote website compromises is a topic which has had recent
coverage and is a problem which the user can do little about.
Disaffected insiders and motivated external attackers pose real
problems for users of popular sites, and it is a problem that
unfortunately is not uncommon.

Even the security of an end user's system can easily be compromised,
and it is at this point that a user's sensitive data is most likely
to be retrieved. Modern browsers make a range of efforts to limit the
amount of time that information being passed to a secured website
spends in an unencrypted state, but once malware is present on a
user's system it is much more difficult to prevent the loss of
sensitive information.

Didier Stevens has written a straight forward article that describes
how simple it is to trap information passed in Internet Explorer's
HTTPS requests even if the user is not running as an Administrator or
higher level. All it requires is for malicious software to be running
at the same time as the user is visiting websites through a secure
connection. As Didier points out, the process of capturing this
information is disturbingly easy. While the technique exactly as
described by Didier has just been published, capable malware authors
have been well aware of process hooking and it would not be
unreasonable to assume that if a system has been compromised by
malware, then ANY information being passed to and from the Internet
can be read by the malware.

If you are using your system for any online financial activity, or
any activity that requires the provision of sensitive details, then
it is considered prudent to at least be running regular antivirus and
antimalware scans, using a regularly updated suite of tools. There is
still a real risk to the end user that they will end up compromised,
but it is something that happens to the best of them.

2.3 A Simple Demonstration of CSRF risk

Noted Web Security expert Jeremiah Grossman has published an
interesting article that is a welcome reminder as to how easy it is
to sniff out whether a user is logged into a website, from another
one (i.e. Cross Site Request Forging).

Using the method Jeremiah describes, a request is made for a resource
that is only served to a logged in user. The nature of the response
dictates whether or not the user is logged in (either the browser
provides the requested resource or it returns an error).

Jeremiah suggests that possible options for site developers
preventing this sort of attack is to remove authentication
requirements from resources that aren't necessarily sensitive (so
that they are returned even for a non-authenticated user) or to
tokenise the resource descriptors so that arbitrary guessing of the
resource will not be a viable method for finding it. Browser
developers could prevent cross site information leakage in some way,
but no suggestion is put forward (plus it would break a lot of
existing Internet functionality that relies upon sites being able to
request and display information from other sites in the context of
the original site such as online advertising).

While most attacks that try to exploit a user for being logged into a
site are carried out blind (without actually checking the logged in
status), the simplicity with which it may be checked makes the risk
of targeted attacks, and also those that are harder to detect, much
more likely.

2.4 Somebody has to do the Dirty work

The team at Zone-H is currently questioning the merit of continuing
to update and maintain their well known defacement archive service
given the negative sentiment directed at them that many people
express when they find out that they have been compromised and the
discouraging trend of site defacers using the archive as an informal
ranking board, with some striving for the highest number of
defacements recorded in the archive.

Having become the leading archive of defaced sites following the
demise of the Alldas archive (the Zone-H archive is now more than 200
times larger than Alldas was at its peak), Zone-H has become a
valuable resource for Information Security, even more valuable when
the numerous other services that the company offers are considered.
However, the continuation of the archive isn't the only problem that
Zone-H has had to face in recent months, with the arrest of their
founder, Roberto Preatoni in relation to an Italian spying scandal.

Zone-H are currently running a poll to determine whether maintaining
the service is worthwhile (the poll is reachable directly from the
main page). Worryingly for Information Security researchers and
interested observers there is an almost 80% vote in favour of
terminating the mirroring services.

Those who would argue against the continuation of the Zone-H archive
should consider that their same arguments can be used against
Information Security resources such as Full Disclosure, BugTraq
(probably more of a concern given the moderation delay), Milw0rm, and
any number of sites that have published information about attacks and
how to carry them out. Most of these arguments seem to stem from the
fact that Zone-H is only a relatively small Information Security
company and a lot of the negative sentiment they attract comes from a
fear of the unknown.

Withholding valuable information from the Information Security
community is more of a problem than any short term embarrassment that
might come from the knowledge that an attacker might pick up from the
archive.

If nothing else, the historical data that Zone-H provides is a
valuable insight into the changing nature of website attacks and
defacements and the sort of general attacks that an attacker might be
expected to have in their toolkit. It is interesting to note that the
greatest overall successful target is Linux-hosted systems, and there
is a distinct downwards trend in terms of overall attack numbers
following a peak in 2006.

Open source advocates who point to the robustness of their chosen
solutions (generally a Linux - Apache stack) against attack will be
shocked to discover that the greatest number of successful attacks
were against Linux systems (more than double the combined number of
Windows systems in 2007) and against the Apache web server (more than
double the combined number of IIS attacks in 2007). It is surmised
that the primary reason for this is due to the greatest threat to a
website.

Based on the reported compromise methodology, it would appear that
poor administrative skills and weak security policies are the
greatest threat to a website, though almost a quarter of all attacks
are actually based on weaknesses within the site itself (file
inclusion, SQL injection and the like). This ratio is surprising,
given the increasingly vocal nature of the web security community
(though it should be noted that many site compromises that take place
through the actual site would never get reported as they are being
actively used for malicious purposes).

If Zone-H were to terminate their operation of the defacement
archives it would be a great loss to the Information and general
security community. It is disappointing that the reason may be due to
the ill will that Zone-H (and doubtless many others in the
Information Security receive very similar ill will) receives for
archiving what has been reported to them.

It is often those who are least capable of understanding the true
nature of what has happened to their systems who are quickest and
most vocal in attacking those who are reporting an identified problem
and it wouldn't be the first time that someone has stopped openly
reporting issues because of slander from victims when they have
passed along the information.

2.5 Advertising Poisons Major British Media Site

Any time that a site loads external content in their main pages there
is a risk of something going wrong. Probably the worst thing that
could go wrong is some of this content attempting to take control
over the systems belonging to site visitors. This is a risk that has
been covered here before, but it is something that is alarming and
most likely completely unexpected to the site operator when it does
happen.

One such incident recently took place on the main site for British
media firm ITV. According to Sophos, advertising placed on the site
was being used to push 'scareware' to end users, sniffing out the
Operating System a visitor was using, and serving the appropriate
scareware ad to each visitor. ITV wasn't the only British media firm
affected, with Radio Times (a TV listing magazine) also affected.
Other sites are considered likely to have been affected by the
injected malware.

Compromises can take many forms, with blended threats posing more
viable risks to end users than they may have in the past.

Incidents such as this highlight the risks that even 'safe' websites
can pose to end users. Advice such as whitelisting safe sites in a
'Scripting only' zone (either through IE's trusted zone, or through
the use of an extension like NoScript on Firefox) can now be
considered out of date and likely to harm end users.

What should users be advised to do now? Telling them to disable
scripting completely may be somewhat safe (ignoring the research that
is going into hacking via CSS), but it effectively disables much of
the Internet, including online shopping sites, online banking, and
many sports and news sites. Perhaps the best thing would be to have
browsers that can run happily inside a sandbox, reducing the threat
of automated exploitation, and for that to be the default operating
configuration direct from the browser developer.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #253 - Microsoft (Multiple), OS X (Multiple), Multiple News

2008-02-17T01:18:30Z

Sûnnet Beskerming Alert List Advisory #253

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Sometimes Things just Break
2.2 A thin line Between Challenge and Exploitation
2.3 What's Your Website Hiding?
2.4 Overreacting to Security Theatre is Harmful
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista

-- Technical Description --
MS08-003 - Active Directory. Denial of Service. Replaces MS07-039.
Important
MS08-004 - Windows TCP/IP. Denial of Service. Replaces MS08-001.
Important
MS08-005 - IIS. Privilege Elevation. Important
MS08-006 - IIS. Remote code execution. Replaces MS06-034. Important
MS08-007 - WebDAV. Remote code execution. Critical
MS08-008 - Microsoft OLE. Remote code execution. Replaces MS07-043.
Critical
MS08-009 - Microsoft Word. Remote code execution. Replaces MS07-060
and MS07-024. Critical
MS08-010 - Internet Explorer. Remote code execution. Replaces
MS07-069. Critial
MS08-011 - Microsoft Works. Remote code execution. Important
MS08-012 - Microsoft Office. Remote code execution. Critical
MS08-013 - Microsoft Office. Remote code execution. Critical

-- Description --
Microsoft delivered eleven patches as part of the February Security
Update release earlier this week. Six patches have been rated as
Critical, with the remainder as Important. At this time, it is
believed that only the Internet Explorer cumulative patch has had
exploit code available ahead of patching.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-005.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-008.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-013.mspx

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 OS X (Multiple) - Remote hacker automatic control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
Directory Services - Stack buffer overflow leading to local
arbitrary code execution - originally disclosed in January 2007.
Foundation - Arbitrary code execution or application denial of
service due to accessing malformed URLs. (10.5 only)
Launch Services - Applications removed from a system may still be
launched via the Time Machine backup version.
Mail - Accessing a file:// URL from within a message may lead to
arbitrary code execution. (10.4 only)
NFS - Arbitrary code execution opportunity if the system is being
used as either a NFS client or server due to poor handling of mbuf
chains.
Open Directory - NTLM authentication attempts may continuously fail,
even with accurate parameters. This is due to a race condition in the
service.
Parental Controls - Information disclosure when requesting to
unblock a website, as the machine will inadvertently contact
apple.com as part of the unblocking process.
Samba - Stack buffer overflow leading to arbitrary code execution.
Terminal - Arbitrary code execution when viewing malicious URLs in
Terminal.
X11 - Multiple vulnerabilities, leading to arbitrary code execution
in the worst case.

-- Description --
Apple Computer have released Security Update 2008-001 and OS X
10.5.2, addressing a number of serious security problems. OS X 10.4
is also vulnerable to the above issues - the update is presented as
Security Update 2008-001 for those users.

-- Recommended Action --
It is recommended that users apply the update, via the Software
Update option in the Apple Menu, or via the Apple Download link,
below. If installing via the Software Update option, it will only
download the applicable Update (Intel / PPC / !0.5 / 10.4).

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Sometimes Things just Break

For the last several days it has almost been impossible to get away
from the news of numerous undersea telecommunications cables serving
the middle east and sub-continent regions having been cut in a
relatively short period of time.

Rather than just being passed off as a coincidence that four cables
had been cut through (two in the Mediterranean and two in the Persian
Gulf) via one means or another over several days, a lot of the
analysis and opinion being put forward was that there was some form
of secretive government conspiracy taking place and that the cable
cuts were a diversion. Naturally the secretive government activity
belongs to the United States and they are trying to tap sensitive
communications passing through the Middle East.

This particular flight of fancy fails to take into account the ease
with which communications can be tapped at the point that they enter
or leave the undersea cable (thank you CALEA), and the problem that
fixing a physical severance of an undersea line generally means that
the line segments need to be raised and physically rejoined, which
means that a physical tap on the line will be readily noticed (as
well as detectable using line quality monitoring tools).

At least, the cables should be repaired and functional within a week
or so. Although it is nice to think of the Internet as being a fault-
tolerant mesh-like network, capable of readily redirecting around
damage to one or more nodes, in reality there are a limited number of
key trunk lines that are responsible for making sure whole segments
of the Internet can talk to each other. When some of these lines
break, as with these undersea cables, it forces their network load
onto communication channels without sufficient bandwidth. This
network overload can also cause some connections to fail, which is
being suggested as the reason for at least some of the failures. At
no stage is communication completely cut, it just shrinks in
available bandwidth to the point that it is effectively cut for most
users. Information originating from The Economist, but commented on
over here indicates that there are only three cables providing most
of the network interaction for the whole region affected, and they
all pass very closely to each other at various geographic choke points.

The readiness of many Information Security "Professionals", as well
as many other armchair quarterbacks, to jump to the conclusion that
the breaks were a malicious attack is a poor reflection on the public
perception of Information Security Professionals. Of course, if they
said it was all a part of normal operations, then there would be no
need for undersea cable breaks to be splashed all over the news.
Internet users from within the affected region and conspiracy
theorists were more than happy to point to the planned Iranian Oil
Bourse as the reason for the cuts, but despite some claiming single
data points as authoritative, Iran never actually lost its internet
connectivity.

Claiming the cut cables is the result of malicious activity is as
valid as saying that the bungled Antivirus definitions file updates
from Symantec (and other vendors) that results in end user systems
being rendered unbootable are a malicious act.

Security Theater and overreaction is a topic that has been covered
before, but this is a case where a lack of knowledge was allowed to
develop into ignorance of facts and the public reporting is actually
more damaging than not reporting about the breaks. It is symptomatic
of the generally poor state of reporting on technical matters, and it
allows for the rapid deterioration of facts into conspiracy fodder.

Observing how information gleaned from a few sources (reports of
cable cut, non-response of a specific Iranian network device, and
excited bloggers, reporters and Internet users within the affected
countries) is allowed to spread and evolve is like watching the
world's biggest game of Chinese Whispers. In this case, poor
information was able to dominate over good information. With
Information Security, it is this challenge that is faced every day -
how to adequately extract accurate information and original sources
from a flood of data that may be tertiary reporting and more harmful
than beneficial. Some people have solved this problem better than
others.

2.2 A thin line Between Challenge and Exploitation

Yet another 'challenge' of the form of 'break into our website for
free, tell us exactly how you did it, and we might pay you a token
amount' has been found on the web, only this time there were quite a
number of serious holes found rather early in the process. Even
though the main challenge still stands, there are sufficient concerns
about the basic technological design to suggest that some of the
currently-found problems will not ever be completely fixed.

The team behind Flickr-competitor SmugMug have issued a challenge to
the wider web to break into their site and retrieve a specific image,
along with the album it came from, and who uploaded it.

The first few people to take a serious look at the challenge soon
discovered a couple of glaring problems:

* Firstly, the photo IDs are sequential, making it a relatively
simple proposition to retrieve every image that has been uploaded and
not protected correctly.
* Secondly, the system used to redirect direct requests for a
protected image to the correct album and uploader, which allowed the
early testers to grab a thumbnail version of the image (but not the
actual image).

SmugMug's CEO, the person behind the challenge, has already taken
steps to address the first couple of problems identified, though he
does admit that the first problem came about because they did not
understand GUIDs when they initially created the site. Retrofitting
the site to use GUIDs instead of sequential IDs will break links that
users have already passed on to others, unless the site silently
converts the sequential ID into an appropriate GUID - though this has
the net effect of no overall change. With this sort of design
decision being applied, what other critical weaknesses have been
designed into the system?

How does the site security actually work? That seems to be a closely
held secret by SmugMug's site owners, but there are enough clues that
a couple of simple requests can turn up. The image that SmugMug's
owners want you to try and recover is http://www.smugmug.com/photos/
248415594-O.jpg. Direct requests for this image will return an empty
page, which suggests that something is being done on the server side
to determine access rights for an image. Despite the claims of the
CEO that steps have been taken to rectify the sequential image
problem, it is still possible to access images and albums through
sequential guesstimation, through URLs of the following form:

http://www.smugmug.com/gallery/album_id
http://www.smugmug.com/photos/photo_id.jpg

for albums and images respectively. What the site seems to prefer,
though is the following form for accessing content:

http://user_name.smugmug.com/gallery/album_id#photo_id

This will load the SmugMug image and album viewer scripts, though
there is still the occasional URL where it is

gallery/album_id/1/photo_id

Once the site visitor accesses an image through the SmugMug site, it
applies a right-click prevention script that is meant to stop the
theft of images from users who don't want them taken. The easiest
method to bypass this step is to note the #photo_id URI component and
then plug that photo_id directly into one of the above URLs for
directly accessing content. A minor complication to this is the
suffix that is added to images that have been directly requested, but
that is simply decoded as follows:

photo-O.jpg - Original size
photo-M.jpg - Medium
photo-L.jpg - Large
photo-S.jpg - Small

A similar looking code is applied to images viewed through the main
site, but in this case the -LB addition indicates that the image is
being viewed through the site's LightBox feature.

Going back to the image that forms the core of the test, it is
discovered that images 248415594, 248415595, and 248415596 can not be
directly requested, though there are others before and after them
that can. This suggests that they belong to the same album, and have
been protected through the use of the password function in the user's
account.

Disturbingly, it is only through the use of the password that a user
can protect images from viewing. Any other choice of setting will
still allow direct request of both images and albums. It is also
apparent from random test selections that there is a loose
correlation between album ID and image ID. Basically, the newer an
album, the newer the images are that are in it. Using this approach,
it is possible to establish a bracket of likely album IDs that have
an image of interest, even if they are password protected and the
image can not be directly accessed.

It is here that another unexpected weakness arises. Despite all the
steps taken to protect the album name and user name, the page title
helpfully announces both of these details when a request is made for
a protected album.

Through simple testing, it is apparent that SmugMug sniffs for
authentication, even on direct requests for an image file (i.e. .../
blah.jpg), and it is the presence of an authentication token that
determines whether a file that is protected should be displayed. This
authentication token only really takes effect for images that are
otherwise password protected. Through the main site, this
authentication is backed up by the cookie that the site has set, but
when direct image requests fail it points to some server-side IP-
based filtering and authentication management taking place. This
could be leveraged if a number of users are accessing the site via a
single gateway, as an unauthenticated user could make successful
direct requests for images belonging to authenticated users behind
that gateway that otherwise would be password protected, though the
use of a different User-Agent seems to be enough to fail.

Leveraging already-existent XSS vulnerabilities could allow a
motivated attacker to create an attack that would extract all of the
password protected images belonging to a user (once a user has logged
in, direct requests for protected images are possible). The heavy
reliance on JavaScript for site functionality makes it impossible to
avoid through the disabling of JavaScript / Active Scripting.

To make matters worse, it is possible to spoof image origination,
which could be used by someone with a malicious anonymised account to
blackmail or harass legitimate account holders. By manipulating the
URL, it is possible to load any non-password protected image in any
non-password protected album. Passing a URL of the following form to
a victim will make it appear that they have a malicious image (what
sort of content that is is left to the reader) in their legitimate
album:

http://victim.smugmug.com/gallery/legit_album_id#malicious_photo_id

If this URL is passed to others, it would appear that the malicious
image has been placed there by the victim, while there is no way to
determine who placed the malicious image on the site in the first
place (though SmugMug should be able to work that one out). If such a
URL held referenced an image of illegal content, the implications for
the victim are significant, especially if it is passed to law
enforcement agencies or those with limited technical knowledge.

All this for $1000 USD, now $599.99 USD (thanks to taxes)?
Competitions might be fun, but this sort of weak reward borders on
exploitation, though it is voluntary exploitation. Considering the
above was found after a little bit of idle poking around, the
motivated individual is probably going to find a number of
vulnerabilities that promise greater reward.

If or when the SmugMug site owners read this, there are two options:

* Ignore the valuable advice you have received up to this point,
and gain security from the voluntary exploitation of the honourable
(the dishonourable will not have made it public).
* Make it right. Pay someone to sit down and conduct a thorough
review of your security, from both the design and implementation
perspectives, and retain them to provide ongoing services to protect
your site and its users.

2.3 What's Your Website Hiding?

As more companies are finding their way onto the Internet there has
been an increase in the number of websites that have been compromised
for theft of sensitive data and those that have been compromised for
the purpose of spreading malicious software to unwary visitors.

Groups such as Zone-h have been tracking and identifying websites
that have been defaced, but many of those that are being used in
phishing runs and malware attacks are not so openly defaced. That is
where other interest groups like PhishTank step in, identifying and
tracking sites that are being used to host phishing pages that are
actively being spammed or otherwise distributed. There are a number
of other sources that also maintain lists of sites that are
vulnerable to different attack vectors, such as XSS.

Some companies look to verification firms like Verisign and ScanAlert
to routinely validate that their sites are not hosting malware or
that they are vulnerable to known problems. Based on the number of
sites identified as being vulnerable to well known, but somewhat
difficult to completely mitigate against, attack vectors that also
display that they have been successfully scanned by one of these
companies, their effectiveness could be questionable.

The big problem with all of the above methods is that they are after
the fact, they can only identify that a site is being actively used
for phishing, or that it is protected against known problems.
Automated scanning systems also have the problem of not being able to
reliably detect all of the weaknesses (such as all of the XSS
weaknesses) even if the mechanism of attack is well understood. What
they can't protect against or identify is compromises that are low
profile and those using advanced techniques to gain access.

As being reported by The Register, security firm Sophos is claiming
that 6,000 new websites are being compromised on a daily basis for
the purpose of spreading malware to unsuspecting victims (more than 2
million new site compromises each year). They go on to claim that 80%
of those affected have no idea that their site has been compromised,
a figure which is probably on the low side. The figure of 2 million
new site compromises per year seems to be quite significant, but
could be explained by virtual hosting servers with many sites on the
one physical server being compromised, leading to the same vector
affecting multiple sites (in some cases thousands of sites).

Complementary reporting which has emerged over the last week or so
points to a number of embassies that have had their sites compromised
to deliver malware, at least according to eSafe as reported by The
Register. Further vulnerability and proof-of-concept disclosures from
researchers who have been responsible for the recent UPnP disclosures
(now being used in attacks) point to a problematic future for home
users with small local networks, particularly through blended attacks.

There are an increasing number of voices that are pointing out the
elephant-sized holes in the protective services that some companies
are providing. What this has resulted in is a split forming, between
these dissenting voices and some of the largest companies in the
Information Security industry, that are conveniently many of those
offering the protective services. When representatives of companies
like Symantec are on record as saying that while XSS vulnerabilities
are a serious risk, they have not really been used in actual attacks,
then the efficacy of their service needs to be questioned. Others
claim that XSS vulnerabilities can not be used to hack a server,
which seems to contradict the findings of Sophos presented earlier,
and also the claims of their own products.

Of course, many of those dissenting voices have a vested interest,
offering their own competing black-box services (while ScanAlert is
Nessus 2 - an open source application that anyone can run,
themselves). Even with that bias, it doesn't discount the value of
their arguments.

Note : Sûnnet Beskerming has a vested interest in the above
commentary, as we offer a range of blended protective services,
mixing the best of automated and manual testing and evaluation systems.

2.4 Overreacting to Security Theatre is Harmful

Security Theatre is a term that has been gaining acceptance as part
of the Information Security lexicon for some time and it has also
found acceptance in other security fields, being used to describe
actions or proposals that deliver more show than substance with
respect to a real or imagined threat.

In simple terms, it can be argued that Security Theatre is nothing
more than an overreaction to a real or perceived threat by those who
do not fully understand the risks that they are trying to mitigate.

There is little argument that Security Theatre is harmful to those
who are paying for it, as well as those who are notionally being
given greater protection as a result. With most of these projects
originating from various government agencies, it is the tax payers
who fall into both categories and also those who can have the
greatest difficulty determining whether a measure is appropriate or not.

Just as harmful is the immediate labelling of security initiatives as
Security Theatre, which is a risk when those doing the labelling do
not fully understand the risks that have been attempted to be
mitigated. Into this category, unfortunately, fall mainly Information
Security experts who have been encouraged to step beyond the limits
of their immediate practical knowledge and experience and assess
something which they have little understanding of.

One of the main proponents of this new term is the noted Information
Security specialist Bruce Schneier, who has been using his blog to
draw attention to egregious examples of Security Theatre. From time
to time, Bruce falls into the trap of being too dismissive of a
technology or effort, labelling it as Security Theatre when there may
actually be a viable reason for the implementation.

Comments on a blog should never be relied upon as authoritative, but
because Bruce writes with such authority and there is a distinct
trend of an emerging groupthink, it encourages readers to accept what
is presented without questioning the validity of what is being put
forward. Even Bruce argues that "Security is fundamentally a fear
sell, and so it doesn't sell very well."

In a recent case, the decision to fit commercial passenger aircraft
with anti-missile systems (three American Airlines jets on
unidentified routes) has been dismissed as "security theater[sic]
against a movie-plot threat". In amongst the significant number of
comments backing the argument of Security Theatre were a couple of
dissenting voices that pointed out it isn't a completely inane
suggestion, with more than 20 recorded airline crashes since 1975
that can be attributed to surface-to-air attacks.

There have been a number of recent attacks against airliners,
including an attack against El Al in Kenya (where the aircraft was
reported to have been fitted with anti-missile defences and the
missile missed), and an attack against a DHL freight aircraft in Iraq
(where the crew were able to land the aircraft despite significant
damage to the port wing). One of the most famous examples of a
civilian airliner being destroyed by a surface missile is the Iranian
airliner shot down by a US warship over the Persian Gulf a number of
years ago.

It isn't the first time that it has been suggested that civilian
airliners should be fitted with defensive systems like this, but the
main argument within the aviation world has been about the relative
costs and benefits of these systems, as well as the level of threat
faced by the airliners. It has long been rumoured that the Israeli
national air line, El Al, has fitted at least some of their aircraft
with defences, but it has never been officially confirmed. With a
fluid geopolitical environment some could argue that the threat to
civilian airliners around the world has increased, thus justifying
the expenditure and effort to fit the anti-missile systems. Perceived
American aggression in a number of countries and regions can also be
seen as a contributing factor to a perceived increased threat against
American airliners.

To the uninformed, it does appear that fitting aircraft with defences
is an inane suggestion, especially if the commentator is living in a
stable country or region that has not traditionally seen attacks
against civilian targets. In other words, the perceived risk is very
low and fitting aircraft with defences is a waste of resources. To
the informed, it still appears somewhat inane, but there are defined
cases where it would be prudent to ensure a civilian airliner is
protected against external attack while it is in flight. Flight
operations to regions that are politically unstable or where there is
lax law enforcement are cases where defence mechanisms may be
justified. It is somewhat ironic that US airlines are considering
fitting their aircraft with defences against US-built and sold missiles.

Using lasers against missiles could be considered inappropriate use
of technology as, on the surface, it seems impossible for a laser
defence system to disable missiles that are radar-guided, semi-
active, or even modern IR-guided weapons. One of the main theorised
approaches is to use the laser to provide localised heating of the
weapon such that it disables the guidance circuits or even
prematurely detonates the weapon. Using the laser also allows for
continuous tracking of trajectories and probable launch sites which
can be useful to determine if to take evasive action (not needed if
it is going to miss), and to aid in any law enforcement investigation
(providing an actual launch location). Other suggested modes of
operation include blinding IR seekers with blooms of light / heat.
Laser anti-missile defensive systems are still in their infancy
compared to the more traditional flares, chaff, and ECM.

There is also a quite well defined threat, with the basic launch
platform being the MANPAD (MAN Portable Air Defence), which includes
the SA-7, SA-14 and Stinger type of shoulder launched missiles,
though the RPG is also a viable unguided ground-air weapon. There are
many thousands of these class of weapons that have gone 'missing'
from official inventories around the world, and many more that have
been sold off the books to different organisations. For a weapon that
can be broken down into approximately 1-2 suitcases for transit, it
is something that can be shipped quickly and easily concealed -
almost the perfect weapon of terror.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #252 - Microsoft (Multiple), QuickTime, PostgreSQL, Multiple News

2008-01-12T08:30:22Z

Sûnnet Beskerming Alert List Advisory #252

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 Days
1.2 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.3 PostgreSQL
- Remote Hacker Manual Control
- Time Since Discovery - 4 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Does the new QuickTime 0-day mean Apple has Problems with Patching?
2.2 Ignorance is no Excuse
2.3 Ethical Boundaries in Information Security Research
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista

-- Technical Description --
MS08-001 - TCP/IP. Arbitrary code execution. Replaces MS06-032.
Critical
MS08-002 - LSASS. Local arbitrary code execution and privilege
escalation. Important

-- Description --
Microsoft delivered two patches as part of the January Security
Update release earlier this week. One patch (MS08-001) has been
rated as Critical and delivers a fix for a previously unknown set of
issues with the Windows TCP/IP stack, while the remaining patch deals
with poor input handling associated with the LSASS service. Both
patches address code execution problems, though only the TCP/IP
issues could be remotely executed.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-002.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-0066 (MS08-001)
CVE-ID: CVE-2007-0069 (MS08-001)
CVE-ID: CVE-2007-5352 (MS08-002)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 QuickTime - Remote hacker automatic control

-- Products Affected --
7.3 and prior.

-- Technical Description --
A new vulnerability appears to have been discovered with the RTSP
handling within QuickTime, despite the fixes provided with QuickTime
version 7.3.1.

According to Luigi Auriemma, the vulnerability is a buffer overflow
that can be exploited when the QuickTime media player is retrieving
information about the status of the current rtsp connection. At this
stage it appears that the vulnerability as tested in the proof of
concept only affects the Windows version of QuickTime, but it is
possible that the OS X version is vulnerable as well.

-- Description --
Luigi Auriemma has disclosed the discovery of a new vulnerability
affecting QuickTime's handling of RTSP streams. This issue may be
related to a previous RTSP vulnerability(updated with QuickTime
7.3.1, released in mid-December), but at this stage it appears to
only affect Windows QuickTime versions.

Proof of concept sample code is readily available from the discoverer.

-- Recommended Action --
For all users, it is recommended that they update to QuickTime 7.3.1
(if they haven't already). Early reports suggest that OS X users (at
least 10.5.1) are not vulnerable to this particular issue, but it is
recommended that all users apply caution when interacting with
rtsp:// streams.

-- Source --
Upgrade to view

-- Updates Available --
Upgrade to view

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.3 PostgreSQL - Remote hacker automatic control

-- Products Affected --
PostgreSQL 7.3, 7.4, 8.0, 8.1, 8.2

-- Technical Description --
Various security vulnerabilities were patched in a set of updates
released for the PostgreSQL RDBMS platform. Five separate
vulnerabilities were patched across all versions from 7.3 through to
8.2.

The vulnerabilities range from a privilege escalation vulnerability
in the Index Functions, through to denial of service in regular
expression libraries, and privilege escalation in DBLink.

PostgreSQL 7.3, 8.0, and 8.1 have also been EOL'ed.

-- Description --
The PostgreSQL Global Development Group has released updated
versions of the PostgreSQL RDBMS, addressing several key
vulnerabilities affecting all versions from 7.3 through to 8.2. The
PostgreSQL developers consider these vulnerabilities to be critical
and strongly recommend that administrators update to the latest
versions as soon as possible.

PostgreSQL developers discovered the vulnerabilities during security
analysis, and have worked to ensure backwards compatibility for
existing data stores with the updated versions.

It should also be noted that PostgreSQL versions 7.3, 8.0, and 8.1
have been EOL'ed and it is recommended that administrators update to
current versions.

-- Recommended Action --
Update to the releases provided by the PostgreSQL development group.

-- Source --
Upgrade to view

-- Updates Available --
http://www.postgresql.org/ftp/binary/

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
U O
Home User 8 8 (Very High)
Corporate 8 8 (Very High)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Does the new QuickTime 0-day mean Apple has Problems with Patching?

In the past Microsoft has been criticised for poor vulnerability
patching (by not patching the underlying vulnerability that is
causing a problem and then having to reissue patches as attackers
adjust and attack), and it is a criticism that has also been levied
against Apple with the handling of different mDNSResponder
vulnerabilities. Recently disclosed vulnerability information
regarding another RTSP handling problem in QuickTime could be a sign
of a similar problem brewing. RTSP vulnerabilities were patched no
less than four times in the last twelve months (Security Update
2007-001, Security Update 2007-004, Darwin Streaming Server 5.5.5,
and QuickTime 7.3.1), and it seems that there are still opportunities
for remote code execution within the RTSP code handling routines.

A minor blessing with the latest vulnerability disclosure seems to be
that the vulnerability does not appear to affect the latest version
of OS X (10.5.1), at least according to early reports from third
party testers. It is known that there is partial exploit
functionality on the Windows QuickTime version, but with increased
attention sure to be focussed on the product it may yet be found that
the vulnerability can be extended to the OS X versions. As in the
past, it is recommended that users avoid RTSP data streams until
Apple is able to issue a patch for this latest problem.

2.2 Ignorance is no Excuse

After noted British television presenter Jeremy Clarkson took umbrage
at the massive outcry regarding the loss of personal records for 25
million UK residents he decided to prove that it was an over-reaction
(in his mind) by publishing his bank details in a newspaper column
that he writes. According to Clarkson, the worst that could be done
was that someone would be able to deposit money into his account.

Unfortunately for Clarkson, a reader was able to establish a £500
direct debit to a Diabetes charity, direct from his account. While
this should not have been allowed to take place (the bank should have
required correct proof of identity in order to establish the direct
debit), it was a wakeup call for Clarkson, who acknowledged the
misconceptions that he originally held and recognised that the loss
of personal data can have significant negative effects on those whose
data has been misappropriated.

It is rare to see such a public reversal of opinion on such a matter,
and it is likely to serve as a clear example to many about the risks
associated with the loss or mishandling of personal data.

While the incident is unfortunate, it is highlighting a problem with
the UK banking system. As Clarkson initially pointed out, all someone
should have been able to do would have been to add money to his
account, but the result showed that there is at least one UK bank
that is more than happy to allow money to be withdrawn from an
account without really validating that the account holder is the one
authorising the withdrawal. Some comments have gone as far as to
suggest that the financial industry is complicit in data theft cases
- being too ready to allow the withdrawal of a victim's financial
resources.

2.3 Ethical Boundaries in Information Security Research

With Information Security being such a broad field, without any
formalised coordinating or licensing body, appropriate boundaries for
ethical and professional behaviour and activity can be difficult to
determine. What is ethical to one researcher may be completely
inappropriate to another. What may be generally accepted as
appropriate behaviour at one point in time might be shown later to be
completely inappropriate.

When the burden of becoming the Information Security specialist falls
to people who have little idea of the issues within the field, it can
lead to further problems, as they attempt to reduce the problems and
issues that they face into a format that they recognise and
understand (which isn't always a bad thing - they just need to
recognise when that approach breaks down).

Unfortunately for the Information Security field, the strongest
supporters can also sometimes become the threat that they continually
warn about - a lot of the time completely by accident. The
development and limited release of proof of concept tools is often a
means to rapidly demonstrate a set of risks and aid in the
development of techniques to address them.

It was recently disclosed that one such tool, created by noted
Information Security firm eEye, has had its techniques morphed into
an attack tool by malware authors. In this particular case it had
taken two years for the proof of concept to be morphed into an attack
tool (or at least be publicly discovered).

While it is likely that the techniques would have eventually been
discovered independently, and there is no definitive proof that the
eEye tool was the basis for the new attack code, it does raise the
question as to how much assistance the publication of proof of
concept materials provides to attackers.

It can be argued that the previous example is more beneficial to the
field of Information Security than it is harmful, and that similar
examples are just as valuable. A less clear example has come to light
in recent days, with noted web security expert RSnake issuing a call
for entries in a contest designed to create the smallest XSS worm
that can functionally replicate itself across a network. Arguments
for the contest are centred on the benefits that it will bring to
those studying how such worms can be created and how to defend
against their potential. With increasing coverage of the contest,
there are plenty of arguments being put forward that the approach is
unethical and contributes to the image of Information Security being
full of people who are just as willing to create the problem as they
are to solve it (especially if they helped create it in the first
place).

That isn't the only ethical concern facing Information Security
workers. One of the big selling points that Antivirus companies try
to beat each other on is the number of malware types that they can
detect and handle. Although there are plenty of examples of rootkits,
viruses, and other malware that can easily slip past up to date
antimalware defences, and there are plenty of cases where up to date
antimalware tools have gone off the rails or companies have over-
reported on critical problems (despite what some companies initially
claimed, the exploit code was not publicly released), companies are
still pushing to be number one in detection of numerous malware samples.

F-Secure recently laid claim to one of the largest detection sets, at
half a million distinct malware samples. Although this seems to
correlate to other industry reporting the question posed is just how
many of those samples can truly be claimed as distinct malware. If
the same signature pattern will trigger on multiple variants, that
might only differ in where they send their malicious data or where
they report to, does it really mean that those variants are distinct?
It also seems that antimalware companies are more than happy to move
the boundaries of where they measure their malware from, and with the
inclusion of malware based on JavaScript, HTML, PHP, and which
targets those technologies, it means that their claims for numbers of
malware types detected can be massively increased. This is even more
beneficial for the antimalware companies as the change of a simple
couple of bytes in a lot of these recently added malware types will
allow them to slip past detection relatively simply without radically
changing the exploit effectiveness (which means more added detection
opportunities).

The other interesting point raised by the claims of detections is
that it suggests that efforts to arrest malware developers, close
down their control networks, and provide other legal and paralegal
means of limiting their activities are ineffective. Either that or
malware authors are the biggest growth industry in software
development and they have solved many of the efficiency problems
plaguing large software development firms.

As that is plainly not the case, and the legal efforts are starting
to have some effect on the various malware industries (the Russian
Business Network has effectively been forced offline in the last 12
months), it suggests that the antimalware companies are not being
completely honest in how they identify distinct malware samples.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #251 - Microsoft (Multiple), Multiple News

2007-12-11T21:25:42Z

Sûnnet Beskerming Alert List Advisory #251

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Effective Communication is the key
2.2 Advertising and risk
2.3 Flipping bits at ASLR
2.4 QuickTime flaw Could be next Menace for Users
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Crystal Reports
Windows Services for Unix
Messenger

-- Technical Description --
MS07-063 - Vista SMBv2 support. Remote code execution due to
modification of signed network traffic. Important
MS07-064 - DirectX. Input validation errors in DirectShow allow
arbitrary code execution. Replaces MS05-050. Critical
MS07-065 - Windows Message Queuing (MSMQ). Buffer overflow leading
to code execution with system privileges. Replaces MS05-017. Important
MS07-066 - Vista Kernel. Privilege escalation due to Advanced Local
Procedure Call (ALPC) request handling vulnerability. Important
MS07-067 - Secdrv.sys (Macrovision). Privilege escalation due to
poor handling of configuration parameters. Important
MS07-068 - Windows Media Format. Arbitrary code execution faults
affecting ASF, WMV, and WMA formats. Replaces MS06-078. Critical
MS07-069 - Internet Explorer cumulative update. Numerous remote
code execution faults, actively exploited. Replaces MS07-057. Critical

-- Description --
Microsoft delivered seven patches as part of the December Security
Update release earlier this week. Three of the patches have been
rated as Critical, including a cumulative Internet Explorer update,
with the remaining four patches rated as Important. Exploit code has
been readily available for a number of the vulnerabilities patched in
this patch cycle.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-066.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-067.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-5351 (MS07-063)
CVE-ID: CVE-2007-3895 (MS07-064)
CVE-ID: CVE-2007-3901 (MS07-064)
CVE-ID: CVE-2007-3039 (MS07-065)
CVE-ID: CVE-2007-5350 (MS07-066)
CVE-ID: CVE-2007-5587 (MS07-067)
CVE-ID: CVE-2007-0064 (MS07-068)
CVE-ID: CVE-2007-3902 (MS07-069)
CVE-ID: CVE-2007-3903 (MS07-069)
CVE-ID: CVE-2007-5344 (MS07-069)
CVE-ID: CVE-2007-5347 (MS07-069)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Effective Communication is the key

Effective communication is a cornerstone for all professional and
interpersonal interaction. People who can not communicate their ideas
and intentions effectively will find greater difficulty in achieving
tasks and desired results.

In one instance that company staff recently had the benefit of
observing, people that were highly effective at communicating and
managing personnel and professional tasks allowed a situation to
develop where a serious incident resulted from a total breakdown in
communication. Parallel sets of operating procedures had been allowed
to emerge that, while largely aligned with each other, contained
critical differences that trapped an unwary team and led to the
incident. In addition to the problem of parallel operating
procedures, the key underlying fault was that there was a lack of
effective communication between the managers who owned the respective
operating procedures and groups, and that lack of effective
communication cascaded down to the point that the affected team had a
very poor idea of the overall management responsibility in the
affected area. The team that caused the incident had identified a
potential problem and attempted all reasonable measures to resolve
the cause of the difference that they had identified, only to find
that having made a decision based on the information provided to
them, a different set of managers had overruled the information used
to make the decision (the fact that they also owned the competing set
of operating procedures was not lost on those observing).

The above incident could be written off as merely internal politics
amongst workers, but it highlights how poor information flow can lead
to serious incidents taking place. It took nothing more than one or
two managers failing to disseminate and communicate their decisions
(and make effective decisions based on available information) for an
incident to take place, even with seemingly appropriate 'checks and
balances' in place.

Within Information Security, being able to effectively identify and
describe what a problem is, how it came about, and how to mitigate
the effects that the problem causes, is a critical skill that is
always in short supply. Generally people find that those who can
communicate effectively do not have the breadth of experience or
knowledge to package the relevant information, and those who do know
the relevant information have difficulty in communicating that
information in an appropriate format.

This is not a new problem, and it is not a problem that is faced by
Information Security practitioners, alone (as the opening paragraphs
identified). Within the field of Information Technology the problem
had been well identified as early as the mid-seventies, with
Frederick Brooks discussing it in his seminal 'The Mythical Man
Month', where he identified the problem faced by 'expert systems'
developers. To generate an effective 'expert system', not only do you
need an expert of the system that is going to be recreated in
software, but you also require an expert who understands how to
implement the various components of the original system. Even more
rare is being able to have one person who can fill both roles
effectively.

Unfortunately for most developers and companies, people like that are
in short supply, and making do with what they have is where potential
security and functionality shortfalls can enter the system. If you
are able to identify where your experience or knowledgebase is
lacking, and can communicate that fact effectively, then you can
begin to identify potential problem areas.

2.2 Advertising and risk

Regular and first time readers will note that there are very few ads
served with Sûnnet Beskerming content. The only advertising shown is
a small image linking to one of our pre-configured products, tucked
away halfway down the right column, or occasional text ads that are
inserted into the primary FeedBurner feed for this site. Not everyone
who operates a busy site chooses to operate in such a manner, and
site owners that have accepted advertising from major online
advertising firms are giving away some of their security to earn some
money for their site. It isn't often that this risk has been
highlighted in a public manner.

In essence, Google's recent advertising acquisition, DoubleClick, was
found to be serving malware through its advertisements across a whole
range of otherwise trustworthy sites, including The Economist and
MLB.com. Visitors to these sites would not expect to be at
significant risk of compromise - and this is something that the
Information Security industry puts forward as a major point - only
allow scripting and other interactive content support for "trusted"
sites.

Risks introduced by including third party scripts and code on
websites is a topic that is gaining increased awareness amongst
Information Security professionals, with a recent BugTraq discussion
focussing on problems that can be introduced by third party
JavaScript code. This is a problem particularly pertinent for
financial sites, where any external code is a potential vector for
attack. While critical for financial sites, it is a problem for any
site that accepts third party elements or data. The core problem is
that externally hosted scripts have full access to the DOM for the
trusted site, and so can modify any element on the trusted site.

Rather than attempting to break through the main financial site, why
not spend the relatively less effort required to break into the
services offered by the third party vendor (and also gain access to
other interesting sites)? Before complaining that this is not as
viable as breaking into the main target site, consider that there
have been several published and unpublished vulnerabilities affecting
VeriSign's services that are provided in just such a manner, with
many of the vulnerabilities remaining viable for months.

If anybody thought that the online trust model wasn't completely
broken, these examples should reinforce it for them.

2.3 Flipping bits at ASLR

Didier Stevens points out quite an interesting discovery about
Windows Vista and ASLR. With just the right touch of bit flipping
(only one needed), it is possible to enable or disable ASLR support
for an application.

While this might provide a valuable stepping off point for attacking
applications that otherwise utilise ASLR to protect against memory
overflow attacks, what is more interesting is that Windows File
Protection (Windows Resource Protection on Vista) apparently doesn't
check to see if this setting has changed on critical system software.

Windows File Protection is one of those unique system components that
checks core Windows software for signs of modification or damage when
they are accessed and replaces them / repairs them with known good
copies from system repositories. This is the reason why deleted
system files in XP reappear within a matter of seconds. With Vista's
Windows Resource Protection, apparently it only identifies that
something is wrong and doesn't automatically regenerate the damaged
resource.

Either way, Windows apparently can't identify that this key
protective mechanism has been modified on key applications. Of
course, if an attacker had the free reign to change key system
software in such a manner, they already control the system and
there's little reason to open new holes for others to walk in through.

For the technically inclined, setting or unsetting the 0x4000 bit in
the DLL Characteristics field of the PE header is what is required.

2.4 QuickTime flaw Could be next Menace for Users

In the United States, the fourth Friday in November is commonly
referred to as "Black Friday" and traditionally marks the start of
the Christmas shopping season, coming the day after Thanksgiving and
forming part of an informal four or five day weekend. Windows
QuickTime users might be marking Black Friday for another reason this
year, with the emergence of a new threat to QuickTime, just two weeks
after the latest version (7.3) was released.

A proof-of-concept exploit for a remote code execution vulnerability
with the way that QuickTime interprets RTSP (Real Time Streaming
Protocol) responses was posted on Black Friday, marking one of the
first public disclosures of this vulnerability affecting the latest
QuickTime versions. Normally there is some delay between proof-of-
concept and public exploit code being published, with many proof-of-
concept releases going no further than the initial publication. With
this particular vulnerability, two exploit samples were released
within 24 hours of the initial proof-of-concept.

At this stage, Apple have yet to release any information about the
vulnerability, but there is mitigation advice available for concerned
users and administrators.

There has also been no confirmation that the vulnerability affects
the OS X version of QuickTime, but there is the possibility that it
is also vulnerable given historical problems with QuickTime's RTSP
support on OS X.

With the widespread coverage of OS X-specific malware earlier this
month, and the ease with which this new exploit could be integrated
with a malicious media stream, users and administrators of both OS X
and Windows systems, who also have QuickTime installed, need to be
cautious about their risk exposure and mitigate as appropriate
against this new threat.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #250 - Microsoft (Multiple), Multiple News

2007-11-19T06:42:01Z

Sûnnet Beskerming Alert List Advisory #250

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 6 Days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 6 Days
1.3 QuickTime
- Remote Hacker Manual Control
- Time Since Discovery - > 7 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Where Have we Been?
2.2 The fine line Between Security and Usability
2.3 Noted Italian Security Expert Arrested in Ongoing Spy Scandal
2.4 Internet Bubble 2.0
2.5 RealPlayer 0-Day Shows ActiveX Still an Issue
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Crystal Reports
Windows Services for Unix
Messenger

-- Technical Description --
MS07-061 - Windows Shell (Win XP, 2003). Arbitrary code execution.
Critical
MS07-062 - DNS Server (Win XP, 2003). DNS Spoofing due random number
prediction. Important

-- Description --
Microsoft delivered two patches as part of the November Security
Update release earlier this week. One patch (MS07-061) has been
rated as Critical and delivers a fix for well known URI handling
vulnerabilities that were identified earlier this year and have been
actively attacked for some time. The remaining patch deals with poor
random number generation in certain Windows versions that allows for
prediction of DNS response parameters and simple spoofing of
results. Both patches replace earlier updates issued from Microsoft.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-062.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-3896 (MS07-061)
CVE-ID: CVE-2007-3898 (MS07-062)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 OS X (Multiple) - Remote hacker automatic control

-- Products Affected --
OS X 10.4.10 and prior.

-- Technical Description --
AppleRAID - Opening a maliciously crafted disk image may lead to an
unexpected system shutdown.
BIND - An attacker may be able to control the content provided by a
DNS server (weak random number generation)
bzip2 - Multiple vulnerabilities in bzip2
CFFTP - A user's FTP client could be remotely controlled to connect
to other hosts
CFNetwork - Multiple Vulnerabilities
CoreFoundation - Reading a directory hierarchy may lead to an
unexpected application termination or arbitrary code execution
CoreText - Viewing maliciously crafted text content may lead to an
unexpected application termination or arbitrary code execution
Flash Player Plug-in - Opening maliciously crafted Flash content may
lead to arbitrary code execution
Kerberos - A remote attacker may be able to cause a denial of
service or arbitrary code execution if the Kerberos administration
daemon is enabled
Kernel - Multiple Vulnerabilities
Networking - Multiple Vulnerabilities
NFS - A maliciously crafted AUTH_UNIX RPC call may lead to an
unexpected system shutdown or arbitrary code execution
NSURL - Visiting a malicious web site may result in arbitrary code
execution
remote_cmds - If tftpd is enabled, the default configuration allows
clients to access any path on the system
Safari - Multiple Vulnerabilities
SecurityAgent - A person with physical access to a system may be
able to bypass the screen saver authentication dialog
WebCore - Multiple Vulnerabilities
WebKit - Multiple Vulnerabilities

-- Description --
Apple Inc have released a cumulative update for OS X 10.4, bringing
it to 10.4.11, and have released a separate Security Update 2007-008,
for OS X 10.3.x systems (included in the 10.4.11 update). The update
provides fixes for multiple serious vulnerabilities, including for
AppleRAID, BIND, bzip2, CoreFoundation, and other system components.
Vulnerabilities range from denial of service and local privilege
escalation, through to automatic remote code execution.

-- Recommended Action --
Apply the update to OS X 10.4.11 or Security Update 2007-008 (OS X
10.3.x systems) at the earliest opportunity, either from the Software
Update option in the Apple Menu, or from Apple's download link, below.

If the Software Update application is used, only the applicable
update will be selected and installed on a vulnerable system.

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2007-4678 (AppleRAID)
CVE-ID: CVE-2007-2926 (BIND)
CVE-ID: CVE-2005-0953 (bzip2)
CVE-ID: CVE-2005-1260 (bzip2)
CVE-ID: CVE-2007-4679 (CFFTP)
CVE-ID: CVE-2007-4680 (CFNetwork)
CVE-ID: CVE-2007-0464 (CFNetwork)
CVE-ID: CVE-2007-4681 (CoreFoundation)
CVE-ID: CVE-2007-4682 (CoreText)
CVE-ID: CVE-2007-3456 (Flash Player)
CVE-ID: CVE-2007-3999 (Kerberos)
CVE-ID: CVE-2007-4743 (Kerberos)
CVE-ID: CVE-2007-3749 (Kernel)
CVE-ID: CVE-2007-4683 (Kernel)
CVE-ID: CVE-2007-4684 (Kernel)
CVE-ID: CVE-2007-4685 (Kernel)
CVE-ID: CVE-2006-6127 (Kernel)
CVE-ID: CVE-2007-4686 (Kernel)
CVE-ID: CVE-2007-4688 (Networking)
CVE-ID: CVE-2007-4269 (Networking)
CVE-ID: CVE-2007-4689 (Networking)
CVE-ID: CVE-2007-4267 (Networking)
CVE-ID: CVE-2007-4268 (Networking)
CVE-ID: CVE-2007-4690 (NFS)
CVE-ID: CVE-2007-4691 (NSURL)
CVE-ID: CVE-2007-4687 (remote_cmds)
CVE-ID: CVE-2007-0646 (Safari)
CVE-ID: CVE-2007-4692 (Safari)
CVE-ID: CVE-2007-4693 (SecurityAgent)
CVE-ID: CVE-2007-4694 (WebCore)
CVE-ID: CVE-2007-4695 (WebCore)
CVE-ID: CVE-2007-4696 (WebCore)
CVE-ID: CVE-2007-4697 (WebCore)
CVE-ID: CVE-2007-4698 (WebCore)
CVE-ID: CVE-2007-3758 (WebCore)
CVE-ID: CVE-2007-3760 (WebCore)
CVE-ID: CVE-2007-4671 (WebCore)
CVE-ID: CVE-2007-3756 (WebCore)
CVE-ID: CVE-2007-4699 (WebKit)
CVE-ID: CVE-2007-4700 (WebKit)
CVE-ID: CVE-2007-4701 (WebKit)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.3 QuickTime - Remote hacker automatic control

-- Products Affected --
QuickTime 7.2 and prior.

-- Technical Description --
QuickTime 7.3 has been released, and includes fixes for issues that
could lead to arbitrary code execution as the result of interacting
with malicious image or movie files.

-- Description --
Apple Inc have released QuickTime 7.3 and have included numerous
fixes to vulnerabilities present in previous versions. QuickTime 7.3
is available for both Windows and OS X platforms and users should
update to the latest version as soon as practical.

-- Recommended Action --
Update to QuickTime 7.3 from either the Software Update application,
or from the download link below.

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2007-2395 (QuickTime)
CVE-ID: CVE-2007-3750 (QuickTime)
CVE-ID: CVE-2007-3751 (QuickTime)
CVE-ID: CVE-2007-4672 (QuickTime)
CVE-ID: CVE-2007-4676 (QuickTime)
CVE-ID: CVE-2007-4675 (QuickTime)
CVE-ID: CVE-2007-4677 (QuickTime)

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Where Have we Been?

The observant reader would note that it has been almost two months
since they last received an Advisory from this service, two months
that have passed quickly for all concerned. While it was not an
ideal situation, our website was kept updated throughout the period,
with many new readers discovering our reporting through links from
various high traffic sites such as The Register, Slashdot, Reddit,
and others. Our RSS feeds, available from our website (http://
www.beskerming.com) have also been continuously updated, providing
the latest reporting from Sûnnet Beskerming on both Security and
Commentary material.

2.2 The fine line Between Security and Usability

Finding the right balance between security and usability is difficult
for any software developer. Recently a set of issues were disclosed
where it was apparent that Microsoft had worsened the security
situation for their users based on the software provided with
Windows, or based on their response to reported problems.

Whether it is Microsoft's desire to make computing as simple as
possible for the masses, or whether it is a simple question of
economic terms, the inclusion of the affected Macrovision DLL on
Windows XP and 2003 could be interpreted as both. If Microsoft hadn't
included it, then there would be many users confused as to why their
software wasn't quite working as expected, and why a newly purchased
game was seeking to install core system components. On the other
hand, by providing the software, it means that there are millions of
business systems that will never see gaming software installed, and
which have no need for this particular anti-copying measure. In this
instance, Microsoft identified and issued a patch before there was
too much of a problem.

On the other hand, predictable (pseudo)random number generation isn't
something that most people would encounter on a routine basis, but it
can have real world effects when systems rely upon that number
generation to determine how network responses should be sequenced.
While this was one of the patches issued by Microsoft with the
November release cycle, it should be noted that numerous sources were
carrying information about the predictability of number generation
before the patches were released. Not only this, but Apple's Security
Update 2007-008 / OS X 10.4.11 release that came out in the same week
included an update for BIND that addressed a similar-looking weak
(pseudo)random number generation issue. While it may have just been
coincidental, it is interesting to see two major software vendors
provide updates for very similar DNS server problems for two
different DNS server products in the same approximate timeframe.

Another issue which came to light last week may pose more of a
problem for business and home users, especially given that Microsoft
acknowledged to the discoverer that they would not be patching the
remote code execution vulnerability that he had reported -

"Microsoft replied me that they would not fix this vulnerability, it
looks like they will not acknowledge vulnerabilities which are
from .mdb file".

Microsoft's response points to a Knowledge Base article which merely
leads to a list of filetypes that are considered 'unsafe' by
different Microsoft products. It doesn't actually indicate that the
filetype should no longer be used by end users or that Microsoft will
not be supporting the filetype anymore.

As far as JET .mdb files go, it seems that Microsoft has deprecated
the technology somewhat, but it still continues to be supported by
the latest versions of Access (Access 2007).

Not every application in use can or will be updated to the Microsoft
Desktop Engine (MSDE) or SQL Server 2005 Express Edition / SQL Server
2005 Compact Edition, so there are going to be plenty of viable
targets where exploits can find traction.

Probably the biggest defensive measure against widespread attack of
this vulnerability is the requirement to get a malicious .mdb file
onto the target system and then executed through the JET engine. As
ruder points out, some web servers could be at risk if users upload a
malicious .asp / .mdb file and then execute it via calls to
"ADODB.Connection".

Unfortunately for Access users, this is just one of several arbitrary
execution problems affecting the .mdb file format that may never get
fixed by the vendor (the linked one is from 2005 and may be related).

While vendors do have to draw the line somewhere with the filetypes
and application versions that they will continue to support, refusing
to provide security related fixes for serious vulnerabilities is a
failure of their duty of care to their users.

2.3 Noted Italian Security Expert Arrested in Ongoing Spy Scandal

Some fairly surprising news recently came to light when it was
reported that Domina Security, Zone-h and WabiSabiLabi cofounder,
Roberto Preatoni, was arrested and charged in connection with claims
of spying at Telecom Italia.

It was Roberto's work with a penetration testing team, a 'Tiger Team'
that had been created to do some testing for Telecom Italia, that is
believed to have led to the arrest rather than his involvement with
the controversial WabiSabiLabi vulnerability auction market.

The team that Roberto worked with apparently had some shady history,
including allegations of spying, unauthorised hacking, wiretaps, and
it may just be a case of 'wrong place, wrong time' for the security
expert who has been charged with unauthorised access to computer
systems and wiretapping. It is reported that hacking and spying
activities were carried out against Brasil Telecom's CEO, an
investigative agency, and two journalists.

Others have been arrested earlier in the year, including Telecom
Italia's Security Chief Technology Officer, who has presented
alongside Preatoni at security conferences over the last twelve
months. These presentations included one that might be considered
ironic - "The Biggest Brother", presented at the 2006 Hack in the Box
conference, which argued that many governments have taken advantage
of September 11 to tighten control over their citizens. A previous
presentation by Roberto, given at 2005's CCC, regarding industrial
espionage and counter attacks might be of more interest to
investigators.

WabiSabiLabi has yet to issue a statement regarding the incident,
though one is expected soon.

2.4 Internet Bubble 2.0

Microsoft's purchase of 1.6% of social networking site Facebook for
$240 million USD has only added to fears that there is a significant
overvaluation in the market for major websites and related companies
- basically that there is an Internet Bubble 2.0 in the works. With
Facebook valued now at up to $15 billion USD (based on Microsoft's
purchase price) it has elevated the company into the top 10 Internet
companies by value, though it is still producing far less in terms of
ongoing revenue than other companies with comparable market value.

Some who are looking deeper into the purchase are seeing it as a
strategic move by Microsoft to prevent Google or another competitor
from snapping up the site on the cheap. By paying so much for so
little of the company it forces other would-be investors to
significantly increase the amount of resources that they would need
to gain a controlling stake in the site, while it also provides a
stronger avenue for Microsoft to push their Flash-competing
Silverlight technology on web users (Microsoft is Facebook's primary,
now exclusive, advertising supplier).

In the fickle world of social networking sites, it could still be a
$240 million USD hole in the space of a few months if the next
greatest thing comes along - something Microsoft should have already
been aware of with their Windows Live Spaces platform. While Facebook
currently has a nicer feel and look than many comparative sites, it
is all based on something better not yet having much traction amongst
Internet users. Some have pointed out that these sites maintain the
position that free webhosts like Geocities once maintained in the
late 90's.

Microsoft's big push to purchase 20 web companies per year over the
next five years could also be playing a part in the investment into
Facebook and ongoing growth of the bubble for the next few years.
With predicted purchase ranges of $50 million to $1 billion USD per
company, that is a lot of money for companies that will soon find
themselves in the sights of Microsoft (if they aren't already in the
sights of Google, Yahoo!, or some other major technological company).
Enterprising company owners can pitch directly to Steve Ballmer, or
he can always contact us directly.

2.5 RealPlayer 0-Day Shows ActiveX Still an Issue

News has been spreading rapidly of an actively-exploited
vulnerability affecting RealPlayer, activated via Internet Explorer.
Based on the available reporting, it appears that at least one major
victim has been targeted with this exploit (NASA), with the first
information being made public on Wednesday of this week. Symantec,
McAfee, and the ISC then published initial details of the
vulnerability on Thursday / Friday.

Discovered in the wild, but without public exploit code samples at
this stage, concerns are being aired by Information Security vendors
about the risk of widespread infection attempts using this
vulnerability. Making the situation worse is that it is being
reported that a successful infection only requires the ActiveX
control to be present - it does not need to be activated for a
successful attack.

While a critical vulnerability in a common third party ActiveX plugin
is a problem for Windows users (especially one that comes pre-
installed by default on some systems - such as Dell), it serves as a
timely reminder for all that the Internet Explorer and ActiveX
combination is still a risky one for Windows users, despite the
ongoing efforts that Microsoft are putting in to tightening security.

For users and administrators who do not have third party protection
software in place, setting the following killbit in the Windows
Registry will provide interim protection (as well as preventing
RealPlayer from being called in Internet Explorer):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

With RealPlayer notorious for constant 'buffering...' messages early
in the time of streaming online media content, some Internet
humourists have suggested that the vulnerability might be due to a
'buffering overflow'.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #249 - Microsoft (Multiple), Kerberos, QuickTime, Multiple News

2007-09-16T15:45:16Z

Sûnnet Beskerming Alert List Advisory #249

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
1.2 Kerberos
- Remote Hacker Automatic Control
- Time Since Discovery - > 1 Week
1.3 QuickTime
- Remote Hacker Manual Control
- Time Since Discovery - 3 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Torrent-spiking Company Loses Email via Torrent
2.2 When Security Products Weaken Security
2.3 How the Online Trust Model is Broken - The Bank of India.com attack
2.4 Windows Vista SP 1 Slips to 2008
2.5 Listen to SIP Phones Even When They are on the Hook
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Crystal Reports
Windows Services for Unix
Messenger

-- Technical Description --
MS07-051 - Microsoft Agent (Win 2000 only). Arbitrary remote code
execution. Critical
MS07-052 - Crystal Reports (as distributed with Visual Studio).
Arbitrary remote code execution. Important
MS07-053 - Windows Services for Unix. Privilege Escalation. Important
MS07-054 - Microsoft Messenger. Arbitrary remote code execution.
Important

-- Description --
Microsoft delivered four patches as part of the September Security
Update release earlier this week. Only one of the patches (MS07-051)
has been rated as Critical, with the others rated as Important.
Exploit code has been available for some time for some of the patched
vulnerabilities, and Microsoft have updated the release information
for MS07-054 and MS07-052 to address issues identified after the
initial release date.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-054.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-3040 (MS07-051)
CVE-ID: CVE-2006-6133 (MS07-052)
CVE-ID: CVE-2007-3036 (MS07-053)
CVE-ID: CVE-2007-2931 (MS07-054)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 Kerberos - Remote hacker automatic control

-- Products Affected --
Kerberos 5-1.6.2 and prior.

-- Technical Description --
Two vulnerabilities affecting the Kerberos application have been
discovered. The first is a buffer overflow affecting the RPC library
included with the MIT Kerberos application (and which may also be
included in other software), which allows arbitrary code execution.
The second vulnerability is with the kadmind component, where an
authenticated user may be able to execute arbitrary code through the
use of an uninitialised memory pointer.

-- Description --
Two separate vulnerabilities have been reported for the Kerberos
authentication tool maintained by MIT. The most serious of the two
vulnerabilities is a memory fault in an included software library
(which may also be in other products) that potentially allows an
attacker to run software of their choice on a victim's system. The
second vulnerability allows an authenticated user to run software of
their choice on a vulnerable system through another memory issue.
Although MIT have received sample exploitation code from a third
party, exploit code for these issues has yet to circulate widely.

-- Recommended Action --
Update to the latest official version from MIT, or wait until your
Operating System vendor is able to release a patched version for your
platform.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

1.3 QuickTime - Remote hacker automatic control

-- Products Affected --
QuickTime 7.1.6 and prior.

-- Technical Description --
From the available information, it appears that there is a problem
with how QuickTime handles XML data that is presented as a valid
QuickTime media format. Browsers enabled with a QuickTime plugin have
been demonstrated to be vulnerable to an attack based on this (it has
yet to be determined if it is the browser interpreting the XML, or
the plugin, but multiple browsers are vulnerable).

-- Description --
A web security researcher has identified a vulnerability with the
way that a number of browsers handle different QuickTime media files.
At this stage, it is too early to determine if the vulnerability is
with the QuickTime plugin (likely), or the browsers. Along with the
disclosure of the vulnerability, public exploit samples were
provided. At this time there has been no response from Apple about
the potential vulnerability.

-- Recommended Action --
Consider the use of alternate QuickTime media handling libraries, or
change the handling of QuickTime from within the browser.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Torrent-spiking Company Loses Email via Torrent

Via news at TorrentFreak, it seems that MediaDefender has become the
subject of what could be the biggest BitTorrent leak to date.
Apparently, more than 700 MB of internal email (almost 9 months
worth, with the most recent from September 2007) from the company was
leaked to the Internet after an employee's GMail account was hacked.

MediaDefender markets itself as 'the leading provider of anti-piracy
solution in the emerging Internet-Piracy-Prevention (IPP) industry',
specialising in services and technology designed to mitigate and
prevent the spread of illegally copied / distributed copyrighted
material. In simple terms, they are one of the companies believed to
be responsible for the poisoning of material on various P2P networks
and BitTorrent trackers.

The release of MediaDefender's email history appears to be the
responsibility of a group calling themselves 'MediaDefender-
Defenders', an advocacy group that claims to be working for securing
the privacy and integrity of all peer-to-peer users. According to the
information still publicly available from a number of Torrent tracker
sites, the data was captured from a MediaDefender employee's GMail
account, where the employee had been forwarding all internal email
(hint, don't ever do that). Even worse, he had been using a weak
access password on the account which eventually gave the
MediaDefender-Defenders group access.

Material that might get some to pause and think about the source of
that next download includes information on the New York State
Attorney General's Office apparently looking to set up fake sources
to build cases against file sharers in New York State. Even more
relevant for Torrent users is indication that MediaDefender had
accounts with several private torrent sites.

Current court cases where members of the RIAA are suing file sharers
might be looked at in a slightly different light (or at least
confirmed that certain activities are for the suspected reasons)
after it appears that Universal are looking for correlation between
their lawsuit activity and P2P usage from within Universities
(looking for a reduction following lawsuit activity). There is also
information suggesting that MediaDefender were using a Universal
Music Group site to store material that they had downloaded for later
analysis (complete with authentication details).

Because this information came out over the weekend, it is probable
that it will remain live for at least a few days into next week, and
it is guaranteed that the compromised email file will have reached
the critical number of users required for it to always have a
presence online.

While the file might be readily available and very enticing to look
at, readers should be reminded that if they are caught with it in
their possession or found to have accessed it, that it may be illegal
(civil or criminal) in their jurisdiction. Included amongst the
unedited file (which is still readily available) is information on
server authentication details, pay negotiations, IP lists, trackers
used as decoys, strategies, effectiveness of existing systems, and more.

2.2 When Security Products Weaken Security

It is almost becoming normal for malware to target a range of
antivirus and antimalware products as part of the infection routine,
preventing them from accessing definitions updates, preventing them
from accessing the vendor's website, or even terminating any running
process associated with protective software.

Sometimes it is the protective software that is the greatest risk to
a system, through bugs that introduce weaknesses to the systems it is
trying to protect. This could be as simple as problems with scanning
modules, as has often been seen with antivirus platforms, or it could
be a vulnerability with the core software that then allows an
attacker full access to the system that it is trying to protect.

When it comes to identifying and repairing these vulnerabilities,
which could have significant impacts on the overall security of
systems and networks, it is preferred that vendors release the
information publicly and make the patches available in a timely
manner. Sometimes it doesn't work out that way and hackers are openly
sharing information about critical vulnerabilities in various vendor
products.

Such a situation has recently taken place with Kaspersky Anti-Virus,
when noted Russian rootkit researcher EP_X0FF published a detailed
report on vulnerabilities that Kaspersky introduces into a system,
that otherwise wouldn't be there. Worryingly for users of Kaspersky
products, it seems that the particular vulnerabilities disclosed can
be exploited from an unprivileged account, but have system-wide
effects. At this stage, all the disclosed details will do is result
in a 'Blue Screen of Death', but it is likely to draw the attention
of other hackers, who could find ways to turn it into a situation
where they take control over the system.

While not a vulnerability as such, Microsoft have come under fire
lately for the automatic updates that have been applied to systems
that were otherwise configured not to update automatically. Software
updates to the Windows Update service were not being announced and
were silently being applied to systems where the users had configured
them for manual updates only. Supporters of Microsoft argue that this
isn't a problem, why is there concern over the issue (after all, you
only licence your software), while there has been a vocal chorus of
people who argue that any automated change to their system is a
problem, when they have specifically set up their system not to
automatically update. Why this particular practice of silently
updating Windows Update has suddenly grabbed attention is not known,
as Microsoft have been updating the application in this manner for a
long time.

2.3 How the Online Trust Model is Broken - The Bank of India.com attack

Thanks to the team at Sunbelt Software comes news of a serious hack
perpetrated on the website for the Bank of India at http://
www.bankofindia.com (non clicky for those who aren't reading closely).

While attacks and public defacements on websites are regular
occurrences and can be seen at Zone-h, attacks against high profile
sites are not uncommon. This particular hack introduces an invisible
1 x 1 <iframe> that loads immediately after the <body> tag, so
wouldn't normally be included in the Zone-h archive and wouldn't
normally be identified by the average Internet user.

Although the site that the iframe points to (goodtraff.biz) has since
vanished from the Internet (about an hour before this article was
written), WHOIS records still exist that indicate that the malware
was being hosted out of Russia. Sunbelt's analysis shows several
other sites being involved in the attack, though these no longer load
since goodtraff.biz doesn't respond to queries. Manually entering the
addresses into a browser will load some of them, suggesting that
those upstream malware sources are active (others have already been
shut down). Of interest is one particular referenced site, an Adult
website traffic aggregator that clearly sets out in its rules that
traffic is not to come from:

* pop-ups, consoles, iframes or Error pages
* dialers, iframes, exploits ...

As a money for traffic site, it is not known how much money the
attacker has been able to make from the Bank of India hack, but their
user number (0224) is sure to have attracted a significant amount of
traffic via the hidden iframe.

Goodtraff.biz has been implicated in malicious activity in the past,
though on a relatively small scale. Whoever compromised the Bank of
India site (which is still compromised) has elevated a low profile
malware site into the limelight, at least temporarily. With more than
22 pieces of malware attempted to be installed from the one site
visit, it represents a significant problem for the Bank of India
customers who have viewed the site over at least the last 36 hours.
Unfortunately there is no indication when the site was first
compromised, so there may be a lot of victims from this one
particular hack.

This is a problem when users are relying on various online Trust
brokers to tell them when a site is malicious, either through
displaying a certain colour to indicate malicious activity, or
through actively preventing the user from accessing the site. One of
the better known Trust brokers, SiteAdvisor gives the Bank of India
website a clean bill of health. It takes a bit of effort to drill
down into the comments before a small link is found, from a user,
that points to Sunbelt's coverage of the hack - but the overall
rating remains positive.

SiteAdvisor is not alone in trusting the compromised site. Google's
Safe Browsing extension for Firefox fails to notice the breach, as
does Finjan, NetCraft and PhishTank SiteChecker. It is expected that
most Trust broking sites will report that the Bank of India site is
still valid.

For critics of the various Trust broking models, this is a clear
example of the fatal flaws present in almost all models, that the
refresh time on a site is too long to be useful when a surf-by attack
on a trusted site can take place in a matter of seconds, with a
lifetime of hours, and with a victim base of thousands or greater.

All of the advice given to users for how to protect themselves when
surfing online breaks down in the face of a compromise to a trusted
online financial institution - it should be a trusted site that the
user can run Scripting and ActiveX controls on (as appropriate) with
little fear of compromise.

There are some alternative models of trust being developed, but most
are still being kept quiet by the various developers and vendors who
are working on them, including Sûnnet Beskerming's own Nabu system
(to address previous complaints - the reason why no one has heard of
Nabu and can not find information on it is because Sûnnet Beskerming
does not leak information about what is being created in their
research labs. If you want to know more, you can contact Sûnnet
Beskerming directly).

The best advice for visiting any site on the Internet is to apply
caution. It doesn't matter how well you trusted the site in the past,
it isn't going to take much to completely compromise both it and your
system.

2.4 Windows Vista SP 1 Slips to 2008

After initially reporting that Service Pack 1 for Vista was due
before the end of 2007, Microsoft now say that the Service Pack will
not be due out until the first quarter of 2008. Actually, what they
say is that they are 'targeting' the first quarter of 2008 for the
release, so the actual release date has yet to be made public.

For those who can't wait until 2008, or who weren't part of the
closed testing program, there is always the educated guesswork being
carried out over at vistasp1.net. With no confirmation that these
hotfixes and updates will be incorporated into SP 1, it is noteworthy
that Microsoft are annoyed with the information being put forward
about potential SP 1 content. Microsoft are also expecting to release
the Service Pack for public testing later this year, so there are
some opportunities for the general public to get ahold of the Service
Pack prior to release.

Despite it looking like a short period of time between the release of
Windows Vista and the first Service Pack, it is actually longer than
the amount of time that it took for Windows 2000 and XP to have their
first Service Pack releases.

Download size and hard drive space requirements have also been hinted
at, with around 50MB required for the initial download via WSUS, with
up to 7 GB of hard drive space required for the SP 1 install (it
seems that the standalone image is going to be around 1 GB). Unless
Microsoft have invented a new, ultra-efficient compression algorithm
for the download option, it is probably going to be most efficient
for most users to obtain their Service Pack updates on optical media.

Separating public testing from the public release could lead to
interesting Information Security aspects, with any new security fixes
bound to be reverse engineered and probed prior to the public Service
Pack release.

2.5 Listen to SIP Phones Even When They are on the Hook

Recently disclosed information suggests that it is a relatively
simple matter to remotely eavesdrop on a broad range of SIP-enabled
devices. For readers who aren't aware of what SIP-enabled devices
are, SIP (Session Initiation Protocol) is a protocol that is used by
a lot of VoIP software and associated telephone handsets to
establish, modify, and control a VoIP connection between two parties.

The research that was published indicates that, for at least one
vendor, it is possible to automatically call a SIP device from that
vendor and have it silently accept the call, even if it is still on
the hook - instantly turning it into a classic bugged phone. Whereas
historic telephony bugs needed physical targeting of the line running
to a property or place of business, the presence of VoIP in the
equation allows bugging from anywhere in the world with equal
ability. Now anyone can do from their armchair what only spies and
law enforcement used to be able to do from inside the telephone
switch / pit / distribution board, though it's still illegal to do so.

As well as bugging the phone, the action effectively acts as a Denial
of Service against the device (after all, it is already engaged in a
call).

Having found the bug via fuzzing, the discovering researchers believe
that there may be a number of vendors that have created their own SIP
networking code, with equivalent bugs contained within.

While the vendor concerned is expected to release appropriate patches
soon, the disclosure is likely to turn attention on other SIP device
providers.

This may already be happening, with two separate exploits released
publicly in the last couple of days targeting Cisco SIP handsets,
with the result of a Denial of Service condition against the phones.
VoIP client software from eCentrex has also been targeted with public
exploit code, except this time it allows for control over vulnerable
devices as a result of a remote buffer overflow condition.

Concerned users and administrators who have SIP enabled software or
hardware should be aware of their potential limitations and have
appropriate mitigation strategies in place, especially if they are
used in sensitive areas (military use, national secrets, trade
secrets, etc).

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #248 - Microsoft (Multiple), Symantec, OS X, DXMedia, Multiple News

2007-08-20T15:58:00Z

Sûnnet Beskerming Alert List Advisory #248

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7 Days
1.2 Symantec Product Range
- Remote Hacker Automatic Control
- Time Since Discovery - > 1 week
1.3 OS X
- Local Hacker Automatic Control
- Time Since Discovery - > 1 week
1.4 DXMedia
- Remote Hacker Automatic Control
- Time Since Discovery - 7 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 The Difficulty of Validating Systems and Users
2.2 When InfoSec Companies are Targeted
2.3 German Security Professionals in the Mist
2.4 Protecting Aussie Internet Users for $190 Million
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Visio 2002, 2003
Outlook Express
Windows Mail

-- Technical Description --
MS07-042 - MSXML. Arbitrary remote code execution. Critical
MS07-043 - OLE. Arbitrary remote code execution. Critical
MS07-044 - Excel. Arbitrary remote code execution. Critical
MS07-045 - Internet Explorer. Arbitrary remote code execution. Critical
MS07-046 - GDI (WMF). Arbitrary remote code execution. Critical
MS07-047 - Windows Media Player. Arbitrary remote code execution.
Important
MS07-048 - Vista Gadgets. Arbitrary remote code execution. Important
MS07-049 - Virtual PC. Arbitrary Host code execution. Important
MS07-050 - VML. Arbitrary code execution. Critical

MS07-041 - IIS. Arbitrary remote code execution. Important

-- Description --
Microsoft delivered nine patches as part of the August Security
Update release. Six of the patches have been rated as critical, with
the remaining three as Important. Exploit code has already begun to
circulate for a number of the vulnerabilities.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-043.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-044.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-048.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-2223 (MS07-042)
CVE-ID: CVE-2007-2224 (MS07-043)
CVE-ID: CVE-2007-3890 (MS07-044)
CVE-ID: CVE-2007-0943 (MS07-045)
CVE-ID: CVE-2007-2216 (MS07-045)
CVE-ID: CVE-2007-3041 (MS07-045)
CVE-ID: CVE-2007-3034 (MS07-046)
CVE-ID: CVE-2007-3037 (MS07-047)
CVE-ID: CVE-2007-3035 (MS07-047)
CVE-ID: CVE-2007-3033 (MS07-048)
CVE-ID: CVE-2007-3032 (MS07-048)
CVE-ID: CVE-2007-3891 (MS07-048)
CVE-ID: CVE-2007-0948 (MS07-049)
CVE-ID: CVE-2007-1749 (MS07-050)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 Symantec Product Range - Remote hacker automatic control

-- Products Affected --
Various

-- Technical Description --
Two ActiveX controls managed by NAVCOMUI.DLL have input validation
errors that can lead to arbitrary code execution.

-- Description --
Symantec have released information about vulnerabilities with two
ActiveX controls associated with Norton AntiVirus, Norton Internet
Security, and Norton System Works. If an attacker is able to convince
a victim to interacting with malicious websites code that targets
these vulnerabilities, then it is possible for the attacker to take
control of the victim's system.

-- Recommended Action --
Run LiveUpdate from within affected Symantec software to obtain the
appropriate updates.

-- Source --
http://securityresponse.symantec.com/avcenter/security/Content/
2007.08.09.html

-- Updates Available --
Run LiveUpdate from within affected Symantec software to obtain the
appropriate updates.

-- External Tracking Data --
SYM07-021

-- Threat Matrix --
U O
Home User 8 8 (Very High)
Corporate 8 8 (Very High)

1.3 OS X 10.4 - Remote hacker automatic control

-- Products Affected --
10.4.10 and prior.

-- Technical Description --
Numerous issues affecting OS X 10.4.x and 10.3.x, including:
bzip2 - bzgrep run on a file with a malicious name may lead to
arbitrary code execution (filename handling issue)
CFNetwork - Poor handling of FTP commands passed via a URI may lead
to arbitrary command execution. A second issue, affecting HTTP
response splitting may lead to XSS conditions. A vulnerability in the
Java interface to CoreAudio (via CFNetwork) allows for arbitrary
memory freeing and arbitrary code execution.
cscope - Multiple vulnerabilities, allowing buffer overflow conditions.
gnuzip - Similar problem to that affecting bzip2
iChat - Denial of Service or arbitrary code execution as a result of
buffer overflow conditions in UPnP IGD.
Kerberos - Multiple vulnerabilities, including remote code execution
(see separate vulnerability reports).
mDNSResponder - Denial of Service or arbitrary code execution as a
result of poor handling of UPnP IGD code. UPnP IGD support has been
removed.
PDFKit - Maliciously named PDF files may lead to arbitrary code
execution.
PHP - Multiple vulnerabilities.
Quartz Composer - Denial of service and possible arbitrary code
execution due to poor handling of Quartz Composer files.
Samba - Malicious MS-RPC requests can lead to arbitrary code
execution or denial of service.
SquirrelMail - Multiple vulnerabilities, most serious of which is XSS.
Tomcat - Multiple vulnerabilities.
WebCore - Multiple vulnerabilities, including the operation of Java
applets when Java support is disabled, scripting within HTML
elements, and multiple XSS opportunities.
WebKit - Poor IDN support leading to URL obfuscation and poor
handling of PCRE can lead to arbitrary code execution.

-- Description --
Apple have released Security Update 2007-007, addressing a large
number of serious vulnerabilities affecting both OS X 10.4.x and
10.3.x (Tiger and Panther, respectively). A number of the
vulnerabilities also affect the iPhone and Safari 3 Betas and have
been addressed via separate updates as well. A number of the
vulnerabilities could allow remote control over vulnerable systems,
while others could lead to loss of functionality for legitimate users.

-- Recommended Action --
Security Update 2007-007 should be applied at the earliest
opportunity. The update can be applied either through the Software
Update application, or through manually downloading it from the
download link below.

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Multiple

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

1.4 DXMedia SDK - Remote hacker automatic control

-- Products Affected --
DXMedia SDK At least version 6

-- Technical Description --
The DXTLIPI.DLL associated with the FlashPix ActiveX control, part
of the Microsoft DirectX Media SDK, has been discovered to have a
buffer overflow vulnerability affecting the SourceUrl() property.
Public exploit code is readily available.

-- Description --
Earlier this week it was discovered that an ActiveX control
associated with the Microsoft DirectX Media SDK, specifically the
DirectTransform FlashPix ActiveX control, contains a vulnerability
that allows an attacker to take control over a victim's system if the
victim can be convinced to interact with a malicious site. It is
possible that the affected ActiveX control is also available via
other products. Public exploit code is readily available from a
number of sources.

-- Recommended Action --
It is possible to mitigate the threat by setting the Registry
killbit (201EA564-A6F6-11D1-811D-00C04FB6BD36) for the affected
ActiveX control. Alternatively, disable support for all ActiveX
controls in order to mitigate.

-- Source --
Krystian Kloskowski (h07)

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
US-CERT VU#466601

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 The Difficulty of Validating Systems and Users

One of the issues plaguing Identity management and online
authentication systems is how to accurately validate the identity of
the system or user connecting to a service.

One possible means for identification that has attracted attention
recently is finding and identifying a 'MachineID', some form of
unique identifier that is specific to a particular physical system
and which is difficult to reliably fake. This might take the form of
tracking internal network IP addresses, end user system patch levels
and browser configuration, and even tracking of end user system
hardware configuration.

A problem that is then encountered is how to reliably identify when
more than one user is using an authenticated system - how is the
mechanism to handle seemingly identical requests that originate from
distinct users.

If the authentication system to be used is to be installed alongside
other software then this is a problem that has already been solved
and dismissed from all but casual usage. Many anti-copying software
and hardware efforts come in such a format - additional code that
forms part of an installed product, for the purpose of ensuring only
legitimate copies of the software are in use. These methods could
have modified key software based on how the system identified itself,
required the use of a hardware 'dongle' for authentication, looked
for the presence of hidden system files or the physical presence of
removable media, or even looked for the presence of intentionally-
corrupted space on original installation media.

With every effort to prevent people from copying or using software in
any way they want to comes a dedicated effort to overcome and
neutralise the above listed means of preventing non-authorised usage.
Going back to the first concept raised in this article - the
development and introduction of some equivalent system for use
online, the motivation to bypass or trick it increases rapidly
alongside the financial incentive to break it, and the increased
anonymity afforded to those trying to bypass the authentication. Even
when there is little obvious financial benefit to bypassing the
system, it can fail on its own. The problems encountered by
legitimate system users when Windows Genuine Advantage and the
Windows XP activation tools fail to properly work have been well
documented. If the system can fail completely without user
interaction, what benefit is it to those it is trying to protect?

Introducing this sort of mechanism into the online environment is
much more difficult than merely allowing it to exist on the end
user's system. Developers and administrators need to be cogniscent of
the problems posed by a stateless protocol that can serve consecutive
requests from seemingly different sources as well as the wide variety
of end systems that might be in use to reach the online service, not
only in terms of different operating system types, but also the use
of screen readers, mobile phones, kiosks, and any other of Internet-
capable devices. MAC addresses and hard drive serial numbers can
provide information to local applications, but they are more
difficult to reach via networked systems. Use of platform-dependent
technology like ActiveX can simplify this process, but it then leads
to security concerns and problems for users of other platforms (OS X
and Linux).

There are a number of methods available for basic authentication and
tracking of state across a site, but these all have drawbacks and
issues that become apparent when systems are scaled up and spread
across load balancing and the use of caching proxies. Even the
current 'best of breed' solutions have critical flaws where users can
force the system to a 'fallback' position and force it into a
remedial mode where the level of added security and authentication is
negligible (back to a simple question in some cases). Some of the
theories being put forward for implementation of one of these systems
include browser identification, username in use, system patch levels,
though each can be spoofed or hidden from the networked application.
At the end of the day, these approaches don?t really tie down to a
specific system in use.

Part of the difficulty comes in creating a system that is rigid
enough to identify and alert to changes in hardware or end user
system configuration, yet flexible enough to allow and identify
multiple users from the same machine or a reasonable level of system
changes, such as those that might occur from replacing a hard drive,
applying system patches, or other routine changes. As a result, many
of the systems that come close to achieving these goals don't really
add much overall to the security situation faced by the application
or primary system.

From a holistic viewpoint, addition of a system designed to identify
specific systems can cause problems by actually weakening overall
security (thus highlighting problems exist in the overall system
design).

There are solutions, however.

One of the products in our testing lab is a platform independent
mechanism for attaining this goal. With nothing to install on the
user side, complete platform and system independence, it appears that
Nabu (the product under testing) is close to achieving the goal of
allowing users to safely interact with online services (and vice
versa) even when end systems and the joining network are completely
compromised. If using a web kiosk or heavily infected system could be
made as safe for online account interaction as a heavily locked down
readonly system, it would go a long way towards addressing one of the
key problems facing Information Security researchers today.

2.2 When InfoSec Companies are Targeted

One of the perils of being an Information Security company is that
they become targets of the individuals and groups that produce
malware and engage in illegal online activity. Antivirus and
antimalware vendors have been targets of this sort of activity for a
long time, with a high percentage of current malware actively
preventing infected systems from connecting to antivirus, system,
antimalware and major software vendors - hoping to prevent the
detection and removal of the malware. Some malware variants have even
gone so far as to trigger a payload of what amounts to a distributed
Denial of Service attack (dDoS) against specific targets, with each
infected machine attempting to connect to specific company websites
at certain times.

Other attacks can be more obvious. In the space of 24 hours recently,
WhiteDust, InfoSec Sellout, and Sûnnet Beskerming were all victims of
various attacks from unrelated parties. WhiteDust and InfoSec Sellout
had compromises to their online presence, with attackers replacing
arbitrary content on the main Internet sites associated with each
entity, and Sûnnet Beskerming being targeted with a 'Joe Job' spam run.

The attack against WhiteDust originally resulted in the arbitrary
replacement of news articles and site content, suggesting that the
attacker had either gained administrator access to the site, or was
using a set of SQL injection opportunities to modify backend database
content. In the time since the attack was first identified, the
WhiteDust site has gone completely offline, leaving only the
following message:

14 August 2007 - 23:58 GMT

With the industry and those in it so seemingly hostile to Whitedust, and
pure apathy from anyone who thinks otherwise. Why bother. This site is
now closed permanently. It's staff have abandoned the scene and the
industry
for real world projects - for good, you won't be seeing us again. You
"Won".

Good luck out there. You'll need it.

-The Staff

At this time it is not known whether this is a message from the
attacker, or from WhiteDust staff (there has been no response from
WhiteDust at this time).

The InfoSec Sellout site was in the process of being reinstated after
accidental deletion when unknown parties appeared to take control of
the site and delete the content that had been replaced. As with
WhiteDust, this is not the limit of the disruption to normal site
operations, with the attacker taking the opportunity to fill the site
with spam content which is still in place at the time of writing this
article.

Sûnnet Beskerming, meanwhile, was victim to a major 'Joe Job' spam
run. A 'Joe Job' is when a spammer falsifies the 'Return' or 'From'
address in their spam emails. Not only does this act as a cover for
the true origin of the spam, but it also means that the innocent
victim receives heavy email traffic from bounced and rejected spam.
At its peak, Sûnnet Beskerming was receiving 50-100 messages per
minute, just from bounced replies.

It is worrying that although the industry understands the concepts
and limitations of a 'Joe Job' many systems will still trust in the
falsified data and still cause problems, years after it was known how
'Joe Job' attacks work. This is something that email protection
systems should be taking care of, by default.

2.3 German Security Professionals in the Mist

German Information Security professionals were hopeful after proposed
changes to the UK Computer Misuse Act Police and Justice Act
amendments were suspended due to the fact that if certain clauses
were enacted, it would effectively make the entire Information
Security industry in the UK criminals. This hope was important
because earlier this year the German Government had introduced
similar language into Section 202c StGB of the computer crime laws,
which would have made the mere possession of (creates, obtains or
provides access to, sells, yields, distributes or otherwise allows
access to) tools like John, Kismet, KisMAC, Nessus, nmap, and the
ability to Google effectively a crime.

Despite all efforts to peer through the mist about whether changes
would be made to the proposed law, as of today it became active
legislation. Penalties under the law include up to 12 months
imprisonment, a fine, and potential linkage to terrorism related
activities (at least as per sections 202a and 202b of the law).

Despite some observers fearing a 'Kristallnacht' in the near future,
and while it is likely there will be some abuses of the law (DMCA,
for example), the overall effect to Information Security work and
research in Germany is not likely to be all that great.

That doesn't mean that changes aren't already happening. A number of
security related products and groups have either closed up shop or
relocated to countries of convenience, such as the Netherlands.

KisMAC, an OS X wireless network discovery tool has ceased
development and will soon be reappearing in the Netherlands. This was
one of the first tools to suddenly cease production in a public manner.

Phenoelit have also closed their German presence, though it may be
possible to find their content available online in other locations.

Those who can read German can see the response from the CCC, who are
currently holding their Chaos Communications Camp 2007 near Berlin
(think of DefCon, in a field, with tents). The CCC have decided that
since the German Government took this move, that it means that there
are no more security problems facing computer users.

Stefan Esser, the noted PHP Security activist, has withdrawn all of
the exploit code that originally accompanied the Month of PHP Bugs
project. As Stefan points out:

"The law does not affect our freedom of speech to report and inform
about security vulnerabilities and how to exploit them.

We are just not allowed to create/distribute/use software that could
be used as "hacking tools". "

Like many other legislative attempts to address real or perceived
problems with computer-based activity, the law fails to account for
reality. Others have pointed out that it is only those already
engaged in illegal activity that are using 'hacking tools'. The
legitimate security industry is using 'diagnostics' and other useful
utilities. Already it seems that the law will have the unintended
consequence of making legitimate research just that much harder, only
deterring the legitimate researchers and the opportunistic attacker.
The serious criminal will just keep on going with their malicious
activity, probably a little bit bolder - safe in the knowledge that
the German Government has just made it a little bit more difficult
for them to be found.

2.4 Protecting Aussie Internet Users for $190 Million

Within the last 24 hours the Australian Commonwealth Government
announced that they would be spending $189 million Australian dollars
($162 million USD) on a range of packages and programs designed to
protect Australian Internet users against all that the Internet has
to offer, under the name Netalert. With increasing increasing
coverage by the Australian media, it is worthwhile to investigate
what the features of the proposed scheme actually are, and whether
they have any chances of working.

While the $189 million is not being immediately assigned to the
effort, and reflects a number of endeavours under the guise of
protecting Australians against Internet nasties, there are some
critical problems with the approach that the Government is taking.

Amongst the list of projects that have been earmarked for the money are:

* Internet blocking software for Australian families.
* Resources for efforts to track and identify online predators
on social networking sites and in chat rooms.
* Closing down terror sites, and
* Reducing the variety of pornography viewable by Australian
Internet users

Announced during a streaming video presentation to the largest
pentacostal evangelical church in Australia (Hillsong) - an
Assemblies of God megachurch, the Prime Minister, John Howard,
outlined several measures that would immediately appeal to the
conservative (ultra-conservative?) audience - provision of Internet
filters and efforts to block pornography at upstream providers by
working with ISPs. More than 700 other Christian assemblies were
linked into the address which meant that more than 100,000
Australians watching the presentations. The leader of the Opposition,
Kevin Rudd, also joined in on providing a presentation to the
assembled masses. This inclusion suggests that if the party in
government changes at the next Federal election (later this year),
then the Plan will stay in place (Labor have actually been ridiculed
in the past for their ideas about what it means to protect Australian
Internet users).

Probably the most effective way that the money is going to be spent
will be to improve funding for various online investigative measures
being carried out by The Australian Federal Police such as efforts to
detect and investigate online predators. This may not be all that
effective, though, with the AFP not being well-known for its ability
to keep up with, adequately identify, and understand Internet based
threats.

Despite the difficulty of correctly being able to identify online
predators, something that the social networking companies and other
interest groups are already struggling with (do you share a name or a
birth date with a known predator? If you do, don't go online...),
money will still be poured after it.

Several million dollars to knock the stupid predators offline might
be considered a good investment for some.

One of the ironic measures being proposed is a bucket of money to
establish a working group to find ways around the privacy laws and
measures that are effectively protecting predators, presumably to
make arrest and prosecution easier. If the laws and measures that
protect predators are so effective, what is the $189 million needed
for, again? Why don't those measures work for those we are supposed
to protect?

Even though there are known problems with blacklists, money will go
towards expanding such a blacklist of nasty sites that Australians
aren't supposed to see. If it were the United States, it would be
considered part of the argument about net neutrality and what it
means to be designated a 'Common Carrier', though there are probably
a number of Australian ISP customers secretly pleased that they might
get to sue their ISP for allowing them to view nasty content (the
Government was supposed to stop it, right?).

The effectiveness and speed with which malicious content can be
placed on 'trusted' sites through blended attacks makes all of these
efforts almost worthless. Any impartial observer who noted the big
trends at recent Information Security conferences would have been
able to identify this pattern in an instance.

A hotline to help families install the Internet filtering software
being provided will presumably join the National Security Hotline as
a widely derided black hole of funds, with limited usefulness (if VCR
clocks are taken as a precedence, then the helpline is probably going
to be staffed with the very children that the filters are meant to
stop looking at nasty material).

While voices against the measures have largely focussed on the choice
of audience (Christian conservative), it should not be forgotten that
there will be criticism from those in the technical community who
understand the sorts of threats and problems that are trying to be
faced by the measures.

With fairly strong support for the measures from those who watched
the presentations, ranging from those who are supportive of measures
to help them limit what they and their children can see online to
those supportive of the additional resources to hunt down online
predators.

Countering this is the argument that parents should not expect the
State to do their parenting for them if they are unwilling to. No one
is arguing against extra resources to track, identify, and prosecute
predators - so long as law enforcement get it right. The amount of
money being thrown at the problem has raised some objections, though.

Others have pointed out the abject failure of filtering software to
deal with health resources like breast cancer awareness and support
groups, breast feeding information, and the heavy handed treatment of
sites that push information and opinions that the filtering companies
object to (consider how various Left and Right blogs / news sources
are treated by different filtering programs). Others have pointed to
the inability of filters to keep up with the ability of those with
malicious intent to change the location and presentation of their
'objectionable material'.

At the end of the day, any teenager or young child that is adept
enough to intentionally seek out the content that this scheme is
designed to suppress will have the ability to sidestep the protection
mechanisms implemented by the program.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #247 - Yahoo! Widgets, Safari, iPhone, Multiple News

2007-08-06T15:27:40Z

Sûnnet Beskerming Alert List Advisory #246

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Yahoo! Widgets
- Remote Hacker Automatic Control
- Time Since Discovery - 7 Days
1.2 Safari
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
1.3 iPhone
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Being Prepared is for More Than Just the Scouts
2.2 How has the iPhone Update Affected Research into the Device?
2.3 Worm Threat Forces Apple to Disable Software?
2.4 Beneficial Worm or Digital Menace?
2.5 Firewall Vendor Steps up After BlackICE Discontinued
=====================================

1. SECURITY

1.1 Yahoo! Widgets - Remote hacker automatic control

-- Products Affected --
Yahoo! Widgets 4.0.3 and prior.

-- Technical Description --
Boundary error in the YDPCTL.dll ActiveX control leading to stack
buffer overflow and execution of arbitrary code.

-- Description --
The ActiveX control used by Yahoo! Widgets has been found to be
vulnerable to a memory error that can allow a remote attacker to take
control over a vulnerable system. As this vulnerability affects the
ActiveX control used by the Yahoo! Widgets / Konfabulator engine,
only the Windows version is affected.

-- Recommended Action --
Update to version 4.0.5 of the Yahoo! Widget / Konfabulator engine
to avoid exploitation of this issue. Advanced users can disable the
following CLSID for interim protection - 7EC7B6C5-25BD-4586-A641-
D2ACBB6629DD

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 7 7 (Very High)
Corporate 7 7 (Very High)

1.2 Safari - Remote hacker automatic control

-- Products Affected --
Safari 3.0

-- Technical Description --
Numerous vulnerabilities addressed, including: Safari - Adding
bookmarks may lead to denial of service or arbitrary code execution
due to stack buffer overflow when long site titles are added to the
bookmark list. WebKit - It is possible to operate Java applets even
when Java is disabled. Another issue has also been addressed, where
poor IDN support allows for obfuscation of URLs. Poor support for
PCRE elements may also lead to arbitrary code execution.

-- Description --
Last week Apple released version 3.0.3 of the Safari 3 Beta Internet
browser, addressing a set of vulnerabilities that include issues that
can allow a remote attacker to take control over a vulnerable system,
prevent access to legitimate use of the application, or obfuscate
website addresses.

-- Recommended Action --
Update to version 3.0.3 via the Software Update application (OS X),
or via the download link below.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

1.3 iPhone - Remote hacker automatic control

-- Products Affected --
iPhone 1.0

-- Technical Description --
Numerous vulnerabilities addressed, including: Safari - XSS
vulnerability due to race condition in JavaScript implementation.
Another issue, this time heap overflows in PCRE support can lead to
arbitrary code execution. WebCore - HTTP injection in XMLHttpRequest
allowing XSS. WebKit - Poor IDN support allows for URL obfuscation.
An additional issue, this time affecting the handling of framesets
may lead to arbitrary code execution.

-- Description --
Last week Apple released Update 1.0.1 for the iPhone, addressing a
number of serious vulnerabilities. Vulnerabilities addressed include
issues that would allow for remote control over the iPhone by
convincing a victim to view a malicious web page in the iPhone Safari
browser and possible temporary loss of phone functionality. Due to
the integration with iTunes, the only way that this update is
available is to connect the phone to iTunes and allow its update
process to run.

-- Recommended Action --
Update to iPhone 1.0.1 via the iTunes updater.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Being Prepared is for More Than Just the Scouts

The need for a strong disaster recovery plan is one of the topics
that has received previous coverage from Sûnnet Beskerming and it
should be an essential component of any business plan. A recent power
outage in San Francisco provides an excellent example of this need,
when some of the largest sites on the Internet went dark after the co-
lo facility where they were hosted was affected by the outage.

When the San Francisco co-location (co-lo) facility for 365 Main was
affected by a San Francisco power outage, sites such as Craigslist,
Typepad, Yelp, LiveJournal, Linden Lab, Sun, and Technorati were
amongst those that temporarily disappeared from the Internet. Initial
reports suggested that someone had physically damaged numerous racks,
though this was later corrected to indicate the power outage as the
root cause for the shutdown.

Embarrassingly for one company, Redenvelope, they were celebrating
two years of 100% uptime with their hosting at 365 Main - sending out
their press release on the same day that the power went out. Users of
the online Second Life environment also found some increased
instability with their online world.

Despite having backup generators and power failover management
systems in place, 365 Main found that they apparently did not
function as advertised. Rather than using traditional battery bank-
style Uninterruptible Power Supplies (UPSs), 365 Main used a
mechanical flywheel-based stored energy system to provide coverage
between when the mains cuts out and when the generators pick up the
slack. Flywheels can only provide power for a short period and are a
viable solution for avoiding the need to cycle power for the few
seconds it takes power management systems to realise there is a
problem and start the generators.

This particular short power gap is more important to dynamic sites
than static sites, where an unexpected short power outage / server
reboot can lead to a lengthy site downtime as databases, hard drives,
and supporting systems fail to recover gracefully.

While geographically remote redundancy is not always something that
can be achieved, it is something that is possible and becoming more
cost effective with the large number of hosting providers spread
across the globe. A load balanced website with multiple failover
locations that are based on separate power grids, in separate
countries, and even on separate host Operating Systems is well within
the reach of most businesses that are paying for external hosting for
their websites and other web services.

If malware authors and spammers are busy using 'Fast Flux Networks'
to remain an elusive target, then the average site owner can apply
the same techniques and capabilities to obtain seamless continuity of
operations when the unthinkable happens.

This might be a fairly simple solution for sites that are relatively
static in content terms (i.e. serving static HTML or simply generated
PHP / ASP / Perl), but achieving the same with dynamic "Web 2.0"
sites isn't that much more difficult. Databases that are primarily
read only can be replicated relatively simply, while databases that
are heavily written to require a little bit more effort with
replication and co-ordination. It certainly isn't out of the realm of
possibility to have proper replication no matter what type of website
is being operated.

To make the best of the available opportunities means that you have
to be aware that they exist in the first place, and that you are
paying the right people to develop and implement the right systems
for your site / business.

If you or your business aren't sure how you would cope with the
sudden loss of availability for a critical business component,
perhaps it is time to look at the various options available. Even if
you are, perhaps it is time that you tested those processes.

2.2 How has the iPhone Update Affected Research into the Device?

Apple's recent update for the iPhone has had some implications for
those who are seeking to dig around inside the system. As reported by
the team responsible for the most progress to date (#iphone @
irc.osx86.hu), the iPhone update does have an effect on what has been
achieved to this point. It is known that the update will perform a
system wipe on modified phones since they fail an integrity check,
and that system downgrades (to 1.0) produce some mixed results (even
if successful, the phone reports as 1.0.1).

After the update has been applied, the researchers have identified
that the previously known activation bypass methods (created by DVD
Jon and others) will still work. Other code that was created for
version 1.0 still works, such as Jailbreak 1.0, and newer versions of
the iPhoneInterface (0.3.3 and later).

Restore images and full diff files have also been created to assist
those who are looking to poke around inside the system.

More third party software has also been compiled and shown to work on
the iPhone, with Ruby now available (version 1.8.6) from here. An
interesting tool, named Webshell, has also been released which allows
command line access to the iPhone through the Safari browser.

Work on one of the remaining stumbling blocks, unlocking the
Provider's Network lock, is progressing steadily. Several different
approaches are under consideration at the moment, with the goal of
eventually being able to unlock from within the system or get write
access to the baseband memory. Gaining write access to this memory
will have some interesting results, as it is basically a dedicated
sub-system that is part of a multimedia engine called S-Gold2
(created by Infineon) and is used in other phones - sometimes as the
primary chip as is the case with at least one Siemens phone (though
using a different firmware).

With the chip responsible for providing this support to the iPhone
running a dedicated RTOS (Real Time Operating System) called Nucleus,
the researchers have had to reverse engineer this system to
understand the various options for opening up the baseband components.

At this point in time, the researchers have reverse engineered most
of the low level functions and they plan to release full
documentation on their results once they have unlocked it. This will
help future researchers / hackers / interested third parties when
encountering S-Gold2 devices in the future.

The release of a generic iPhone exploit at Black Hat is still
expected for this Friday afternoon, but it is not certain at this
stage whether the core vulnerability that is used to achieve the
exploit has been addressed by the iPhone update.

2.3 Worm Threat Forces Apple to Disable Software?

When an online identity (group of identities) known as InfoSec
Sellout made grand claims of a proof of concept worm, dubbed
Rape.osx, that targets OS X, it led to a lot of heated argument and
drama - including anonymous death threats and an accidental deletion
of their blog. While there has still been no external proof of their
claims, or appearance of the worm outside of their testing
environment, the information that accompanied the original claims
pointed to a vulnerability in mDNSResponder as being the underlying
vulnerability exploited by Rape.osx.

Even though Apple had addressed various vulnerabilities within
mDNSResponder in different Security Updates, the claims being made
were that Apple had failed to adequately address a set of
vulnerabilities - only patching specific attack vectors rather than
the underlying problem.

Although InfoSec Sellout has effectively disappeared from the
Internet (their blog has been suspended by Google), it appears that
the drama and initial disclosure may have forced Apple to disable an
OS X system component with their most recent Security Update
(Security Update 2007-007). Contained within Apple's knowledgebase
article accompanying the release, is information about changes to
mDNSResponder behaviour following the application of the Update.

Seeming to closely follow the information disclosed by InfoSec
Sellout, Apple's mDNSResponder update addresses a vulnerability that
can be exploited by an attacker on the local network to gain a denial
of service or arbitrary code execution condition. Apple go on to
identify that the vulnerability that they are addressing exists
within the support for UPnP IGD (Universal Plug 'n Play Internet
Gateway Device - used in port mapping on NAT gateways) and that an
attacker can exploit the vulnerability through simply sending a
crafted network packet across the network. With the crafted network
packet triggering a buffer overflow, it passes control of the
vulnerable system to the attacker.

Rather than patching the vulnerability and retaining the capability,
Apple have completely disabled support for UPnP IGD (though there is
no information about whether it is only a temporary disablement until
vulnerabilities can be addressed).

There has already been some chatter on various mailing lists about
this seemingly-odd move by Apple, with the responses primarily
indicating that observers have found this particular method of
addressing a vulnerability to be humorous.

It is interesting to note that Apple have not attributed any external
party for the identification and reporting of the vulnerability, and
the relevant CVE entry (CVE-ID: CVE-2007-3744) shows only that it is
a reserved entry - with no information about who might have
registered the CVE ID and no information about what the entry relates
to. If the information reported by MITRE is accurate, then it points
to the CVE entry being created prior to the public disclosure of the
existence of Rape.osx (12 July versus 16 July). This may be
coincidental, but it might provide some insight about the spread of
information about the vulnerability if the party responsible for
creating the ID is disclosed.

2.4 Beneficial Worm or Digital Menace?

Via the team at GNUCitizen comes news of a newly discovered AJAX-
based worm that targets Wordpress blogs. An independent researcher,
beNi, discovered several vulnerabilities that affect the current
version of the Wordpress blogging platform.

Ranging from Cross Site Scripting (XSS), including persistent XSS,
through to SQL injection and database errors. If combined, the
threats would allow a malicious attacker to take over vulnerable
blogs. Having been publicly disclosed, these are '0-day'
vulnerabilities, with no current patching available.

Well, almost.

It seems that not only has beNi found the vulnerabilities, but he has
written an AJAX-based worm to patch the issues. Although the initial
response from some has been shock that the worm goes ahead and
installs the patches silently, it has been pointed out that nothing
is done without the administrator's permission - the worm automates
the process of patching and updating once the admin allows it to.

While it isn't the first beneficial (or attempted beneficial) worm in
existence, it is one of the more interesting ones, appearing before
any attack code that targets the vulnerabilities being patched. With
the worm requiring semi-manual activation, there is little chance
that it is going to rapidly spread and is most likely going to remain
a useful tool for administrators seeking to update and protect their
installations. The only risk is that with the code freely available
it could be modified for malicious purposes to target unpatched blogs.

2.5 Firewall Vendor Steps up After BlackICE Discontinued

After security vendor ISS was purchased by IBM, many thought that
their popular software firewall BlackICE would continue as a leading
product, especially with the resources of IBM to help sustain
development and support of the software.

That situation has now changed, with IBM Internet Security Systems
announcing that BlackICE PC / Server Protection has now reached End
of Sale (EOS), with the End of Life (EOL) for the products to come on
September 29, 2008. What this means is that as of September 17, 2007,
consumers are no longer able to purchase new copies of the above
BlackICE products, and that existing customers will no longer be able
to access support for their installed versions after the 29th of
September next year.

With the cancellation of these products coming as somewhat of a
surprise, at least one firewall vendor has already made a move to
provide services to the BlackICE userbase.

Florida-based antimalware vendor, SunBelt Software has created an
online program at http://www.saveblackice.com/ where current BlackICE
users can obtain a free copy of the Sunbelt Personal Firewall product
(formerly the Kerio Personal Firewall), along with complimentary
support and updates for 12 months.

Although no end-date has been identified for this offer, SunBelt have
identified that it is only available for a limited time.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #246 - Special Notice

2007-08-06T08:33:05Z

Advisory #245 - Microsoft (Multiple), Firefox, GIMP, QuickTime, Multiple News

2007-07-13T02:15:40Z

Sûnnet Beskerming Alert List Advisory #245

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.2 Firefox
- Remote Hacker Automatic Control
- Time Since Discovery - 7+ Days
1.3 GIMP
- Local Hacker Automatic Control
- Time Since Discovery - 7+ Days
1.4 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Keeping Information Timely
2.2 Focussing on SAP
2.3 Big Media Consolidation
2.4 Antivirus Vendors Head to Court
2.5 A Matter of Numbers
2.6 It's Official, the iPhone has been Hacked
2.7 Microsoft July Security Patch Release
2.8 A Present for our Readers
2.9 Aussies face the threat of Robo-Pacinos
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Visio 2002, 2003
Outlook Express
Windows Mail

-- Technical Description --
MS07-036 - Office. Multiple arbitrary remote code execution. Critical
MS07-037 - Publisher. Arbitrary remote code execution. Important
MS07-038 - Vista. Information disclosure. Moderate
MS07-039 - Active Directory (LDAP). Remote code execution. Critical
MS07-040 - .NET Framework. Multiple arbitrary remote code
execution. Critical
MS07-041 - IIS. Arbitrary remote code execution. Important

-- Description --
Microsoft delivered six patches as part of the July Security Update
release. Three of the patches have been rated as critical, two as
Important, and the remaining patch as Moderate. Exploit code has
already begun to circulate for a number of the vulnerabilities. A
number of users are reporting issues with the installation and use of
MS07-040.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 Firefox - Remote hacker automatic control

-- Products Affected --
Firefox 2.0.0.4 and prior.

-- Technical Description --
Firefox on Windows fails to properly parse command line parameters
that are passed, allowing third party applications to run arbitrary
code within the context of the trusted Chrome setting. Specifically,
it is the registration of the 'FirefoxURL' handler which allows for
commands to be passed to Firefox. A separate issue exists with
Firefox's handling of wyciwyg: URIs. It is possible for a local user
(or website) to bypass the protections preventing access to these
cache related URIs, thus allowing access to potentially sensitive
content.

-- Description --
A demonstration of a vulnerability which allows attackers to pass
arbitrary content to Firefox for execution in the 'Chrome' context
has been released, using a link from within Internet Explorer to
execute the attack. Another vulnerability has also been identified
which allows for access to potentially sensitive cache content (on
all systems). Based on the available source code, it is possible for
attackers to embed links in their websites such that when they are
visited with Internet Explorer, arbitrary code can be run against
Firefox on Windows.

-- Recommended Action --
It is possible to deregister the 'FirefoxURL' handler in the
Registry (caution is urged when manipulating the Registry), by
modifying the setting of the 'HKEY_CLASSES_ROOT\FirefoxURL' entry.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 8 8 (Very High)
Corporate 8 8 (Very High)

1.3 GIMP - Local hacker automatic control

-- Products Affected --
GIMP 2.2.15 and prior.

-- Technical Description --
Arbitrary code execution due to integer overflow vulnerabilities in
GIMP when handling DICOM, PNM, PSD, PSP, Sun RAS, XBm, and XWD file
formats. The vulnerability in the Sun RAS format handling has been
known since April, but the other formats are new disclosures.

-- Description --
iDefense have released an advisory that expands on a previously
known issue (Sunnet Alert Advisory #227 - April 07) affecting GIMP
and the handling of various image types through external plugins.
Previously, it was known that the SunRAS format was vulnerable, but
numerous other formats are now known to be vulnerable. Successful
exploitation requires the victim to open a malicious image file in GIMP.

-- Recommended Action --
Update to GIMP version 2.2.16 at the earliest opportunity.
Alternatively, move unused (and affected) image handling plugins out
of the gimp/2.0/plug-ins directory.

-- Source --
http://labs.idefense.com/intelligence/vulnerabilities/

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 6 6 (High)
Corporate 6 6 (High)

1.4 QuickTime - Remote hacker automatic control

-- Products Affected --
QuickTime 7.1.6 and prior.

-- Technical Description --
Memory corruption when handling H.264, .m4v, SMIL or arbitrary movie
file content can lead to arbitrary code execution. This update also
provides enhanced protection for the QuickTime for Java issue that
was patched earlier this year. Further issues affecting QuickTime for
Java have also been addressed, including removing support for JDirect.

-- Description --
Apple Inc have released version 7.2 of the QuickTime media codec and
associated player application. This release addresses a number of
serious vulnerabilities that can allow a remote attacker to take over
a vulnerable system if the victim can be convinced to interact with a
malicious media file. In addition to fixing security issues,
QuickTime 7.2 provides enhanced capabilities to QuickTime.

-- Recommended Action --
Update to QuickTime 7.2 at the earliest opportunity, either through
the download link below, or through Software Update.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Keeping Information Timely

One of the pressing problems that has plagued information sources
since before the Internet is ensuring the timely dissemination of
information, before it becomes stale or out of date. With Information
Security news and related online sources, arriving at a news source
late could have significant cost to business operations or system
stability due to attackers capitalising on threat information that
you aren't aware of.

A Sûnnet Beskerming article on strange Internet traffic patterns that
had been observed drew a lot of traffic and exposure from a number of
sources. Besides being an excellent demonstration of how information
propagates across the Internet, it showed first hand that some
communities could be accessing information for the first time over a
week after it first appears, when its viable lifespan was measured in
hours, not days. Had the information been related to a rapidly
emerging threat, there were a number of communities that would have
discovered that information too late. Even with wider dissemination
of the article, it would have required a concerted concurrent effort
to publish and report the article within a timeframe so that the raw
underlying data would still be relevant.

From a similar point of view, using information that is out of date
can also introduce significant risks to operations and protection of
critical systems and data stores. Information Security seems to be a
field where accepted knowledge and best practices are overturned on a
regular basis due to improved understanding of available threats, the
evolution of new threats, or the development of more robust
methodologies for protection and management.

Just in the last decade and a half in the Information Security field,
the commonly accepted dogma that email and image files are not virus
propagation vectors has been overturned. For many in the Information
Security field it was the seminal paper by Aleph One, 'Smashing the
Stack for Fun and Profit', which really began to show them the risks
associated with vulnerabilities that had otherwise been thought
benign, and the paper was only released in the year 2000.

Users have been connected to the Internet since it was the DARPANet,
but the risks of online activity are still somewhat less understood
when compared to risks associated with compromised desktop
applications. While the risks of visiting untrusted websites are
becoming better known, the true risk of online activity and web
browsing is still being ascertained. Leading research in web
application vulnerabilities and threats is still only scratching the
surface of the issues tied to this platform.

The concept of AJAX worms, JavaScript LAN enumeration and testing,
and non-JavaScript enumeration and testing are areas that are pushing
the field of Web application security forward at a time when most
users are struggling to understand the importance of a secure
transaction (or even what to look for and how to recognise one).

With many of the leading voices in web application security still
only in their early to mid twenties (and with some high school
seniors mixed in), it is a young field that is doing its best to
establish what can and can not be done with web applications.
Information being generated by these researchers is busy turning over
accepted dogma that itself may only be a couple of years old. Reading
the wrong technical book, or not keeping up with the latest
developments could place developers, site maintainers, and security
representatives at a distinct disadvantage when creating and
maintaining online services.

Even though buffer overflows and their associated risks are
relatively well known and understood, the fact that they still crop
up in modern systems (such as Windows Vista) means that even with
security-aware development, there are still risks and vulnerabilities
that can enter complex systems (that may be so complex that they can
not completely be understood or modelled accurately). Keeping current
with information that has not expired or otherwise become out of date
is one of the best ways to help prevent the ongoing inclusion of
known risks in development and maintenance of new services and
applications.

2.2 Focussing on SAP

NGS Software, better known for their focus on Oracle products, have
released information about a brace of SAP product vulnerabilities
that range from low to critical risk for users of the products, who
have not updated their products.

With a heavy web-based interface component for SAP, and also for many
other ERP / CRM / HRM / Enterprise systems, they represent one of the
most prominent targets for web vulnerabilities (which most of the
disclosed issues are). There are plenty of examples of poorly secured
corporate networks where these applications can be interacted with
from the general Internet (finding the appropriate Google Dorks is an
exercise for the reader), so SAP administrators should expect some
increased probing of their systems, given that sample exploitation
code was provided with the vulnerability disclosure reports.

SAP have provided patches for these issues in updates from January to
May (product dependent), so administrators and caretakers of SAP
systems should update as a matter of urgency, if they haven't already
applied the patches.

2.3 Big Media Consolidation

Rumours are flying thick and fast about the push by Rupert Murdoch's
News Corporation to take over the Dow Jones media group (owners of
the Wall Street Journal and other media assets).

News of the proposed purchase rocked much of the media world when the
bid for $60 per share was made in April, though it was welcomed by
many outside observers. While the purchase of the financial news
powerhouse might seem out of the ordinary for the owners of the Sky
network and Fox, a number of outside observers believe that it might
be the push that the Wall Street Journal and other Dow Jones assets
need to improve their awareness and relevance in new markets. It
could be argued, though, that the Wall Street Journal and Dow Jones
already carry sufficient brand recognition not to require assistance
from News Corporation.

Even if the deal has not yet been settled, most sources agree that
the deal is only a matter of days away from being settled, for a
purchase price in the range of $5 billion USD.

It appears that the removal of bids from the owners of the Financial
Times and GE led to News Corporation's bid (with a 67% premium) being
the last one standing.

2.4 Antivirus Vendors Head to Court

A growing dispute between Kaspersky Lab and Rising Tech in China is
now headed to court after Kaspersky sued Rising Tech for
anticompetitive business practices.

The growing dispute, tracked by the Chinese Internet Security
Response Team, started when an update issued by Kaspersky for their
antivirus products misidentified some of the files associated with
the Rising Tech antivirus products as being malicious. This
misidentification led to the Rising Tech products being unable to be
updated. It is unlikely that the problem was very widespread, as it
would have required affected users to be running both Kaspersky and
Rising Tech software and updating them whenever a new definitions
file was released. Even so, it was still a problem that needed rapid
rectification.

Kaspersky, based in Russia, and Rising Tech, a Chinese Antivirus
vendor, kept up the slanging match, with Rising Tech accusing
Kaspersky of misidentifying files at least 22 times within a six
month period, accusing Kaspersky of "show[ing] despise for Chinese
users". Rising Tech announced on the 30th of May that they were
planning to sue the Beijing office of Kaspersky for unfair
competitive practices (though it isn't known whether this suit was
brought to court).

Misidentification of critical system files and competitor files is an
unfortunately all-too common problem that many antivirus and
antimalware vendors have encountered in the past, with several
significant incidents taking place in China over recent months. The
outcome from the case could have widespread ramifications for
antivirus vendors and the misidentification of system and competitor
files, so the outcome from the Tianjin No.1 Intermediate People's
Court is likely to be watched with interest.

2.5 A Matter of Numbers

Over the last couple of weeks traffic to Sûnnet Beskerming has
skyrocketed, largely as the result of introducing our new online
delivery formats for security news and commentary. Since the start of
July, Sûnnet Beskerming content has appeared on many websites,
attracting many thousands of new and eager readers.

Since introducing the new format for content delivery at the end of
June, Sûnnet Beskerming has gone from success to success with
attracting new readership and distribution methods. From time to time
readers will note our content appearing on The Register, Planet-
Websecurity.org, and a number of other sites. Just in the last week,
we have seen our content appear on the following sites:

* The Register
* RootSecure
* InfoSec News
* Planet-Websecurity.org
* Security Bloggers Network
* WhiteDust
* Reddit
* Digg
* Security News Portal
* Slashdot

A question that is often asked is - what is the effect of a
Slashdotting? Although little traffic was observed in the period
following the appearance of our article on Slashdot (due to it being
the weekend), come Monday morning traffic spiked at 160 kilobits per
second of data transfer, before tailing off to a sustained 40
kilobits per second of data transfer several hours later. In
comparison, Reddit peaked at just under 100 kilobits per second of
sustained data transfer, with a much quicker tail off period.

Based on the traffic from last week, Sûnnet Beskerming expects to
attract 60,000 hits per month, based on normal traffic, and triple
that in referred traffic from online distribution (based on one
Reddit and one Slashdot front page article per month). Another 40,000
hits per month are estimated from readership of the primary Sûnnet
Beskerming RSS feed, based on the last few weeks of traffic.

How is it kept running? With a mix of XHTML, PHP, and CSS,
beskerming.com was built by hand completely in house. Always
conscious of the need to deliver content in the most efficient manner
(after all, not everyone has broadband), we have looked at different
ways to bring the same content to the end user without creating a
bandwidth-hungry page. As a result, most of our pages weigh in at
around 100 KB, with the significant proportion of content being
informational text. Our hosting provider also provides us with
sufficient hosting capacity to endure a slashdotting without
straining the underlying hardware and network connections.

Thank you to our readers for helping make our commentary and articles
a success, we trust that you will stay with us into the future to
keep up to date on important Information Security news and events.

2.6 It's Official, the iPhone has been Hacked

Less than two weeks from the release of the iPhone, the researchers
(#iphone @ irc.osx86.hu) who have been rapidly progressing towards
controlling the iPhone have finally succeeded. Even though their most
promising approach, via the bootloader, was cut short when it was
discovered that they could not load arbitrary code into the
bootloader without Apple's 1024-bit private RSA key, they have now
claimed success through their filesystem investigation methods.

Despite not having developed a complete toolchain, as they were
expecting to have done prior to controlling the iPhone, they have
claimed complete control over the device, providing a slightly blurry
screenshot as evidence of their achievements.

According to the detailed instructions that they have posted online,
it will soon be possible (once they commit the code to the SVN) for
anybody with an iPhone and the intent, to be able to take full
control over their device. The detailed instructions do require two
reboots along the way to taking control over the device (a third
reboot then gives complete control), with both reboots into the
device's Recovery mode. As part of this process, the researchers have
been able to escape the chroot jail that was blocking most of their
forward progress.

After so much effort has been expended into researching ways to take
control over the device, it appears that it comes down to a simple
permissions change on 'fstab', and a simple addition to the
'Services.plist' file. Of course, simple is relative, prospective
hackers and researchers still need the as-yet unreleased
'iPhoneInterface' version.

While the researchers involved do not wish for direct links to their
development wiki, it is simple enough to find for those who search
for it.

Now that this milestone has been released, it will be interesting to
wait and see what sort of homebrew community develops around being
able to have system-wide access to the iPhone, to see what Apple's
response to this breakthrough will be, and to see what sort of
influence this event has (remember, the number of iPhones in
circulation isn't much more than a million).

2.7 Microsoft July Security Patch Release

Microsoft have released six patches with the July 2007 Security Patch
Release. As per the pre-release information that was provided last
week, Microsoft released three Critical patches, two Important
patches, and one Moderate patch.

Although there are no known exploits for most of the issues (there
are some minor exploits known for the IIS patch), it is expected that
exploit data and detailed vulnerability code will be released over
coming days by the researchers responsible for the discovery. It
remains to be seen whether the suspected .NET 0-day will receive
widespread release in coming days.

There were minor concerns of a new threat to Windows users after a
release was made to a number of security mailing lists claiming to
have a new 0-day targeting Internet Explorer, though this was later
found to be closely related to known historical problems with the
handling of different protocols by Internet Explorer (which lead to
arbitrary code execution).

As with all other monthly patch releases, Sûnnet Beskerming provides
detailed patch summaries and briefs for all users.

2.8 A Present for our Readers

Here at Sûnnet Beskerming we like any excuse for a celebration, and
what better way to celebrate than to give out presents (yes, we know
you should be giving us the presents, but we're feeling happy and
generous).

For the month of July, all site visitors, RSS readers, or anybody who
decides to look in on our site can obtain our July 2007 Security
Patch Briefing Pack, completely free. All you need to do is to click
on the link to be taken to our online store, then select the 'try'
button (or go to our site, select the Products & Services tab, then
Security Patch Briefing, before selecting one of the 'Per Report'
options. You will then be able to download a .zip containing our
briefing pack for this month's Security Patch Release from Microsoft.
The link points to the SME version of our briefing pack, but it is
the same download for the other service levels. Depending on your
service level, this pack is worth between $5 and $5,000.

What is the reason for this celebration? We've been keeping a close
eye on our web server logs after our recent high traffic periods and
noticed something very interesting over the last couple of days. Not
only were we receiving traffic from more and more interesting and
diverse sources (we're glad to make a difference for them all - even
if some are profiting from our free resources), but some search
engine referrers were implying some interesting results. At the time
of writing, the following Google searches have us extremely high up
in the listings:

"platform draws" - We don't quite understand why someone would be
searching for this particular search, but we come out on top.

"July 2007 Microsoft Patch" - We are the first non-Microsoft result
on what is probably a very popular search term at the moment.

"ARP Poisoning WPA2" - While it is one of our older articles that
turns up first, we are extremely pleased to show up first for this
query.

It is likely that we are scoring highly on a range of other searches,
it is just that these were three of the most recent search engine
referrers to turn up in our logs, and three that we return extremely
relevant and useful results for. If this is how you have found our
content, please enjoy your visit.

2.9 Aussies face the threat of Robo-Pacinos

If reporting from The Age newspaper is to be believed, the Australian
Federal Police (AFP) Commissioner, Mick Keelty, briefed a
Parliamentary Inquiry into the future impact of organised crime that
Australians would be facing the threat of part-robot humans involved
in organised crime in the future.

Without access to the transcripts from the Inquiry, it is difficult
to determine exactly what the Commissioner exactly did say. Taken on
face value, the report has begun receiving attention from security-
focussed sites and blogs, not a lot of it favourable to the
Commissioner's position.

So, what is it that the Commissioner might have said? If the Inquiry
that is mentioned is the Inquiry into the future impact of serious
and organised crime on Australian society, then there is no record of
the transcript available for the session held on July 5, but there is
a record of him having provided a brief to the Inquiry.

Looking at the submission that the AFP made to the above Inquiry,
there are elements which suggest that the Commissioner may have used
it as a springboard for his comments to the Inquiry. Further research
also turns up the transcript of the Commissioner's speech delivered
to the Pearls in Policing Conference, delivered on June 11.

Combining these two sources, the seemingly outrageous claims made in
the article in The Age seem to have a valid background in previous
material published by the AFP.

It is accepted that organised crime groups are making efficient and
effective use of technological advances to enhance their own
activities. The recent spate of Mpack website infections can be
linked back to suspected East European organised crime groups that
have previously been active in other online criminal activity, and it
is well known that many other organised crime groups maintain an
active online activity base.

Whether or not viable cloning and robotic integration will take place
within 20-30 years is more speculation than informed policing. There
are enough dissenting voices out there that almost any position can
be taken on where human cloning and robotic integration will end up,
and it will appear to be a valid claim.

Unfortunately, the Commissioner seems to come across as someone whose
advisors have read too many press releases and dubious whitepapers
and not watched enough 'Ghost in the Shell' to recognise where their
ideas have been previously cleanly laid out and elaborated in an
easily digestible format (especially the concept of a digital copy of
an individual's brain - wrongly attributed to Second Life). If we see
the AFP renamed to Section 9, then we will know where they have been
looking for inspiration.

Citing the presence of scams affecting online environments such as
Second Life (it helps if the correct names and terminology are used
for elements of the environment), the Commissioner suggests that some
of these activities could be illegal, but difficult to track, monitor
and enforce. The answer to this is surprisingly simple, even more so
than the efforts being put into trapping criminals who are active
through other online communication channels. Second Life, World of
Warcraft, EvE Online, and every other form of online community and
virtual world can all be boiled down to the following simple facts:

* Individuals implement a persona when they become part of an
online community
* Individuals may use this persona to engage in actual,
attempted, or simulated criminal acts. Intent now becomes an
important factor.
* It can be tracked. Information will be present on the victim's
system, the perpetrator's system, and more than likely the servers
providing the service. If those servers are in countries where laws
and their application are different, then other existing laws can
come into effect. There is precedent for applying national or state
law to online services that are provided within relevant political
boundaries, but it is fraught with loopholes and simple bypass
mechanisms - something that law enforcement needs to be aware of,
especially given that there will always exist ways around the online
enforcement of legislation.

On the positive side, the Commissioner did acknowledge that the AFP
is really in the position of playing catch up in a number of these
technical fields. He acknowledged that the AFP does not currently
maintain the technical expertise to fully understand the legal and
policing ramifications of different technological activity, and will
need to enhance their interaction with industry in order to
strengthen their future position.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #244 - iPhone, Java, Asterisk, Multiple News

2007-07-05T09:42:08Z

Sûnnet Beskerming Alert List Advisory #244

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 iPhone
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.2 Java
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Week
1.3 Asterisk
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Vista Security Claims Not All They Appear
2.2 A BlackHat Showdown
2.3 Time to Blacklist Blacklists
2.4 A Glitch in the Matrix, or a Hungry Exploit?
2.5 Hunting Safari
2.6 Acknowledging the Importance of Web Security
2.7 Investigating the iPhone
2.8 Why Hack When You Can Buy Your Way to Identity Theft
2.9 A Lesson in Why Regulating Online Activity is Difficult
=====================================

1. SECURITY

1.1 iPhone - Remote hacker automatic control

-- Products Affected --
iPhone

-- Technical Description --
errata security are claiming the discovery of a vulnerability that
affects the Safari browser on the iPhone. At this stage details about
the level of access that the vulnerability grants have not been
disclosed, but it is considered to be at least an application crash,
and potentially arbitrary control. Although the exact vulnerability
has not been disclosed, knowledge that there are remote code
execution vulnerabilities in existence for the desktop Safari browser
makes it a reasonable assumption that similar issues will be
affecting the iPhone Safari (given that the disclosed issue is
similar to one affecting desktop Safari).

-- Description --
After initial speculation that the first general vulnerabilities
targeting the iPhone would be discovered within the first few weeks
of release, it has been disclosed that at least one vulnerability
exists which can allow a remote attacker to gain some level of
control / application crash if the user can be tricked into visiting
a malicious site using the inbuilt Safari browser. This new issue is
an almost exact copy of issues found on the desktop version of the
Safari Internet browser, which can give some clues to potential
weaknesses to be discovered.

-- Recommended Action --
If iPhone users are concerned about the potential risk to their new
devices, they should apply caution to the sites that they visit using
the inbuilt Safari browser and limit the sites visited to trusted
sites only.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 Java - Remote hacker automatic control

-- Products Affected --
Java J2SE

-- Technical Description --
Java Web Start may provide access to overwrite local files and pass
control of the system to a remote attacker that has convinced a user
to interact with a malicious Java application via the Internet.
Arbitrary code execution is possible within the context of the local
user. Specifically, JDK, JRE 5.0 Update 11 and earlier, and SDK, JRE
1.4.2_13 and earlier are vulnerable on Windows platforms.

-- Description --
Late last week a set of vulnerabilities affecting Java Web Start in
J2SE were disclosed and patched by Sun. These vulnerabilities can
lead to situations where a remote attacker is able to take control of
the victim's system in the context of the current victim's privilege
level. Of note, JDK and JRE 6, Solaris, and Linux versions of J2SE
are not vulnerable to these issues.

-- Recommended Action --
Apply the updates for J2SE at the earliest opportunity

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 8 8 (Very High)
Corporate 8 8 (Very High)

1.3 Asterisk - Remote hacker automatic control

-- Products Affected --
Asterisk 1.4.2 and prior.

-- Technical Description --
Multiple Remote unauthenticated stack overflows in Asterisk
chan_sip.c, specifically two closely related stack based buffer
overflows exist in the SIP/SDP handler. These vulnerabilities can be
triggered with a number of different SIP messages affecting calls
received by Asterisk, or in response to calls made by Asterisk.

-- Description --
Asterisk is vulnerable to two related issues affecting handling of
SIP/SDP network traffic. These issues can lead to an attacker taking
control of a vulnerable server / system that is running Asterisk.
Asterisk developers have released an update to address this issue.

-- Recommended Action --
Update to the latest versions of Asterisk or AsteriskNOW as
appropriate.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
U O
Home User 9 9 (Critical)
Corporate 9 9 (Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Vista Security Claims Not All They Appear

Microsoft employee Jeff R Jones (Security Strategy Director) recently
released a report claiming that Windows Vista is significantly more
secure than competing operating system platforms.

After being released to CSO Online, the news was picked up and
repeated by many sites, but not many stopped to analyse the
information actually being put forward in the paper. Some sites, such
as Slashdot, saw heated discussion about the methodology used and
conclusions presented in the report, but overall most people accepted
the report at face value.

Now that more people have had the opportunity to dig deeper through
the report, more claims are being put forward that the report
presents the wrong conclusions and is using flawed methodology.

The first warning sign for many is the fact that a paper written by a
Microsoft employee places Microsoft in an advantageous position.
While parochialism should be supressed by professionalism, it does
lead to concerns about bias.

Parochialism aside, the biggest problem that most observers are
having with the published article is that the author has interpreted
the available data sources in a very constrained manner that is not
consistent for all of the considered platforms.

Windows Vista certainly has had fewer vulnerabilities publicly
reported and patched by Microsoft, but it has only been available for
a few months. Of concern to researchers is the number of critical
vulnerabilities that are due to buffer overflows and those derived
from old code. Technology such as ASLR was supposed to neutralise the
majority of these vulnerabilities.

The report skips 'silently fixed' issues, which Microsoft did not
publicly acknowledge as existing. It also covers bundled software
when considering other operating systems, such as RHEL 4, which are
provided with numerous database, mail, and web servers, along with a
host of other applications that the base Windows installations do not
come with.

With the continuing trend of the same vulnerabilities being found on
Vista as on other systems, some are seeing it as a reason NOT to
upgrade to Vista (or at least not until SP1). Consumers and
businesses are continuing to push for the ongoing sale of Windows XP,
and there are concerns from some quarters that Microsoft may have
painted itself into a corner with Vista.

It appears that Microsoft's big push to rewrite the core system with
security in mind hasn't quite achieved the goals that were set (ASLR
can be defeated reliably, as well). This, and the response to the
recent report is quite disappointing, especially as Microsoft really
has improved their stance on security and development practices in
recent years.

2.2 A BlackHat Showdown

An old-fashioned Wild West show down appears to be on the cards at
the 2007 Black Hat USA Briefings & Training, due to kick off in Las
Vegas on July 28.

Lining up on one side is a team of luminaries who have gathered under
the Matasano Chargen banner, seeking to demonstrate that they can
arbitrarily detect hardware-level (hypervisor) rootkits (such as Blue
Pill).

Opposing this is the Blue Pill team, led by Joanna Rutkowska, who
believe that they have a better than fair chance at evading reliable
detection by the Matasano Chargen team.

With an armament of:

* Direct Timing Observation;
* Indirect Timing Observation, and
* Functional Observation

the team from Matasano Chargen believe that they have what it takes
to identify and knock down Blue Pill. The difficulty will be in
applying these capabilities in a manner that does not adversely
impact the end user experience (some cryptographic attacks that use
timing observation effectively DoS the system while they are running).

Watching the two teams posturing ahead of the challenge, the
impression is gained that they are both moving towards the same
goals, but there is a little bit of a discrepancy between the aim
points. That discrepancy is going to be the key as to whether Blue
Pill succeeds or Matasano succeeds.

Even though there are lines being drawn in the sand by the supporters
of each side, the outcome (at this stage) is basically a coin flip.

If Blue Pill can reliably counter each of the techniques being used
in an attempt to detect it, then the Blue Pill team wins. In a real
infection scenario, disabling the detection software is also a valid
procedure (though it will serve as a detection in this case).

If the Matasano team can implement even one reliable detection
technique, then they win. The real difficulty is making that
technique reliable, given all the other processes that might be
competing for resources that are under observation.

Drawing on how the arms race for kernel-level rootkits, detection,
and counter-detection has developed, there is a slight advantage to
the Blue Pill team.

What everyone watching should hope for is that there is no repeat of
last year, where lengthy arguments developed after disputed claims
were made about being able to hack WiFi connections on OS X machines.

UPDATED -

Black Hat Showdown a No Down.

An eagerly awaited Security showdown at this year's Black Hat
briefings in Las Vegas, between the developers of the Blue Pill
hypervisor rootkit and a team that claims they can reliably detect
it, is no more.

In establishing the ground rules for the face off, the Blue Pill
developers requested a fee of $384,000 USD to be paid as compensation
for time and resources used to develop the technology and bring it to
a commercial stage of completion.

Nobody is claiming that the Blue Pill team should not be compensated
for their efforts, but the amount that they have requested is enough
to throw iced water over the concept of a show down at this year's
Black Hat conference in Las Vegas.

Is this the market rate for complete control of a brand new rootkit?
Or is it indicative of the hidden costs that software development and
security research really bring to a company? The quoted market rate
of $200 per hour might be within a reasonable bracket, but applying
it for the length of time that the rootkit has been in development is
generally being interpreted as unfair. Suggestions have been put
forward that it may be worth closer to 15-20% of what they have asked
for, but with trades for information like this it will always be
worth what someone is willing to pay.

Other suggestions have been that it should be handled like a proper
wager (where better to do it than Vegas), with each side fronting up
their bet, and winner takes all.

The show down may not be a complete writeoff, however. The team who
were lined up to detect the rootkit will still be presenting an
outline at the Black Hat Briefings of the technology and guiding
principles that will allow for detection of these hardware level
rootkits.

After news of the initial challenge grabbed the attention of a lot of
people, the subsequent cancellation has led to some interesting ideas
about how to still achieve some sort of outcome and test the claims
of both parties.

One of the most prominent concepts that has been put forward so far
is for a good faith bet, where the detecting team places their tool
online, and allows arbitrary third party use and testing of the tool
to see whether it would comply with the initial guidelines of the
test, and allow the Blue Pill team to internally test against it
(that particular report would have to be accepted on good faith for
accuracy).

While not the same as a public head-to-head test, it still allows
most of the aims to be achieved, including the most stringent
limitations placed on the detection tool (don't significantly degrade
the user experience).

2.3 Time to Blacklist Blacklists

Blacklists have their place for detecting and identifying malicious
content and activity, with the whole signature-based malware
detection industry effectively being built around the concept that
blacklists are reliable mechanisms.

The only problem is that they aren't.

They certainly are an important element of security models, but the
last couple of decades of security research has shown that they
quickly become ineffective in the face of a rapidly evolving threat.

Early in the life of antivirus tools, simple signature based
detection was enough. An internal blacklist could identify all known
pieces of malware because they did not evolve or spread very rapidly.
When polymorphic malware began to exhibit better software
development, the need for heuristic detection engines became more
urgent. Most antimalware software now has a combination of
blacklisting and heuristics in use to assist in identifying malicious
activity (when they aren't busy deleting critical system files or
being compromised by their own analysis engines).

Having an exhaustive blacklist helps companies claim that they detect
many tens of thousands of viruses and malware, when in reality it may
be many different versions of a few key pieces of malware, just
different enough from previous versions to require a brand new
blacklist signature.

Moving on to blacklists of known spam-generating IPs and malware-
serving sites, we start to see significant problems emerge with this
particular approach to protection.

Many mail server administrators will have encountered at least one
period where they have found their IP on an RBL (Real Time Block
List) alongside IPs that have seen to be spewing spam across networks
(or they could have just had AOL mailing list subscribers who find it
easier to report as spam than unsubscribe from something they
manually subscribed to). With the use of dynamic IP addresses and
virtual hosts, many have found that if they have a bad network
neighbour, they can be hit with the same blocking (we've had it
happen a few times) from indiscriminate RBL maintainers.

Even important registries are not immune from arbitrary blockage and
ongoing annoyance from poorly developed RBLs.

The problem of misidentification becomes even worse when blacklists
of websites that are hosting malware and phishing attacks are
maintained. Microsoft, Mozilla, Opera, McAfee, and Google are just
some of the large bodies that have invested significant resources to
the creation, maintenance, and use of website blacklists to warn
users of potential malicious activity on websites (and in some cases
prevent access).

Anyone who spends even just a little bit of time involved with
researching and observing the patterns and pace of website attacks,
hacks and defacements will know that websites are essentially fragile
entities and it doesn't take much for a well-trusted site to become a
malware-spewing nightmare.

Like trying to use DRM to restrict the spread of copyright
infringement, using blacklists / blocklists to limit access to sites
will only stop the honest, and the casual attacker (extremely casual
attacker) from getting people to see their site. Any attacker that is
remotely serious about their work will have plenty of ways to bypass
and overcome the minor inconvenience that the blacklists pose.

If any further evidence was required, a security researcher (Kuza)
has published a small set of techniques that can be used to bypass
these website blacklists. The set of techniques published reflects
just a small number of the many different ways that it is possible to
avoid these lists, not least of which is the fact that it takes time
for a site to be added to a blacklist.

The response that Kuza received from Microsoft when he reported his
techniques for phishing detection avoidance is actually quite an
intelligent response - "[it] is not a security feature".

The only problem with this is that many, many people (including a lot
of 'security' people who should really know better) consider these
lists to be just that - a security feature.

It is time that people became aware that these lists are a small tool
of their protection arsenal, and not the major innovation that their
creators and maintainers describe them as. It is also time that
people became aware of the problems that these lists can cause when
improperly developed and maintained (and even when they aren't).

2.4 A Glitch in the Matrix, or a Hungry Exploit?

Sûnnet Beskerming researchers observed an interesting deviation in
global network traffic over the last 24 hours, particularly for South
American, Asian, and Australian networks. Normally, global Internet
traffic (as observed by the Internet Traffic Report) oscillates
around 9% packet loss, with global response times of 138 ms, and the
internally derived traffic index at around 79.

Sustained over the last 24 hours, the traffic index has dipped almost
5%, packet loss has climbed to 11%, and the global response time to
almost 150 ms.

Normal spikes and dips as observed on the Internet Traffic Report
show up as no more than 3 or 4 hour blocks of odd results before
settling back into normalcy. This latest spike and dip has been
sustained for at least 18 hours, with a rapid ramp up in the six
hours prior to the peaks (and lows) being reached.

When the figures are considered against the 7 day average, and the 30
day average, the deviation appears to be quite significant and seems
to mark a distinct event or set of events. When the reports for Asia,
South America, and Australia are looked at in isolation, the three
regions appear to be suffering from a related event, with similar
patterns being observed in the data being put forward for those
regions. Data for Europe and North America indicates that whatever is
affecting the other regions, it isn't affecting Europe or North
America. Independently sourced data at Keynote (using their Internet
Health Report) indicates that there is nothing adversely impacting
the US at this time.

Either these regions are experiencing the first stages of a global
event, or they contain networks that are under a sustained attack for
some specific reason.

So, what can be causing this problem? There appears to be nothing
that is being reported by any of the usual agencies or news feeds,
with SANS indicating a GREEN Threat level, and Symantec, McAfee, and
the other major security software providers not indicating any new
malicious software emergence.

Looking at the current Top 10 report from SANS, it appears that Port
5901 (used for VNC) is leading the charge for the top rating across
all metrics (including a 20% lead on the next port on the rising
Trends chart). At the time of writing, the raw data for Port 5901 was
showing disturbing results.

While there is spam, drive-by phishing attacks, and persistent worms
attacking global networks, these have been ongoing attacks and should
not be responsible for such a large change in such a short period of
time by themselves.

If we consider port 5901 to be relevant to the reason behind the
attacks, then we might have found a potential cause, and a potential
target.

An exploit was added a couple of days ago to a number of security
mailing lists, distribution sites, and other sources, which targets a
remote code execution vulnerability in the AMX VNC ActiveX control.
Since appearing on these sources it has spread to thousands of sites,
and is guaranteed to have been seen by many, many people - some with
malicious intent.

Although a remote code execution exploit is nothing special nowadays,
this particular piece of code claims to achieve its goals without
alerting the victim to the fact that they have just been successfully
hacked.

Whether or not it is relevant to the real reason behind the observed
response time and packet loss deviation will be seen over time. At
the least, administrators and end users should keep a closer eye on
their systems and networks over the next few days to see if this
unknown problem is going to spread.

UPDATED -
Since so many people have been asking about whether there are any
updates to our Glitch in the Matrix post, we've decided to post a
quick update based on what our researchers are continuing to observe.

Overall Internet traffic, as observed by The Internet Traffic Report
has settled back into normal ranges, though the 7 day charts show a
clear deviation from the norm at the end of last week (29-30 June)
and a little bit more volatility in the period since.

There is still no clear picture as to what was behind the lengthy
deviation, with some regional networks still encountering out of the
ordinary behaviour (though that might be within normal operating
ranges for those networks, especially if they are under maintenance).

Port 5901 has now dropped to more reasonable levels on the SANS Top
10, but the fact that it is still present on the Top 10 should still
be a concern for end users. Feedback from various sources and
communication with the ISC indicated that while the observed traffic
patterns were of interest, there was nothing that could be clearly
identified as being more than a possible source for the behaviour.

2.5 Hunting Safari

When Apple's Safari browser was released for beta testing on Windows
at this year's WWDC, it was expected that many researchers would turn
their attention to this little piece of Apple in a Microsoft world.

These expectations were met when vulnerabilities were rapidly
discovered and disclosed within a matter of hours of the release of
the browser, some with detailed exploitation code accompanying the
disclosure.

A lot of the remaining publicly known vulnerabilities are low threat
issues, providing cross site scripting and minor data corruption
opportunities. However, there are still serious vulnerabilities being
released, such as the '0-day' code execution vulnerability due to
excessive Title tag length when a page is added to the bookmarks.

While Apple quickly moved to patch the known vulnerabilities,
bringing the browser to beta version 3.02 in short order, some
'researchers' have decided to take a more unprofessional route while
vulnerabilities continue to be disclosed by others.

Repeating the oft-used line that unpaid research and Quality
Assurance for a software vendor is not what they are there for, at
least one security researcher has publicly stated that they will be
withholding disclosure of serious Safari vulnerabilities until after
the release of OS X 10.5 (Leopard), preferring to wait until a
reasonable userbase has been established prior to disclosure.

The risk of taking this approach is that it is possible (maybe even
probable) that another researcher will identify and report the
vulnerabilities before the release and widesperad use of Leopard.

Intentional suppression of vulnerability data (including not
reporting it to the vendor), with the intention of later publicity,
is a practice that many find unethical and unprofessional and the
researchers may find that software vendors will be less willing to
negotiate with them in the future.

Whatever the outcome, it is to be expected that many more Safari-
focussed vulnerabilities will be disclosed over the next several months.

2.6 Acknowledging the Importance of Web Security

Two recent articles in the mainstream technical media are helping to
bring increased awareness to the importance of web security as a key
component in the overall security picture.

With acknowledgement of the increasing difficulty of spreading
malware through traditional channels (email), Paul Henry suggests
that the web is becoming the dominant distribution channel for malware.

Supporting this argument through figures that point to increasing
numbers of websites hosting malicious content, Paul fails to
recognise that the recent explosion in the number of sites hosting
malicious content has largely been due to hosting providers that were
compromised through known weaknesses in their hosting solutions
(especially of systems with numerous virtual hosts).

There are still increasing numbers of dedicated malicious sites, but
this analysis (like many) fails to properly account for previously
trusted sites that are temporarily compromised by an attacker or via
included third party content (such as banner ads). This sort of
problem will forever be the Achille's heel of programs like
SiteAdvisor and browser-based phishing protection.

Although the article at ZDNet is a press release masquerading as news
(guess who has a vested interest in the product hawked in the
article), it does raise some valid points that people outside of the
web security sphere may not have been aware of, but should be
informed about.

A better article, over at C|Net, identifies some of the problems
associated with web security, particularly in terms of creating and
implementing standards.

The assertion that the industry is 'basically making up web security
as it goes along', however, is somewhat unfair. Perhaps this is the
case in companies where there is not even a basic understanding of
web security, but there is a growing repository of freely available
information and common baseline knowledge that will propel companies
and developers a long way towards implementing reasonable levels of
security.

Beyond reasonable security the situation changes. It becomes like the
rest of Information Security, where a small set of researchers and
attackers are constantly probing away at the edges of what is known -
seeking to improve the common knowledge (or improve the ability to
attack and control).

Creating and implementing standards that can get entities to a level
of reasonable security is the difficult part (as the article points
out). Any standards body risks becoming irrelevant as soon as a
standard is published (just like every other standards body),
particularly with the rapid pace of security research and discovery.
It doesn't take much research to find examples of this (PCI DSS), but
the ongoing efforts of groups like OWASP and WASC are likely to form
the initial basis of any eventual standards (it would almost be
criminal for them not to).

2.7 Investigating the iPhone

When Apple's iPhone was released at the end of last week, not only
were purchasers lined up to get their hands on the device, but
security researchers were keenly awaiting physical access to the device.

It didn't take long, with what appears to be a recovery system image
posted to a number of sites within a matter of hours of the release
of the iPhone. Initial analysis of the files has provided clues about
the internal setup of the phone (assuming the files represent an
accurate firmware image). The presence of low level accounts (admin
and root), along with passwords for them came as a minor surprise.
Password recovery tools quickly allowed recovery of the underlying
passwords.

Those discoveries are a major assistance to web security researchers
on both sides of the fence. Web security researchers sat up and took
closer notice after Steve Jobs announced at the recent WWDC that
third party developers will be able to develop applications for the
iPhone by creating 'Web 2.0' style applications that iPhone users are
able to access using the Safari browser on the phone.

Observing what sort of vulnerabilities continue to be discovered for
desktop browsers, it is only going to be a matter of time until
someone discovers a vulnerability that will allow for complete access
to all of the data on the iPhone. Already researchers are busy
looking at ways that can be used to access the information stored on
the device.

Researchers who are focussed on the network that the iPhone connects
to have disclosed that in order to access voicemail across the
network a password is not required, merely a valid Caller ID.
Guidance on addressing the situation has also been released, which
should be followed by all iPhone holders.

Initial analysis of the network traffic coming from the iPhone has
raised some interesting possibilities and similarities to OS X, and
it is likely that there are going to be some significant results to
come from this approach over coming weeks.

The next couple of days are likely to see activation cracks released,
according to one group looking at the code, and it is reasonable to
assume that arbitrary execution code will only be a matter of weeks
away (at most).

The team over at errata security are claiming what could be the first
set of vulnerabilities to affect the iPhone, after less than 96 hours
of general availability of the device.

At this stage they are claiming the presence of an unidentified
Safari bug, and an interesting Denial of Service against the
Bluetooth connection. Even without full disclosure, the Safari bug
throws up some interesting material for others who are looking at the
potential weaknesses in the device.

It appears to be the same as a bug that errata security have
identified with the desktop version of Safari (but not fully
disclosed). If this not just a one off, then there are plenty of
vulnerabilities affecting the desktop version of Safari that will
give enterprising researchers and attackers a useful means to probe
deeper into the iPhone.

With the timeframe since the release of the iPhone so short, the
vulnerabilities being discussed and disclosed are somewhat raw around
the edges, it should be expected that they will soon become more
useful and more efficient, even if the potential infection base is
around 1 million devices.

2.8 Why Hack When You Can Buy Your Way to Identity Theft

Continuing a trend of employees stealing valuable data, an employee
at a Fidelity National Information Services subsidiary at some time
prior to May 2007 stole more than 2 million records that contained a
range of personal, financial account, and credit card data for users
of Fidelity services.

Immediately profiting off the theft, the employee sold the
information to a data broker that then sold the information on to
direct marketing companies. Even though officials from the Fidelity
subsidiary involved have stated that none of the data was used for
fraudulent financial activity, the consumers who were subsequently
contacted by the direct marketing firms might think otherwise.

Even though they have found no fraudulent activity, the Fidelity
subsidiary just doesn't know what the data has been used for, or
where it has exactly spread to - which is always the considered risk
with identity data theft. A clear example of failing to understand
how fluid the storage and distribution of information is, the company
has set out to recover all of the data stolen. They will be able to
recover copies of it, but there will be no guarantee that they can
recover all copies of it.

The employee who stole the data was a senior DBA who has subsequently
been fired and is likely to face civil and criminal charges in the
near future.

2.9 A Lesson in Why Regulating Online Activity is Difficult

When the controversial online music distribution site AllofMP3.com
went dark recently, it was touted as a victory by various groups
responsible for music royalties (who weren't getting a cut from
AllofMP3.com) and a positive sign of US-Russian relations due to the
intimation that US pressure was used to force the Russian authorities
to terminate the link between AllofMP3 and their ISP.

This celebratory feeling was somewhat short-lived when MP3Spark.com
suddenly appeared from nowhere, apparently being operated by the same
parties responsible for AllofMP3.com. Account holders from
AllofMP3.com have confirmed that it appears that their accounts and
other details appear on the new site, and the catalogue presented on
MP3Spark.com contains the same spelling errors and misattributions
that AllofMP3.com maintained.

MP3Spark.com also appears to have the same arrangement with the
disputed collector of royalties within Russia that AllofMP3.com
maintained. It is claimed that this particular organisation has tried
to distribute royalty funds, but has been turned down by rights holders.

Media Services, the company that appears to be behind both sites is
currently in the process of being sued by multiple parties inside and
outside of Russia, so it may be a shorter timeframe before the new
site is taken offline (or moved to a country that doesn't care about
copyright as much).

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com