Sûnnet Beskerming Alert List Advisory #229
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact
info@... to resolve the
error.
Why not upgrade to get same-day notification of security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 OS X (Multiple)
- Remote Hacker Manual Control
- Time Since Discovery - 3 Days
1.2 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.3 Office OCX
- Remote Hacker Automatic Denial of Service
- Time Since Discovery - 4 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Microsoft Security Movements
2.2 The Power of Numbers
2.3 What's In A Vulnerability
=====================================
1. SECURITY
1.1 OS X (Multiple) - Remote Hacker Manual Control
-- Products Affected --
OS X 10.4.9 (and Server)
OS X 10.3.9
-- Technical Description --
AirPort - Minor patch for systems where connectivity was lost
following sleep (10.3.9 only)
FTPServer - Users with ftp access may be able to navigate to
directories outside the normal scope. (10.4.9 Server only)
Remainder of patch equivalent to Security Update 2007-004.
-- Description --
Apple have released a revised version (1.1) of Security Update
2007-004. The revised update contains everything in the original,
plus a fix for a minor AirPort issue where connectivity was lost
after sleep (10.3.9 only), and a fix for an FTP Server issue that
could allow an authenticated FTP user to reach files outside the
directories they are permitted to access (10.4.9 Server only). Users
and administrators who have not already applied Security Update
2007-004 have a Threat Matrix of Highly Critical (10), while those
who have applied the original have a Threat Matrix of High (6).
-- Recommended Action --
Apply Security Update 2007-004 v 1.1 at the earliest opportunity.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U   O
Home User     9   9  (Critical)
Corporate     9   9  (Critical)
1.2 QuickTime - Remote Hacker Automatic Control
-- Products Affected --
Apple QuickTime 7.1.5 and earlier
-- Technical Description --
Heap overflow leading to arbitrary code execution in QuickTime for
Java. This vulnerability was used to compromise the CanSecWest test
system and has only been partially disclosed since; full exploit code
has not yet been released.
-- Description --
Apple have released QuickTime version 7.1.6 to address the partially
disclosed vulnerability in QuickTime for Java that was used to hack
into the test machine at CanSecWest 2007. The vulnerability allows a
remote attacker to run software of their choice on a vulnerable
system, and so to take control of it.
-- Recommended Action --
Update to QuickTime 7.1.6 at the earliest opportunity.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U   O
Home User     9   9  (Critical)
Corporate     9   9  (Critical)
1.3 Office OCX - Remote Hacker Automatic Denial of Service
-- Products Affected --
Word Viewer OCX 3.2
PowerPoint Viewer OCX 3.1
Excel Viewer OCX 3.1
-- Technical Description --
Numerous Denial of Service vulnerabilities have been discovered and
disclosed in the above products from Office OCX. Multiple methods
within each vulnerable ActiveX control can be made to overflow a
buffer and crash the control, denying its use. While the
vulnerabilities are only listed as Denial of Service at this time,
arbitrary code execution remains a risk.
-- Description --
A number of the ActiveX controls from Office OCX, which are used to
display Office documents inside an Internet Explorer browser session,
have been found to be vulnerable to attacks that crash the control
and so prevent its legitimate use by end users.
-- Recommended Action --
Remove the applicable Office OCX viewer ActiveX controls until
Office OCX are able to release appropriate patches. Alternatively,
set the kill bit for the affected controls in the Registry so that
Internet Explorer will refuse to load them (PowerPoint Viewer -
97AF4A45-49BE-4485-9F55-91AB40F22B92; Excel Viewer -
18A295DA-088E-42D1-BE31-5028D7F9B965; Word Viewer -
97AF4A45-49BE-4485-9F55-91AB40F22BF2). Note that the kill bit only
stops Internet Explorer from instantiating a control; it does not
remove the control, and on 64-bit Windows it must also be set under
the Wow6432Node branch that the 32-bit browser reads.
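The kill bit step above, worked through as an added example (this script is ours, not Office OCX's or Microsoft's code): it ORs the 0x400 kill bit into the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} for the three CLSIDs listed in the advisory, which is the documented kill bit mechanism, and repeats the write under Wow6432Node where that branch exists (64-bit Windows). It also reports whether each control is actually registered on the machine, since a pre-emptive kill bit is still worthwhile for a control that is not yet installed. The friendly names in $controls are our own labels. Run it from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example: set the Internet Explorer kill bit for the Office OCX
# viewer controls named in this advisory. Not vendor code.
# Mechanism: DWORD "Compatibility Flags" with bit 0x400 set under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Run from an elevated (Administrator) PowerShell prompt.

$KillBit = 0x400

# CLSIDs exactly as given in the advisory; the labels are our own.
$controls = @{
    'PowerPoint Viewer OCX 3.1' = '{97AF4A45-49BE-4485-9F55-91AB40F22B92}'
    'Excel Viewer OCX 3.1'      = '{18A295DA-088E-42D1-BE31-5028D7F9B965}'
    'Word Viewer OCX 3.2'       = '{97AF4A45-49BE-4485-9F55-91AB40F22BF2}'
}

# 32-bit IE on 64-bit Windows reads the Wow6432Node view of the hive,
# so the kill bit has to be written there as well when that branch exists.
$compatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
$classRoots  = @('HKLM:\SOFTWARE\Classes\CLSID')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $compatRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    $classRoots  += 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
}

foreach ($name in $controls.Keys) {
    $clsid = $controls[$name]

    # Report whether the control is registered at all; set the kill bit
    # regardless, so a later install of the control is still blocked.
    $registered = $false
    foreach ($root in $classRoots) {
        if (Test-Path "$root\$clsid") { $registered = $true }
    }
    $state = if ($registered) { 'registered' } else { 'not registered (pre-emptive kill bit)' }
    Write-Output ("{0} {1}: {2}" -f $name, $clsid, $state)

    foreach ($root in $compatRoots) {
        $key = "$root\$clsid"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # OR the kill bit into any flags already present instead of
        # clobbering them; the other bits carry their own meanings.
        $existing = 0
        $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $existing = [int]$item.'Compatibility Flags' }
        $flags = $existing -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord

        # Read back and verify the bit really is set before reporting success.
        $check = [int](Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
        if (($check -band $KillBit) -eq $KillBit) {
            Write-Output ("  kill bit set under {0} (flags=0x{1:X})" -f $key, $check)
        } else {
            Write-Warning ("  FAILED to set kill bit under {0}" -f $key)
        }
    }
}
```

Internet Explorer reads the kill bit when it next tries to instantiate the control, so open browser sessions should be restarted after running this. To undo it once a patched control is available, clear bit 0x400 in the same value rather than deleting the key, so that any other compatibility flags are preserved.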
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U   O
Home User     8   8  (Very High)
Corporate     8   8  (Very High)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Microsoft Security Movements
Within the space of a week, Microsoft suffered the indignity of
having a subdomain defaced (ieak.microsoft.com), and also opened a
preview of a new security portal
(http://www.microsoft.com/security/portal), which is not being
officially launched until July. Even though it has not gone
completely live, the Microsoft Malware Protection Center (as the
portal will be known) is already shaping up as a valuable resource
for Windows users and administrators (and those who are interested in
Windows security).
The attacker who defaced the Microsoft site has claimed that the
attack was carried out via an SQL injection flaw, which eventually
allowed them to publish content of their choice on the subdomain (and
so, in effect, take it over).
2.2 The Power of Numbers
A string of only 16 hexadecimal byte values (a 128-bit key) has been
enough to take down the popular community site, Digg.com. Following
the discovery and subsequent dissemination of the HD-DVD AACS
processing key, which can be used to decrypt and copy HD-DVD titles,
it was posted to Digg (amongst other sites). Although Digg is
designed to be largely unmoderated, the first posting to make the
front page with the key in it was quickly deleted and the user who
submitted it was banned.
This did not go unnoticed, and another story was quickly promoted by
site users to take its place. This, too, was squashed, and a rapidly
escalating race ensued, between site maintainers (who were keen to
suppress the story), and the site users (who were keen to see it
published). The users won, when the whole front page of Digg was
devoted purely to stories with the processing key in them - either as
the subject or worked in to the actual story.
The only thing left that site maintainers could do to restore order
was to pull the plug and take Digg offline for a period. The rioting
between maintainers and site users, for a site that is dependent upon
its users for its very existence, and the resultant site outage, has
left a sour taste in the mouth of users and has served as an
interesting case of how not to act and react.
How other sites handled the publication, and attempted publication of
the set of numbers is also important when considering the pattern of
Internet moderation and censorship. Sites such as Slashdot did not
publish the number in their main content, but allowed users to
include it in their comments. Others, such as Wikipedia, actively
prevented any publishing or commentary about the number (though there
are sneaky examples where the number has been inserted in otherwise
innocuous content). In the long run, information will settle in a
state of openness, even if no one cares to look at it. Valuable
information will always attract attention when it is released.
While the actual numbers are no longer a secret, anybody who
reproduces them could face the sharp end of a Cease & Desist letter,
or worse.
2.3 What's In A Vulnerability
Historically, vulnerabilities in ActiveX controls have been regarded
as extremely serious, because the controls are native code running
inside the browser process and exist precisely to let one application
drive other applications and data stored on the local system. Because
Internet Explorer lets remote Internet sites instantiate ActiveX
controls, and through them reach local data, each newly discovered
and disclosed vulnerability rapidly increases the risk of remote
compromise.
With yet another 'Month of "x" Bugs' underway - this time the 'Month
of ActiveX Bugs', there have been some active discussions about the
relative severity of the vulnerabilities being disclosed.
The researcher responsible for the discovery of the vulnerabilities,
known as shinnai, has stated that the first few vulnerabilities
disclosed are only Denial of Service vulnerabilities, causing the
relevant ActiveX (OCX) control to crash and preventing its use. Some
third party Information Security vendors have instead rated the
reports as arbitrary remote code execution risks.
There is a definite risk that a Denial of Service vulnerability will
turn out to be an arbitrary code execution vulnerability once someone
works out how to control what the overflow overwrites (the onload()
problem faced by Internet Explorer is one such case), but at this
stage the threats have only been identified and listed as Denial of
Service issues. Even though the vulnerabilities involve memory
overflows, and multiple vulnerable paths have been identified, so far
they have only been shown to result in DoS conditions.
=======================================
Sincerely,
Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com