Sûnnet Beskerming Alert List Advisory #233
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact
info@... to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Darwin Streaming Server
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
exploited, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Grand Claims Require Solid Evidence
2.2 How We Do What We Do
2.3 Using The System Against Itself
2.4 Windows News
2.5 Multiple AntiVirus Vendor Issues
=====================================
1. SECURITY
1.1 Darwin Streaming Server - Remote Hacker Automatic Control
-- Products Affected --
Darwin Streaming Server 5.5.4 and earlier
-- Technical Description --
Two buffer overflows in the Darwin Streaming Proxy when handling
RTSP requests can lead to arbitrary code execution. It appears that
these vulnerabilities are very similar to issues already patched in
QuickTime.
-- Description --
The Darwin Streaming Server is the open source Darwin equivalent to
the QuickTime Streaming Server that is available for the OS X
platform. Patches have been released to address a set of
vulnerabilities that appear to be related to previously disclosed and
patched issues with QuickTime (certain streaming protocols had some
inbuilt weaknesses). In the worst case, an attacker could gain
control over a vulnerable system that was running the Server, by
supplying malicious network traffic.
-- Recommended Action --
Update to Streaming Server 5.5.5 at the earliest opportunity.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
             U   O
Home User    7   8   (High - Very High)
Corporate    7   8   (High - Very High)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Grand Claims Require Solid Evidence
Getting online identity systems correct is difficult. Getting them
secure is even more so, and it appears to be a problem that has not
been reliably solved up to this point in time (secure in a lab is not
being considered here). A new service that is seeking to provide
something analogous to a single sign-on system (like Microsoft's
Passport before it) appears to be drawing on similar technology to
that used by Bank of America in their SiteKey authentication system.
While comparable technology already exists, the company behind the
service is making claims that have caught the attention of security
researchers.
Claiming to protect the user against four of the most prevalent means
of compromising authentication (Phishing, Keystroke logging,
Man-In-The-Middle attacks (MITM), Brute Force), the service has
already been demonstrated to fail in at least one of those areas. An
independent researcher has already demonstrated an effective MITM
attack against the service (though it does rely upon the user not
noticing the lack of an https address, this can easily be overcome).
Unfortunately for end users, and for those who have invested funds
into this concept, false claims of security are more harmful in the
long run than no security mechanisms at all.
2.2 How We Do What We Do
A recent posting on the McAfee Avert Labs blog
(http://www.avertlabs.com/research/blog/?p=272) provides an excellent primer
on how Information Security research is conducted, in particular the
sort of research that we carry out here at Sûnnet Beskerming. If
readers are interested in finding out some of the difficulties
associated with research, and some of the ways that services will
differ, it makes for a good read.
The upshot, using their analogy, is that we are more effective at
setting the size and composition of our net than our competitors, and
we have used a lengthy (and ongoing) study of the winds, tides,
coast, and sea floor to find the best fishing spots. Ultimately, we
are here to provide the best possible Information Security knowledge
and advice to our clients, irrespective of what else is happening in
the industry.
2.3 Using The System Against Itself
Amongst other news being reported by Symantec at the moment (they are
on a big PR push to improve the market's attitude towards their
acquisition of Veritas) is news that they have detected malware that
is using the software update service built into Windows in order to
download and install essential components of the malware. The fact
that Symantec is hyping new anti-rootkit software is more than just
coincidence.
Because the malware authors are using a key component of Windows to
do the heavy lifting, they can sneak the critical parts of their
malware past any defences that might be in place (users can't have
their firewall stopping the system from downloading their essential
Windows updates). While the use of this system module is of concern
for those developing defences against malware that might use it, it
does represent a useful example of how difficult it is to establish
the proper trust credentials, even for software that is embedded
within the system and meant to only download system updates.
That concept might be at the core of how the problem could be
resolved by a future patch - by limiting the functionality of the
software to only downloading from trusted Microsoft locations (like
some other Windows components already do), it would be possible to
recover the original intended functionality for the component,
without providing malware authors with such an easy way of moving
their software onto a victim's system.
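As an added illustration of the "only download from trusted locations"
mitigation proposed above (this is example code written for this
newsletter, not Microsoft's or any vendor's implementation), the check
below validates a download URL against a constructed allowlist of
trusted hosts; the host names and sample URLs are assumptions, and the
check covers the edge cases a naive substring match gets wrong.

```python
from urllib.parse import urlsplit

# Constructed allowlist (an assumption, not the real Windows update host
# list): exact hosts the updater may use, plus parent domains whose
# subdomains are also trusted.
TRUSTED_HOSTS = {"update.microsoft.com", "download.windowsupdate.com"}
TRUSTED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")


def is_trusted_download(url: str) -> bool:
    """Return True only if url points at an allowlisted host over HTTPS.

    Rejects what defeats a naive substring check: non-https schemes,
    embedded credentials (trustedname@realhost), non-standard ports,
    look-alike hosts (microsoft.com.evil.example) and empty hosts.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    return host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES)


def filter_download_requests(urls):
    """Split requested download URLs into (allowed, blocked) lists."""
    allowed = [u for u in urls if is_trusted_download(u)]
    blocked = [u for u in urls if u not in allowed]
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample of requests an update component might be handed.
    sample = [
        "https://download.windowsupdate.com/msdownload/update/kb.cab",
        "http://download.windowsupdate.com/msdownload/update/kb.cab",
        "https://update.microsoft.com@evil.example/payload.exe",
        "https://microsoft.com.evil.example/payload.exe",
        "https://download.windowsupdate.com:8443/kb.cab",
    ]
    allowed, blocked = filter_download_requests(sample)
    print("allowed:", allowed)
    print("blocked:", blocked)
```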
2.4 Windows News
As reported by the ISC, official support from Microsoft for the
Windows 2003 operating system has ended, but only for the SP0
version (i.e. straight out of the box, with no patches or Service
Packs applied). While it is unlikely that there will be many systems
that are still at SP0 (although we do know of some production systems
that are in this configuration), it is an important change to take
note of, especially as the most recent system patches (from earlier
this week) will not install if the system is still at SP0.
Another recent Windows change is a fix released by Microsoft that
allows iPod owners to safely eject their players from a Windows Vista
system. Previously, users were at risk of corrupting data on their
iPod, even if they followed the recommended procedure for removing
the device from their computer.
Exploits have already begun circulating for some of the
vulnerabilities patched this week by Microsoft (at least exploits for
vulnerabilities that didn't already have exploits circulating). If
users have not applied the patches, it is critical that they apply
them as soon as possible.
2.5 Multiple AntiVirus Vendor Issues
Computer Associates (CA), McAfee, Symantec, and Trend Micro have all
recently had serious vulnerabilities disclosed with a range of their
products that could allow anything from a loss of the service through
to complete control of a vulnerable system.
Users and administrators should ensure that they have the latest
patches applied as there is already exploit code circulating for a
number of the vulnerabilities, and it is expected that other vendors
may also be vulnerable to related issues (such as the ZOO archive
multi-vendor issue reported a few weeks ago).
Unfortunately for Windows users, most of the available exploits are
targeting weak ActiveX controls installed alongside a number of the
products, leaving those users at greatest risk of compromise.
=======================================
Sincerely,
Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.