Advisory #233 - Darwin, Multiple News

Sûnnet Beskerming Alert List Advisory #233
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Darwin Streaming Server - Remote Hacker Automatic Control - Time Since Discovery - 1 Day

=======================================
/* - Remote or Local - Can it be achieved through a network or does it require physical access?
   - Hacker - The bad guy
   - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
   - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data? */
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Grand Claims Require Solid Evidence
2.2 How We Do What We Do
2.3 Using The System Against Itself
2.4 Windows News
2.5 Multiple AntiVirus Vendor Issues

=====================================

1. SECURITY

1.1 Darwin Streaming Server - Remote Hacker Automatic Control

-- Products Affected --
Darwin Streaming Server 5.5.4 and earlier

-- Technical Description --
Two buffer overflows in the Darwin Streaming Proxy when handling RTSP requests can lead to arbitrary code execution. It appears that these vulnerabilities are very similar to issues already patched in QuickTime.
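The advisory does not describe the overflows beyond "when handling RTSP requests". As an added illustration (not Darwin Streaming Server code, and not from Sûnnet Beskerming), the Python below shows the input discipline a streaming proxy needs before an RTSP request reaches any fixed-size native buffer: the request line, each header line, the header count and the peer-supplied Content-Length are all bounded before they are used. The size limits, the method list and the sample requests are assumptions chosen for the example.

```python
import re

# Assumed limits for this illustration; tune to the deployment.
MAX_REQUEST_LINE = 1024            # method + URL + version, in bytes
MAX_HEADER_LINE = 1024             # one "Name: value" line, in bytes
MAX_HEADERS = 32
MAX_BODY = 64 * 1024               # largest SDP/parameter body we buffer

# RTSP methods from RFC 2326; anything else is rejected before further parsing.
RTSP_METHODS = frozenset({
    "OPTIONS", "DESCRIBE", "ANNOUNCE", "SETUP", "PLAY", "PAUSE", "TEARDOWN",
    "GET_PARAMETER", "SET_PARAMETER", "REDIRECT", "RECORD",
})

_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 2616 token
_VERSION_RE = re.compile(rb"RTSP/[0-9]\.[0-9]")
_DIGITS_RE = re.compile(r"[0-9]+")


class RtspError(ValueError):
    """Any framing, size or syntax violation; the caller should drop the peer."""


def parse_rtsp_request(data: bytes) -> dict:
    """Parse one RTSP request, bounding every field before it is used.

    Returns method, url, version, headers (lower-cased names) and body.
    Raises RtspError rather than accepting anything oversized or malformed.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise RtspError("header block not terminated")
    if len(head) > MAX_REQUEST_LINE + MAX_HEADERS * MAX_HEADER_LINE:
        raise RtspError("header block too large")

    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > MAX_REQUEST_LINE:
        raise RtspError("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise RtspError("malformed request line")
    method, url, version = parts
    if not _TOKEN_RE.fullmatch(method) or method.decode("ascii") not in RTSP_METHODS:
        raise RtspError("unknown method")
    if url != b"*" and not url.startswith(b"rtsp://"):
        raise RtspError("unsupported URL scheme")
    if not _VERSION_RE.fullmatch(version):
        raise RtspError("bad protocol version")

    if len(header_lines) > MAX_HEADERS:
        raise RtspError("too many headers")
    headers = {}
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            raise RtspError("header line too long")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN_RE.fullmatch(name):
            raise RtspError("malformed header line")
        key = name.decode("ascii").lower()
        if key in headers:
            raise RtspError("duplicate header " + key)
        headers[key] = value.strip().decode("latin-1")

    # CSeq is mandatory in RTSP and must be a plain decimal number.
    if not _DIGITS_RE.fullmatch(headers.get("cseq", "")):
        raise RtspError("missing or non-numeric CSeq")

    # Content-Length is peer-controlled: validate and bound it before it
    # drives any allocation or copy.
    length_text = headers.get("content-length", "0")
    if not _DIGITS_RE.fullmatch(length_text):
        raise RtspError("non-numeric Content-Length")
    content_length = int(length_text)
    if content_length > MAX_BODY:
        raise RtspError("body too large")
    if len(rest) < content_length:
        raise RtspError("truncated body")

    return {
        "method": method.decode("ascii"),
        "url": url.decode("latin-1"),
        "version": version.decode("ascii"),
        "headers": headers,
        "body": rest[:content_length],
    }


def is_well_formed(data: bytes) -> bool:
    """Accept/reject wrapper for a proxy-side filter."""
    try:
        parse_rtsp_request(data)
        return True
    except RtspError:
        return False


if __name__ == "__main__":
    # Constructed samples: an ordinary DESCRIBE, one with a 4 KB URL, and
    # one claiming a gigabyte body.
    samples = [
        b"DESCRIBE rtsp://media.example/movie.mov RTSP/1.0\r\nCSeq: 2\r\n"
        b"Accept: application/sdp\r\n\r\n",
        b"DESCRIBE rtsp://media.example/" + b"A" * 4096 + b" RTSP/1.0\r\nCSeq: 3\r\n\r\n",
        b"SET_PARAMETER rtsp://media.example/ RTSP/1.0\r\nCSeq: 4\r\n"
        b"Content-Length: 1073741824\r\n\r\n",
    ]
    for s in samples:
        print(is_well_formed(s), s[:40])
```

The point of the example is the ordering: every limit is enforced on the raw bytes before anything is decoded, stored or used to size a buffer, and the reject path is a hard drop rather than a best-effort truncation.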
-- Description --
The Darwin Streaming Server is the open source Darwin equivalent to the QuickTime Streaming Server that is available for the OS X platform. Patches have been released to address a set of vulnerabilities that appear to be related to previously disclosed and patched issues with QuickTime (certain streaming protocols had some inbuilt weaknesses). In the worst case, an attacker could gain control over a vulnerable system that was running the Server, by supplying malicious network traffic.

-- Recommended Action --
Update to Streaming Server 5.5.5 at the earliest opportunity.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
              U   O
Home User     7   8   (High - Very High)
Corporate     7   8   (High - Very High)

=======================================
/* Threat Matrix:
   U - User
   O - Operator
   Harmless - 0 ----- 10 - Highly Critical */
=======================================

2. NEWS

2.1 Grand Claims Require Solid Evidence

Getting online identity systems correct is difficult. Getting them secure is even more so, and it appears to be a problem that has not been reliably solved up to this point in time (secure in a lab is not being considered at this time). A new service that is seeking to provide something analogous to a single-sign on system (like Microsoft's PassPort before it) appears to be drawing on similar technology to that used by Bank of America in their SiteKey authentication system. While comparable technology already exists, the company behind the service are making claims that have caught the attention of security researchers. Claiming to protect the user against four of the most prevalent means of compromising authentication (Phishing, Keystroke logging, Man-In-The-Middle Attacks (MITM), Brute Force), the service has already been demonstrated to fail in at least one of those areas.
An independent researcher has already demonstrated the ability to perform an effective MITM attack against the service (though it does rely upon the user not noticing the lack of an https address, but this can easily be overcome). Unfortunately for end users, and for those who have invested funds into this concept, false claims of security are more harmful in the long run than no security mechanisms at all.

2.2 How We Do What We Do

A recent posting on the McAfee Avert Labs blog (http://www.avertlabs.com/research/blog/?p=272) provides an excellent primer on how Information Security research is conducted, in particular the sort of research that we carry out here at Sûnnet Beskerming. If readers are interested in finding out some of the difficulties associated with research, and some of the ways that services will differ, it makes for a good read. The upshot, using their analogy, is that we are more effective at setting the size and composition of our net than our competitors, and we have used a lengthy (and ongoing) study of the winds, tides, coast, and sea floor to find the best fishing spots. Ultimately, we are here to provide the best possible Information Security knowledge and advice to our clients, irrespective of what else is happening in the industry.

2.3 Using The System Against Itself

Amongst other news being reported by Symantec at the moment (they are on a big PR push to improve the market's attitude towards their acquisition of Veritas) is that they have detected malware which uses the software update service built in to Windows to download and install essential components of the malware. The fact that Symantec is hyping new anti-rootkit software is more than just coincidence.
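Item 2.3 turns on a built-in download component fetching from locations the malware chooses, and the defensive idea it raises is to confine that component to trusted vendor locations. As an added example (not part of the original advisory and not Microsoft's code), the Python below contrasts a substring check on the URL with a check of the parsed authority, which is what such an allowlist actually has to test; the vendor host names and the sample URLs are constructed placeholders, not real update endpoints.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the illustration; these are not a real vendor's
# update hosts. Exact hosts, plus anything under the listed parent domains.
TRUSTED_HOSTS = frozenset({"download.example-vendor.com"})
TRUSTED_PARENTS = ("update.example-vendor.com",)


def naive_is_trusted(url: str) -> bool:
    """The substring test that looks reasonable and is trivially bypassed."""
    return "example-vendor.com" in url


def is_trusted_download_url(url: str) -> bool:
    """Accept only https URLs whose parsed host is on the allowlist.

    The decision is made on the authority's host name as urlsplit extracts
    it (lower-cased, userinfo and port stripped), so a trusted name in the
    userinfo, path or query cannot turn an untrusted origin into a trusted
    one. Any redirect target must be passed through this same check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":      # plain http can be altered in transit
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # credentials in a download URL are a red flag
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".")   # drop a trailing root dot
    if not host:
        return False
    if host in TRUSTED_HOSTS:
        return True
    return any(host == p or host.endswith("." + p) for p in TRUSTED_PARENTS)


def audit(urls):
    """Return (url, naive_verdict, strict_verdict) for each URL so the
    disagreements between the two checks are visible."""
    return [(u, naive_is_trusted(u), is_trusted_download_url(u)) for u in urls]


# Constructed sample URLs: two legitimate, six that the naive check accepts.
SAMPLE_URLS = [
    "https://download.example-vendor.com/patches/kb-placeholder.cab",
    "https://cdn.update.example-vendor.com/patches/kb-placeholder.cab",
    "http://download.example-vendor.com/patches/kb-placeholder.cab",
    "https://download.example-vendor.com@attacker.example/payload.bin",
    "https://download.example-vendor.com.attacker.example/payload.bin",
    "https://attacker.example/payload.bin?ref=download.example-vendor.com",
    "https://download.example-vendor.com:8443/payload.bin",
    "https://download.example-vendor.com:abc/payload.bin",
]

if __name__ == "__main__":
    for url, naive, strict in audit(SAMPLE_URLS):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

Only the first two sample URLs pass the strict check; the naive check passes all eight. Host comparison here is exact-string, so an internationalised or look-alike host name simply fails to match; if the allowlist itself must contain non-ASCII names, normalise both sides to the same form before comparing.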
Since the malware authors are using a key component of Windows to do the heavy lifting, it allows them to sneak the critical parts of their malware past any defences that might be in place (users can't have their firewall stopping the system from downloading their essential Windows updates). While the use of this system module is of concern for those developing defences against malware that might use it, it does represent a useful example of how difficult it is to establish the proper trust credentials, even for software that is embedded within the system and meant only to download system updates. That concept might be at the core of how the problem could be resolved by a future patch - by limiting the functionality of the software to only downloading from trusted Microsoft locations (as some other Windows components already do), it would be possible to recover the original intended functionality for the component without providing malware authors with such an easy way of moving their software onto a victim's system.

2.4 Windows News

As reported by the ISC, official support from Microsoft for the Windows 2003 operating system has ended, but only for the SP0 version (i.e. straight out of the box, with no patches or Service Packs applied). While it is unlikely that there will be many systems still at SP0 (although we do know of some production systems that are in this configuration), it is an important change to take note of, especially as the most recent system patches (from earlier this week) will not install if the system is still at SP0.

In other recent Windows news, Microsoft has released a fix that allows iPod owners to safely eject their players from a Windows Vista system. Previously, users were at risk of corrupting data on their iPod, even if they followed the recommended procedure for removing the device from their computer.
Exploits have already begun circulating for some of the vulnerabilities patched this week by Microsoft (at least for those vulnerabilities that didn't already have exploits circulating). If users have not applied the patches, it is critical that they apply them as soon as possible.

2.5 Multiple AntiVirus Vendor Issues

Computer Associates (CA), McAfee, Symantec, and Trend Micro have all recently had serious vulnerabilities disclosed in a range of their products that could allow anything from a loss of the service through to complete control of a vulnerable system. Users and administrators should ensure that they have the latest patches applied, as there is already exploit code circulating for a number of the vulnerabilities, and it is expected that other vendors may also be vulnerable to related issues (such as the ZOO archive multi-vendor issue reported a few weeks ago). Unfortunately for Windows users, most of the available exploits are targeting weak ActiveX controls installed alongside a number of the products, leaving them at greatest risk of compromise.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com