Sûnnet Beskerming Alert List Advisory #236
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact
info@... to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 OpenOffice.org
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Online Advertising Movements
2.2 .bank Backers Fighting on
2.3 The Threat That is the Internet
2.4 Being Secure is Not Easy
2.5 When Updates go Bad
=====================================
1. SECURITY
1.1 OpenOffice.org - Remote Hacker Automatic Control
-- Products Affected --
OpenOffice.org, all versions
-- Technical Description --
A macro worm, dubbed 'BadBunny', targeting OpenOffice.org has been
discovered by Sophos (after the worm's developers forwarded it to them).
This worm is multi-platform, with different payload infections based
on the current operating system (Windows, Linux and OS X are
targeted). Dropped files target mIRC and X-Chat, which are then used
to distribute the worm to other users. Other dropped files target
various scripting languages (JavaScript, Perl, Ruby) and will also
attempt basic network attacks against various antivirus and
Information Security company websites.
-- Description --
Antivirus vendor, Sophos, has identified a new worm that is
targeting the popular OpenOffice.org alternative office productivity
suite. Separating the worm from most other macro worms is its ability
to attack Windows, Linux, and OS X systems from the same infection (a
different attack is launched based on what system is being used).
Although the worm has been discovered in the wild, and it will
attempt to gain control of vulnerable systems, it is not widespread
at this time - the only known copy was forwarded directly to the
Sophos antivirus team.
-- Recommended Action --
Update to the latest antivirus definitions files, and apply caution
when interacting with OO.o files from untrusted sources, particularly
files which contain macros. Consider using OO.o from a less
privileged account until appropriate patches can be released.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
            U   O
Home User   8   8  (Very High)
Corporate   8   8  (Very High)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Online Advertising Movements
Following the recent purchase of DoubleClick by Google, and the
rumoured discussions between Yahoo! and Microsoft, comes more
significant purchases from major Information Technology companies in
the field of online advertising.
Yahoo! recently bought out the remaining stake in Right Media Inc for
$680 million USD, and Real Media Inc has been bought up for $649
million USD by WPP Group, but the biggest news is in Microsoft's
recent purchase.
Microsoft paid $6 billion USD to capture aQuantive, at a premium of
over 80% over the current market value for the company. Even more
interesting than the price is that it has been paid in cash ($66.50
per share when they closed at $35.87 on Thursday) and it represents
the largest acquisition in Microsoft's history. For existing
shareholders in aQuantive, the payday has already arrived, with
shares jumping to $63.77 late Friday.
The recent spate of purchases and conglomeration taking place has
left ValueClick as one of the few large online advertising companies
left in public ownership.
With Google purchasing the #1 company in the sector for $3 billion
USD, and Microsoft purchasing the #2 for $6 billion, a number of
observers are concerned that this is another sign of an overheated
tech sector (at least on the stock market). Even though the figures
appear excessive when compared to each other, both companies were
purchased for almost the same multiple of annual revenue (15x and 13x
respectively).
2.2 .bank Backers Fighting on
After initially raising the idea of a .bank top level domain (.tld)
as a means to defeat phishing and a number of other online financial
fraud opportunities, the team at F-Secure are still strongly in
support of the idea, despite the critical responses that the idea
received on its initial publication.
Extending the original argument, the claim is made that because the
domain authority will be limiting access to the domain to legitimate
financial institutions ($50,000 per domain can't hurt) then users can
be reassured that only a legitimate site will be able to own one of
these domains. Unfortunately, history has shown (at least for
commercial domains) that it is not possible to isolate complete .tlds
as easily as that. Tightly controlled domains, such as .gov, .mil
or .edu have had more success, but .bank will lack the necessary
teeth behind it to ensure it remains clean (unless it is decided to
give a government or a military control over it).
Even if .bank could be established, and was kept completely clean of
malicious sites, it doesn't address the issue of banks that have the
same name, but exist in different countries - such as 'National
Bank', and it doesn't address the greater problem of attackers using
flaws in the bank's own sites in order to redirect / confuse / con
users. When banks are more than happy to use third parties to deliver
content on their behalf (such as a number of US banks are known to
do), all the work of ensuring users know that they are on a .bank
domain is suddenly useless as official bank correspondence is coming
in from a domain that is obviously not a .bank domain.
Unfortunately, F-Secure also argue that smaller banks and credit
unions will not be considered as important as larger financial
institutions because they may not be able to afford the $50,000
registration fee. This is not going to make either the financial
institutions or their customers happy (or safer), and it conditions
users to accept that official banking domains can still be found
outside the .bank tld.
Going further, arguing that companies such as PayPal (and presumably
online trading companies such as ScottTrade and ETrade) should be
eligible for a .bank domain even though they are not banks (though
PayPal may soon be a bank in Europe) will further dilute the
appearance of .bank as a place purely for banks and major financial
institutions.
2.3 The Threat That is the Internet
Jikto, the JavaScript web scanner, relied upon basic research
conducted by an independent researcher who has now come out and
released a conceptual description of how a major AJAX / JavaScript
Internet worm would work and how it could be configured for greatest
effect.
Using a set of common, well known building blocks, it will soon be
possible to construct a worm that attacks the Internet, spreading by
user contact (i.e. every page they visit), and which creates havoc
across the Internet, rather than the relatively limited scope of
worms such as Samy (MySpace) and Yamaner (Yahoo! Mail).
This relies upon the way that JavaScript is implemented in browsers
and on features of the language itself. In this case the result is
something that isn't so pleasant for end users, or at least carries
the risk of being so, but there are other cases where a
'vulnerability' has been declared when what is observed is actually
the expected behaviour of the system.
Apple's flagship Internet browser, Safari, has been declared
vulnerable to a JavaScript flaw that could allow a malicious site
operator to see what links are being clicked on from the site. Before
rushing off to Apple to complain, consider that it is possible, using
JavaScript or CSS (for those who surf with JavaScript disabled), to
determine where a site visitor has been. Also consider that many
sites (Information Security sites included) use formatted links that
temporarily direct to an interstitial page before going to the
desired location. This allows them to track where their visitors are
going and also allows another opportunity to throw advertising in
front of the site visitor.
Now to the 'vulnerability'. Unfortunately for the discoverer, and for
the Information Security companies that have jumped on the discovery
with glee, what Safari is doing is actually the expected behaviour.
In the described situation, and the demonstrated proof of concept,
the site coder has configured their anchor link <a> to trigger a
JavaScript function which then loads the desired link in a new window
(target="_blank" is so much easier). Once the window has opened, the
function continues to run and calls a subsequent function, which
references the opened window and identifies its URL.
In JavaScript, if a new window has been opened from a page,
JavaScript can be used to perform various manipulations on the new
window, and the same can be done from the spawned window.
That the script continues to run in the original window and then
reads a known property of the new window is nothing new. It is not a
vulnerability.
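The opener / new-window mechanism described above, written out as an added example (not the proof of concept, nor any Safari or site code): the site's own handler opens the link and keeps the handle, the browser's same-origin policy limits what it can read back, and the modern "noopener" window feature (assumed available; it postdates this advisory) removes the handle altogether. `fakeWindow` is a constructed stand-in for a browser window so the functions can run outside a browser.

```javascript
// Click-tracking pattern from the advisory: the site's own handler opens the
// link in a new window, keeps the handle and later reads the URL from it.
// Assumes it runs in a browser where `win` is the real `window`; the
// constructed stand-in at the bottom mimics enough of it to run under Node.

function trackedOpen(url, win) {
  // Open the target and keep the handle, exactly as the described site does.
  const handle = win.open(url, "_blank");
  return { url, handle };
}

function urlOfOpened(handle) {
  // The opener may read the new window's location only while it is
  // same-origin; a cross-origin read throws, which is the same-origin policy
  // limiting what can be learned to what open() was already given.
  if (!handle) return null;
  try {
    return handle.location.href;
  } catch (err) {
    return null;
  }
}

function severedOpen(url, win) {
  // Hardened variant (modern browsers): the "noopener" feature severs the
  // link between the two windows, so no handle comes back at all.
  const handle = win.open(url, "_blank", "noopener");
  return { url, handle };
}

// Constructed stand-in for a browser window so the functions above can be
// exercised outside a browser. It follows browser behaviour: same-origin
// popups expose location, cross-origin ones throw, "noopener" yields null.
function fakeWindow(origin) {
  return {
    open(url, _target, features = "") {
      if (features.split(",").map((f) => f.trim()).includes("noopener")) return null;
      const sameOrigin = new URL(url).origin === origin;
      return {
        get location() {
          if (!sameOrigin) throw new Error("SecurityError: cross-origin access");
          return { href: url };
        },
      };
    },
  };
}
```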
2.4 Being Secure is Not Easy
Building a system that is secure is a difficult prospect, but it is
something that most people would assume about the Space Shuttle,
modern fighter aircraft, and nuclear power plants - that they are
secure systems.
Well, they aren't.
Even though it operates probably the most tested, reviewed, bug-free
and analysed code base in existence, the Space Shuttle was only
recently discovered to have a unique roll-over bug that would lead to
an unknown condition if the Shuttle was in flight across the New
Year's Eve to New Year's Day boundary.
Even though the ultra-modern fighters are only just entering service,
a flight of F-22 fighters were forced to turn back to Hawaii after
their flight computers exhibited chaotic behaviour after crossing the
International Date Line.
Even though nuclear power plants are supposed to have their control
systems isolated from external network influences (one solid SCADA
design principle that should be applied), a US nuclear plant was
manually shut down after two water pumps failed following an unknown
spike of network traffic. While it was assumed that a faulty
controller on another piece of equipment was at fault, the operators
cannot rule out external traffic influences (i.e. they don't know
where it came from).
These incidents are excellent examples of the problem surrounding
secure software development - with the improvement of development
tools, developers are producing bigger and better disasters - a
concept being promoted by Professor Ross Anderson from the University
of Cambridge in the UK. Professor Anderson also believes that
security engineers need to know how things fail, and to study history
to learn from past mistakes (just like licensed engineers do).
While the above cases provide three excellent examples of unexpected
failures, it appears that 'security' companies can have problems of
their own that still have not been addressed even after many months
of notification.
McAfee Labs have picked up on some of the problems associated with
VeriSign's assurance seal that appears on many websites to indicate
that VeriSign has validated the identity of that particular website
(alongside the SSL certificate).
These are just a subset of the problems that Sûnnet Beskerming
reported to VeriSign in December 2005, problems that included not
only sites being able to put a seal on their main pages that pointed
to any other validated site record, but also that it is possible to
completely fake the record being pointed at. This can easily be
achieved by setting up a fake page to look like the VeriSign record,
but it can also be done using VeriSign's own results.
2.5 When Updates go Bad
In the space of less than a week, software updates caused two major
system and network outages in Japan and China, and a less major
outage over the weekend.
In Japan, a set of updates to Cisco routers led to a network-wide
failure for the NTT East and West networks. Up to 4,000 routers were
affected by an update that led to routing tables (which tell the
network where the next hop in the path to the end destination is)
being rewritten on each device. This rewrite caused the routing
tables to fail, and ultimately the devices stopped forwarding network
traffic (effectively self-DoS'ing). The outage, from Tuesday night
until Wednesday morning, left millions of users without Internet
access and has led to the network provider considering the use of a
heterogeneous network structure (i.e. multivendor devices, rather
than Cisco-only - most likely by introducing Juniper devices).
It appears that some of the cause for the incident was the use of
routers without sufficient spare capacity, which meant that when a
handful of devices suffered resource exhaustion, it led to a
cascading failure as subsequent routers quickly ran out of capacity
while trying to identify new routes for network traffic.
Chinese Windows XP SP2 users who regularly maintain their system by
applying the latest patches from Microsoft and running Norton-branded
antivirus tools from Symantec (Norton AntiVirus, Norton 360, Norton
Internet Security) found that a definitions file delivered by
Symantec late last week left their systems unusable. The rogue update
misidentified two critical system files as being part of the Haxdoor
trojan - a very nasty piece of malware that has been causing
significant problems for Windows users globally. The quarantining of
the critical files left systems unbootable, even in safe mode,
requiring significant effort to rebuild and recover the systems.
According to Chinese reports, several thousand users were affected,
mainly corporate users. Symantec quickly released an updated
definitions file which no longer quarantined the system files, so the
current updates should be safe for ongoing use.
On Saturday, it was then reported that Kaspersky Antivirus was
identifying files from Rising Antivirus (a popular Chinese antivirus
product) as part of a malicious trojan, thus disabling the product.
While it requires both antivirus products to be present and in use,
that configuration is a common setup - according to the Chinese
Incident Security Response Team.
These events aren't the first time that rogue updates from antivirus
vendors have led to significant system damage or outages, and it is
sure not to be the last time, either. Incidents like this lead to
users being conditioned against installing the latest system and
critical software updates (Windows and OS X updates have also been
known to break systems) for fear of having their system rendered
inoperable by a rogue update. This extends the exploitation window
that attackers can make use of to compromise vulnerable systems.
=======================================
Sincerely,
Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com