Advisory #239 - PHP, Kaspersky, IIS, Multiple News

Sûnnet Beskerming Alert List Advisory #239
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 PHP - Remote Hacker Automatic Control - Time Since Discovery - 4 Days
1.2 Kaspersky - Remote Hacker Automatic Denial of Service - Time Since Discovery - 1 Day
1.3 IIS - Remote Hacker Automatic Data Theft - Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Bad Blood Over 'Sponsored' Speaking Positions
2.2 Recent Advancement for Network Worms
2.3 When Good Intentions go Bad
2.4 Antivirus Vendors and Filtering Vulnerabilities
2.5 City Loses Funds After Systems Infected
2.6 Misidentification Hurts
2.7 Developing Safe Sites is Hard
2.8 MOSEB Underway
=====================================

1. SECURITY

1.1 PHP - Remote Hacker Automatic Control

-- Products Affected --
PHP 5.2.2 and prior

-- Technical Description --
The PHP project has released version 5.2.3 of the PHP scripting language, providing a number of security-related fixes, including integer overflows in chunk_split(), infinite loop vulnerabilities in imagecreatefrompng, email validation vulnerabilities and a safe_mode bypass, along with improved fixes for database support and some additional functionality in the base set. There are also a number of other security-related patches included.

-- Description --
The PHP development team have released version 5.2.3 of the scripting language. A number of key security fixes are included, among them patches for vulnerabilities that could allow an attacker to take complete control of the system that PHP is running on. Noted PHP security researcher Stefan Esser has claimed that there are still known vulnerabilities outstanding.

-- Recommended Action --
Apply version 5.2.3 of PHP at the earliest opportunity.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
             U   O
Home User    9   9   (Critical)
Corporate    9   9   (Critical)

1.2 Kaspersky Antivirus - Remote Hacker Automatic Denial of Service

-- Products Affected --
Kaspersky Antivirus 7.0 and prior

-- Technical Description --
By sending malicious parameters to NtOpenProcess, it is possible to crash Kaspersky Antivirus when it uses klif.sys to access the process. Ironically, klif.sys is designed to prevent malicious software from arbitrarily closing or otherwise controlling Kaspersky Antivirus.

-- Description --
All current versions of Kaspersky Antivirus (including the upcoming 7.0) are vulnerable to an attack that will crash the software from any account level, preventing its use by authorised users.
This may leave systems unprotected from further malware / virus infection attempts and result in a completely compromised system.

-- Recommended Action --
Consider the use of alternate antivirus solutions in a defence-in-depth approach to system and data security.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
             U   O
Home User    7   7   (High)
Corporate    7   7   (High)

1.3 Internet Information Service (IIS) - Remote Hacker Automatic Data Theft

-- Products Affected --
Internet Information Service (IIS) 5.x

-- Technical Description --
Internet Information Service (IIS) is vulnerable to an authentication bypass attack that targets the hit highlight feature of the software. By requesting a file that does not exist and then using features of the hit highlight feature, it is possible for an attacker to bypass the basic authentication protection.

-- Description --
Microsoft's web server software (IIS) has been found to be vulnerable to an attack that allows a remote attacker to bypass the basic authentication settings. This could be used by a remote attacker to gain access to sensitive areas of hosted sites, potentially allowing reconfiguration of the server or leverage of other vulnerabilities within the site software.

-- Recommended Action --
Consider upgrading to IIS 6.0 or later, or consider installing and running an alternative web server (such as Apache).

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
             U   O
Home User    0   7   (Nil - High)
Corporate    0   7   (Nil - High)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Bad Blood Over 'Sponsored' Speaking Positions

Less than a week after appearing at AusCERT 07, one of the invited speakers has published an interesting take on the rise of 'sponsored' speaking engagements at Information Security conferences and related events (although it does not appear that AusCERT partakes in this). After being contacted to contribute expert views for a television program, he was surprised to find that he was going to have to pay in order to provide his opinion (a $15,000 USD fee). This isn't the only time that he has been asked to front up fees in order to deliver a presentation at a conference, with at least one 'security conference' requiring payment from presenters in order to fill spots. This is not limited to conferences, with some traditional printed media only running articles created by experts if the publication receives advertising beyond a certain value (i.e. sponsored editorials).

For professionals working in the field, this practice of paying to present makes it appear that the only information being presented at conferences and in the media (and by certain industry groups) is corporate propaganda. As a result there is a small, but growing, backlash from IT professionals who are frustrated by this practice and the time it takes away from important issues that need coverage. Some qualified researchers are refusing to submit papers for conferences if they are required to pay fees in order to present, or if they are not provided with free entry to the full conference. Others have just given up on the whole conference process.
2.2 Recent Advancement for Network Worms

After hinting at the possible future development of wide-spreading worms that exist only on the Internet, spreading from browser session to browser session when victims visit compromised sites, the researcher who was behind the technological development that led to Jikto (before Billy Hoffman picked up on it) has provided more information about what is soon to be available. A technology demonstration script has been created and published, which utilises a number of freely available resources to automate an attack against the browsing history of a victim. All that a victim needs to do is visit a site which is hosting the malicious script, with Active Scripting activated (or JavaScript support active for other browsers), and the script does the rest. If the victim has visited any of the targeted vulnerable sites in that particular browsing session, then it uses that visit as the basis for executing an XSS attack against those sites, resulting in the compromise of site cookies and the capture of potentially sensitive data (at the least it can allow for impersonation of the victim). This means that if they have used webmail (GMail, Hotmail, Live Mail, Yahoo! Mail, etc.), accessed online financial accounts, or any number of other potentially sensitive sites, the script can capture these details and take control of the victim's presence on those sites.

2.3 When Good Intentions go Bad

Two incidents from the last several days have provided excellent studies in how difficult it is to ensure that the data sets that you are working with are accurate, and also how much a website can be considered a mini-dictatorship - where whatever the site owner says, goes. Popular blogging site LiveJournal has been busy deleting accounts that reference incest, sex abuse, paedophilia and other related vicious crimes.
The deletions are the result of a third party that complained to LiveJournal that unless the accounts discussing these matters were deleted, it would present that information to LiveJournal's advertisers, in an attempt to force a financial loss on LiveJournal if it did not comply. The intent behind these deletions is admirable; however, the implementation is causing some trouble. While there are deletions that are appropriate, it appears that many of the account deletions have hit blogs that were established to help victims of abuse. Keyword-based deletions mean that not only will you hit the perpetrators, but you will also snare those who are supporting the victims. Understandably, this has annoyed many of the site users. For a site where the community is tightly knit (compared to many other sites), the apparently arbitrary deletions are having a much wider effect than would normally be expected. That many of the account holders are also paying subscribers means that the incorrectly deleted users also have a financial basis for complaint. In an ironic twist, the website of the group behind the original push to have the accounts removed is embedded with significant levels of spyware and other malicious software that will infect any unprotected system that browses the site. Since the major outcry, LiveJournal management have back-pedalled and acknowledged that a number of their deletions were in error, and they will be taking steps to try and ensure that those accounts are reinstated. From community reactions, it appears to be too little, too late.

The second major case affected MySpace, which recently introduced a plan to identify and suspend account holders who were sex offenders.
As with the LiveJournal issue, it appears that one or more false positives have resulted - an innocent woman was identified as a sex offender because she shared the same name and birthdate as an offender who lived in a nearby state. Observers have pointed out that this suggests MySpace is doing a fairly poor job of cross-referencing the government list of sex offenders that it is using as the basis for identifying users as potential offenders. This suggests poor validation, and ignorance of how simple it is for users to supply false information in order to register on the site. Fortunately for the user who was misidentified, MySpace did not publicly state the reason for the account suspension, which means that there would be no reason for other users to even know why the suspension took place. Unfortunately, even though MySpace is not responsible for the original database being used to cross-reference names, it is turning over data from the suspended accounts to law enforcement, which could lead to dilution of the official databases with incorrect data.

2.4 Antivirus Vendors and Filtering Vulnerabilities

Finland-based antivirus and security software vendor F-Secure recently released a set of updates for almost their entire product line, with the most serious vulnerability allowing an attacker to take control of a vulnerable system. While the denial of service and privilege escalation vulnerabilities that were also fixed with the update are serious, it is the arbitrary code execution vulnerability associated with a scanning library that is the most interesting. Over the last few years, a high percentage of the serious vulnerabilities affecting antivirus software have been to do with weaknesses in the libraries used to scan various file types. This means that the antivirus product is becoming a target in itself, and it is worthwhile for attackers to try and target these known issues when distributing their malware.
After all, why try and attack a system that may be protected when you can target the protection itself? In many cases, the vulnerabilities affect software libraries used to peer inside files that may be compressed or archived with various compression software. Because the antivirus software can't see inside a compressed archive, it needs to be able to extract it to see whether the files within it are affected. It is this step where antivirus software is most at risk. With the inability of antivirus vendors to keep up with the rate of emergence of new malware threats (ref. the recent .rtf based malware for an example, even though it was a variant of a Bancos trojan), and vulnerabilities associated with scanning compressed archives, it seems like end users are in a difficult place - they are at risk if they don't use it, and they are at risk even if they do. That is certainly true, but regularly-updated antivirus software is an important layer of any security model, and should be in place on all systems.

2.5 City Loses Funds After Systems Infected

The Californian city of Carson was left almost $450,000 USD out of pocket after a spyware-infected system in use by the city's Treasurer provided attackers with the details necessary to gain access to the city's online bank accounts. Over two transactions (of $90,000 and $358,000) in late May, the attackers were able to wire the funds to accounts across the country. Fortunately for the taxpayers of Carson, the city was able to recover all but $45,000 USD. This isn't the first time this year that a Californian city has lost taxpayers' money to remote attackers, with the city of Willows having lost $4,000 from a city fund earlier this year. In an effort to offset the risk of further loss, the Treasurer has mentioned the prospect of seeking out legislation to address the problem.
The only problem with this is that it is already illegal to carry out attacks like this, and additional legal restrictions are unlikely to make any difference to how often attacks are carried out.

2.6 Misidentification Hurts

After a poor update to the Symantec Antivirus suite caused havoc for Chinese Windows XP 2 users earlier this year, another poor update to the antivirus definitions file has led to an antimalware product being misidentified as malware. This time, the popular SpyBot Search & Destroy product had one of its critical files identified as malicious. While the misidentified file was only targeted in the 1.3 version of the product (the current version is 1.4), it is another case of antivirus definitions files going haywire with unfortunate results for people struggling to ensure their systems stay as secure and safe as possible. Fortunately for potentially affected users, Symantec quickly released an updated definitions file that addressed the problem.

2.7 Developing Safe Sites is Hard

Developing safe websites is a difficult task for any developer, so when the experts are caught developing and operating sites that are vulnerable to attack, it is a timely reminder that keeping systems safe against potential attack takes a lot of work. It was recently disclosed that the Internet Storm Center (part of SANS) was vulnerable to an XSS attack through the search box on the site. While there are many, many sites vulnerable to XSS attacks, public acknowledgement of the issue by site administrators is rare. The developer's initial reaction of scepticism and denial provides an insight into how a significant percentage of vulnerability notifications proceed - ignorance or dismissal of the report, even more so from those who are 'experienced' or 'expert' security personnel.

2.8 MOSEB Underway

The latest in a string of 'Month of X Bugs' projects is underway, with the 'Month of Search Engine Bugs' (MOSEB) commencing at the start of June.
Five vulnerabilities have already been disclosed, starting with a number of XSS and redirector issues affecting a Ukrainian search engine, Yahoo!, and Hotbot. While these vulnerabilities are relevant and are usable against the search engines, their usefulness is largely limited to spoofing - perhaps as part of an effort to misdirect or compromise users. The greater risk is from disclosed vulnerabilities in sites which provide additional services, such as webmail or other account-based features. These could then be used to capture the victim's account and allow for impersonation of the victim. Unlike the Month of ActiveX Bugs, which ran during May, the vulnerabilities identified as part of MOSEB are being presented in English and Russian. After the first few ActiveX bugs were disclosed in May, the disclosures were being made in Italian, and focussed on relatively obscure ActiveX controls - mainly third party controls.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com